ploeh blog

Vendor Media Types With the ASP.NET Web API

Mark Seemann — Tue, 24 Apr 2012 11:45:41 GMT

In RESTful services, media types (e.g. application/xml, application/json) are an important part of Content Negotiation (conneg in the jargon). This enables an API to provide multiple representations of the same resource.

Apart from the standard media types such as application/xml, application/json, etc. an API can (and often should, IMO) expose its resources using specialized media types. These often take the form of vendor-specific media types, such as application/vnd.247e.catalog+xml or application/vnd.247e.album+json.

In this article I'll present some initial findings I've made while investigating this in the ASP.NET Web API (beta).

For an introduction to conneg with the Web API, see Gunnar Peipman's ASP.NET blog, particularly these two posts:

The Problem

In a particular RESTful API, I'd like to enable vendor-specific media types as well as the standard application/xml and application/json media types.

More specifically, I'd like to add these media types to the API:

application/vnd.247e.album+xml
application/vnd.247e.artist+xml
application/vnd.247e.catalog+xml
application/vnd.247e.search-result+xml
application/vnd.247e.track+xml
application/vnd.247e.album+json
application/vnd.247e.artist+json
application/vnd.247e.catalog+json
application/vnd.247e.search-result+json
application/vnd.247e.track+json

However, I can't just add all these media types to GlobalConfiguration.Configuration.Formatters.XmlFormatter.SupportedMediaTypes or GlobalConfiguration.Configuration.Formatters.JsonFormatter.SupportedMediaTypes. If I do that, each and every resource in the API would accept and (claim to) return all of those media types. That's not what I want. Rather, I want specific resources to accept and return specific media types.

For example, if a resource (Controller) returns an instance of the SearchResult (Model) class, it should only accept the media types application/vnd.247e.search-result+xml, application/vnd.247e.search-result+json (as well as the standard application/xml and application/json media types).

Likewise, a resource handling the Album (Model) class should accept and return application/vnd.247e.album+xml and application/vnd.247e.album+json, and so on.

Figuring out how to enable such behavior took me a bit of fiddling (yes, Fiddler was involved).

The Solution

The Web API uses a polymorphic collection of MediaTypeFormatter classes. These classes can be extended to be more specifically targeted at a specific Model class.

For XML formatting, this can be done by deriving from the built-in XmlMediaTypeFormatter class:

public class TypedXmlMediaTypeFormatter : XmlMediaTypeFormatter

    private readonly Type resourceType;

    public TypedXmlMediaTypeFormatter(Type resourceType,

        MediaTypeHeaderValue mediaType)

        this.resourceType = resourceType;

        this.SupportedMediaTypes.Clear();

        this.SupportedMediaTypes.Add(mediaType);

    protected override bool CanReadType(Type type)

        return this.resourceType == type;

    protected override bool CanWriteType(Type type)

        return this.resourceType == type;

The implementation is quite simple. In the constructor, it makes sure to clear out any existing supported media types and to add only the media type passed in via the constructor.

The CanReadType and CanWriteType overrides only return true of the type parameter matches the type targeted by the particular TypedXmlMediaTypeFormatter instance. You could say that the TypedXmlMediaTypeFormatter provides a specific match between a media type and a resource Model class.

The JSON formatter is similar:

public class TypedJsonMediaTypeFormatter : JsonMediaTypeFormatter

    private readonly Type resourceType;

    public TypedJsonMediaTypeFormatter(Type resourceType,

        MediaTypeHeaderValue mediaType)

        this.resourceType = resourceType;

        this.SupportedMediaTypes.Clear();

        this.SupportedMediaTypes.Add(mediaType);

    protected override bool CanReadType(Type type)

        return this.resourceType == type;

    protected override bool CanWriteType(Type type)

        return this.resourceType == type;

The only difference from the TypedXmlMediaTypeFormatter class is that this one derives from JsonMediaTypeFormatter instead of XmlMediaTypeFormatter.

With these two classes available, I can now register all the custom media types in Global.asax like this:

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedXmlMediaTypeFormatter(

        typeof(Album),

        new MediaTypeHeaderValue(

            "application/vnd.247e.album+xml")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedXmlMediaTypeFormatter(

        typeof(Artist),

        new MediaTypeHeaderValue(

            "application/vnd.247e.artist+xml")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedXmlMediaTypeFormatter(

        typeof(Catalog),

        new MediaTypeHeaderValue(

            "application/vnd.247e.catalog+xml")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedXmlMediaTypeFormatter(

        typeof(SearchResult),

        new MediaTypeHeaderValue(

            "application/vnd.247e.search-result+xml")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedXmlMediaTypeFormatter(

        typeof(Track),

        new MediaTypeHeaderValue(

            "application/vnd.247e.track+xml")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedJsonMediaTypeFormatter(

        typeof(Album),

        new MediaTypeHeaderValue(

            "application/vnd.247e.album+json")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedJsonMediaTypeFormatter(

        typeof(Artist),

        new MediaTypeHeaderValue(

            "application/vnd.247e.artist+json")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedJsonMediaTypeFormatter(

        typeof(Catalog),

        new MediaTypeHeaderValue(

            "application/vnd.247e.catalog+json")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedJsonMediaTypeFormatter(

        typeof(SearchResult),

        new MediaTypeHeaderValue(

            "application/vnd.247e.search-result+json")));

GlobalConfiguration.Configuration.Formatters.Add(

    new TypedJsonMediaTypeFormatter(

        typeof(Track),

        new MediaTypeHeaderValue(

            "application/vnd.247e.track+json")));

This is rather repetitive code, but I'll leave it as an exercise to the reader to write a set of conventions that appropriately register the correct media type for a Model class.

Caveats

Please be aware that I've only tested this with a read-only API. You may need to tweak this solution in order to also handle incoming data.

As far as I can tell from the Web API source repository, it seems as though there are some breaking changes in the pipeline in this area, so don't bet the farm on this particular solution.

Lastly, it seems as though this solution doesn't correctly respect opt-out quality parameters in incoming Accept headers. As an example, if I request a 'Catalog' resource, but supply the following Accept header, I'd expect the response to be 406 (Not Acceptable).

Accept: application/vnd.247e.search-result+xml; q=1, */*; q=0.0

However, the result is that the service falls back to its default representation, which is application/json. Whether this is a problem with my approach or a bug in the Web API, I haven't investigated.

Wiring HttpControllerContext With Castle Windsor

Mark Seemann — Thu, 19 Apr 2012 15:14:30 GMT

In a previous post I demonstrated how to wire up HttpControllerContext with Poor Man's DI. In this article I'll show how to wire up HttpControllerContext with Castle Windsor.

This turns out to be remarkably difficult, at least with the constraints I tend to set for myself:

Readers of this blog may have an inkling that I have an absolute abhorrence of static state, so anything relying on that is out of the question.
In addition to that, I also prefer to leverage the container as much as possible, so I'm not keen on duplicating a responsibility that really belongs to the container.
No injecting the container into itself. That's just unnatural and lewd (without being fun).
If possible, the solution should be thread-safe.
The overall solution should still adhere to the Register Resolve Release pattern, so registering a captured HttpControllerContext is a no-go. It's also unlikely to work, since you'd need to somehow scope each registered instance to its source request.
That also rules out nested containers.

OK, so given these constraints, how can an object graph like this one be created, only with Castle Windsor instead of Poor Man's DI?

return new CatalogController(

    new RouteLinker(

        baseUri,

        controllerContext));

Somehow, the HttpControllerContext instance must be captured and made available for further resolution of a CatalogController instance.

Capturing the HttpControllerContext

The first step is to capture the HttpControllerContext instance, as early as possible. From my previous post it should be reasonably clear that the best place to capture this instance is from within IHttpControllerActivator.Create.

Here's the requirement: the HttpControllerContext instance must be captured and made available for further resolution of the object graph – preferably in a thread-safe manner. Ideally, it should be captured in a thread-safe object that can start out uninitialized, but then allow exactly one assignment of a value.

At the time I first struggled with this, I was just finishing The Joy of Clojure, so this sounded to me an awful lot like the description of a promise. Crowdsourcing on Twitter turned up that the .NET equivalent of a promise is TaskCompletionSource<T>.

Creating a custom IHttpControllerActivator with an injected TaskCompletionSource<HttpControllerContext> sounds like a good approach. If the custom IHttpControllerActivator can be scoped to a specific request, that would be the solution then and there.

However, as I've previously described, the current incarnation of the ASP.NET Web API has the unfortunate behavior that all framework Services (such as IHttpControllerActivator) are resolved once and cached forever (effectively turning them into having the Singleton lifestyle, despite what you may attempt to configure in your container).

With Dependency Injection, the common solution to bridge the gap between a long-lasting lifestyle and a shorter lifestyle is a factory.

Thus, instead of injecting TaskCompletionSource<HttpControllerContext> into a custom IHttpControllerActivator, a Func<TaskCompletionSource<HttpControllerContext>> can be injected to bridge the lifestyle gap.

One other thing: the custom IHttpControllerActivator is only required to capture the HttpControllerContext for further reference, so I don't want to reimplement all the functionality of DefaultHttpControllerActivator. This is the reason why the custom IHttpControllerActivator ends up being a Decorator:

public class ContextCapturingControllerActivator :

    IHttpControllerActivator

    private readonly IHttpControllerActivator activator;

    private readonly Func<TaskCompletionSource<HttpControllerContext>>

        promiseFactory;

    public ContextCapturingControllerActivator(

        Func<TaskCompletionSource<HttpControllerContext>> promiseFactory,

        IHttpControllerActivator activator)

        this.activator = activator;

        this.promiseFactory = promiseFactory;

    public IHttpController Create(

        HttpControllerContext controllerContext,

        Type controllerType)

        this.promiseFactory().SetResult(controllerContext);

        return this.activator.Create(controllerContext, controllerType);

The ContextCapturingControllerActivator class simply Decorates another IHttpControllerActivator and does one thing before delegating the call to the inner implementation: it uses the factory to create a new instance of TaskCompletionSource<HttpControllerContext> and assigns the HttpControllerContext instance to that promise.

Scoping

Because the Web API is basically being an ass (I can write this here, because I'm gambling that the solitary reader making it this far is so desperate that he or she is not going to care about the swearing) by treating framework Services as Singletons, it doesn't matter how it's being registered:

container.Register(Component

    .For<IHttpControllerActivator>()

    .ImplementedBy<ContextCapturingControllerActivator>());

container.Register(Component

    .For<IHttpControllerActivator>()

    .ImplementedBy<DefaultHttpControllerActivator>());

Notice that because Castle Windsor is being such an awesome library that it implicitly understands the Decorator pattern, I can simple register both Decorator and Decoratee in an ordered sequence.

The factory itself must also be registered as a Singleton (the default in Castle Windsor):

container.Register(Component

    .For<Func<TaskCompletionSource<HttpControllerContext>>>()

    .AsFactory());

Here, I'm taking advantage of Castle Windsor's Typed Factory Facility, so I'm simply asking it to treat a Func<TaskCompletionSource<HttpControllerContext>> as an Abstract Factory. Doing that means that every time the delegate is being invoked, Castle Windsor will create an instance of TaskCompletionSource<HttpControllerContext> with the correct lifetime.

This provides the bridge from Singleton lifestyle to PerWebRequest:

container.Register(Component

    .For<TaskCompletionSource<HttpControllerContext>>()

    .LifestylePerWebRequest());

Notice that TaskCompletionSource<HttpControllerContext> is registered with a PerWebRequest lifestyle, which means that every time the above delegate is invoked, it's going to create an instance which is scoped to the current request. This is exactly the desired behavior.

Registering HttpControllerContext

The only thing left is registering the HttpControllerContext class itself:

container.Register(Component

    .For<HttpControllerContext>()

    .UsingFactoryMethod(k =>

        k.Resolve<TaskCompletionSource<HttpControllerContext>>()

            .Task.Result)

    .LifestylePerWebRequest());

This defines that HttpControllerContext instances are going to be resolved the following way: each time an HttpControllerContext instance is requested, the container is going to look up a TaskCompletionSource<HttpControllerContext> and return the result from that task.

The TaskCompletionSource<HttpControllerContext> instance is scoped per web request and previously captured (as you may recall) by the ContextCapturingControllerActivator class.

That's all (sic!) there's to it :)

Injecting HttpControllerContext With the ASP.NET Web API

Mark Seemann — Tue, 17 Apr 2012 15:17:05 GMT

The ASP.NET Web API (beta) defines a class called HttpControllerContext. As the name implies, it provides a context for a Controller. This article describes how to inject an instance of this class into a Service.

The Problem

A Service may need an instance of the HttpControllerContext class. For an example, see the RouteLinker class in my previous post. A Controller, on the other hand, may depend on such a Service:

public CatalogController(IResourceLinker resourceLinker)

How can a CatalogController instance be wired up with an instance of RouteLinker, which again requires an instance of HttpControllerContext? In contrast to the existing ASP.NET MVC API, there's no easy way to read the current context. There's no HttpControllerContext.Current method or any other easy way (that I have found) to refer to an HttpControllerContext as part of the Composition Root.

True: it's easily available as a property on a Controller, but at the time of composition, there's no Controller instance (yet). A Controller instance is exactly what the Composition Root is attempting to create. This sounds like a circular reference problem. Fortunately, it's not.

The Solution

For Poor Man's DI, the solution is relatively simple. As I've previously described, by default the responsibility of creating Controller instances is handled by an instance of IHttpControllerActivator. This is, essentially, the Composition Root (at least for all Controllers).

The Create method of that interface takes exactly the HttpControllerContext required by RouteLinker – or, put differently: the framework will supply an instance every time it invokes the Create method. Thus, a custom IHttpControllerActivator solves the problem:

public class PoorMansCompositionRoot : IHttpControllerActivator

    public IHttpController Create(

        HttpControllerContext controllerContext,

        Type controllerType)

        if (controllerType == typeof(CatalogController))

            var url = HttpContext.Current.Request.Url;

            var baseUri =

                new UriBuilder(

                    url.Scheme,

                    url.Host,

                    url.Port).Uri;

            return new CatalogController(

                new RouteLinker(

                    baseUri,

                    controllerContext));

        // Handle other types here...

The controllerContext parameter is simply passed on to the RouteLinker constructor.

The only thing left is to register the PoorMansCompositionRoot with the ASP.NET Web API. This can be done in Global.asax by using the GlobalConfiguration.Configuration.ServiceResolver.SetResolver method, as described in my previous post. Just resolve IHttpControllerActivator to an instance of PoorMansCompositionRoot.

Hyperlinking With the ASP.NET Web API

Mark Seemann — Tue, 17 Apr 2012 14:46:42 GMT

When creating resources with the ASP.NET Web API (beta) it's important to be able to create correct hyperlinks (you know, if it doesn't have hyperlinks, it's not REST). These hyperlinks may link to other resources in the same API, so it's important to keep the links consistent. A client following such a link should hit the desired resource.

This post describes an refactoring-safe approach to creating hyperlinks using the Web API RouteCollection and Expressions.

The Problem

Obviously hyperlinks can be hard-coded, but since incoming requests are matched based on the Web API's RouteCollection, there's a risk that hard-coded links become disconnected from the API's incoming routes. In other words, hard-coding links is probably not a good idea.

For reference, the default route in the Web API looks like this:

routes.MapHttpRoute(

    name: "DefaultApi",

    routeTemplate: "{controller}/{id}",

    defaults: new

        controller = "Catalog",

        id = RouteParameter.Optional

);

A sample action fitting that route might look like this:

public Artist Get(string id)

where the Get method is defined by the ArtistController class.

Desired Outcome

In order to provide a refactoring-safe way to create links to e.g. the artist resource, the strongly typed Resource Linker approach outlined by José F. Romaniello can be adopted. The IResourceLinker interface looks like this:

public interface IResourceLinker

    Uri GetUri<T>(Expression<Action<T>> method);

This makes it possible to create links like this:

var artist = new Artist

    Name = artistName,

    Links = new[]

        new Link

            Href = this.resourceLinker.GetUri<ArtistController>(r =>

                r.Get(artistsId)).ToString(),

            Rel = "self"

},

    // More crap goes here...

};

In this example, the resourceLinker field is an injected instance of IResourceLinker.

Since the input to the GetUri method is an Expression, it's being checked at compile time. It's refactoring-safe because a refactoring tool will be able to e.g. change the name of the method call in the Expression if the name of the method changes.

Example Implementation

It's possible to implement IResourceLinker over a Web API RouteCollection. Here's an example implementation:

public class RouteLinker : IResourceLinker

    private Uri baseUri;

    private readonly HttpControllerContext ctx;

    public RouteLinker(Uri baseUri, HttpControllerContext ctx)

        this.baseUri = baseUri;

        this.ctx = ctx;

    public Uri GetUri<T>(Expression<Action<T>> method)

        if (method == null)

            throw new ArgumentNullException("method");

        var methodCallExp = method.Body as MethodCallExpression;

        if (methodCallExp == null)

            throw new ArgumentException("The expression's body must be a MethodCallExpression. The code block supplied should invoke a method.\nExample: x => x.Foo().", "method");

        var routeValues = methodCallExp.Method.GetParameters()

            .ToDictionary(p => p.Name, p => GetValue(methodCallExp, p));

        var controllerName = methodCallExp.Method.ReflectedType.Name

            .ToLowerInvariant().Replace("controller", "");

        routeValues.Add("controller", controllerName);

        var relativeUri = this.ctx.Url.Route("DefaultApi", routeValues);

        return new Uri(this.baseUri, relativeUri);

    private static object GetValue(MethodCallExpression methodCallExp,

        ParameterInfo p)

        var arg = methodCallExp.Arguments[p.Position];

        var lambda = Expression.Lambda(arg);

        return lambda.Compile().DynamicInvoke().ToString();

This isn't much different from José F. Romaniello's example, apart from the fact that it creates a dictionary of route values and then uses the UrlHelper.Route method to create a relative URI.

Please not that this is just an example implementation. For instance, the call to the Route method supplies the hard-coded string "DefaultApi" to indicate which route (from Global.asax) to use. I'll leave it as an exercise for the interested reader to provide a generalization of this implementation.

IQueryable is Tight Coupling

Mark Seemann — Mon, 26 Mar 2012 13:53:31 GMT

From time to time I encounter people who attempt to express an API in terms of IQueryable<T>. That's almost always a bad idea. In this post, I'll explain why.

In short, the IQueryable<T> interface is one of the best examples of a Header Interface that .NET has to offer. It's almost impossible to fully implement it.

Please note that this post is about the problematic aspects of designing an API around the IQueryable<T> interface. It's not an attack on the interface itself, which has its place in the BCL. It's also not an attack on all the wonderful LINQ methods available on IEnumerable<T>.

You can say that IQueryable<T> is one big Liskov Substitution Principle (LSP)violation just waiting to happen. In the next two section, I will apply Postel's law to explain why that is.

Consuming IQueryable<T>

The first part of Postel's law applied to API design states that an API should be liberal in what it accepts. In other words, we are talking about input, so an API that consumes IQueryable<T> would take this generalized shape:

IFoo SomeMethod(IQueryable<Bar> q);

Is that a liberal requirement? It must certainly is not. Such an interface demands of any caller that they must be able to supply an implementation of IQueryable<Bar>. According to the LSP we must be able to supply any implementation without changing the correctness of the program. That goes for both the implementer of IQueryable<Bar> as well as the implementation of SomeMethod.

At this point it's important to keep in mind the purpose of IQueryable<T>: it's intended for implementation by query providers. In other words, this isn't just some sequence of Bar instances which can be filtered and projected; no, this is a query expression which is intended to be translated into a query somewhere else – most often some dialect of SQL.

That's quite a demand to put on the caller.

It's certainly a powerful interface (or so it would seem), but is it really necessary? Does SomeMethod really need to be able to perform arbitrarily complex queries against a data source?

In one recent discussion, it turns out that all the developer really wanted to do was to be able to select based on a handful of simple criteria. In another case, the developer only wanted to do simple paging.

Such requirements could be modeled much simpler without making huge demands on the caller. In both cases, we could provide specialized Query Objects instead, or perhaps even simpler just a set of specialized queries:

IFoo FindById(int fooId);

IFoo FindByCorrelationId(int correlationId);

Or, in the case of paging:

IEnumerable<IFoo> GetFoos(int page);

This is certainly much more liberal in that it requires the caller to supply only the required information in order to implement the methods. Designing APIs in terms of Role Interfaces instead of Header Interfaces makes the APIs much more flexible. This will enable you to respond to change.

Exposing IQueryable<T>

The other part of Postel's law states that an API should be conservative in what it sends. In other words, a method must guarantee that the data it returns conforms rigorously to the contract between caller and implementer.

A method returning IQueryable<T> would take this generalized shape:

IQueryable<Bar> GetBars();

When designing APIs, a huge part of the contract is defined by the interface (or base class). Thus, the return type of a method specifies a conservative guarantee about the returned data. In the case of returning IQueryable<Bar> the method thus guarantees that it will return a complete implementation of IQueryable<Bar>.

Is that conservative?

Once again invoking the LSP, a consumer must be able to do anything allowed by IQueryable<Bar> without changing the correctness of the program.

That's a big honking promise to make.

Who can keep that promise?

Current Implementations

Implementing IQueryable<T> is a huge undertaking. If you don't believe me, just take a look at the official Building an IQueryable provider series of blog posts. Even so, the interface is so flexible and expressive that with a single exception, it's always possible to write a query that a given provider can't translate.

Have you ever worked with LINQ to Entities or another ORM and received a NotSupportedException? Lots of people have. In fact, with a single exception, it's my firm belief that all existing implementations violate the LSP (in fact, I challenge my readers to refer me to a real, publicly available implementation of IQueryable<T> that can accept any expression I throw at it, and I'll ship a free copy of my book to the first reader to do so).

Furthermore, the subset of features that each implementation supports varies from query provider to query provider. An expression that can be translated by the Entity framework may not work with Microsoft's OData query provider.

The only implementation that fully implements IQueryable<T> is the in-memory implementation (and referring to this one does not earn you a free book). Ironically, this implementation can be considered a Null Object implementation and goes against the whole purpose of the IQueryable<T> interface exactly because it doesn't translate the expression to another language.

Why This Matters

You may think this is all a theoretical exercise, but it actually does matter. When writing Clean Code, it's important to design an API in such a way that it's clear what it does.

An interface like this makes false guarantees:

public interface IRepository

    IQueryable<T> Query<T>();

According to the LSP and Postel's law, it would seem to guarantee that you can write any query expression (no matter how complex) against the returned instance, and it would always work.

In practice, this is never going to happen.

Programmers who define such interfaces invariably have a specific ORM in mind, and they implicitly tend to stay within the bounds they know are safe for that specific ORM. This is a leaky abstraction.

If you have a specific ORM in mind, then be explicit about it. Don't hide it behind an interface. It creates the illusion that you can replace one implementation with another. In practice, that's impossible. Imagine attempting to provide an implementation over an Event Store.

The cake is a lie.

Robust DI With the ASP.NET Web API

Mark Seemann — Tue, 20 Mar 2012 16:02:51 GMT

Like the WCF Web API, the new ASP.NET Web API supports Dependency Injection (DI), but the approach is different and the resulting code you'll have to write is likely to be more complex. This post describes how to enable robust DI with the new Web API. Since this is based on the beta release, I hope that it will become easier in the final release.

At first glance, enabling DI on an ASP.NET Web API looks seductively simple. As always, though, the devil is in the details. Nikos Baxevanis has already provided a more thorough description, but it's even more tricky than that.

Protocol

To enable DI, all you have to do is to call the SetResolver method, right? It even has an overload that enables you to supply two code blocks instead of implementing an interface (although you can certainly also implement IDependencyResolver). Could it be any easier than that?

Yes, it most certainly could.

Imagine that you'd like to hook up your DI Container of choice. As a first attempt, you try something like this:

GlobalConfiguration.Configuration.ServiceResolver.SetResolver(

    t => this.container.Resolve(t),

    t => this.container.ResolveAll(t).Cast<object>());

This compiles. Does it work? Yes, but in a rather scary manner. Although it satisfies the interface, it doesn't satisfy the protocol ("an interface describes whether two components will fit together, while a protocol describes whether they will work together." (GOOS, p. 58)).

The protocol, in this case, is that if you (or rather the container) can't resolve the type, you should return null. What's even worse is that if your code throws an exception (any exception, apparently), DependencyResolver will suppress it. In case you didn't know, this is strongly frowned upon in the .NET Framework Design Guidelines.

Even so, the official introduction article instead chooses to play along with the protocol and explicitly handle any exceptions. Something along the lines of this ugly code:

GlobalConfiguration.Configuration.ServiceResolver.SetResolver(

    t =>

try

            return this.container.Resolve(t);

        catch (ComponentNotFoundException)

            return null;

},

    t =>

try

            return this.container.ResolveAll(t).Cast<object>();

        catch (ComponentNotFoundException)

            return new List<object>();

);

Notice how try/catch is used for control flow – another major no no in the .NET Framework Design Guidelines.

At least with a good DI Container, we can do something like this instead:

GlobalConfiguration.Configuration.ServiceResolver.SetResolver(

    t => this.container.Kernel.HasComponent(t) ?

        this.container.Resolve(t) :

        null,

    t => this.container.ResolveAll(t).Cast<object>());

Still, first impressions don't exactly inspire trust in the implementation...

API Design Issues

Next, I would like to direct your attention to the DependencyResolver API. At its core, it looks like this:

public interface IDependencyResolver

    object GetService(Type serviceType);

    IEnumerable<object> GetServices(Type serviceType);

It can create objects, but what about decommissioning? What if, deep in a dependency graph, a Controller contains an IDisposable object? This is not a particularly exotic scenario – it might be an instance of an Entity Framework ObjectContext. While an ApiController itself implements IDisposable, it may not know that it contains an injected object graph with one or more IDisposable leaf nodes.

It's a fundamental rule of DI that you must Release what you Resolve. That's not possible with the DependencyResolver API. The result may be memory leaks.

Fortunately, it turns out that there's a fix for this (at least for Controllers). Unfortunately, this workaround leverages another design problem with DependencyResolver.

Mixed Responsibilities

It turns out that when you wire a custom resolver up with the SetResolver method, the ASP.NET Web API will query your custom resolver (such as a DI Container) for not only your application classes, but also for its own infrastructure components. That surprised me a bit because of the mixed responsibility, but at least this is a useful hook.

One of the first types the framework will ask for is an instance of IHttpControllerFactory, which looks like this:

public interface IHttpControllerFactory

    IHttpController CreateController(HttpControllerContext controllerContext,

        string controllerName);

    void ReleaseController(IHttpController controller);

Fortunately, this interface has a Release hook, so at least it's possible to release Controller instances, which is most important because there will be a lot of them (one per HTTP request).

Discoverability Issues

The IHttpControllerFactory looks a lot like the well-known ASP.NET MVC IControllerFactory interface, but there are subtle differences. In ASP.NET MVC, there's a DefaultControllerFactory with appropriate virtual methods one can overwrite (it follows the Template Method pattern).

There's also a DefaultControllerFactory in the Web API, but unfortunately no Template Methods to override. While I could write an algorithm that maps from the controllerName parameter to a type which can be passed to a DI Container, I'd rather prefer to be able to reuse the implementation which the DefaultControllerFactory contains.

In ASP.NET MVC, this is possible by overriding the GetControllerInstance method, but it turns out that the Web API (beta) does this slightly differently. It favors composition over inheritance (which is actually a good thing, so kudos for that), so after mapping controllerName to a Type instance, it invokes an instance of the IHttpControllerActivator interface (did I hear anyone say "FactoryFactory?"). Very loosely coupled (good), but not very discoverable (not so good). It would have been more discoverable if DefaultControllerFactory had used Constructor Injection to get its dependency, rather than relying on the Service Locator which DependencyResolver really is.

However, this is only an issue if you need to hook into the Controller creation process, e.g. in order to capture the HttpControllerContext for further use. In normal scenarios, despite what Nikos Baxevanis describes in his blog post, you don't have to override or implement IHttpControllerFactory.CreateController. The DependencyResolver infrastructure will automatically invoke your GetService implementation (or the corresponding code block) whenever a Controller instance is required.

Releasing Controllers

The easiest way to make sure that all Controller instances are being properly released is to derive a class from DefaultControllerFactory and override the ReleaseController method:

public class ReleasingControllerFactory : DefaultHttpControllerFactory

    private readonly Action<object> release;

    public ReleasingControllerFactory(Action<object> releaseCallback,

        HttpConfiguration configuration)

        : base(configuration)

        this.release = releaseCallback;

    public override void ReleaseController(IHttpController controller)

        this.release(controller);

        base.ReleaseController(controller);

Notice that it's not necessary to override the CreateController method, since the default implementation is good enough – it'll ask the DependencyResolver for an instance of IHttpControllerActivator, which will again ask the DependencyResolver for an instance of the Controller type, in the end invoking your custom GetObject implemention.

To keep the above example generic, I just injected an Action<object> into ReleasingControllerFactory – I really don't wish to turn this into a discussion about the merits and demerits of various DI Containers. In any case, I'll leave it as an exercise to you to wire up your favorite DI Container so that the releaseCallback is actually a call to the container's Release method.

Lifetime Cycles of Infrastructure Components

Before I conclude, I'd like to point out another POLA violation that hit me during my investigation.

The ASP.NET Web API utilizes DependencyResolver to resolve its own infrastructure types (such as IHttpControllerFactory, IHttpControllerActivator, etc.). Any custom DependencyResolver you supply will also be queried for these types. However:

When resolving infrastructure components, the Web API doesn't respect any custom lifecycle you may have defined for these components.

At a certain point while I investigated this, I wanted to configure a custom IHttpControllerActivator to have a Web Request Context (my book, section 8.3.4) – in other words, I wanted to create a new instance of IHttpControllerActivator for each incoming HTTP request.

This is not possible. The framework queries a custom DependencyResolver for an infrastructure type, but even when it receives an instance (i.e. not null), it doesn't trust the DependencyResolver to efficiently manage the lifetime of that instance. Instead, it caches this instance for ever, and never asks for it again. This is, in my opinion, a mistaken responsibility, and I hope it will be corrected in the final release.

Concluding Thoughts

Wiring up the ASP.NET Web API with robust DI is possible, but much harder than it ought to be. Suggestions for improvements are:

A Release hook in DependencyResolver.
The framework itself should trust the DependencyResolver to efficiently manage lifetime of all objects it create.

As I've described, there are other places were minor adjustments would be helpful, but these two suggestions are the most important ones.

Update (2012.03.21): I've posted this feedback to the product group on uservoice and Connect – if you agree, please visit those sites and vote up the issues.

Migrating from WCF Web API to ASP.NET Web API

Mark Seemann — Mon, 19 Mar 2012 22:24:47 GMT

Now that the WCF Web API has ‘become’ the ASP.NET Web API, I’ve had to migrate a semi-complex code base from the old to the new framework. These are my notes from that process.

Migrating Project References

As far as I can tell, the ASP.NET Web API isn’t just a port of the WCF Web API. At a cursory glance, it looks like a complete reimplementation. If it’s a port of the old code, it’s at least a rather radical one. The assemblies have completely different names, and so on.

Both old and new project, however, are based on NuGet packages, so it wasn’t particularly hard to change.

To remove the old project references, I ran this NuGet command:

Uninstall-Package webapi.all –RemoveDependencies

followed by

Install-Package aspnetwebapi

to install the project references for the ASP.NET Web API.

Rename Resources to Controllers

In the WCF Web API, there was no naming convention for the various resource classes. In the quickstarts, they were sometimes called Apis (like ContactsApi), and I called mine Resources (like CatalogResource). Whatever your naming convention was, the easiest things is to find them all and rename them to end with Controller (e.g. CatalogController).

AFAICT you can change the naming convention, but I didn’t care enough to do so.

Derive Controllers from ApiController

Unless you care to manually implement IHttpController, each Controller should derive from ApiController:

public class CatalogController : ApiController

Remove Attributes

The WCF Web API uses the [WebGet] and [WebInvoke] attributes. The ASP.NET Web API, on the other hand, uses routes, so I removed all the attributes, including their UriTemplates:

//[WebGet(UriTemplate = "/")]

public Catalog GetRoot()

Add Routes

As a replacement for attributes and UriTemplates, I added HTTP routes:

routes.MapHttpRoute(

    name: "DefaultApi",

    routeTemplate: "{controller}/{id}",

    defaults: new { controller = "Catalog", id = RouteParameter.Optional }

);

The MapHttpRoute method is an extension method defined in the System.Web.Http namespace, so I had to add a using directive for it.

Composition

Wiring up Controllers with Constructor Injection turned out to be rather painful. For a starting point, I used Nikos Baxevanis' guide, but it turns out there are further subtleties which should be addressed (more about this later, but to prevent a stream of comments about the DependencyResolver API: yes, I know about that, but it's inadequate for a number of reasons).

Media Types

In the ASP.NET Web API application/json is now the default media type format if the client doesn't supply any Accept header. For the WCF Web API I had had to resort to a hack to change the default, so this was a pleasant surprise.

It's still pretty easy to add more supported media types:

GlobalConfiguration.Configuration.Formatters.XmlFormatter

    .SupportedMediaTypes.Add(

        new MediaTypeHeaderValue("application/vnd.247e.artist+xml"));

GlobalConfiguration.Configuration.Formatters.JsonFormatter

    .SupportedMediaTypes.Add(

        new MediaTypeHeaderValue("application/vnd.247e.artist+json"));

(Talk about a Law of Demeter violation, BTW...)

However, due to an over-reliance on global state, it's not so easy to figure out how one would go about mapping certain media types to only a single Controller. This was much easier in the WCF Web API because it was possible to assign a separate configuration instance to each Controller/Api/Resource/Service/Whatever... This, I've still to figure out how to do...

Implementing an Abstract Factory

Mark Seemann — Thu, 15 Mar 2012 21:01:13 GMT

Abstract Factory is a tremendously useful pattern when used with Dependency Injection (DI). While I’ve repeatedly described how it can be used to solve various problems in DI, apparently I’ve never described how to implement one. As a comment to an older blog post of mine, Thomas Jaskula asks how I’d implement the IOrderShipperFactory.

To stay consistent with the old order shipper scenario, this blog post outlines three alternative ways to implement the IOrderShipperFactory interface.

To make it a bit more challenging, the implementation should create instances of the OrderShipper2 class, which itself has a dependency:

public class OrderShipper2 : IOrderShipper

    private readonly IChannel channel;

    public OrderShipper2(IChannel channel)

        if (channel == null)

            throw new ArgumentNullException("channel");

        this.channel = channel;

    public void Ship(Order order)

        // Ship the order and

        // raise a domain event over this.channel

In order to be able to create an instance of OrderShipper2, any factory implementation must be able to supply an IChannel instance.

Manually Coded Factory

The first option is to manually wire up the OrderShipper2 instance within the factory:

public class ManualOrderShipperFactory :

    IOrderShipperFactory

    private readonly IChannel channel;

    public ManualOrderShipperFactory(IChannel channel)

        if (channel == null)

            throw new ArgumentNullException("channel");

        this.channel = channel;

    public IOrderShipper Create()

        return new OrderShipper2(this.channel);

This has the advantage that it’s easy to understand. It can be unit tested and implemented in the same library that also contains OrderShipper2 itself. This means that any client of that library is supplied with a read-to-use implementation.

The disadvantage of this approach is that if/when the constructor of OrderShipper2 changes, the ManualOrderShipperFactory class must also be corrected. Pragmatically, this may not be a big deal, but one could successfully argue that this violates the Open/Closed Principle.

Container-based Factory

Another option is to make the implementation a thin Adapter over a DI Container – in this example Castle Windsor:

public class ContainerFactory : IOrderShipperFactory

    private IWindsorContainer container;

    public ContainerFactory(IWindsorContainer container)

        if (container == null)

            throw new ArgumentNullException("container");

        this.container = container;

    public IOrderShipper Create()

        return this.container.Resolve<IOrderShipper>();

But wait! Isn’t this an application of the Service Locator anti-pattern? Not if this class is part of the Composition Root.

If this implementation was placed in the same library as OrderShipper2 itself, it would mean that the library would have a hard dependency on the container. In such a case, it would certainly be a Service Locator.

However, when a Composition Root already references a container, it makes sense to place the ContainerFactory class there. This changes its role to the pure infrastructure component it really ought to be. This seems more SOLID, but the disadvantage is that there’s no longer a ready-to-use implementation packaged together with the LazyOrderShipper2 class. All new clients must supply their own implementation.

Dynamic Proxy

The third option is to basically reduce the principle behind the container-based factory to its core. Why bother writing even a thin Adapter if one can be automatically generated.

With Castle Windsor, the Typed Factory Facility makes this possible:

container.AddFacility<TypedFactoryFacility>();

container.Register(Component

    .For<IOrderShipperFactory>()

    .AsFactory());

var factory =

    container.Resolve<IOrderShipperFactory>();

There is no longer any code which implements IOrderShipperFactory. Instead, a class conceptually similar to the ContainerFactory class above is dynamically generated and emitted at runtime.

While the code never materializes, conceptually, such a dynamically emitted implementation is still part of the Composition Root.

This approach has the advantage that it’s very DRY, but the disadvantages are similar to the container-based implementation above: there’s no longer a ready-to-use implementation. There’s also the additional disadvantage that out of the three alternative here outlined, the proxy-based implementation is the most difficult to understand.

Is Layering Worth the Mapping?

Mark Seemann — Thu, 09 Feb 2012 22:55:44 GMT

For years, layered application architecture has been a de-facto standard for loosely coupled architectures, but the question is: does the layering really provide benefit?

In theory, layering is a way to decouple concerns so that UI concerns or data access technologies don’t pollute the domain model. However, this style of architecture seems to come at a pretty steep price: there’s a lot of mapping going on between the layers. Is it really worth the price, or is it OK to define data structures that cut across the various layers?

The short answer is that if you cut across the layers, it’s no longer a layered application. However, the price of layering may still be too high.

In this post I’ll examine the problem and the proposed solution and demonstrate why none of them are particularly good. In the end, I’ll provide a pointer going forward.

Proper Layering

To understand the problem with layering, I’ll describe a fairly simple example. Assume that you are building a music service and you’ve been asked to render a top 10 list for the day. It would have to look something like this in a web page:

As part of rending the list, you must color the Movement values accordingly using CSS.

A properly layered architecture would look something like this:

Each layer defines some services and some data-carrying classes (Entities, if you want to stick with the Domain-Driven Design terminology). The Track class is defined by the Domain layer, while the TopTrackViewModel class is defined in the User Interface layer, and so on. If you are wondering about why Track is used to communicate both up and down, this is because the Domain layer should be the most decoupled layer, so the other layers exist to serve it. In fact, this is just a vertical representation of the Ports and Adapters architecture, with the Domain Model sitting in the center.

This architecture is very decoupled, but comes at the cost of much mapping and seemingly redundant repetition. To demonstrate why that is, I’m going to show you some of the code. This is an ASP.NET MVC application, so the Controller is an obvious place to start:

public ViewResult Index()

    var date = DateTime.Now.Date;

    var topTracks = this.trackService.GetTopFor(date);

    return this.View(topTracks);

This doesn’t look so bad. It asks an ITrackService for the top tracks for the day and returns a list of TopTrackViewModel instances. This is the implementation of the track service:

public IEnumerable<TopTrackViewModel> GetTopFor(

    DateTime date)

    var today = DateTime.Now.Date;

    var yesterDay = today - TimeSpan.FromDays(1);

    var todaysTracks =

        this.repository.GetTopFor(today).ToList();

    var yesterdaysTracks =

        this.repository.GetTopFor(yesterDay).ToList();

    var length = todaysTracks.Count;

    var positions = Enumerable.Range(1, length);

    return from tt in todaysTracks.Zip(

                positions, (t, p) =>

                    new { Position = p, Track = t })

            let yp = (from yt in yesterdaysTracks.Zip(

                            positions, (t, p) =>

new

                                    Position = p,

                                    Track = t

})

                        where yt.Track.Id == tt.Track.Id

                        select yt.Position)

                        .DefaultIfEmpty(-1)

                        .Single()

            let cssClass = GetCssClass(tt.Position, yp)

            select new TopTrackViewModel

                Position = tt.Position,

                Name = tt.Track.Name,

                Artist = tt.Track.Artist,

                CssClass = cssClass

};

private static string GetCssClass(

    int todaysPosition, int yesterdaysPosition)

    if (yesterdaysPosition < 0)

        return "new";

    if (todaysPosition < yesterdaysPosition)

        return "up";

    if (todaysPosition == yesterdaysPosition)

        return "same";

    return "down";

While that looks fairly complex, there’s really not a lot of mapping going on. Most of the work is spent getting the top 10 track for today and yesterday. For each position on today’s top 10, the query finds the position of the same track on yesterday’s top 10 and creates a TopTrackViewModel instance accordingly.

Here’s the only mapping code involved:

select new TopTrackViewModel

    Position = tt.Position,

    Name = tt.Track.Name,

    Artist = tt.Track.Artist,

    CssClass = cssClass

};

This maps from a Track (a Domain class) to a TopTrackViewModel (a UI class).

This is the relevant implementation of the repository:

public IEnumerable<Track> GetTopFor(DateTime date)

    var dbTracks = this.GetTopTracks(date);

    foreach (var dbTrack in dbTracks)

        yield return new Track(

            dbTrack.Id,

            dbTrack.Name,

            dbTrack.Artist);

You may be wondering about the translation from DbTrack to Track. In this case you can assume that the DbTrack class is a class representation of a database table, modeled along the lines of your favorite ORM. The Track class, on the other hand, is a proper object-oriented class which protects its invariants:

public class Track

    private readonly int id;

    private string name;

    private string artist;

    public Track(int id, string name, string artist)

        if (name == null)

            throw new ArgumentNullException("name");

        if (artist == null)

            throw new ArgumentNullException("artist");

        this.id = id;

        this.name = name;

        this.artist = artist;

    public int Id

        get { return this.id; }

    public string Name

        get { return this.name; }

set

            if (value == null)

                throw new ArgumentNullException("value");

            this.name = value;

    public string Artist

        get { return this.artist; }

set

            if (value == null)

                throw new ArgumentNullException("value");

            this.artist = value;

No ORM I’ve encountered so far has been able to properly address such invariants – particularly the non-default constructor seems to be a showstopper. This is the reason a separate DbTrack class is required, even for ORMs with so-called POCO support.

In summary, that’s a lot of mapping. What would be involved if a new field is required in the top 10 table? Imagine that you are being asked to provide the release label as an extra column.

A Label column must be added to the database schema and the DbTrack class.
A Label property must be added to the Track class.
The mapping from DbTrack to Track must be updated.
A Label property must be added to the TopTrackViewModel class.
The mapping from Track to TopTrackViewModel must be updated.
The UI must be updated.

That’s a lot of work in order to add a single data element, and this is even a read-only scenario! Is it really worth it?

Cross-Cutting Entities

Is strict separation between layers really so important? What would happen if Entities were allowed to travel across all layers? Would that really be so bad?

Such an architecture is often drawn like this:

Now, a single Track class is allowed to travel from layer to layer in order to avoid mapping. The controller code hasn’t really changed, although the model returned to the View is no longer a sequence of TopTrackViewModel, but simply a sequence of Track instances:

public ViewResult Index()

    var date = DateTime.Now.Date;

    var topTracks = this.trackService.GetTopFor(date);

    return this.View(topTracks);

The GetTopFor method also looks familiar:

public IEnumerable<Track> GetTopFor(DateTime date)

    var today = DateTime.Now.Date;

    var yesterDay = today - TimeSpan.FromDays(1);

    var todaysTracks =

        this.repository.GetTopFor(today).ToList();

    var yesterdaysTracks =

        this.repository.GetTopFor(yesterDay).ToList();

    var length = todaysTracks.Count;

    var positions = Enumerable.Range(1, length);

    return from tt in todaysTracks.Zip(

                positions, (t, p) =>

                    new { Position = p, Track = t })

            let yp = (from yt in yesterdaysTracks.Zip(

                            positions, (t, p) =>

new

                                    Position = p,

                                    Track = t

})

                        where yt.Track.Id == tt.Track.Id

                        select yt.Position)

                        .DefaultIfEmpty(-1)

                        .Single()

            let cssClass = GetCssClass(tt.Position, yp)

            select Enrich(

                tt.Track, tt.Position, cssClass);

private static string GetCssClass(

    int todaysPosition, int yesterdaysPosition)

    if (yesterdaysPosition < 0)

        return "new";

    if (todaysPosition < yesterdaysPosition)

        return "up";

    if (todaysPosition == yesterdaysPosition)

        return "same";

    return "down";

private static Track Enrich(

    Track track, int position, string cssClass)

    track.Position = position;

    track.CssClass = cssClass;

    return track;

Whether or not much has been gained is likely to be a subjective assessment. While mapping is no longer taking place, it’s still necessary to assign a CSS Class and Position to the track before handing it off to the View. This is the responsibility of the new Enrich method:

private static Track Enrich(

    Track track, int position, string cssClass)

    track.Position = position;

    track.CssClass = cssClass;

    return track;

If not much is gained at the UI layer, perhaps the data access layer has become simpler? This is, indeed, the case:

public IEnumerable<Track> GetTopFor(DateTime date)

    return this.GetTopTracks(date);

If, hypothetically, you were asked to add a label to the top 10 table it would be much simpler:

A Label column must be added to the database schema and the Track class.
The UI must be updated.

This looks good. Are there any disadvantages? Yes, certainly. Consider the Track class:

public class Track

    public int Id { get; set; }

    public string Name { get; set; }

    public string Artist { get; set; }

    public int Position { get; set; }

    public string CssClass { get; set; }

It also looks simpler than before, but this is actually not particularly beneficial, as it doesn’t protect its invariants. In order to play nice with the ORM of your choice, it must have a default constructor. It also has automatic properties. However, most insidiously, it also somehow gained the Position and CssClass properties.

What does the Position property imply outside of the context of a top 10 list? A position in relation to what?

Even worse, why do we have a property called CssClass? CSS is a very web-specific technology so why is this property available to the Data Access and Domain layers? How does this fit if you are ever asked to build a native desktop app based on the Domain Model? Or a REST API? Or a batch job?

When Entities are allowed to travel along layers, the layers basically collapse. UI concerns and data access concerns will inevitably be mixed up. You may think you have layers, but you don’t.

Is that such a bad thing, though?

Perhaps not, but I think it’s worth pointing out:

The choice is whether or not you want to build a layered application. If you want layering, the separation must be strict. If it isn’t, it’s not a layered application.

There may be great benefits to be gained from allowing Entities to travel from database to user interface. Much mapping cost goes away, but you must realize that then you’re no longer building a layered application – now you’re building a web application (or whichever other type of app you’re initially building).

Further Thoughts

It’s a common question: how hard is it to add a new field to the user interface?

The underlying assumption is that the field must somehow originate from a corresponding database column. If this is the case, mapping seems to be in the way.

However, if this is the major concern about the application you’re currently building, it’s a strong indication that you are building a CRUD application. If that’s the case, you probably don’t need a Domain Model at all. Go ahead and let your ORM POCO classes travel up and down the stack, but don’t bother creating layers: you’ll be building a monolithic application no matter how hard you try not to.

In the end it looks as though none of the options outlined in this article are particularly good. Strict layering leads to too much mapping, and no mapping leads to monolithic applications. Personally, I’ve certainly written quite a lot of strictly layered applications, and while the separation of concerns was good, I was never happy with the mapping overhead.

At the heart of the problem is the CRUDy nature of many applications. In such applications, complex object graphs are traveling up and down the stack. The trick is to avoid complex object graphs.

Move less data around and things are likely to become simpler. This is one of the many interesting promises of CQRS, and particularly it’s asymmetric approach to data.

To be honest, I wish I had fully realized this when I started writing my book, but when I finally realized what I’d implicitly felt for long, it was to late to change direction. Rest assured that nothing in the book is fundamentally flawed. The patterns etc. still hold, but the examples could have been cleaner if the sample applications had taken a CQRS-like direction instead of strict layering.

Loose Coupling and the Big Picture

Mark Seemann — Thu, 02 Feb 2012 20:37:40 GMT

A common criticism of loosely coupled code is that it’s harder to understand. How do you see the big picture of an application when loose coupling is everywhere? When the entire code base has been programmed against interfaces instead of concrete classes, how do we understand how the objects are wired and how they interact?

In this post, I’ll provide answers on various levels, from high-level architecture over object-oriented principles to more nitty-gritty code. Before I do that, however, I’d like to pose a set of questions you should always be prepared to answer.

My first reaction to that sort of question is: you say loosely coupled code is harder to understand. Harder than what?

If we are talking about a non-trivial application, odds are that it’s going to take some time to understand the code base – whether or not it’s loosely coupled. Agreed: understanding a loosely coupled code base takes some work, but so does understanding a tightly coupled code base. The question is whether it’s harder to understand a loosely coupled code base?

Imagine that I’m having a discussion about this subject with Mary Rowan from my book.

Mary: “Loosely coupled code is harder to understand.”

Me: “Why do you think that is?”

Mary: “It’s very hard to navigate the code base because I always end up at an interface.”

Me: “Why is that a problem?”

Mary: “Because I don’t know what the interface does.”

At this point I’m very tempted to answer Mu. An interfaces doesn’t do anything – that’s the whole point of it. According to the Liskov Substitution Principle (LSP), a consumer shouldn’t have to care about what happens on the other side of the interface.

However, developers used to tightly coupled code aren’t used to think about services in this way. They are used to navigate the code base from consumer to service to understand how the two of them interact, and I will gladly admit this: in principle, that’s impossible to do in a loosely coupled code base. I’ll return to this subject in a little while, but first I want to discuss some strategies for understanding a loosely coupled code base.

Architecture and Documentation

Yes: documentation. Don’t dismiss it. While I agree with Uncle Bob and like-minded spirits that the code is the documentation, a two-page document that outlines the Big Picture might save you from many hours of code archeology.

The typical agile mindset is to minimize documentation because it tends to lose touch with the code base, but even so, it should be possible to maintain a two-page high-level document so that it stays up to date. Consider the alternative: if you have so much architectural churn that even a two-page overview regularly falls behind, then you’re probably having a greater problem than understanding your loosely coupled code base.

Maintaining such a document isn’t adverse to the agile spirit. You’ll find the same advice in Lean Architecture (p. 127). Don’t underestimate the value of such a document.

See the Forest Instead of the Trees

Understanding a loosely coupled code base typically tends to require a shift of mindset.

Recall my discussion with Mary Rowan. The criticism of loose coupling is that it’s difficult to understand which collaborators are being invoked. A developer like Mary Rowan is used to learn a code base by understanding all the myriad concrete details of it. In effect, while there may be ‘classes’ around, there are no abstractions in place. In order to understand the behavior of a user interface element, it’s necessary to also understand what’s happening in the database – and everything in between.

A loosely coupled code base shouldn’t be like that.

The entire purpose of loose coupling is that we should be able to reason about a part (a ‘unit’, if you will) without understanding the whole.

In a tightly coupled code base, it’s often impossible to see the forest for the trees. Although we developers are good at relating to details, a tightly coupled code base requires us to be able to contain the entire code base in our heads in order to understand it. As the size of the code base grows, this becomes increasingly difficult.

In a loosely coupled code base, on the other hand, it should be possible to understand smaller parts in isolation. However, I purposely wrote “should be”, because that’s not always the case. Often, a so-called “loosely coupled” code base violates basic principles of object-oriented design.

RAP

The criticism that it’s hard to see “what’s on the other side of an interface” is, in my opinion, central. It betrays a mindset which is still tightly coupled.

In many code bases there’s often a single implementation of a given interface, so developers can be forgiven if they think about an interface as only a piece of friction that prevents them from reaching the concrete class on the other side. However, if that’s the case with most of the interfaces in a code base, it signifies a violation of the Reused Abstractions Principle (RAP) more than it signifies loose coupling.

Jim Cooper, a reader of my book, put it quite eloquently on the book’s forum:

“So many people think that using an interface magically decouples their code. It doesn't. It only changes the nature of the coupling. If you don't believe that, try changing a method signature in an interface - none of the code containing method references or any of the implementing classes will compile. I call that coupled”

Refactoring tools aside, I completely agree with this statement. The RAP is a test we can use to verify whether or not an interface is truly reusable – what better test is there than to actually reuse your interfaces?

The corollary of this discussion is that if a code base is massively violating the RAP then it’s going to be hard to understand. It has all the disadvantages of loose coupling with few of the benefits. If that’s the case, you would gain more benefit from making it either more tightly coupled or truly loosely coupled.

What does “truly loosely coupled” mean?

LSP

According to the LSP a consumer must not concern itself with “what’s on the other side of the interface”. It should be possible to replace any implementation with any other implementation of the same interface without changing the correctness of the program.

This is why I previously said that in a truly loosely coupled code base, it isn’t ‘hard’ to understand “what’s on the other side of the interface” – it’s impossible. At design-time, there’s nothing ‘behind’ the interface. The interface is what you are programming against. It’s all there is.

Mary has been listening to all of this, and now she protests:

Mary: “At run-time, there’s going to be a concrete class behind the interface.”

Me (being annoyingly pedantic): “Not quite. There’s going to be an instance of a concrete class which the consumer invokes via the interface it implements.”

Mary: “Yes, but I still need to know which concrete class is going to be invoked.”

Me: “Why?”

Mary: “Because otherwise I don’t know what’s going to happen when I invoke the method.”

This type of answer often betrays a much more fundamental problem in a code base.

CQS

Now we are getting into the nitty-gritty details of class design. What would you expect that the following method does?

public List<Order> GetOpenOrders(Customer customer)

The method name indicates that it gets open orders, and the signature seems to back it up. A single database query might be involved, since this looks a lot like a read-operation. A quick glance at the implementation seems to verify that first impression:

public List<Order> GetOpenOrders(Customer customer)

    var orders = GetOrders(customer);

    return (from o in orders

            where o.Status == OrderStatus.Open

            select o).ToList();

Is it safe to assume that this is a side-effect-free method call? As it turns out, this is far from the case in this particular code base:

private List<Order> GetOrders(Customer customer)

    var gw = new CustomerGateway(this.ConnectionString);

    var orders = gw.GetOrders(customer);

    AuditOrders(orders);

    FixCustomer(gw, orders, customer);

    return orders;

The devil is in the details. What does AuditOrders do? And what does FixCustomer do? One method at a time:

private void AuditOrders(List<Order> orders)

    var user = Thread.CurrentPrincipal.Identity.ToString();

    var gw = new OrderGateway(this.ConnectionString);

    foreach (var o in orders)

        var clone = o.Clone();

        var ar = new AuditRecord

            Time = DateTime.Now,

            User = user

};

        clone.AuditTrail.Add(ar);

        gw.Update(clone);

        // We don't want the consumer to see the audit trail.

        o.AuditTrail.Clear();

OK, it turns out that this method actually makes a copy of each and every order and updates that copy, writing it back to the database in order to leave behind an audit trail. It also mutates each order before returning to the caller. Not only does this method result in an unexpected N+1 problem, it also mutates its input, and perhaps even more surprising, it’s leaving the system in a state where the in-memory object is different from the database. This could lead to some pretty interesting bugs.

Then what happens in the FixCustomer method? This:

// Fixes the customer status field if there were orders

// added directly through the database.

private static void FixCustomer(CustomerGateway gw,

    List<Order> orders, Customer customer)

    var total = orders.Sum(o => o.Total);

    if (customer.Status != CustomerStatus.Preferred

        && total > PreferredThreshold)

        customer.Status = CustomerStatus.Preferred;

        gw.Update(customer);

Another potential database write operation, as it turns out – complete with an apology. Now that we’ve learned all about the details of the code, even the GetOpenOrders method is beginning to look suspect. The GetOrders method returns all orders, with the side effect that all orders were audited as having been read by the user, but the GetOpenOrders filters the output. In the end, it turns out that we can’t even trust the audit trail.

While I must apologize for this contrived example of a Transaction Script, it’s clear that when code looks like that, it’s no wonder why developers think that it’s necessary to contain the entire code base in their heads. When this is the case, interfaces are only in the way.

However, this is not the fault of loose coupling, but rather a failure to adhere to the very fundamental principle of Command-Query Separation (CQS). You should be able to tell from the method signature alone whether invoking the method will or will not have side-effects. This is one of the key messages from Clean Code: the method name and signature is an abstraction. You should be able to reason about the behavior of the method from its declaration. You shouldn’t have to read the code to get an idea about what it does.

Abstractions always hide details. Method declarations do too. The point is that you should be able to read just the method declaration in order to gain a basic understanding of what’s going on. You can always return to the method’s code later in order to understand detail, but reading the method declaration alone should provide the Big Picture.

Strictly adhering to CQS goes a long way in enabling you to understand a loosely coupled code base. If you can reason about methods at a high level, you don’t need to see “the other side of the interface” in order to understand the Big Picture.

Stack Traces

Still, even in a loosely coupled code base with great test coverage, integration issues arise. While each class works fine in isolation, when you integrate them, sometimes the interactions between them cause errors. This is often because of incorrect assumptions about the collaborators, which often indicates that the LSP was somehow violated.

To understand why such errors occur, we need to understand which concrete classes are interacting. How do we do that in a loosely coupled code base?

That’s actually easy: look at the stack trace from your error report. If your error report doesn’t include a stack trace, make sure that it’s going to do that in the future.

The stack trace is one of the most important troubleshooting tools in a loosely coupled code base, because it’s going to tell you exactly which classes were interacting when an exception was thrown.

Furthermore, if the code base also adheres to the Single Responsibility Principle and the ideals from Clean Code, each method should be very small (under 15 lines of code). If that’s the case, you can often understand the exact nature of the error from the stack trace and the error message alone. It shouldn’t even be necessary to attach a debugger to understand the bug, but in a pinch, you can still do that.

Tooling

Returning to the original question, I often hear people advocating tools such as IDE add-ins which support navigation across interfaces. Such tools might provide a menu option which enables you to “go to implementation”. At this point it should be clear that such a tool is mainly going to be helpful in code bases that violate the RAP.

(I’m not naming any particular tools here because I’m not interested in turning this post into a discussion about the merits of various specific tools.)

Conclusion

It’s the responsibility of the loosely coupled code base to make sure that it’s easy to understand the Big Picture and that it’s easy to work with. In the end, that responsibility falls on the developers who write the code – not the developer who’s trying to understand it.

SOLID is Append-only

Mark Seemann — Tue, 03 Jan 2012 14:43:47 GMT

SOLID is a set of principles that, if applied consistently, has some surprising effect on code. In a previous post I provided a sketch of what it means to meticulously apply the Single Responsibility Principle. In this article I will describe what happens when you follow the Open/Closed Principle (OCP) to its logical conclusion.

In case a refresher is required, the OCP states that a class should be open for extension, but closed for modification. It seems to me that people often forget the second part. What does it mean?

It means that once implemented, you shouldn’t touch that piece of code ever again (unless you need to correct a bug).

Then how can new functionality be added to a code base? This is still possible through either inheritance or polymorphic recomposition. Since the L in SOLID signifies the Liskov Substitution Principle, SOLID code tends to be based on loosely coupled code composed into an application through copious use of interfaces – basically, Strategies injected into other Strategies and so on (also due to Dependency Inversion Principle). In order to add functionality, you can create new implementations of these interfaces and redefine the application’s Composition Root. Perhaps you’d be wrapping existing functionality in a Decorator or adding it to a Composite.

Once in a while, you’ll stop using an old implementation of an interface. Should you then delete this implementation? What would be the point? At a certain point in time, this implementation was valuable. Maybe it will become valuable again. Leaving it as an potential building block seems a better choice.

Thus, if we think about working with code as a CRUD endeavor, SOLID code can be Created and Read, but never Updated or Deleted. In other words, true SOLID code is append-only code.

Example: Changing AutoFixture’s Number Generation Algorithm

In early 2011 an issue was reported for AutoFixture: Anonymous numbers were created in monotonically increasing sequences, but with separate sequences for each number type:

integers: 1, 2, 3, 4, 5, …

decimals: 1.0, 2.0, 3.0, 4.0, 5.0, …

and so on. However, the person reporting the issue thought it made more sense if all numbers shared a single sequence. After thinking about it a little while, I agreed.

Because the AutoFixture code base is fairly SOLID we decided to leave the old implementations in place and implement the new behavior in new classes.

The old behavior was composed from a set of ISpecimenBuilders. As an example, integers were generated by this class:

public class Int32SequenceGenerator : ISpecimenBuilder

    private int i;

    public int CreateAnonymous()

        return Interlocked.Increment(ref this.i);

    public object Create(object request,

        ISpecimenContext context)

        if (request != typeof(int))

            return new NoSpecimen(request);

        return this.CreateAnonymous();

Similar implementations generated decimals, floats, doubles, etc. Instead of modifying any of these classes, we left them in the code base and created a new ISpecimenBuilder that generates all numbers from a single sequence:

public class NumericSequenceGenerator : ISpecimenBuilder

    private int value;

    public object Create(object request,

        ISpecimenContext context)

        var type = request as Type;

        if (type == null)

            return new NoSpecimen(request);

        return this.CreateNumericSpecimen(type);

    private object CreateNumericSpecimen(Type request)

        var typeCode = Type.GetTypeCode(request);

        switch (typeCode)

            case TypeCode.Byte:

                return (byte)this.GetNextNumber();

            case TypeCode.Decimal:

                return (decimal)this.GetNextNumber();

            case TypeCode.Double:

                return (double)this.GetNextNumber();

            case TypeCode.Int16:

                return (short)this.GetNextNumber();

            case TypeCode.Int32:

                return this.GetNextNumber();

            case TypeCode.Int64:

                return (long)this.GetNextNumber();

            case TypeCode.SByte:

                return (sbyte)this.GetNextNumber();

            case TypeCode.Single:

                return (float)this.GetNextNumber();

            case TypeCode.UInt16:

                return (ushort)this.GetNextNumber();

            case TypeCode.UInt32:

                return (uint)this.GetNextNumber();

            case TypeCode.UInt64:

                return (ulong)this.GetNextNumber();

            default:

                return new NoSpecimen(request);

    private int GetNextNumber()

        return Interlocked.Increment(ref this.value);

Adding a new class in itself has no effect, so in order to recompose the default behavior of AutoFixture, we changed a class called DefaultPrimitiveBuilders by removing the old ISpecimenBuilders like Int32SequenceGenerator and instead adding NumericSequenceGenerator:

yield return new StringGenerator(() =>

    Guid.NewGuid());

yield return new ConstrainedStringGenerator();

yield return new StringSeedRelay();

yield return new NumericSequenceGenerator();

yield return new CharSequenceGenerator();

yield return new RangedNumberGenerator();

// even more builders...

NumericSequenceGenerator is the fourth class being yielded here. Before we added NumericSequenceGenerator, this class instead yielded Int32SequenceGenerator and similar classes. These were removed.

The DefaultPrimitiveBuilders class is part of AutoFixture’s default Facade and is the closest we get to a Composition Root for the library. Recomposing this Facade enabled us to change the behavior of AutoFixture without modifying (other) existing classes.

As Enrico (who implemented this change) points out, the beauty is that the previous behavior is still in the box, and all it takes is a single method call to bring it back:

var fixture = new Fixture().Customize(

    new NumericSequencePerTypeCustomization());

The only class we had to modify was the DefaultPrimitiveBuilders, which is where the object graph is composed. In applications this corresponds to the Composition Root, so even in the face of SOLID code, you still need to modify the Composition Root in order to recompose the application. However, use of a good DI Container and a strong set of conventions can do much to minimize the required editing of such a class.

SOLID versus Refactoring

SOLID is a goal I strive towards in the way I write code and design APIs, but I don’t think I’ve ever written a significant code base which is perfectly SOLID. While I consider AutoFixture a ‘fairly’ SOLID code base, it’s not perfect, and I’m currently performing some design work in order to change some abstractions for version 3.0. This will require changing some of the existing types and thereby violating the OCP.

It’s worth noting that as long as you can stick with the OCP you can avoid introducing breaking changes. A breaking change is also an OCP violation, so adhering to the OCP is more than just an academic exercise – particularly if you write reusable libraries.

Still, while none of my code is perfect and I occasionally have to refactor, I don’t refactor much. By definition, refactoring means violating the OCP, and while I have nothing against refactoring code when it’s required, I much prefer putting myself in a situation where it’s rarely necessary in the first place.

I’ve often been derided for my lack of use of Resharper. When replying that I have little use for Resharper because I write SOLID code and thus don’t do much refactoring, I’ve been ridiculed for being totally clueless. People don’t realize the intimate relationship between SOLID and refactoring. I hope this post has helped highlight that connection.

Testing Container Configurations

Mark Seemann — Wed, 21 Dec 2011 13:25:32 GMT

Here’s a question I often get:

“Should I test my DI Container configuration?”

The motivation for asking mostly seems to be that people want to know whether or not their applications are correctly wired. That makes sense.

A related question I also often get is whether or not a particular container has a self-test feature? In this post I’ll attempt to answer both questions.

Container Self-testing

Some DI Containers have a method you can invoke to make it perform a consistency check on itself. As an example, StructureMap has the AssertConfigurationIsValid method that, according to documentation does “a full environment test of the configuration of [the] container.” It will “try to create every configured instance [...]”

Calling the method is really easy:

container.AssertConfigurationIsValid();

Such a self-test can often be an expensive operation (not only for StructureMap, but in general) because it’s basically attempting to create an instance of each and every Service registered in the container. If the configuration is large, it’s going to take some time, but it’s still going to be faster than performing a manual test of the application.

Two questions remain: Is it worth invoking this method? Why don’t all containers have such a method?

The quick answer is that such a method is close to worthless, which also explains why many containers don’t include one.

To understand the answer, consider the set of all components contained in the container in this figure:

The container contains the set of components IFoo, IBar, IBaz, Foo, Bar, Baz, and Qux so a self-test will try to create a single instance of each of these seven types. If all seven instances can be created, the test succeeds.

All this accomplishes is to verify that the configuration is internally consistent. Even so, an application could require instances of the ICorge, Corge or Grault types which are completely external to the configuration, in which case resolution would fail.

Even more subtly, resolution would also fail whenever the container is queried for an instance of IQux, since this interface isn’t part of the configuration, even though it’s related to the concrete Qux type which is registered in the container. A self-test only verifies that the concrete Qux class can be resolved, but it never attempts to create an instance of the IQux interface.

In short, the fact that a container’s configuration is internally consistent doesn’t guarantee that all services required by an application can be served.

Still, you may think that at least a self-test can constitute an early warning system: if the self-test fails, surely it must mean that the configuration is invalid? Unfortunately, that’s not true either.

If a container is being configured using Auto-registration/Convention over Configuration to scan one or more assemblies and register certain types contained within, chances are that ‘too many’ types will end up being registered – particularly if one or more of these assemblies are reusable libraries (as opposed to application-specific assemblies). Often, the number of redundant types added is negligible, but they may make the configuration internally inconsistent. However, if the inconsistency only affects the redundant types, it doesn’t matter. The container will still be able to resolve everything the current application requires.

Thus, a container self-test method is worthless.

Then how can the container configuration be tested?

Explicit Testing of Container Configuration

Since a container self-test doesn’t achieve the desired goal, how can we ensure that an application can be composed correctly?

One option is to write an automated integration test (not a unit test) for each service that the application requires. Still, if done manually, you run the risk of forgetting to write a test for a specific service. A better option is to come up with a convention so that you can identify all the services required by a specific application, and then write a convention-based test to verify that the container can resolve them all.

Will this guarantee that the application can be correctly composed?

No, it only guarantees that it can be composed – not that this composition is correct.

Even when a composed instance can be created for each and every service, many things may still be wrong:

Composition is just plain wrong:
- Decorators may be missing
- Decorators may have been added in the wrong order
- The wrong services are injected into consumers (this is more likely to happen when you follow the Reused Abstractions Principle, since there will be multiple concrete implementations of each interface)
Configuration values like connection strings and such are incorrect – e.g. while a connection string is supplied to a constructor, it may not contain the correct values.
Even if everything is correctly composed, the run-time environment may prevent the application from working. As an example, even if an injected connection string is correct, there may not be any connection to the database due to network or security misconfiguration.

In short, a Subcutaneous Test or full System Test is the only way to verify that everything is correctly wired. However, if you have good test coverage at the unit test level, a series of Smoke Tests is all that you need at the System Test level because in general you have good reason to believe that all behavior is correct. The remaining question is whether all this correct behavior can be correctly connected, and that tends to be an all-or-nothing proposition.

Conclusion

While it would be possible to write a set of convention-based integration tests to verify the configuration of a DI Container, the return of investment is too low since it doesn’t remove the need for a set of Smoke Tests at the System Test level.

Factory Overload

Mark Seemann — Mon, 19 Dec 2011 13:04:55 GMT

Recently I received a question from Kelly Sommers about good ways to refactor away from Factory Overload. Basically, she’s working in a code base where there’s an explosion of Abstract Factories which seems to be counter-productive. In this post I’ll take a look at the example problem and propose a set of alternatives.

An Abstract Factory (and its close relative Product Trader) can serve as a solution to various challenges that come up when writing loosely coupled code (chapter 6 of my book describes the most common scenarios). However, introducing an Abstract Factory may be a leaky abstraction, so don’t do it blindly. For example, an Abstract Factory is rarely the best approach to address lifetime management concerns. In other words, the Abstract Factory has to make sense as a pure model element.

That’s not the case in the following example.

Problem Statement

The question centers around a code base that integrates with a database closely guarded by DBA police. Apparently, every single database access must happen through a set of very fine-grained stored procedures.

For example, to update the first name of a user, a set of stored procedures exist to support this scenario, depending on the context of the current application user:

User type	Stored procedure	Parameter name
Admin	update_admin_firstname	adminFirstName
Guest	update_guest_firstname	guestFirstName
Regular	update_regular_firstname	regularFirstName
Restricted	update_restricted_firstname	restrictedFirstName

As this table demonstrates, not only is there a stored procedure for each user context, but the parameter name differs as well. However, in this particular case it seems as though there’s a pattern to the names.

If this pattern is consistent, I think the easiest way to address these variations would be to algorithmically build the strings from a couple of templates.

However, this is not the route taken by Kelly’s team, so I assume that things are more complicated than that; apparently, a templated approach is not viable, so for the rest of this article I’m going to assume that it’s necessary to write at least some code to address each case individually.

The current solution that Kelly’s team has implemented is to use an Abstract Factory (Product Trader) to translate the user type into an appropriate IUserFirstNameModifier instance. From the consuming code, it looks like this:

var modifier = factory.Create(UserTypes.Admin);

modifier.Commit("first");

where the factory variable is an instance of the IUserFirstNameModifierFactory interface. This is certainly loosely coupled, but looks like a leaky abstraction. Why is a factory needed? It seems that its single responsibility is to translate a UserTypes instance (an enum) into an IUserFirstNameModifier. There’s a code smell buried here – try to spot it before you read on :)

Proposed Solution

Kelly herself suggests an alternative involving a concrete Builder which can create instances of a single concrete UserFirstNameModifier with or without an implicit conversion:

// Implicit conversion.

UserFirstNameModifier modifier1 =

    builder.WithUserType(UserTypes.Guest);

// Without implicit conversion.

var modifier2 = builder

    .WithUserType(UserTypes.Restricted)

    .Create();

While this may seem to reduce the number of classes involved, it has several drawbacks:

First of all, the Fluent Builder pattern implies that you can forgo invoking any of the WithXyz methods (WithUserType) and just accept all the default values encapsulated in the builder. This again implies that there’s a default user type, which may or may not make sense in that particular domain. Looking at Kelly’s code, UserTypes is an enum (and thus has a default value), so if WithUserType isn’t invoked, the Create method defaults to UserTypes.Admin. That’s a bit too implicit for my taste.
Since all involved classes are now concrete, the proposed solution isn’t extensibile (and by corollary hard to unit test).
The builder is essentially a big switch statement.

Both the current implementation and the proposed solution involves passing an enum as a method parameter to a different class. If you’ve read and memorized Refactoring you should by now have recognized both a code smell and the remedy.

Alternative 1a: Make UserType Polymorphic

The code smell is Feature Envy and a possible refactoring is to replace the enum with a Strategy. In order to do that, an IUserType interface is introduced:

public interface IUserType

    IUserFirstNameModifer CreateUserFirstNameModifier();

Usage becomes as simple as this:

var modifier = userType.CreateUserFirstNameModifier();

Obviously, more methods can be added to IUserType to support other update operations, but care should be taken to avoid creating a Header Interface.

While this solution is much more object-oriented, I’m still not quite happy with it, because apparently, the context is a CQRS style architecture. Since an update operation is essentially a Command, then why model the implementation along the lines of a Query? Both Abstract Factory and Factory Method patterns represent Queries, so it seems redundant in this case. It should be possible to apply the Hollywood Principle here.

Alternative 1b: Tell, Don’t Ask

Why have the user type return an modifier? Why can’t it perform the update itself? The IUserType interface should be changed to something like this:

public interface IUserType

    void CommitUserFirtName(string firstName);

This makes it easier for the consumer to commit the user’s first name because it can be done directly on the IUserType instance instead of first creating the modifier.

It also makes it much easier to unit test the consumer because there’s no longer a mix of Command and Queries within the same method. From Growing Object-Oriented Software we know that Queries should be modeled with Stubs and Commands with Mocks, and if you’ve ever tried mixing the two you know that it’s a sort of interaction that should be minimized.

Alternative 2a: Distinguish by Type

While I personally like alternative 1b best, it may not be practical in all situations, so it’s always valuable to examine other alternatives.

The root cause of the problem is that there’s a lot of stored procedures. I want to reiterate that I still think that the absolutely easiest solution would be to generate a SqlCommand from a string template, but given that this article assumes that this isn’t possible or desirable, it follows that code must be written for each stored procedure.

Why not simply define an interface for each one? As an example, to update the user’s first name in the context of being an ‘Admin’ user, this Role Interface can be used:

public interface IUserFirstNameAdminModifier

    void Commit(string firstName);

Similar interfaces can be defined for the other user types, such as IUserFirstNameRestrictedModifier, IUserFirstNameGuestModifier and so on.

This is a very simple solution; it’s easy to implement, but risks violating the Reused Abstractions Principle (RAP).

Alternative 2b: Distinguish by Generic Type

The problem with introducing interfaces like IUserFirstNameAdminModifier, IUserFirstNameRestrictedModifier, IUserFirstNameGuestModifier etc. is that they differ only by name. The Commit method is the same for all these interfaces, so this seems to violate the RAP. It’d be better to merge all these interfaces into a single interface, which is what Kelly’s team is currently doing. However, the problem with this is that the type carries no information about the role that the modifier is playing.

Another alternative is to turn the modifier interface into a generic interface like this:

public interface IUserFirstNameModifier<T>

    where T : IUserType

    void Commit(string firstName);

The IUserType is a Marker Interface, so .NET purists are not going to like this solution, since the .NET Type Design Guidelines recommend against using Marker Interfaces. However, it’s impossible to constrain a generic type argument against an attribute, so the party line solution is out of the question.

This solution ensures that consumers can now have dependencies on IUserFirstNameModifier<AdminUserType>, IUserFirstNameModifier<RestrictedUserType>, etc.

However, the need for a marker interface gives off another odeur.

Alternative 3: Distinguish by Role

The problem at the heart of alternative 2 is that it attempts to use the type of the interfaces as an indicator of the roles that Services play. It’s seems that making the type distinct works against the RAP, but when the RAP is applied, the type becomes ambiguous.

However, as Ted Neward points out in his excellent series on Multiparadigmatic .NET, the type is only one axis of variability among many. Perhaps, in this case, it may be much easier to use the name of the dependency to communicate its role instead of the type.

Given a single, ambiguous IUserFirstNameModifier interface (just as in the original problem statement), a consumer can distinguish between the various roles of modifiers by their names:

public partial class SomeConsumer

    private readonly IUserFirstNameModifier adminModifier;

    private readonly IUserFirstNameModifier guestModifier;

    public SomeConsumer(

        IUserFirstNameModifier adminModifier,

        IUserFirstNameModifier guestModifier)

        this.adminModifier = adminModifier;

        this.guestModifier = guestModifier;

    public void DoSomething()

        if (this.UseAdmin)

            this.adminModifier.Commit("first");

        else

            this.guestModifier.Commit("first");

Now it’s entirely up to the Composition Root to compose SomeConsumer with the correct modifiers, and while this can be done manually, it’s an excellent case for a DI Container and a bit of Convention over Configuration.

Conclusion

I’m sure that if I’d spent more time analyzing the problem I could have come up with more alternatives, but this post is becoming long enough already.

Of the alternatives I’ve suggested here, I prefer 1b or 3, depending on the exact requirements.

Polymorphic Consistency

Mark Seemann — Wed, 07 Dec 2011 08:40:21 GMT

Asynchronous message passing combined with eventual consistency makes it possible to build very scalable systems. However, sometimes eventual consistency isn’t appropriate in parts of the system, while it’s acceptable in other parts. How can a consistent architecture be defined to fit both ACID and eventual consistency? This article provides an answer.

The case of an online game

Last week I visited Pixel Pandemic, a company that produces browser-based MMORPGs. Since each game world has lots of players who can all potentially interact with each other, scalability is very important.

In traditional line of business applications, eventual consistency is often an excellent fit because the application is a projection of the real world. My favorite example is an inventory system: it models what’s going on in one or more physical warehouses, but the real world is the ultimate source of truth. A warehouse worker might accidentally drop and damage some of the goods, in which case the application must adjust after the fact.

In other words, the information contained within line of business applications tend to lag after the real world. It’s impossible to guarantee that the application is always consistent with the real world, so eventual consistency is a natural fit.

That’s not the case with an online game world. The game world itself is the source of truth, and it must be internally consistent at all times. As an example, in Zombie Pandemic, players fight against zombies and may take damage along the way. Players can heal themselves, but they would prefer (I gather) that the healing action takes place immediately, and not some time in the future where the character might be dead. Similarly, when a player hits a zombie, they’d prefer to apply the damage immediately. (However, I think that even here, eventual consistency might provide some interesting game mechanics, but that’s another discussion.)

While discussing these matters with the nice people in Pixel Pandemic, it turned out that while some parts of the game world have to be internally consistent, it’s perfectly acceptable to use eventual consistency in other cases. One example is the game’s high score table. While a single player should have a consistent view of his or her own score, it’s acceptable if the high score table lags a bit.

At this point it seemed clear that this particular online game could use an appropriate combination of ACID and eventual consistency, and I think this conclusion can be generalized. The question now becomes: how can a consistent architecture encompass both types of consistency?

Problem statement

With the above example scenario in mind the problem statement can be generalized:

Given that an application should apply a mix of ACID and eventual consistency, how can a consistent architecture be defined?

Keep in mind that ACID consistency implies that all writes to a transactional resource must take place as a blocking method call. This seems to be at odds with the concept of asynchronous message passing that works so well with eventual consistency.

However, an application architecture where blocking ACID calls are fundamentally different than asynchronous message passing isn’t really an architecture at all. Developers will have to decide up-front whether or not a given operation is or isn’t synchronous, so the ‘architecture’ offers little implementation guidance. The end result is likely to be a heterogeneous mix of Services, Repositories, Units of Work, Message Channels, etc. A uniform principle will be difficult to distill, and the whole thing threatens to devolve into Spaghetti Code.

The solution turns out to be not at all difficult, but it requires that we invert our thinking a bit. Most of us tend to think about synchronous code first. When we think about code performing synchronous work it seems difficult (perhaps even impossible) to retrofit asynchrony to that model. On the other hand, the converse isn’t true.

Given an asynchronous API, it’s trivial to provide a synchronous, blocking implementation.

Adopting an architecture based on asynchronous message passing (the Pipes and Filters architecture) enables both scenarios. Eventual consistency can be achieved by passing messages around on persistent queues, while ACID consistency can be achieved by handling a message in a blocking call that enlists a (potentially distributed) transaction.

An example seems to be in order here.

Example: keeping score

In the online game world, each player accumulates a score based on his or her actions. From the perspective of the player, the score should always be consistent. When you defeat the zombie boss, you want to see the result in your score right away. That sounds an awful lot like the Player is an Aggregate Root and the score is part of that Entity. ACID consistency is warranted whenever the Player is updated.

On the other hand, each time a score changes it may influence the high score table, but this doesn’t need to be ACID consistent; eventual consistency is fine in this case.

Once again, polymorphism comes to the rescue.

Imagine that the application has a GameEngine class that handles updates in the game. Using an injected IChannel<PointsChangedEvent> it can update the score for a player as simple as this:

/* Lots of other interesting things happen

    * here, like calculating the new score... */

var cmd =

    new ScoreChangedEvent(this.playerId, score);

this.pointsChannel.Send(cmd);

The Send method returns void, so it’s a good example of a naturally asynchronous API. However, the implementation must do two things:

Update the Player Aggregate Root in a transaction
Update the high score table (eventually)

That’s two different types of consistency within the same method call.

The first step to enable this is to employ the trusty old Composite design pattern:

public class CompositeChannel<T> : IChannel<T>

    private readonly IEnumerable<IChannel<T>> channels;

    public CompositeChannel(params IChannel<T>[] channels)

        this.channels = channels;

    public void Send(T message)

        foreach (var c in this.channels)

            c.Send(message);

With a Composite channel it’s possible to compose a polymorphic mix of IChannel<T> implementations, some blocking and some asynchronous.

ACID write

To update the Player Aggregate Root a simple Adapter writes the event to a persistent data store. This could be a relational database, a document database, a REST resource or something else – it doesn’t really matter exactly which technology is used.

public class PlayerStoreChannel :

    IChannel<ScoreChangedEvent>

    private readonly IPlayerStore store;

    public PlayerStoreChannel(IPlayerStore store)

        this.store = store;

    public void Send(ScoreChangedEvent message)

        this.store.Save(message.PlayerId, message);

The important thing to realize is that the IPlayerStore.Save method will be a blocking method call – perhaps wrapped in a distributed transaction. This ensures that updates to the Player Aggregate Root always leave the data store in a consistent state. Either the operation succeeds or it fails during the method call itself.

This takes care of the ACID consistent write, but the application must also update the high score table.

Asynchronous write

Since eventual consistency is acceptable for the high score table, the message can be transmitted over a persistent queue to be picked up by a background process.

A generic class can server as an Adapter over an IQueue abstraction:

public class QueueChannel<T> : IChannel<T>

    private readonly IQueue queue;

    private readonly IMessageSerializer serializer;

    public QueueChannel(IQueue queue,

        IMessageSerializer serializer)

        this.queue = queue;

        this.serializer = serializer;

    public void Send(T message)

        this.queue.Enqueue(

            this.serializer.Serialize(message));

Obvously, the Enqueue method is another void method. In the case of a persistent queue, it’ll block while the message is being written to the queue, but that will tend to be a fast operation.

Composing polymorphic consistency

Now all the building blocks are available to compose both channel implementations into the GameEngine via the CompositeChannel. That might look like this:

var playerConnString = ConfigurationManager

    .ConnectionStrings["player"].ConnectionString;

var gameEngine = new GameEngine(

    new CompositeChannel<ScoreChangedEvent>(

        new PlayerStoreChannel(

            new DbPlayerStore(playerConnString)),

        new QueueChannel<ScoreChangedEvent>(

            new PersistentQueue("messageQueue"),

            new JsonSerializer())));

When the Send method is invoked on the channel, it’ll first invoke a blocking call that ensures ACID consistency for the Player, followed by asynchronous message passing for eventual consistency in other parts of the application.

Conclusion

Even when parts of an application must be implemented in a synchronous fashion to ensure ACID consistency, an architecture based on asynchronous message passing provides a flexible foundation that enables you to polymorphically mix both kinds of consistency in a single method call. From the perspective of the application layer, this provides a consistent and uniform architecture because all mutating actions are modeled as commands end events encapsulated in messages.

TDD improves reusability

Mark Seemann — Thu, 10 Nov 2011 16:55:10 GMT

There’s this meme going around that software reuse is a fallacy. Bollocks! The reuse is a fallacy meme is a fallacy :) To be fair, I’m not claiming that everything can and should be reused, but my claim is that all code produced by Test-Driven Development (TDD) is being reused. Here’s why:

When tests are written first, they act as a kind of REPL. Tests tease out the API of the SUT, as well as its behavior. In this point in the development process, the tests serve as a feedback mechanism. Only later, when the tests and the SUT stabilize, will the tests be repurposed (dare I say ‘reused’?) as regression tests. In other words: over time, tests written during TDD have more than one role:

Feedback mechanism
Regression test

Each test plays one of these roles at a time, but not both.

While the purpose of TDD is to evolve the SUT, the process produces two types of artifacts:

Tests
Production code

Notice how the tests appear before the production code, which is an artifact of the test code.

The unit tests are the first client of the production API.

When the production code is composed into an application, that application becomes the second client, so it reuses the API. This is a very beneficial effect of TDD, and probably one of the main reasons why TDD, if done correctly, produces code of high quality.

A colleague once told me (when referring to scale-out) that the hardest step is to go from one server to two servers, and I’ve later found that principle to apply much more broadly. Generalizing from a single case to two distinct cases is often the hardest step, and it becomes much easier to generalize further from two to an arbitrary number of cases.

This explains why TDD is such an efficient process. Apart from the beneficial side effect of producing a regression test suite, it also ensures that at the time the API goes into production, it’s already being shared (or reused) between at least two distinct clients. If, at a later time, it becomes necessary to add a third client, the hard part is already done.

TDD produces reusable code because the production application reuses the API which were realized by the tests.

Independency

Mark Seemann — Tue, 08 Nov 2011 15:29:05 GMT

Now that my book about Dependency Injection is out, it’s only fitting that I also invert my own dependencies by striking out as an independent consultant/advisor. In the future I’m hoping to combine my writing and speaking efforts, as well as my open source interests, with helping out clients write better code.

If you’d like to get help with Dependency Injection or Test-Driven Development, SOLID, API design, application architecture or one of the other topics I regularly cover here on my blog, I’m available as a consultant worldwide.

When it comes to Windows Azure, I’ll be renewing my alliance with my penultimate employer Commentor, so you can also hire me as part of larger deal with Commentor.

In case you are wondering what happened to my employment with AppHarbor, I resigned from my position there because I couldn’t make it work with all the other things I also would like to do. I still think AppHarbor is a very interesting project, and I wish my former employers the best of luck with their endeavor.

This has been a message from the blog’s sponsor (myself). Soon, regular content will resume.

SOLID concrete

Mark Seemann — Tue, 25 Oct 2011 15:01:15 GMT

Greg Young gave a talk at GOTO Aarhus 2011 titled Developers have a mental disorder, which was (semi-)humorously meant, but still addressed some very real concerns about the cognitive biases of software developers as a group. While I have no intention to provide a complete resume of the talk, Greg said one thing that made me think a bit (more) about SOLID code. To paraphrase, it went something like this:

Developers have a tendency to attempt to solve specific problems with general solutions. This leads to coupling and complexity. Instead of being general, code should be specific.

This sounds correct at first glance, but once again I think that SOLID code offers a solution. Due to the Single Responsibility Principle each SOLID concrete (pardon the pun) class will tend to very specifically address a very narrow problem.

Such a class may implement one (or more) general-purpose interface(s), but the concrete type is specific.

The difference between the generality of an interface and the specificity of a concrete type becomes more and more apparent the better a code base applies the Reused Abstractions Principle. This is best done by defining an API in terms of Role Interfaces, which makes it possible to define a few core abstractions that apply very broadly, while implementations are very specific.

As an example, consider AutoFixture’s ISpecimenBuilder interface. This is a very central interface in AutoFixture (in fact, I don’t even know just how many implementations it has, and I’m currently too lazy to count them). As an API, it has proven to be very generally useful, but each concrete implementation is still very specific, like the CurrentDateTimeGenerator shown here:

public class CurrentDateTimeGenerator : ISpecimenBuilder

    public object Create(object request,

        ISpecimenContext context)

        if (request != typeof(DateTime))

            return new NoSpecimen(request);

        return DateTime.Now;

This is, literally, the entire implementation of the class. I hope we can agree that it’s very specific.

In my opinion, SOLID is a set of principles that can help us keep an API general while each implementation is very specific.

In SOLID code all concrete types are specific.

Checking for exactly one item in a sequence using C# and F#

Mark Seemann — Tue, 11 Oct 2011 14:36:03 GMT

Here’s a programming issue that comes up from time to time. A method takes a sequence of items as input, like this:

public void Route(IEnumerable<string> args)

While the signature of the method may be given, the implementation may be concerned with finding out whether there is exactly one element in the sequence. (I’d argue that this would be a violation of the Liskov Substitution Principle, but that’s another discussion.) By corollary, we might also be interested in the result sets on each side of that single element: no elements and multiple elements.

Let’s assume that we’re required to raise the appropriate event for each of these three cases.

Naïve approach in C#

A naïve implementation would be something like this:

public void Route(IEnumerable<string> args)

    var countCategory = args.Count();

    switch (countCategory)

        case 0:

            this.RaiseNoArgument();

            return;

        case 1:

            this.RaiseSingleArgument(args.Single());

            return;

        default:

            this.RaiseMultipleArguments(args);

            return;

However, the problem with that is that IEnumerable<string> carries no guarantee that the sequence will ever end. In fact, there’s a whole category of implementations that keep iterating forever – these are called Generators. If you pass a Generator to the above implementation, it will never return because the Count method will block forever.

Robust implementation in C#

A better solution comes from the realization that we’re only interested in knowing about which of the three categories the input matches: No elements, a single element, or multiple elements. The last case is covered if we find at least two elements. In other words, we don’t have to read more than at most two elements to figure out the category. Here’s a more robust solution:

public void Route(IEnumerable<string> args)

    var countCategory = args.Take(2).Count();

    switch (countCategory)

        case 0:

            this.RaiseNoArgument();

            return;

        case 1:

            this.RaiseSingleArgument(args.Single());

            return;

        default:

            this.RaiseMultipleArguments(args);

            return;

Notice the inclusion of the Take(2) method call, which is the only difference from the first attempt. This will give us at most two elements that we can then count with the Count method.

While this is better, it still annoys me that it’s necessary with a secondary LINQ call (to the Single method) to extract that single element. Not that it’s particularly inefficient, but it still feels like I’m repeating myself here.

(We could also have converted the Take(2) iterator into an array, which would have enabled us to query its Length property, as well as index into it to get the single value, but it basically amounts to the same work.)

Implementation in F#

In F# we can implement the same functionality in a much more compact manner, taking advantage of pattern matching against native F# lists:

member this.Route args =

    let atMostTwo = args |> Seq.truncate 2 |> Seq.toList

    match atMostTwo with

    | [] -> onNoArgument.Trigger(Unit.Default)

    | [arg] -> onSingleArgument.Trigger(arg)

    | _ -> onMultipleArguments.Trigger(args)

The first thing happening here is that the input is being piped through a couple of functions. The truncate method does the same thing as the Take LINQ method does, and the toList method subsequently converts that sequence of at most two elements into a native F# list.

The beautiful thing about native F# lists is that they support pattern matching, so instead of first figuring out in which category the input belongs, and then subsequently extract the data in the single element case, we can match and forward the element in a single statement.

Why is this important? I don’t know… it’s just satisfying on an aesthetic level :)

Weakly-typed versus Strongly-typed Message Channels

Mark Seemann — Fri, 23 Sep 2011 09:08:53 GMT

Soon after I posted my previous blog post on message dispatching without Service Location I received an email from Jeff Saunders with some great observations. Jeff has been so kind to allow me to quote his email here on the blog, so here it is:

“I enjoyed your latest blog post about message dispatching. I have to ask, though: why do we want weakly-typed messages? Why can't we just inject an appropriate IConsumer<T> into our services - they know which messages they're going to send or receive.

“A really good example of this is ISubject<T> from Rx. It implements both IObserver<T> (a message consumer) and IObservable<T> (a message producer) and the default implementation Subject<T> routes messages directly from its IObserver side to its IObservable side.

“We can use this with DI quite nicely - I have written an example in .NET Pad: http://dotnetpad.net/ViewPaste/woTkGk6_GEq3P9xTVEJYZg#c9,c26,

“The good thing about this is that we now have access to all of the standard LINQ query operators and the new ones added in Rx, so we can use a select query to map messages between layers, for instance.

“This way we get all the benefits of a weakly-typed IChannel interface, with the added advantages of strong typing for our messages and composability using Rx.

“One potential benefit of weak typing that could be raised is that we can have just a single implementation for IChannel, instead of an ISubject<T> for each message type. I don't think this is really a benefit, though, as we may want different propagation behaviour for each message type - there are other implementations of ISubject<T> that call consumers asynchronously, and we could pass any IObservable<T> or IObserver<T> into a service for testing purposes.”

These are great observations and I think that Rx holds much promise in this space. Basically you can say that in CQRS-style architectures we’re already pushing events (and commands) around, so why not build upon what the framework offers?

Even if you find the IObserver<T> interface a bit too clunky with its OnNext, OnError and OnCompleted methods compared to the strongly typed IConsumer<T> interface, the question still remains: why do we want weakly-typed messages?

We don’t, necessarily. My previous post wasn’t meant as a particular endorsement of a weakly typed messaging channel. It was more an observation that I’ve seen many variations of this IChannel interface:

public interface IChannel

    void Send<T>(T message);

The most important thing I wanted to point out was that while the generic type argument may create the illusion that this is a strongly typed method, this is all it is: an illusion. IChannel isn’t strongly typed because you can invoke the Send method with any type of message – and the code will still compile. This is no different than the mechanical distinction between a Service Locator and an Abstract Factory.

Thus, when defining a channel interface I normally prefer to make this explicit and instead model it like this:

public interface IChannel

    void Send(object message);

This achieves exactly the same and is more honest.

Still, this doesn’t really answer Jeff’s question: is this preferable to one or more strongly typed IConsumer<T> dependencies?

Any high-level application entry point that relies on a weakly typed IChannel can get by with a single IChannel dependency. This is flexible, but (just like with Service Locator), it might hide that the client may have (or (d)evolve) too many responsibilities.

If, instead, the client would rely on strongly typed dependencies it becomes much easier to see if/when it violates the Single Responsibility Principle.

In conclusion, I’d tend to prefer strongly typed Datatype Channels instead of a single weakly typed channel, but one shouldn’t underestimate the flexibility of a general-purpose channel either.

Message Dispatching without Service Location

Mark Seemann — Mon, 19 Sep 2011 14:44:47 GMT

Once upon a time I wrote a blog post about why Service Locator is an anti-pattern, and ever since then, I occasionally receive rebuffs from people who agree with me in principle, but think that, still: in various special cases (the argument goes), Service Locator does have its uses.

Most of these arguments actually stem from mistaking the mechanics for the role of a Service Locator. Still, once in a while a compelling argument seems to come my way. One of the most insistent arguments concerns message dispatching – a pattern which is currently gaining in prominence due to the increasing popularity of CQRS, Domain Events and kindred architectural styles.

In this article I’ll first provide a quick sketch of the scenario, followed by a typical implementation based on a ‘Service Locator’, and then conclude by demonstrating why a Service Locator isn’t necessary.

Scenario: Message Dispatching

Appropriate use of message dispatching internally in an application can significantly help decouple the code and make roles explicit. A common implementation utilizes a messaging interface like this one:

public interface IChannel

    void Send<T>(T message);

Personally, I find that the generic typing of the Send method is entirely redundant (not to mention heavily reminiscent of the shape of a Service Locator), but it’s very common and not particularly important right now (but more about that later).

An application might use the IChannel interface like this:

var registerUser = new RegisterUserCommand(

    Guid.NewGuid(),

    "Jane Doe",

    "password",

    "jane@ploeh.dk");

this.channel.Send(registerUser);

// ...

var changeUserName = new ChangeUserNameCommand(

    registerUser.UserId,

    "Jane Ploeh");

this.channel.Send(changeUserName);

// ...

var resetPassword = new ResetPasswordCommand(

    registerUser.UserId);

this.channel.Send(resetPassword);

Obviously, in this example, the channel variable is an injected instance of the IChannel interface.

On the receiving end, these messages must be dispatched to appropriate consumers, which must all implement this interface:

public interface IConsumer<T>

    void Consume(T message);

Thus, each of the command messages in the example have a corresponding consumer:

public class RegisterUserConsumer : IConsumer<RegisterUserCommand>

public class ChangeUserNameConsumer : IConsumer<ChangeUserNameCommand>

public class ResetPasswordConsumer : IConsumer<ResetPasswordCommand>

This certainly is a very powerful pattern, so it’s often used as an argument to prove that Service Locator is, after all, not an anti-pattern.

Message Dispatching using a DI Container

In order to implement IChannel it’s necessary to match messages to their appropriate consumers. One easy way to do this is by employing a DI Container. Here’s an example that uses Autofac to implement IChannel, but any other container would do as well:

private class AutofacChannel : IChannel

    private readonly IComponentContext container;

    public AutofacChannel(IComponentContext container)

        if (container == null)

            throw new ArgumentNullException("container");

        this.container = container;

    public void Send<T>(T message)

        var consumer = this.container.Resolve<IConsumer<T>>();

        consumer.Consume(message);

This class is an Adapter from Autofac’s IComponentContext interface to the IChannel interface. At this point I can always see the “Q.E.D.” around the corner: “look! Service Locator isn’t an anti-pattern after all! I’d like to see you implement IChannel without a Service Locator.”

While I’ll do the latter in just a moment, I’d like to dwell on the DI Container-based implementation for a moment.

Is it simple? Yes.
Is it flexible? Yes, although it has shortcomings.
Would I use it like this? Perhaps. It depends :)
Is it the only way to implement IChannel? No – see the next section.
Does it use a Service Locator? No.

While AutofacChannel uses Autofac (a DI Container) to implement the functionality, it’s not (necessarily) a Service Locator in action. This was the point I already tried to get across in my previous post about the subject: just because its mechanics look like Service Locator it doesn’t mean that it is one. In my implementation, the AutofacChannel class is a piece of pure infrastructure code. I even made it a private nested class in my Composition Root to underscore the point. The container is still not available to the application code, so is never used in the Service Locator role.

One of the shortcomings about the above implementations is that it provides no fallback mechanism. What happens if the container can’t resolve the matching consumer? Perhaps there isn’t a consumer for the message. That’s entirely possible because there are no safeguards in place to ensure that there’s a consumer for every possibly message.

The shape of the Send method enables the client to send any conceivable message type, and the code still compiles even if no consumer exists. That may look like a problem, but is actually an important insight into implementing an alternative IChannel class.

Message Dispatching using weakly typed matching

Consider the IChannel.Send method once again:

void Send<T>(T message);

Despite its generic signature it’s important to realize that this is, in fact, a weakly typed method (at least when used with type inferencing, as in the above example). Equivalently to a bona fide Service Locator, it’s possible for a developer to define a new class (Foo) and send it – and the code still compiles:

this.channel.Send(new Foo());

However, at run-time, this will fail because there’s no matching consumer. Despite the generic signature of the Send method, it contains no type safety. This insight can be used to implement IChannel without a DI Container.

Before I go on I should point out that I don’t consider the following solution intrinsically superior to using a DI Container. However, readers of my book will know that I consider it a very illuminating exercise to try to implement everything with Poor Man’s DI once in a while.

Using Poor Man’s DI often helps unearth some important design elements of DI because it helps to think about solutions in terms of patterns and principles instead of in terms of technology.

However, once I have arrived at an appropriate conclusion while considering Poor Man’s DI, I still tend to prefer mapping it back to an implementation that involves a DI Container.

Thus, the purpose of this section is first and foremost to outline how message dispatching can be implemented without relying on a Service Locator.

While this alternative implementation isn’t allowed to change any of the existing API, it’s a pure implementation detail to encapsulate the insight about the weakly typed nature of IChannel into a similarly weakly typed consumer interface:

private interface IConsumer

    void Consume(object message);

Notice that this is a private nested interface of my Poor Man’s DI Composition Root – it’s a pure implementation detail. However, given this private interface, it’s now possible to implement IChannel like this:

private class PoorMansChannel : IChannel

    private readonly IEnumerable<IConsumer> consumers;

    public PoorMansChannel(params IConsumer[] consumers)

        this.consumers = consumers;

    public void Send<T>(T message)

        foreach (var c in this.consumers)

            c.Consume(message);

Notice that this is another private nested type that belongs to the Composition Root. It loops though all injected consumers, so it’s up to each consumer to decide whether or not to do anything about the message.

A final private nested class bridges the generically typed world with the weakly typed world:

private class Consumer<T> : IConsumer

    private readonly IConsumer<T> consumer;

    public Consumer(IConsumer<T> consumer)

        this.consumer = consumer;

    public void Consume(object message)

        if (message is T)

            this.consumer.Consume((T)message);

This generic class is another Adapter – this time adapting the generic IConsumer<T> interface to the weakly typed (private) IConsumer interface. Notice that it only delegates the message to the adapted consumer if the type of the message matches the consumer.

Each implementer of IConsumer<T> can be wrapped in the (private) Consumer<T> class and injected into the PoorMansChannel class:

var channel = new PoorMansChannel(

    new Consumer<ChangeUserNameCommand>(

        new ChangeUserNameConsumer(store)),

    new Consumer<RegisterUserCommand>(

        new RegisterUserConsumer(store)),

    new Consumer<ResetPasswordCommand>(

        new ResetPasswordConsumer(store)));

So there you have it: type-based message dispatching without a DI Container in sight. However, it would be easy to use convention-based configuration to scan an assembly and register all IConsumer<T> implementations and wrap them in Consumer<T> instances and use this list to compose a PoorMansChannel instance. However, I will leave this as an exercise to the reader (or a later blog post).

My claim still stands

In conclusion, I find that I can still defend my original claim: Service Locator is an anti-pattern.

That claim, by the way, is falsifiable, so I do appreciate that people take it seriously enough by attempting to disprove it. However, until now, I’ve yet to be presented with a scenario where I couldn’t come up with a better solution that didn’t involve a Service Locator.

Keep in mind that a Service Locator is defined by the role it plays – not the shape of the API.

AutoFixture goes Continuous Delivery with Semantic Versioning

Mark Seemann — Tue, 06 Sep 2011 20:34:42 GMT

For the last couple of months I’ve been working on setting up AutoFixture for Continuous Delivery (thanks to the nice people at http://teamcity.codebetter.com/ for supplying the CI service) and I think I’ve finally succeeded. I’ve just pushed some code from my local Mercurial repository, and 5 minutes later the release is live on both the CodePlex site as well as on the NuGet Gallery.

The plan for AutoFixture going forward is to maintain Continuous Delivery and switch the versioning scheme from ad hoc to Semantic Versioning. This means that obviously you’ll see releases much more often, and versions are going to be incremented much more often. Since the previous release the current release incidentally ended at version 2.2.44, but since the versioning scheme has now changed, you can expect to see 2.3, 2.4 etc. in rapid succession.

While I’ve been mostly focused on setting up Continuous Delivery, Nikos Baxevanis and Enrico Campidoglio have been busy writing new features:

Apart from these excellent contributions, other new features are

Added StableFiniteSequenceCustomization
Added [FavorArrays], [FavorEnumerables] and [FavorLists] attributes to xUnit.net extension
Added a Generator<T> class
Added a completely new project/package called Idioms, which contains convention-based tests (more about this later)
Probably some other things I’ve forgotten about…

While you can expect to see version numbers to increase more rapidly and releases to occur more frequently, I’m also beginning to think about AutoFixture 3.0. This release will streamline some of the API in the root namespace, which, I’ll admit, was always a bit haphazard. For those people who care, I have no plans to touch the API in the Ploeh.AutoFixture.Kernel namespace. AutoFixture 3.0 will mainly target the API contained in the Ploeh.AutoFixture namespace itself.

Some of the changes I have in mind will hopefully make the default experience with AutoFixture more pleasant – I’m unofficially thinking about AutoFixture 3.0 as the ‘pit of success’ release. It will also enable some of the various outstanding feature requests.

Feedback is, as usual, appreciated.

Service Locator: roles vs. mechanics

Mark Seemann — Thu, 25 Aug 2011 18:55:12 GMT

It’s time to take a step back from the whole debate about whether or not Service Locator is, or isn’t, an anti-pattern. It remains my strong belief that it’s an anti-pattern, while others disagree. Although everyone is welcome to think differently than me, I’ve noticed that some of the arguments being put forth in defense of Service Locator seem very convincing. However, I believe that in those cases we no longer talk about Service Locator, but something that looks an awful lot like it.

Some APIs are easy to confuse with a ‘real’ Service Locator. It probably doesn’t help that last year I published an article on how to tell the difference between a Service Locator and an Abstract Factory. In this article I may have focused too much on the mechanics of Service Locator, but as Derick Bailey was so kind to point out, this hides the role the API might play.

To repeat that earlier post, a Service Locator looks like this:

public interface IServiceLocator

    T Create<T>(object context);

All Service Locators I’ve seen so far look like that, or some variation thereof, but that doesn’t mean that the relationship is transitive. Just because an API looks like that it doesn’t automatically means that it’s a Service Locator.

If it was, all DI containers would be Service Locators. As an example, here’s Castle Windsor’s Resolve method:

public T Resolve<T>()

Even AutoFixture has an API like that:

MyClass sut = fixture.CreateAnonymous<MyClass>();

It has never been my intention to denounce every single DI container available, as well as my own open source framework. Service Locator is ultimately not identified by the mechanics of its API, but by the role it plays.

A DI container encapsulated in a Composition Root is not a Service Locator – it’s an infrastructure component.

It becomes a Service Locator if used incorrectly: when application code (as opposed to infrastructure code) actively queries a service in order to be provided with required dependencies, then it has become a Service Locator.

Service Locators are spread thinly and pervasively throughout a code base – that is just as much a defining characteristic.

Joining AppHarbor

Mark Seemann — Mon, 01 Aug 2011 14:03:10 GMT

I’m pleased to announce that I’ll be joining AppHarbor as a developer. With my long-standing interest in TDD and OOD as well as my more recent interests in open-source .NET software, distributed source control systems, Continuous Delivery etc. AppHarbor seems like a perfect match for me.

Although AppHarbor is very attractive to me, this has been a difficult decision as Commentor has been a great employer. However, despite great customers I just don’t feel like consulting at the moment. Since Safewhere went out of business I’ve been writing much less code than I’d liked, so when presented with an opportunity to join such a congenial outfit as AppHarbor I had few doubts.

I’ll still be working out of Copenhagen, Denmark, and I also expect to keep up my usual community engagement at home as well as abroad.

Composition Root

Mark Seemann — Thu, 28 Jul 2011 15:22:04 GMT

In my book I describe the Composition Root pattern in chapter 3. This post serves as a summary description of the pattern.

The Constructor Injection pattern is easy to understand until a follow-up question comes up:

Where should we compose object graphs?

It’s easy to understand that each class should require its dependencies through its constructor, but this pushes the responsibility of composing the classes with their dependencies to a third party. Where should that be?

It seems to me that most people are eager to compose as early as possible, but the correct answer is:

As close as possible to the application’s entry point.

This place is called the Composition Root of the application and defined like this:

A Composition Root is a (preferably) unique location in an application where modules are composed together.

This means that all the application code relies solely on Constructor Injection (or other injection patterns), but is never composed. Only at the entry point of the application is the entire object graph finally composed.

The appropriate entry point depends on the framework:

In console applications it’s the Main method
In ASP.NET MVC applications it’s global.asax and a custom IControllerFactory
In WPF applications it’s the Application.OnStartup method
In WCF it’s a custom ServiceHostFactory
etc.

(you can read more about framework-specific Composition Roots in chapter 7 of my book.)

The Composition Root is an application infrastructure component.

Only applications should have Composition Roots. Libraries and frameworks shouldn’t.

The Composition Root can be implemented with Poor Man’s DI, but is also the (only) appropriate place to use a DI Container.

A DI Container should only be referenced from the Composition Root. All other modules should have no reference to the container.

Using a DI Container is often a good choice. In that case it should be applied using the Register Resolve Release pattern entirely from within the Composition Root.

Read more in Dependency Injection in .NET.

SOLID Code isn’t

Mark Seemann — Tue, 07 Jun 2011 13:46:07 GMT

Recently I had an interesting conversation with a developer at my current client, about how the SOLID principles would impact their code base. The client wants to write SOLID code – who doesn’t? It’s a beautiful acronym that fully demonstrates the power of catchy terminology.

However, when you start to outline what it actually means people become uneasy. At the point where the discussion became interesting, I had already sketched my view on encapsulation. However, the client’s current code base is designed around validation at the perimeter. Most of the classes in the Domain Model are actually internal and implicitly trust input.

We were actually discussing Test-Driven Development, and I had already told them that they should only test against the public API of their code base. The discussion went something like this (I’m hoping I’m not making my ‘opponent’ sound dumb, because the real developer I talked to was anything but):

Client: “That would mean that each and every class we expose must validate input!”

Me: “Yes…?”

Client: “That would be a lot of extra work.”

Me: “Would it? Why is that?”

Client: “The input that we deal with consist of complex data structures, and we must validate that all values are present and correct.”

Me: “Assume that input is SOLID as well. This would mean that each input instance can be assumed to be in a valid state because that would be its own responsibility. Given that, what would validation really mean?”

Client: “I’m not sure I understand what you mean…”

Me: “Assuming that the input instance is a self-validating reference type, what could possibly go wrong?”

Client: “The instance might be null…”

Me: “Yes. Anything else?”

Client: “Not that I can think of…”

Me: “Me neither. This means that while you must add more code to implement proper encapsulation, it’s really trivial code. It’s just some Guard Clauses.”

Client: “But isn’t it still gold plating?”

Me: “Not really, because we are designing for change in the general sense. We know that we can’t predict specific change, but I can guarantee you that change requests will occur. Instead of trying to predict specific changes and design variability in those specific places, we simply put interfaces around everything because the cost of doing so is really low. This means that when change does happen, we already have Seams in the right places.”

Client: “How does SOLID help with that?”

Me: “A result of the Single Responsibility Principle is that each self-encapsulated class becomes really small, and there will be a lot of them.”

Client: “Lots of classes… I’m not sure I’m comfortable with that. Doesn’t it make it much harder to find what you need?”

Me: “I don’t think so. Each class is very small, so although you have many of them, understanding what each one does is easy. In my experience this is a lot easier than trying to figure out what a big class with thousands of lines of code does. When you have few big classes, your object model might look something like this:”

“There’s a few objects and they kind of fit together to form the overall picture. However, if you need to change something, you’ll need to substantially change the shape of each of those objects. That’s a lot of work, and this is why such an object design isn’t particularly adaptable to change.

“With SOLID, on the other hand, you have lots of small-grained objects which you can easily re-arrange to match new requirements:”

And that’s when it hit me: SOLID code isn’t really solid at all. I’m not a material scientist, but to me a solid indicates a rigid structure. In essence a structure where the particles are tightly locked to each other and can’t easily move about.

However, when thinking about SOLID code, it actually helps to think about it more like a liquid (although perhaps a rather viscous one). Each class has much more room to maneuver because it is small and fits together with other classes in many different ways. It’s clear that when you push an analogy too far, it breaks apart.

Still, a closing anecdote is appropriate…

My (then) three-year old son one day handed me a handful of Duplo bricks and asked me to build him a dragon. If you’ve ever tried to build anything out of Duplo you’ll know that the ‘resolution’ of the bricks is rather coarse-grained. Given that ‘a handful’ for a three-year old isn’t a lot of bricks, this was quite a challenge. Fortunately, I had an appreciative audience with quite a bit of imagination, so I was able to put the few bricks together in a way that satisfied my son.

Still, building a dragon of comparable size out of Lego bricks is much easier because the bricks have a much finer ‘resolution’. SOLID code is more comparable to Lego than Duplo.

At the Boundaries, Applications are Not Object-Oriented

Mark Seemann — Tue, 31 May 2011 13:27:11 GMT

My recent series of blog posts about Poka-yoke Design generated a few responses (I would have been disappointed had this not been the case). Quite a few of these reactions relate to various serialization or translation technologies usually employed at application boundaries: Serialization, XML (de)hydration, UI validation, etc. Note that such translation happens not only at the perimeter of the application, but also at the persistence layer. ORMs are also a translation mechanism.

Common to most of the comments is that lots of serialization technologies require the presence of a default constructor. As an example, the XmlSerializer requires a default constructor and public writable properties. Most ORMs I’ve investigated seem to have the same kind of requirements. Windows Forms and WPF Controls (UI is also an application boundary) also must have default constructors. Doesn’t that break encapsulation? Yes and no.

Objects at the Boundary

It certainly would break encapsulation if you were to expose your (domain) objects directly at the boundary. Consider a simple XML document like this one:

<name>

  <firstName>Mark</firstName>

  <lastName>Seemann</lastName>

</name>

Whether or not we have formal contract (XSD) or not, we might stipulate that both the firstName and lastName elements are required. However, despite such a contract, I can easily create a document that breaks it:

<name>

  <firstName>Mark</firstName>

</name>

We can’t enforce the contract as there’s no compilation step involved. We can validate input (and output), but that’s a different matter. Exactly because there’s no enforcement it’s very easy to create malformed input. The same argument can be made for UI input forms and any sort of serialized byte sequence. This is why we must treat all input as suspect.

This isn’t a new observation at all. In Patterns of Enterprise Application Architecture, Martin Fowler described this as a Data Transfer Object (DTO). However, despite the name we should realize that DTOs are not really objects at all. This is nothing new either. Back in 2004 Don Box formulated the Four Tenets of Service Orientation. (Yes, I know that they are not in vogue any more and that people wanted to retire them, but some of them still make tons of sense.) Particularly the third tenet is germane to this particular discussion:

Services share schema and contract, not class.

Yes, and that means they are not objects. A DTO is a representation of such a piece of data mapped into an object-oriented language. That still doesn’t make them objects in the sense of encapsulation. It would be impossible. Since all input is suspect, we can hardly enforce any invariants at all.

Often, as Craig Stuntz points out in a comment to one of my previous posts, even if the input is invalid, we want to capture what we did receive in order to present a proper error message (this argument also applies on machine-to-machine boundaries). This means that any DTO must have very weak invariants (if any at all).

DTOs don’t break encapsulation because they aren’t objects at all.

Don’t be fooled by your tooling. The .NET framework very, very much wants you to treat DTOs as objects. Code generation ensues.

However, the strong typing provided by such auto-generated classes gives a false sense of security. You may think that you get rapid feedback from the compiler, but there are many possible ways you can get run-time errors (most notably when you forget to update the auto-generated code based on new schema versions).

An even more problematic result of representing input and output as objects is that it tricks lots of developers into dealing with them as though they represent the real object model. The result is invariably an anemic domain model.

More and more, this line of reasoning is leading me towards the conclusion that the DTO mental model that we have gotten used to over the last ten years is a dead end.

What Should Happen at the Boundary

Given that we write write object-oriented code and that data at the boundary is anything but object-oriented, how do we deal with it?

One option is to stick with what we already have. To bridge the gap we must then develop translation layers that can translate the DTOs to properly encapsulated domain objects. This is the route I take with the samples in my book. However, this is a solution that more and more I’m beginning to think may not be the best. It has issues with maintainability. (Incidentally, that’s the problem with writing a book: at the time you’re done, you know so much more than you did when you started out… Not that I’m denouncing the book – it’s just not perfect…)

Another option is to stop treating data as objects and start treating it as the structured data that it really is. It would be really nice if our programming language had a separate concept of structured data… Interestingly, while C# has nothing of the kind, F# has tons of ways to model data structures without behavior. Perhaps that’s a more honest approach to dealing with data… I will need to experiment more with this…

A third option is to look towards dynamic types. In his article Cutting Edge: Expando Objects in C# 4.0, Dino Esposito outlines a dynamic approach towards consuming structured data that shortcuts auto-generated code and provides a lightweight API to structured data. This also looks like a promising approach… It doesn’t provide compile-time feedback, but that’s only a false sense of security anyway. We must resort to unit tests to get rapid feedback, but we’re all using TDD already, right?

In summary, my entire series about encapsulation relates to object-oriented programming. Although there are lots of technologies available to represent boundary data as ‘objects’, they are false objects. Even if we use an object-oriented language at the boundary, the code has nothing to do with object orientation. Thus, the Poka-yoke Design rules don’t apply there.

Now go back and reread this post, but replace ‘DTO’ with ‘Entity’ (or whatever your ORM calls its representation of a relational table row) and you should begin to see the contours of why ORMs are problematic.

Design Smell: Default Constructor

Mark Seemann — Mon, 30 May 2011 13:02:02 GMT

This post is the fifth in a series about Poka-yoke Design – also known as encapsulation.

Default constructors are code smells. There you have it. That probably sounds outrageous, but consider this: object-orientation is about encapsulating behavior and data into cohesive pieces of code (classes). Encapsulation means that the class should protect the integrity of the data it encapsulates. When data is required, it must often be supplied through a constructor. Conversely, a default constructor implies that no external data is required. That’s a rather weak statement about the invariants of the class.

Please be aware that this post represents a smell. This indicates that whenever a certain idiom or pattern (in this case a default constructor) is encountered in code it should trigger further investigation.

As I will outline below, there are several scenarios where default constructors are perfectly fine, so the purpose of this blog post is not to thunder against default constructors. It’s to provide food for thought.

If you have read my book you will know that Constructor Injection is the dominating DI pattern exactly because it statically advertises dependencies and protects the integrity of those dependencies by guaranteeing that an initialized consumer is always in a consistent state. This is fail-safe design because the compiler can enforce the relationship, thus providing rapid feedback.

This principle extends far beyond DI. In a previous post I described how a constructor with arguments statically advertises that the argument is required:

public class Fragrance : IFragrance

    private readonly string name;

    public Fragrance(string name)

        if (name == null)

            throw new ArgumentNullException("name");

        this.name = name;

    public string Spread()

        return this.name;

The Fragrance class protects the integrity of the name by requiring it through the constructor. Since this class requires the name to implement its behavior, requesting it through the constructor is the correct thing to do. A default constructor would not have been fail-safe, since it would introduce a temporal coupling.

Consider that objects are supposed to be containers of behavior and data. Whenever an object contains data, the data must be encapsulated. In the (very common) case where no meaningful default value can be defined, the data must be provided via the constructor. Thus, default constructors might indicate that encapsulation is broken.

When are Default Constructors OK?

There are still scenarios where default constructors are in order (I’m sure there are more than those listed here).

If a default constructor can assign meaningful default values to all contained fields a default constructor still protects the invariants of the class. As an example, the default constructor of UriBuilder initializes its internal values to a consistent set that will build the Uri http://localhost unless one or more of its properties are subsequently manipulated. You may agree or disagree with this default behavior, but it’s consistent and so encapsulation is preserved.
If a class contains no data obviously there is no data to protect. This may be a symptom of the Feature Envy code smell, which is often evidenced by the class in question being a concrete class.
- If such a class can be turned into a static class it’s a certain sign of Feature Envy.
- If, on the other hand, the class implements an interface, it might be a sign that it actually represents pure behavior.

A class that represents pure behavior by implementing an interface is not necessarily a bad thing. This can be a very powerful construct.

In summary, a default constructor should be a signal to stop and think about the invariants of the class in question. Does the default constructor sufficiently guarantee the integrity of the encapsulated data? If so, the default constructor is appropriate, but otherwise it’s not. In my experience, default constructors tend to be the exception rather than the rule.

Design Smell: Redundant Required Attribute

Mark Seemann — Fri, 27 May 2011 13:21:06 GMT

This post is the fourth in a series about Poka-yoke Design – also known as encapsulation.

Recently I saw this apparently enthusiastic tweet reporting from some Microsoft technology event:

[Required] attribute in code automatically creates a non-nullable entry in DB and validation in the webpage – nice […]

I imagine that it must look something like this:

public class Smell

    [Required]

    public int Id { get; set; }

Every time I see something like this I die a little inside. If you already read my previous posts it should by now be painfully clear why this breaks encapsulation. Despite the [Required] attribute there’s no guarantee that the Id property will ever be assigned a value. The attribute is just a piece of garbage making a claim it can’t back up.

Code like that is not fail-safe.

I understand that the attribute mentioned in the above tweet is intended to signal to some tool (probably EF) that the property must be mapped to a database schema as non-nullable, but it’s still redundant. Attributes are not the correct way to make a statement about invariants.

Improved Design

The [Required] attribute is redundant because there’s a much better way to state that a piece of data is required. This has been possible since .NET 1.0. Here’s the Poka-yoke version of that same statement:

public class Fragrance

    private readonly int id;

    public Fragrance(int id)

        this.id = id;

    public int Id

        get { return this.id; }

This simple structural design ensures that the ID truly is required (and if the ID can only be positive a Guard Clause can be added). An instance of Fragrance can only be created with an ID. Since this is a structural construction, the compiler can enforce the requirement, giving us rapid feedback.

I do realize that the [Required] attribute mentioned above is intended to address the challenge of mapping objects to relational data and rendering, but instead of closing the impedance mismatch gap, it widens it. Instead of introducing yet another redundant attribute the team should have made their tool understand simple idioms for encapsulation like the one above.

This isn’t at all hard to do. As an example, DI Containers thrive on structural information encoded into constructors (this is called Auto-wiring). The team behind the [Required] attribute could have done that as well. The [Required] attribute is a primitive and toxic hack.

This is the major reason I never expect to use EF. It forces developers to break encapsulation, which is a principle upon which I refuse to compromise.

Code Smell: Automatic Property

Mark Seemann — Thu, 26 May 2011 13:33:13 GMT

This post is the third in a series about Poka-yoke Design – also known as encapsulation.

Automatic properties are one of the most redundant features of C#. I know that some people really love them, but they address a problem you shouldn’t have in the first place.

I totally agree that code like this looks redundant:

private string name;

public string Name

    get { return this.name; }

    set { this.name = value; }

However, the solution is not to write this instead:

public string Name { get; set; }

The problem with the first code snippet isn’t that it contains too much ceremony. The problem is that it breaks encapsulation. In fact

“[…] getters and setters do not achieve encapsulation or information hiding: they are a language-legitimized way to violate them.”

James O. Coplien & Gertrud Bjørnvig. Lean Architecture. Wiley. 2010. p. 134.

While I personally think that properties do have their uses, I very rarely find use for automatic properties. They are never appropriate for reference types, and only rarely for value types.

Code Smell: Automatic Reference Type Property

First of all, let’s consider the very large set of properties that expose a reference type.

In the case of reference types, null is a possible value. However, when we think about Poka-yoke design, null is never an appropriate value because it leads to NullReferenceExceptions. The Null Object pattern provides a better alternative to deal with situations where a value might be undefined.

In other words, an automatic property like the Name property above is never appropriate. The setter must have some kind of Guard Clause to protect it against null (and possibly other invalid values). Here’s the most fundamental example:

private string name;

public string Name

    get { return this.name; }

set

        if (value == null)

            throw new ArgumentNullException("value");

        this.name = value;

As an alternative, a Guard Clause could also check for null and provide a default Null Object in the cases where the assigned value is null:

private string name;

public string Name

    get { return this.name; }

set

        if (value == null)

            this.name = "";

            return;

        this.name = value;

However, this implementation contains a POLA violation because the getter sometimes returns a different value than what was assigned. It’s possible to fix this problem by adding an associated boolean field indicating whether the name was assigned null so that null can be returned from the setter in this special case, but that leads to another code smell.

Code Smell: Automatic Value Type Property

If the type of the property is a value type, the case is less clear-cut because value types can’t be null. This means that a Null Guard is never appropriate. However, directly consuming a value type may still be inappropriate. In fact, it’s only appropriate if the class can meaningfully accept and handle any value of that type.

If, for example, the class can really only handle a certain subset of all possible values, a Guard Clause must be introduced. Consider this example:

public int RetryCount { get; set; }

This property might be used to set the appropriate number or retries for a given operation. The problem with using an automatic property is that it’s possible to assign a negative value to it, and that wouldn’t make any sense. One possible remedy is to add a Guard Clause:

private int retryCount;

public int RetryCount

    get { return this.retryCount; }

set

        if (value < 0)

            throw new ArgumentOutOfRangeException();

        this.retryCount = value;

However, in many cases, exposing a primitive property is more likely to be a case of Primitive Obsession.

Improved Design: Guard Clause

As I described above, the most immediate fix for automatic properties is to properly implement the property with a Guard Clause. This ensures that the class’ invariants are properly encapsulated.

Improved Design: Value Object Property

When the automatic property is a value type, a Guard Clause may still be in order. However, when the property is really a symptom of Primitive Obsession, a better alternative is to introduce a proper Value Object.

Consider, as an example, this property:

public int Temperature { get; set; }

This is bad design for a number of reasons. It doesn’t communicate the unit of measure and allows unbounded values to be assigned. What happens if –100 is assigned? If the unit of measure is Celcius it should succeed, although in the case when it’s Kelvin, it should fail. No matter the unit of measure, attempting to assign int.MinValue should fail.

A more robust design can be had if we introduce a new Temperature type and change the property to have that type. Apart from protection of invariants it would also encapsulate conversion between different temperature scales.

However, if that Value Object is implemented as a reference type the situation is equivalent to the situation described above, and a Null Guard is necessary. Only in the case where the Value Object is implemented as a value type is an anonymous property appropriate.

The bottom line is that automatic properties are rarely appropriate. In fact, they are only appropriate when the type of the property is a value type and all conceivable values are allowed. Since there are a few cases where automatic properties are appropriate their use can’t be entirely dismissed, but it should be treated as warranting further investigation. It’s a code smell, not an anti-pattern.

On a different note properties also violate the Law of Demeter, but that’s the topic of a future blog post…

Design Smell: Primitive Obsession

Mark Seemann — Wed, 25 May 2011 15:03:31 GMT

This post is the second in a series about Poka-yoke Design – also known as encapsulation.

Many classes have a tendency to consume or expose primitive values like integers and strings. While such primitive types exist on any platform, they tend to lead to procedural code. Furthermore they often break encapsulation by allowing invalid values to be assigned.

This problem has been addressed many times before. Years ago Jimmy Bogard provided an excellent treatment of the issue, as well as guidance on how to resolve it. In relation to AutoFixture I also touched upon the subject some time ago. As such, the current post is mostly a placeholder.

However, it’s worth noting that both Jimmy’s and my own post address the concern that strings and integers do not sufficiently encapsulate the concepts of Zip codes and phone numbers.

When a Zip code is represented as a string it’s possible to assign values such as null, string.Emtpy, “foo”, very long strings, etc. Jimmy’s ZipCode class encapsulates the concept by guaranteeing that an instance can only be successfully created with a correct value.
When a Danish phone number is represented as an integer it’s possible to assign values such as –98, 0, int.MaxValue, etc. Once again the DanishPhoneNumber class from the above example encapsulates the concept by guaranteeing that an instance can only be successfully created with a correct value.

Encapsulation is broken unless the concept represented by a primitive value can truly take any of the possible values of the primitive type. This is rarely the case.

Design Smell:

A class consumes a primitive type. However, further analysis shows that not all possible values of the type are legal values.

Improved Design:

Encapsulate the primitive value in a Value Object that contains appropriate Guard Clauses etc. to guarantee that only valid instances are possible.

Primitives tend to not be fail-safe, but encapsulated Value Objects are.

Design Smell: Temporal Coupling

Mark Seemann — Tue, 24 May 2011 14:00:42 GMT

This post is the first in a series about Poka-yoke Design – also known as encapsulation.

A common problem in API design is temporal coupling, which occurs when there’s an implicit relationship between two, or more, members of a class requiring clients to invoke one member before the other. This tightly couples the members in the temporal dimension.

The archetypical example is the use of an Initialize method, although copious other examples can be found – even in the BCL. As an example, this usage of EndpointAddressBuilder compiles, but fails at run-time:

var b = new EndpointAddressBuilder();

var e = b.ToEndpointAddress();

It turns out that at least an URI is required before an EndpointAddress can be created. The following code compiles and succeeds at run-time:

var b = new EndpointAddressBuilder();

b.Uri = new UriBuilder().Uri;

var e = b.ToEndpointAddress();

The API provides no hint that this is necessary, but there’s a temporal coupling between the Uri property and the ToEndpointAddress method.

In the rest of the post I will provide a more complete example, as well as a guideline to improve the API towards Poka-yoke Design.

Smell Example

This example describes a more abstract code smell, exhibited by the Smell class. The public API looks like this:

public class Smell

    public void Initialize(string name)

    public string Spread()

Semantically the name of the Initialize method is obviously a clue, but on a structural level this API gives us no indication of temporal coupling. Thus, code like this compiles, but throws an exception at run-time:

var s = new Smell();

var n = s.Spread();

It turns out that the Spread method throws an InvalidOperationException because the Smell has not been initialized with a name. The problem with the Smell class is that it doesn’t properly protect its invariants. In other words, encapsulation is broken.

To fix the issue the Initialize method must be invoked before the Spread method:

var sut = new Smell();

sut.Initialize("Sulphur");

var n = sut.Spread();

While it’s possible to write unit tests that explore the behavior of the Smell class, it would be better if the design was improved to enable the compiler to provide feedback.

Improvement: Constructor Injection

Encapsulation (Poka-yoke style) requires that the class can never be in an inconsistent state. Since the name of the smell is required, a guarantee that it is always available must be built into the class. If no good default value is available, the name must be requested via the constructor:

public class Fragrance : IFragrance

    private readonly string name;

    public Fragrance(string name)

        if (name == null)

            throw new ArgumentNullException("name");

        this.name = name;

    public string Spread()

        return this.name;

This effectively guarantees that the name is always available in all instances of the class. There are also positive side effects:

The cyclomatic complexity of the class has been reduced
The class is now immutable, and thereby thread-safe

However, there are times when the original version of the class implements an interface that causes the temporal coupling. It might have looked like this:

public interface ISmell

    void Initialize(string name);

    string Spread();

In many cases the injected value (name) is unknown until run-time, in which case straight use of the constructor seems prohibitive – after all, the constructor is an implementation detail and not part of the loosely coupled API. When programming against an interface it’s not possible to invoke the constructor.

There’s a solution for that as well.

Improvement: Abstract Factory

To decouple the methods in the ISmell (ha ha) interface the Initialize method can be moved to a new interface. Instead of mutating the (inconsistent) state of a class, the Create method (formerly known as Initialize) returns a new instance of the IFragrance interface:

public interface IFragranceFactory

    IFragrance Create(string name);

The implementation is straightforward:

public class FragranceFactory : IFragranceFactory

    public IFragrance Create(string name)

        if (name == null)

            throw new ArgumentNullException("name");

        return new Fragrance(name);

This enables encapsulation because both the FragranceFactory and Fragrance classes protect their invariants. They can never be in an inconsistent state. A client previously interacting with the ISmell interface can use the IFragranceFactory/IFragrance combination to achieve the same funcionality:

var f = factory.Create(name);

var n = f.Spread();

This is better because improper use of the API can now be detected by the compiler instead of at run-time. An interesting side-effect by moving towards a more statically declared interaction structure is that classes tend towards immutability. Immutable classes are automatically thread-safe, which is an increasingly important trait in the (relatively) new multi-core era.

Poka-yoke Design: From Smell to Fragrance

Mark Seemann — Tue, 24 May 2011 13:57:39 GMT

Encapsulation is one of the most misunderstood aspects of object-oriented programming. Most people seem to think that the related concept of information hiding simply means that private fields should be exposed by public properties (or getter/setter methods in languages that don’t have native properties).

Have you ever wondered what’s the real benefit to be derived from code like the following?

private string name;

public string Name

    get { return this.name; }

    set { this.name = value; }

This feels awfully much like redundant code to me (and automatic properties are not the answer – it’s just a compiler trick that still creates private backing fields). No information is actually hidden. Derick Bailey has a good piece on why this view of encapsulation is too narrow, so I’m not going to reiterate all his points here.

So then what is encapsulation?

The whole point of object-orientation is to produce cohesive pieces of code (classes) that solve given problems once and for all, so that programmers can use those classes without having to learn about the intricate details of the implementations.

This is what encapsulation is all about: exposing a solution to a problem without requiring the consumer to fully understand the problem domain.

This is what all well-designed classes do.

You don’t have to know the intricate details of TDS to use ADO.NET against SQL Server.
You don’t have to know the intricate details of painting on the screen to use WPF or Windows Forms.
You don’t have to know the intricate details of Reflection to use a DI Container.
You don’t have to know how to efficiently sort a list in order to efficiently sort a list in .NET.
Etc.

What makes encapsulation so important is exactly this trait. The class must hide the information it encapsulates in order to protect it against ‘naïve’ users. Wikipedia has this to say:

Hiding the internals of the object protects its integrity by preventing users from setting the internal data of the component into an invalid or inconsistent state.

Keep in mind that users are expected to not fully understand the internal implementation of a class. This makes it obvious what encapsulation is really about:

Encapsulation is a fail-safe mechanism.

By corollary, encapsulation does not mean hiding complexity. Whenever complexity is hidden (as is the case for Providers) feedback time increases. Rapid feedback is much preferred, so delaying feedback is not desirable if it can be avoided.

Encapsulation is not about hiding complexity, but conversely exposing complexity in a fail-safe manner.

In Lean this is known as Poka-yoke, so I find it only fitting to think about encapsulation as Poka-yoke Design: APIs that make it as hard as possible to do the wrong thing. Considering that compilation is the cheapest feedback mechanism, it’s preferable to design APIs so that the code can only compile when classes are used correctly.

In a series of blog posts I will look at various design smells that break encapsulation, as well as provide guidance on how to improve the design to make it safer, thus going from smell to fragrance.

Postscript: At the Boundaries, Applications are Not Object-Oriented

Tennis Kata with immutable types and a cyclomatic complexity of 1

Mark Seemann — Mon, 16 May 2011 11:01:00 GMT

Recently I had the inclination to do the Tennis Kata a couple of times. The first time I saw it I thought it wasn’t terribly interesting as an exercise in C# development. It would basically just be an application of the State pattern, so I decided to make it a bit more interesting. More or less by intuition I decided to give myself the following constraints:

All types must be immutable
All members must have a cyclomatic complexity of 1

Now that’s more interesting :)

Given these constraints, what would be the correct approach? Given that this is a finite state machine with a fixed number of states, the Visitor pattern will be a good match.

Each player’s score can be modeled as a Value Object that can be one of these types:

ZeroPoints
FifteenPoints
ThirtyPoints
FortyPoints
AdvantagePoint
GamePoint

All of these classes implement the IPoints interface:

public interface IPoints

    IPoints Accept(IPoints visitor);

    IPoints LoseBall();

    IPoints WinBall(IPoints opponentPoints);

    IPoints WinBall(AdvantagePoint opponentPoints);

    IPoints WinBall(FortyPoints opponentPoints);

The interesting insight here is that until the opponent's score reaches FortyPoints nothing special happens. Those states can be effectively collapsed into the WinBall(IPoints) method. However, when the opponent either has FortyPoints or AdvantagePoint, special things happen, so IPoints has specialized methods for those cases. All implementations should use double dispatch to invoke the correct overload of WinBall, so the Accept method must be implemented like this:

public IPoints Accept(IPoints visitor)

    return visitor.WinBall(this);

That’s the core of the Visitor pattern in action. When the implementer of the Accept method is either FortyPoints or AdvantagePoint, the specialized overload will be invoked.

It’s now possible to create a context around a pair of IPoints (called a Game) to implement a method to register that Player 1 won a ball:

public Game PlayerOneWinsBall()

    var newPlayerOnePoints = this.PlayerTwoScore

        .Accept(this.PlayerOneScore);

    var newPlayerTwoPoints =

        this.PlayerTwoScore.LoseBall();

    return new Game(

        newPlayerOnePoints, newPlayerTwoPoints);

A similar method for player two simply reverses the roles. (I’m currently reading Lean Architecture, but have yet to reach the chapter on DCI. However, considering what I’ve already read about DCI, this seems to fit the bill pretty well… although I might be wrong on that account.)

The context calculates new scores for both players and returns the result as a new instance of the Game class. This keeps the Game and IPoints implementations immutable.

The new score for the winner depends on the opponent’s score, so the appropriate overload of WinBall should be invoked. The Visitor implementation makes it possible to pick the right overload without resorting to casts and if statements. As an example, the FortyPoints class implements the three WinBall overloads like this:

public IPoints WinBall(IPoints opponentPoints)

    return new GamePoint();

public IPoints WinBall(FortyPoints opponentPoints)

    return new AdvantagePoint();

public IPoints WinBall(AdvantagePoint opponentPoints)

    return this;

It’s also important to correctly implement the LoseBall method. In most cases, losing a ball doesn’t change the current state of the loser, in which case the implementation looks like this:

public IPoints LoseBall()

    return this;

However, when the player has advantage and loses the ball, he or she loses the advantage, so for the AdvantagePoint class the implementation looks like this:

public IPoints LoseBall()

    return new FortyPoints();

To keep things simple I decided to implicitly model deuce as both players having FortyPoints, so there’s not explicit Deuce class. Thus, AdvantagePoint returns FortyPoints when losing the ball.

Using the Visitor pattern it’s possible to keep the cyclomatic complexity at 1. The code has no branches or loops. It’s immutable to boot, so a game might look like this:

[Fact]

public void PlayerOneWinsAfterHardFight()

    var game = new Game()

        .PlayerOneWinsBall()

        .PlayerOneWinsBall()

        .PlayerOneWinsBall()

        .PlayerTwoWinsBall()

        .PlayerTwoWinsBall()

        .PlayerTwoWinsBall()

        .PlayerTwoWinsBall()

        .PlayerOneWinsBall()

        .PlayerOneWinsBall()

        .PlayerOneWinsBall();

    Assert.Equal(new GamePoint(), game.PlayerOneScore);

    Assert.Equal(new FortyPoints(), game.PlayerTwoScore);

In case you’d like to take a closer look at the code I’m attaching it to this post. It was driven completely by using the AutoFixture.Xunit extension, so if you are interested in idiomatic AutoFixture code it’s also a good example of that.

TennisKata.zip (3.09 MB)

Generic unit testing with xUnit.net

Mark Seemann — Mon, 09 May 2011 12:37:17 GMT

Generics in .NET are wonderful, but sometimes when doing Test-Driven Development against a generic class I’ve felt frustrated because I’ve been feeling that dropping down to the lowest common denominator and testing against, say, Foo<object> doesn’t properly capture the variability inherent in generics. On the other hand, writing the same test for five different types of T have seemed too wasteful (not to mention boring) to bother with.

That’s until it occurred to me that in xUnit.net (and possibly other unit testing frameworks) I can define a generic test class. As an example, I wanted to test-drive a class with this class definition:

public class Interval<T>

Instead of writing a set of tests against Interval<object> I rather wanted to write a set of tests against a representative set of T. This is so easy to do that I don’t know why I haven’t thought of it before. I simply declared the test class itself as a generic class:

public abstract class IntervalFacts<T>

The reason I declared the class as abstract is because that effectively prevents the test runner from trying to run the test methods directly on the class. That would fail because T is still open. However, it enabled me to write tests like this:

[Theory, AutoCatalogData]

public void MinimumIsCorrect(IComparable<T> first,

    IComparable<T> second)

    var sut = new Interval<T>(first, second);

    IComparable<T> result = sut.Minimum;

    Assert.Equal(result, first);

In this test, I also use AutoFixture’s xUnit.net extension, but that’s completely optional. You might as well just write an old-fashioned unit test, but then you’ll need a SUT Factory that can resolve generics. If you don’t use AutoFixture any other (auto-mocking) container will do, and if you don’t use one of those, you can define a Factory Method that creates appropriate instances of T (and, in this particular case, instances of IComparable<T>).

In the above example I used a [Theory], but I might as well have been using a [Fact] as long as I had a container or a Factory Method to create the appropriate instances.

The above test doesn’t execute in itself because the owning class is abstract. I needed to declare an appropriate set of constructed types for which I wanted the test to run. To do that, I defined the following test classes:

public class DecimalIntervalFacts : IntervalFacts<decimal> { }

public class StringIntervalFacts : IntervalFacts<string> { }

public class DateTimeIntervalFacts : IntervalFacts<DateTime> { }

public class TimSpanIntervalFacts : IntervalFacts<TimeSpan> { }

The only thing these classes do is to each pick a particular type for T. However, since they are concrete classes with test methods, the test runner will pick up the test cases and execute them. This means that the single unit test I wrote above is now being executed four times – one for each constructed type.

It’s even possible to specialize the generic class and add more methods to a single specialized class. As a sanity check I wanted to write a set of tests specifically against Interval<int>, so I added this class as well:

public class Int32IntervalFacts : IntervalFacts<int>

    [Theory]

    [InlineData(0, 0, 0, true)]

    [InlineData(-1, 1, -1, true)]

    [InlineData(-1, 1, 0, true)]

    [InlineData(-1, 1, 1, true)]

    [InlineData(-1, 1, -2, false)]

    [InlineData(-1, 1, 2, false)]

    public void Int32ContainsReturnsCorrectResult(

        int minimum, int maximum, int value,

        bool expectedResult)

        var sut = new Interval<int>(minimum, maximum);

        var result = sut.Contains(value);

        Assert.Equal(expectedResult, result);

    // More tests...

When added as an extra class in addition to the four ‘empty’ concrete classes above, it now causes each generic method to be executed five times, whereas the above unit test is only executed for the Int32IntervalFacts class (on the other hand it’s a parameterized test, so the method is actually executed six times).

It’s also possible to write parameterized tests in the generic test class itself:

[Theory]

[InlineData(-1, -1, false)]

[InlineData(-1, 0, true)]

[InlineData(-1, 1, true)]

[InlineData(0, -1, false)]

[InlineData(0, 0, true)]

[InlineData(0, 1, true)]

[InlineData(1, -1, false)]

[InlineData(1, 0, false)]

[InlineData(1, 1, false)]

public void ContainsReturnsCorrectResult(

    int minumResult, int maximumResult,

    bool expectedResult)

    // Test method body

Since this parameterized test in itself has 9 variations and is declared by IntervalFacts<T> which now has 5 constructed implementers, this single test method will be executed 9 x 5 = 45 times!

Not that the the number of executed tests in itself is any measure of the quality of the test, but I do appreciate the ability to write generic unit tests against generic types.

AutoFixture 2.1

Mark Seemann — Mon, 02 May 2011 18:34:52 GMT

Since I announced AutoFixture 2.1 beta 1 no issues have been reported, so I’ve now promoted the release to the official 2.1 release. This means that if you already downloaded AutoFixture 2.1 beta 1, you already have the 2.1 binaries. If not, you can head over to the release page to get it.

The NuGet packages will soon be available.

Update (2011.5.4): The NuGet packages are now available.

Windows Azure migration smell: SQL Server over-utilization

Mark Seemann — Mon, 02 May 2011 12:23:49 GMT

Recently I partook in a Windows Azure migration workshop, helping developers from existing development organizations port their applications to Windows Azure. Once more an old design smell popped up: SQL Server over-utilization. This ought to be old news to anyone with experience designing software on the Wintel stack, but apparently it bears repetition:

Don’t put logic in your database. SQL Server should be used only for persistent storage of data.

(Yes: this post is written in 2011…)

Many years ago I heard that role described as a ‘bit bucket’ – you put in data and pull it out again, and that’s all you do. No fancy stored procedures or functions or triggers.

Why wouldn’t we want to use the database if we have one? Scalability is the answer. SQL Server doesn’t scale horizontally. You can’t add more servers to take the load off a database server (well, some of my old colleagues will argue that this is possible with Oracle, and that may be true, but with SQL Server it’s impossible).

Yes, we can jump through hoops like partitioning and splitting the database up into several smaller databases, but it still doesn’t give us horizontal scalability. SQL Server is a bottleneck in any system in which it takes part.

How is this relevant to Windows Azure? It’s relevant for two important reasons:

There’s an upper size limit on SQL Azure. Currently that size limit is 50 GB, and while it’s likely to grow in the future, there’s going to be a ceiling for a long time.
You can’t fine tune the hardware for performance. The server runs on virtual hardware.

Development organizations that rely heavily on the database for execution of logic often need expensive hardware and experienced DBAs to squeeze extra performance out of the database servers. Such people know that write-intensive/append-only tables work best with one type of RAID, while read-intensive tables are better hosted on other file groups on different disks with different RAID configurations.

With SQL Azure you can just forget about all that.

The bottom line is that there are fundamental rules for software development that you must follow if you want to be able to successfully migrate to Windows Azure. I previously described an even simpler sanity check you should perform, but after that you should take a good look at your database.

The best solution is if you can completely replace SQL Server with Azure’s very scalable storage services, but those come with their own set of challenges.

Feedback mechanisms and tradeoffs

Mark Seemann — Fri, 29 Apr 2011 13:02:14 GMT

Rapid feedback is one of the cornerstones of agile development. The faster we can get feedback, the less it costs to correct errors. Unit testing is one of the ways to get feedback, but not the only one. Each way we can get feedback comes with its own advantages and disadvantages.

In my experience there’s a tradeoff between the cost of setting up a feedback mechanism and the level of confidence we can get from it. This is quite intuitive to most people, but I’ve rarely seen it explicitly described. The purpose of this post is to explicitly describe and relate those different mechanisms.

Compilation

In compiled languages, compilation provides the first level of feedback. I think a lot of people don’t think about this as feedback as (for compiled languages) it’s a necessary step before the code can be executed.

The level of confidence may not be very high – we tend to laugh at statements like ‘if it compiles, it works’. However, the compiler still catches a lot of mistakes. Think about it: does your code always compile, or do you sometimes get compilation errors? Do you sometimes try to compile your code just to see if it’s possible? I certainly do, and that’s because the compiler is always available, and it’s the first and fastest level of feedback we get.

Code can be designed to take advantage of this verification step. Constructor Injection, for example, ensures that we can’t create a new instance of a class without supplying it with its required dependencies.

It’s also interesting to note that anecdotal evidence seems to suggest that unit testing is more prevalent for interpreted languages. That makes a lot of sense, because as developers we need feedback as soon as possible, and if there’s no compiler we must reach for the next level of feedback mechanism.

Static code analysis

The idea of static code analysis isn’t specific to .NET, but in certain versions of Visual Studio we have Code Analysis (which is also available as FxCop). Static code analysis is a step up from compilation – not only is code checked for syntactical correctness, but it’s also checked against a set of known anti-patterns and idioms.

Static code analysis is encapsulated expert knowledge, yet surprisingly few people use it. I think part of the reason for this is because the ratio of time against confidence isn’t as compelling as with other feedback mechanism. It takes some time to run the analysis, but like compilation the level of confidence gained from getting a clean result is not very high.

Personally, I use static code analysis once in a while (e.g. before checking in code to the default branch), but not as often as other feedback mechanisms. Still, I think this type of feedback mechanism is under-utilized.

Unit testing

Running a unit test suite is one of the most efficient ways to gain rapid feedback. The execution time is often comparable to running static code analysis while the level of confidence is much higher.

Obviously a successful unit test execution is no guarantee that the final application works as intended, but it’s a much better indicator than the two previous mechanisms. When presented with the choice of using either static code analysis or unit tests, I prefer unit tests every time because the confidence level is much higher.

If you have sufficiently high code coverage I’d say that a successful unit test suite is enough confidence to check in code and let continuous integration take care of the rest.

Keep in mind that continuous integration and other types of automated builds are feedback mechanisms. If you institute rules where people are ‘punished’ for checking in code that breaks the build, you effectively disable the automated build as a source of feedback.

Thus, the rest of these feedback mechanisms should be used rarely (if at all) on developer work stations.

Integration testing

Integration testing comes in several sub-categories. You can integrate multiple classes from within the same library, or integrate multiple libraries while still using Test Doubles instead of out-of-process resources. At this level, the cost/confidence ratio is comparable to unit testing.

Subcutaneous testing

A more full level of integration testing comes when all resources are integrated, but the tests are still driven by code instead of through the UI. While this gives a degree of confidence that is close to what you can get from a full systems test, the cost of setting up the entire testing environment is much higher. In many cases I consider this the realm of a dedicated testing department, as it’s often a full-time job to maintain the suite of automation tools that enable such tests – particularly if we are talking about distributed systems.

System testing

This is a test of the full system, often driven through the UI and supplemented with manual testing (such as exploratory testing). This provides the highest degree of confidence, but comes with a very high cost. It’s often at this level we find formal acceptance tests.

The time before we can get feedback at this level is often considerable. It may take days or even weeks or months.

Understand the cost/confidence ratio

The purpose of this post has been to talk about different ways we can get feedback when developing software. If we could get instantaneous feedback with guaranteed confidence it would be easy to choose, but as this is not the case we must understand the benefits and drawbacks of each mechanism.

It’s important to realize that there are many mechanisms, and that we can combine them in a staggered approach where we start with fast feedback (like the compiler) with a low degree of confidence and then move through successive stages that each provide a higher level of confidence.

Provider is not a pattern

Mark Seemann — Wed, 27 Apr 2011 12:14:52 GMT

Developers exposed to ASP.NET are likely to be familiar with the so-called Provider pattern. You see it a lot in that part of the BCL: Role Provider, Membership Provider, Profile Provider, etc. Lots of text has already been written about Providers, but the reason I want to add yet another blog post on the topic is because once in a while I get the question on how it relates to Dependency Injection (DI).

Is Provider a proper way to do DI?

No, it has nothing to do with DI, but as it tries to mimic loose coupling I can understand the confusion.

First things first. Let’s start with the name. Is it a pattern at all? Regular readers of this blog may get the impression that I’m fond of calling everything and the kitchen sink an anti-pattern. That’s not true because I only make that claim when I’m certain I can hold that position, so I’m not going to denounce Provider as an anti-pattern. On the contrary I will make the claim that Provider is not a pattern at all.

A design pattern is not invented – it’s discovered as a repeated solution to a commonly recurring problem. Providers, on the other hand, were invented by Microsoft, and I’ve rarely seen them used outside their original scope. Secondly I’d also dispute that they solve anything.

That aside, however, I want to explain why Provider is bad design:

It uses the Constrained Construction anti-pattern
It hides complexity
It prevents proper lifetime management
It’s not testable

In the rest of this post I will explain each point in detail, but before I do that we need an example to look at. The old OrderProcessor example suffices, but instead of injecting IOrderValidator, IOrderCollector, and IOrderShipper this variation uses Providers to provide instances of the Services:

public SuccessResult Process(Order order)

    IOrderValidator validator =

        ValidatorProvider.Validator;

    bool isValid = validator.Validate(order);

    if (isValid)

        CollectorProvider.Collector.Collect(order);

        ShipperProvider.Shipper.Ship(order);

    return this.CreateStatus(isValid);

The ValidatorProvider uses the configuration system to create and return an instance of IOrderValidator:

public static IOrderValidator Validator

get

        var section =

            OrderValidationConfigurationSection

                .GetSection();

        var typeName = section.ValidatorTypeName;

        var type = Type.GetType(typeName, true);

        var obj = Activator.CreateInstance(type);

        return (IOrderValidator)obj;

There are lots of details I omitted here. I could have saved the reference for later use instead of creating a new instance each time the property is accessed. In that case I would also have had to make the code thread-safe, so I decided to skip that complexity. The code could also be more defensive, but I’m sure you get the picture.

The type name is defined in the app.config file like this:

<orderValidation

  type="Ploeh.Samples.OrderModel.UnitTest.TrueOrderValidator,

        Ploeh.Samples.OrderModel.UnitTest" />

Obviously, CollectorProvider and ShipperProvider follow the same… blueprint.

This should be well-known to most .NET developers, so what’s wrong with this model?

Constrained Construction

In my book’s chapter on DI anti-patterns I describe the Constrained Construction anti-pattern. Basically it occurs every time there’s an implicit constraint on the constructor of an implementer. In the case of Providers the constraint is that each implementer must have a default constructor. In the example the culprit is this line of code:

var obj = Activator.CreateInstance(type);

This constrains any implementation of IOrderValidator to have a default constructor, which obviously means that the most fundamental DI pattern Constructor Injection is out of the question.

Variations of the Provider idiom is to supply an Initialize method with a context, but this creates a temporal coupling while still not enabling us to inject arbitrary Services into our implementations. I’m not going to repeat six pages of detailed description of Constrained Construction here, but the bottom line is that you can’t fix it – you have to refactor towards true DI – preferably Constructor Injection.

Hidden complexity

Providers hide the complexity of their implementations. This is not the same as encapsulation. Rather it’s a dishonest API and the problem is that it just postpones the moment when you discover how complex the implementation really is.

When you implement a client and use code like the following everything looks deceptively simple:

IOrderValidator validator =

    ValidatorProvider.Validator;

However, if this is the only line of code you write it will fail, but you will not notice until run-time. Check back to the implementation of the Validator property if you need to refresh the implementation: there’s a lot of things that can go wrong here:

The appropriate configuration section is not available in the app.config file.
The ValidatorTypeName is not provided, or is null, or is malformed.
The ValidatorTypeName is correctly formed, but the type in question cannot be located by Fusion.
The Type doesn’t have a default constructor. This is one of the other problems of Constrained Construction: it can’t be statically enforced because a constructor is not part of an abstraction’s API.
The created type doesn’t implement IOrderValidator.

I’m sure I even forgot a thing or two, but the above list is sufficient for me. None of these problems are caught by the compiler, so you don’t discover these issues until you run an integration test. So much for rapid feedback.

I don’t like APIs that lie about their complexity.

Hiding complexity does not make an API easier to use; it makes it harder.

An API that hides necessary complexity makes it impossible to discover problems at compile time. It simply creates more friction.

Lifetime management issues

A Provider exerts too much control over the instances it creates. This is a variation of the Control Freak anti-pattern (also from my book). In the current implementation the Validator property totally violates the Principle of least surprise since it returns a new instance every time you invoke the getter. I did this to keep the implementation simple (this is, after all, example code), but a more normal implementation would reuse the same instance every time.

However, reusing the same instance every time may be problematic in a multi-threaded context (such as a web application) because you’ll need to make sure that the implementation is thread-safe. Often, we’d much prefer to scope the lifetime of the Service to each HTTP request.

HTTP request scoping can be built into the Provider, but then it would only work in web applications. That’s not very flexible.

What’s even more problematic is that once we move away from the Singleton lifestyle (not to be confused with the Singleton design pattern) we may have a memory leak at hand, since the implementation may implement IDisposable. This can be solved by adding a Release method to each Provider, but now we are moving so far into DI Container territory that I find it far more reasonable to just use proper DI instead of trying to reinvent the wheel.

Furthermore, the fact that each Provider owns the lifetime of the Service it controls makes it impossible to share resources. What if the implementation we want to use implements several Role Interfaces each served up by a different Provider? We might want to use that common implementation to share or coordinate state across different Services, but that’s not possible because we can’t share an instance across multiple providers.

Even if we configure all Providers with the same concrete class, each will instantiate and serve its own separate instance.

Testability

The Control Freak also impacts testability. Since a Provider creates instances of interfaces based on XML configuration and Activator.CreateInstance, there’s no way to inject a dynamic mock.

It is possible to use hard-coded Test Doubles such as Stubs or Fakes because we can configure the XML with their type names, but even a Spy is problematic because we’ll rarely have an object reference to the Test Double.

In short, the Provider idiom is not a good approach to loose coupling. Although Microsoft uses it in some of their products, it only leads to problems, so there’s no reason to mimic it. Instead, use Constructor Injection to create loosely coupled components and wire them in the application’s Composition Root using the Register Resolve Release pattern.

AutoFixture 2.1 beta 1

Mark Seemann — Tue, 19 Apr 2011 14:05:11 GMT

It gives me great pleasure to announce that AutoFixture 2.1 beta 1 is now available for download. Compared to version 2.0 this release mostly contains added features as well as a few bug fixes. The release page contains a list of the new features.

The general availability of beta 1 of AutoFixture 2.1 marks the beginning of a trial period. If no new issues are reported within the next few weeks, a final version 2.1 will be released. If too many issues are reported, a new beta version may be necessary.

Please report any issues you find.

NuGet packages will follow the RTW version.

Constructor strategies for AutoFixture

Mark Seemann — Tue, 19 Apr 2011 06:59:19 GMT

When AutoFixture creates complex objects it invokes the constructors of the types in question. When a class exposes more than one constructor, the default behavior is to pick the constructor with the fewest number of arguments. This is the exact opposite of most DI Containers that select the greediest constructor.

For a DI Container it makes more sense to select the greediest constructor because that maximizes the chance that all dependencies are properly being auto-wired.

The reason that AutoFixture’s default behavior is different is that it maximizes the chance that an object graph can be created at all. If a convenience overload is available, this gives AutoFixture a better chance to compose the object graph.

This works well until a class comes along and introduces the wrong kind of ambiguity. Consider this case of Bastard Injection (Dependency Injection in .NET, section 5.2):

public class Bastard

    private readonly IFoo foo;

    public Bastard()

        : this(new DefaultFoo())

    public Bastard(IFoo foo)

        if (foo == null)

            throw new ArgumentNullException("foo");

        this.foo = foo;

    public IFoo Foo

        get { return this.foo; }

By default AutoFixture will use the default constructor which means that the Foo will always be the instance of DefaultFoo owned by the Bastard class itself. This is problematic if we wish to inject and freeze a Test Double because even if we freeze an IFoo instance, it will never be injected because the default constructor is being invoked.

var fixture = new Fixture();

fixture.Register<IFoo>(

    fixture.CreateAnonymous<DummyFoo>);

var b = fixture.CreateAnonymous<Bastard>();

Assert.IsAssignableFrom<DefaultFoo>(b.Foo);

As the above unit test demonstrates, even though the Register method call defines a mapping from IFoo to DummyFoo, the Foo property is an instance of DefaultFoo. The DummyFoo instance is never injected into the Bastard instance since the default constructor is used.

Your first reaction in such a case should be to get rid of all convenience constructors to make the the class’ constructor unambiguous. However, it’s also possible to change AutoFixture’s behavior.

The following is a description of a feature that will be a available in AutoFixture 2.1. It’s not available in AutoFixture 2.0, but is already available in the code repository. Thus, if you can’t wait for AutoFixture 2.1 you can download the source and build it.

As always, AutoFixture’s very extensible interface makes it possible to change this behavior. Constructor selection is guided by an interface called IConstructorQuery, and while ModestConstructorQuery is the default implementation, there’s also an implementation called GreedyConstructorQuery.

To change the behavior specifically for the Bastard class the Fixture instance must be customized. The following unit test demonstrates how to do that.

var fixture = new Fixture();

fixture.Customize<Bastard>(c => c.FromFactory(

    new ConstructorInvoker(

        new GreedyConstructorQuery())));

fixture.Register<IFoo>(

    fixture.CreateAnonymous<DummyFoo>);

var b = fixture.CreateAnonymous<Bastard>();

Assert.IsAssignableFrom<DummyFoo>(b.Foo);

Notice that the only difference from before is an additional call to the Customize method where Bastard is modified to use greedy constructor selection. This changes the factory for the Bastard type, but not for any other types.

If you’d rather prefer to completely change the overall constructor selection behavior for AutoFixture you can add the GreedyConstructorQuery wrapped in a ConstructorInvoker to the Fixture’s Customizations:

var fixture = new Fixture();

fixture.Customizations.Add(

    new ConstructorInvoker(

        new GreedyConstructorQuery()));

fixture.Register<IFoo>(

    fixture.CreateAnonymous<DummyFoo>);

var b = fixture.CreateAnonymous<Bastard>();

Assert.IsAssignableFrom<DummyFoo>(b.Foo);

In this unit test, the only change from the previous is that instead of assigning the GreedyConstructorQuery specifically to Bastard, it’s now assigned as the new default strategy. All specimens created by AutoFixture will be created by invoking their most greedy constructor.

As always I find the default behavior more attractive, but the option to change behavior is there if you need it.

Enumerables are dynamic–also in AutoFixture

Mark Seemann — Mon, 18 Apr 2011 13:22:29 GMT

I just got a question about AutoFixture’s way of dealing with enumerables, and since I suspect this is something that might surprise a few people I found it reasonable to answer in a blog post.

In short, this unit test succeeds:

var fixture = new Fixture();

var expected = fixture.CreateMany<string>();

Assert.False(expected.SequenceEqual(expected));

If this doesn’t surprise you, then read the assertion again. The sequence is expected to not equal itself!

This behavior is by design.

(I’ve always wanted to write that.) The reason is that the return type of the CreateMany method is IEnumerable<T>, and that interface makes no guarantee that it will return the same sequence every time you iterate over it. The implementation may be a Generator.

According to its principle of Constrained Non-determinism, AutoFixture goes to great lengths to ensure that since IEnumerable<T> might be non-deterministic, it will be. This can be very useful in flushing out incorrect assumptions made by the SUT.

This behavior is carried forward by the MultipleCustomization. This unit test also succeeds:

var fixture = new Fixture()

    .Customize(new MultipleCustomization());

var expected =

    fixture.CreateAnonymous<IEnumerable<string>>();

Assert.False(expected.SequenceEqual(expected));

The behavior is the same because with the MultipleCustomization IEnumerable<T> acts as a relationship type. The class responsible for this behavior is called FiniteSequenceRelay, but AutoFixture 2.1 will also ship with an alternative StableFiniteSequenceRelay which wraps the sequence in a List<T>.

To change the default behavior you can add the StableFiniteSequenceRelay to a Fixture’s customizations:

var fixture = new Fixture();

var stableRelay = new StableFiniteSequenceRelay();

fixture.Customizations.Add(stableRelay);

var expected =

    fixture.CreateMany<string>();

Assert.True(expected.SequenceEqual(expected));

The above unit test succeeds. Notice that the assertion now verifies that the sequence of strings is equal to itself.

Just like MultipleCustomization the StableFiniteSequenceRelay class will be available in AutoFixture 2.1, but is not availale in 2.0.

As always, it’s best to encapsulate this behavior change into a Customization:

public class StableFiniteSequenceCustomization :

    ICustomization

    public void Customize(IFixture fixture)

        var stableRelay =

            new StableFiniteSequenceRelay();

        fixture.Customizations.Add(stableRelay);

This makes it easier to bundle it with the MultipleCustomization if we want all the other benefits of conventions for multiples:

public class StableMultipeCustomization :

    CompositeCustomization

    public StableMultipeCustomization()

        : base(

            new StableFiniteSequenceCustomization(),

            new MultipleCustomization())

With the StableMultipleCustomization the following unit test now passes:

var fixture = new Fixture()

    .Customize(new StableMultipeCustomization());

var expected =

    fixture.CreateAnonymous<IEnumerable<string>>();

Assert.True(expected.SequenceEqual(expected));

I still prefer the default behavior for its potential to act as an early warning system, but as I realize that this behavior may be problematic in some scenarios, the StableFiniteSequenceRelay provides an easy way to change that behavior.

Update (2011.8.10): StableFiniteSequenceCustomization is now part of AutoFixture and will be available in AutoFixture 2.2.

MSDN Magazine article about CQRS on Windows Azure

Mark Seemann — Tue, 05 Apr 2011 19:52:57 GMT

My latest MSDN Magazine article, this time about CQRS on Windows Azure, is now available at the April MSDN Magazine web site.

It’s mostly meant as an introduction to CQRS as well as containing some tips and tricks that are specific to applying CQRS on Windows Azure.

As an added bonus the code sample download contains lots of idiomatic unit tests written with AutoFixture’s xUnit.net extensions, so if you’d like to see the result of my TDD work with AutoFixture, there’s a complete code base to look at there.

Commands are Composable

Mark Seemann — Tue, 22 Mar 2011 13:09:25 GMT

A few months back I wrote a (somewhat theoretical) post on composable interfaces. A major point of that post was that Role Interfaces with a single Command method (i.e. a method that returns no value) is a very versatile category of abstraction.

Some of my readers asked for examples, so in this post I will provide a few. Consider this interface that fits the above description:

public interface IMessageConsumer<T>

    void Consume(T message);

This is a very common type of interface you will tend to encounter a lot in distributed, message-based architectures such as CQRS or Udi Dahan’s view of SOA. Some people would call it a message subscriber instead…

In the rest of this post I will examine how we can create compositions out of the IMessageConsumer<T> interface using (in order of significance) Decorator, Null Object, Composite, and other well-known programming constructs.

Decorator

Can we create a meaningful Decorator around the IMessageConsumer<T> interface? Yes, that’s easy – I’ve earlier provided various detailed examples of Decorators, so I’m not going to repeat them here.

I’ve yet to come up with an example of an interface that prevents us from applying a Decorator, so it’s a valid falsifiable claim that we can always Decorate an interface. However, I have yet to prove that this is true, so until now we’ll have to call it a conjecture.

However, since it’s so easy to apply a Decorator to an interface, it’s not a particularly valuable trait when evaluating the composability of an interface.

Null Object

It can be difficult to implement the Null Object pattern when the method(s) in question return a value, but for Commands it’s easy:

public class NullMessageConsumer<T> : IMessageConsumer<T>

    public void Consume(T message)

The implementation simply ignores the input and does nothing.

Once again my lack of formal CS education prevents me from putting forth a formal proof, but I strongly suspect that it’s always possibly to apply the Null Object pattern to a Command (keep in mind that out parameters count as output, so any interface with one or more of these are not Commands).

It’s often valuable to be able to use a Null Object, but the real benefit comes when we can compose various implementations together.

Composite

To be truly composable, an interface should make it possible to create various concrete implementations that each adhere to the Single Responsibility Principle and then compose those together in a complex implementation. A Composite is a general-purpose implementation of this concept, and it’s easy to create a Composite out of a Command:

public class CompositeMessageConsumer<T> :

    IMessageConsumer<T>

    private readonly IEnumerable<IMessageConsumer<T>>

        consumers;

    public CompositeMessageConsumer(

        params IMessageConsumer<T>[] consumers)

        if (consumers == null)

            throw new ArgumentNullException("consumers");

        this.consumers = consumers;

    public IEnumerable<IMessageConsumer<T>> Consumers

        get { return this.consumers; }

    #region IMessageConsumer<T> Members

    public void Consume(T message)

        foreach (var consumer in this.Consumers)

            consumer.Consume(message);

    #endregion

The implementation of the Consume method simply loops over each composed IMessageConsumer<T> and invokes its Consume method.

I can, for example, implement a sequence of actions that will take place by composing the individual concrete implementations. First we have a guard that protects against invalid messages, followed by a consumer that writes the message to a persistent store, completed by a consumer that raises a Domain Event that the reservation request was accepted.

var c = new CompositeMessageConsumer<MakeReservationCommand>(

    guard,

    writer,

    acceptRaiser);

Consumers following the Liskov Substitution Principle will not notice the difference, as all they will see is an implementation of IMessageConsumer<MakeReservationCommand>.

More advanced programming constructs

The Composite pattern only describes a single, general way to compose implementations, but with a Command interface we can do more. As Domain-Driven Design explains, a successful interface is often characterized by making it possible to apply well-known arithmetic or logical operators. As an example, in the case of the IMessageConsumer<T> interface, we can easily mimic the well-known ?! ternary operator from C#:

public class ConditionalMessageConsumer<T> :

    IMessageConsumer<T>

    private Func<T, bool> condition;

    private IMessageConsumer<T> first;

    private IMessageConsumer<T> second;

    public ConditionalMessageConsumer(

        Func<T, bool> condition,

        IMessageConsumer<T> first,

        IMessageConsumer<T> second)

        if (condition == null)

            throw new ArgumentNullException("condition");

        if (first == null)

            throw new ArgumentNullException("first");

        if (second == null)

            throw new ArgumentNullException("second");

        this.condition = condition;

        this.first = first;

        this.second = second;

    public void Consume(T message)

        (this.condition(message) ? this.first : this.second)

            .Consume(message);

This is more verbose than the ?! operator because C# doesn’t allow us to define operator overloads for interfaces, but apart from that, it does exactly the same thing. Notice particularly that the Consume method uses the ?! operator to select among the two alternatives, and then subsequently invokes the Consume method on the selected consumer.

We can use the ConditionalMessageConsumer to define branches in the consumption of messages. As an example, we can encapsulate the previous CompositeMessageConsumer<MakeReservationCommand> into a conditional branch like this:

var consumer =

    new ConditionalMessageConsumer<MakeReservationCommand>(

        guard.HasCapacity, c, rejectRaiser);

Notice that I use the method group syntax to supply the condition delegate. If the HasCapacity method returns true, the previous composite (c) is being invoked, but if the result is false we instead use a consumer that raises the Domain Event that the reservation request was rejected.

Concluding thoughts

Apart from the direct purpose of providing examples of the immensely powerful composition options a Command interface provides I want to point out a couple of things:

Each of the design pattern implementations (Null Object, Composite – even Conditional) are generic. This is a strong testament to the power of this particular abstraction.
The dynamic mocks I’m familiar with (Moq, Rhino Mocks) will by default try to create Null Object implementations for interfaces without explicit setups. Since it’s trivial to implement a Null Command, they just emit them by default. If you use an AutoMocking Container with your unit tests, you can refactor to your heart’s content, adding and removing dependencies as long as they are Command interfaces, and your testing infrastructure will just take care of things for you. It’ll just work.
Did you notice that even with these few building blocks we have implemented a large part of a sequential workflow engine? We can execute consumers in sequence as well as branch between different sequences. Obviously, more building blocks are needed to make a full-blown workflow engine, but not that many. I’ll leave the rest as an exercise to the reader :)

As I originally sketched, a Command interface is the ultimate in composability. To illustrate, the application from where I took the above examples is a small application with 48 types (classes and interfaces) in the production code base (that is, excluding unit tests). Of these, 9 are implementations of the IMessageConsumer<T> interface. If we also count the interface itself, it accounts for more than 20 percent of the code base. According to the Reused Abstractions Principle (RAP) I consider this a very successful abstraction.

Encapsulating AutoFixture Customizations

Mark Seemann — Fri, 18 Mar 2011 12:51:08 GMT

AutoFixture is designed around the 80-20 principle. If your code is well-designed I’d expect a default instance of Fixture to be able to create specimens of your classes without too much trouble. There are cases where AutoFixture needs extra help:

If a class consumes interfaces a default Fixture will not be able to create it. However, this is easily fixed through one of the AutoMocking Customizations.
If an API has circular references, Fixture might enter an infinite recursion, but you can easily customize it to cut off one the references.
Some constructors may only accept arguments that don’t fit with the default specimens created by Fixture. There are ways to deal with that as well.

I could keep on listing examples, but let’s keep it at that. The key assumption underlying AutoFixture is that these special cases are a relatively small part of the overall API you want to test – preferably much less than 20 percent.

Still, to address those special cases you’ll need to customize a Fixture instance in some way, but you also want to keep your test code DRY.

As the popularity of AutoFixture grows, I’m getting more and more glimpses of how people address this challenge: Some derive from Fixture, others create extension methods or other static methods, while others again wrap creation of Fixture instances in Factories or Builders.

There really is no need to do that. AutoFixture has an idiomatic way to encapsulate Customizations. It’s called… well… a Customization, which is just another way to say that there’s an ICustomization interface that you can implement. This concept corresponds closely to the modularization APIs for several well-known DI Containers. Castle Windsor has Installers, StructureMap has Registries and Autofac has Modules.

The ICustomization interface is simple and has a very gentle learning curve:

public interface ICustomization

    void Customize(IFixture fixture);

Anything you can do with a Fixture instance you can also do with the IFixture instance passed to the Customize method, so this is the perfect place to encapsulate common Customizations to AutoFixture. Note that the AutoMocking extensions as well as several other optional behaviors for AutoFixture are already defined as Customizations.

Using a Customization is also easy:

var fixture = new Fixture()

    .Customize(new DomainCustomization());

You just need to invoke the Customize method on the Fixture. That’s no more difficult than calling a custom Factory or extension method – particularly if you also use a Visual Studio Code Snippet.

When I start a new unit testing project, one of the first things I always do is to create a new ‘default’ customization for that project. It usually doesn’t take long before I need to tweak it a bit – if nothing else, then for adding the AutoMoqCustomization. To apply separation of concerns I encapsulate each Customization in its own class and compose them with a CompositeCustomization:

public class DomainCustomization : CompositeCustomization

    public DomainCustomization()

        : base(

            new AutoMoqCustomization(),

            new FuncCustomization())

Whenever I need to make sweeping changes to my Fixtures I can simply modify DomainCustomization or one of the Customizations it composes.

In fact, these days I rarely explicitly create new Fixture instances, but rather encapsulate them in a custom AutoDataAttribute like this:

public class AutoDomainDataAttribute : AutoDataAttribute

    public AutoDomainDataAttribute()

        : base(new Fixture()

            .Customize(new DomainCustomization()))

This means that I can reuse the DomainCustomization across normal, imperative unit tests as well as the declarative, xUnit.net-powered data theories I normally prefer:

[Theory, AutoDomainData]

public void CanReserveReturnsTrueWhenQuantityIsEqualToRemaining(

    Capacity sut, Guid id)

    var result = sut.CanReserve(sut.Remaining, id);

    Assert.True(result);

Using Customizations to encapsulate your own specializations makes it easy to compose and manage them in an object-oriented fashion.

Resolving closed types with MEF

Mark Seemann — Mon, 14 Mar 2011 20:49:11 GMT

A while back I posed the challenge of resolving closed types with MEF. I received some responses, but I also wanted to provide an alternative outline for a solution. In case you don’t remember the problem statement, it revolved around using the Managed Extensibility Framework (MEF) to compose classes in those cases where it’s impossible to annotate those classes with the MEF attributes. In the given example I want to compose the Mayonnaise class from EggYolk and OliveOil, but all three classes are sealed and cannot be recompiled.

As I describe in my book, a general solution to this type of problem is to create a sort of adapter the exports the closed type via a read-only attribute, like these EggYolkAdapter and MayonnaiseAdapter classes (the OliveOilAdapter looks just like the EggYolkAdapter):

public class EggYolkAdapter

    private readonly EggYolk eggYolk;

    public EggYolkAdapter()

        this.eggYolk = new EggYolk();

    [Export]

    public virtual EggYolk EggYolk

        get { return this.eggYolk; }

public class MayonnaiseAdapter

    private readonly Mayonnaise mayo;

    [ImportingConstructor]

    public MayonnaiseAdapter(

        EggYolk yolk, OliveOil oil)

        if (yolk == null)

            throw new ArgumentNullException("yolk");

        if (oil == null)

            throw new ArgumentNullException("oil");

        this.mayo = new Mayonnaise(yolk, oil);

    [Export]

    public virtual Mayonnaise Mayonnaise

        get { return this.mayo; }

Doing it like this is always possible, but if you have a lot of types that you need to compose, it becomes tedious having to define a lot of similar adapters. Fortunately, we can take it a step further and generalize the idea of a MEF adapter to a small set of generic classes.

The EggYolkAdapter can be generalized as follows:

public class MefAdapter<T> where T : new()

    private readonly T export;

    public MefAdapter()

        this.export = new T();

    [Export]

    public virtual T Export

        get { return this.export; }

Notice that I’ve more or less just replaced the EggYolk class with a type argument (T). However, I also had to add the generic new() constraint, which is often quite restrictive. However, to support a type like Mayonnaise, I can create another, similar generic MEF adapter like this:

public class MefAdapter<T1, T2, TResult>

    private readonly static Func<T1, T2, TResult> createExport =

        FuncFactory.Create<T1, T2, TResult>();

    private readonly TResult export;

    [ImportingConstructor]

    public MefAdapter(T1 arg1, T2 arg2)

        this.export = createExport(arg1, arg2);

    [Export]

    public virtual TResult Export

        get { return this.export; }

The major difference from the simple MefAdapter<T> is that we need slightly more complicated code to invoke the constructor of TResult, which is expected to take two constructor arguments of types T1 and T2. This work is delegated to a FuncFactory that builds and compiles the appropriate delegate using an expression tree:

internal static Func<T1, T2, TResult>

    Create<T1, T2, TResult>()

    var arg1Exp =

        Expression.Parameter(typeof(T1), "arg1");

    var arg2Exp =

        Expression.Parameter(typeof(T2), "arg2");

    var ctorInfo =

        typeof(TResult).GetConstructor(new[]

            typeof(T1),

            typeof(T2)

});

    var ctorExp =

        Expression.New(ctorInfo, arg1Exp, arg2Exp);

    return Expression.Lambda<Func<T1, T2, TResult>>(

        ctorExp, arg1Exp, arg2Exp).Compile();

With a couple of MEF adapters, I can now compose a MEF Catalog almost like I can with a real DI Container, and resolve the Mayonnaise class:

var catalog = new TypeCatalog(

    typeof(MefAdapter<OliveOil>),

    typeof(MefAdapter<EggYolk>),

    typeof(MefAdapter<EggYolk, OliveOil, Mayonnaise>)

);

var container = new CompositionContainer(catalog);

var mayo = container.GetExportedValue<Mayonnaise>();

If you want to change the Creation Policy to NonShared, you can derive from the MefAdapter classes and annotate them with [PartCreationPolicy] attributes.

I’d never voluntarily choose to use MEF like this, but if I was stuck with MEF in a project and had to use it like a DI Container, I’d do something like this.

Compose object graphs with confidence

Mark Seemann — Fri, 04 Mar 2011 11:15:10 GMT

The main principle behind the Register Resolve Release pattern is that loosely coupled object graphs should be composed as a single action in the entry point of the application (the Composition Root). For request-based applications (web sites and services), we use a variation where we compose once per request.

It seems to me that a lot of people are apprehensive when they first hear about this concept. It may sound reasonable from an architectural point of view, but isn’t it horribly inefficient? A well-known example of such a concern is Jeffrey Palermo’s blog post Constructor over-injection anti-pattern. Is it really a good idea to compose a complete object graph in one go? What if we don’t need part of the graph, or only need it later? Doesn’t it adversely affect response times?

Normally it doesn’t, and if it does, there are elegant ways to address the issue.

In the rest of this blog post I will expand on this topic. To keep the discussion as simple as possible, I’ll restrict my analysis to object trees instead of full graphs. This is quite a reasonable simplification as we should strive to avoid circular dependencies, but even in the case of full graphs the arguments and techniques put forward below hold.

Consider a simple tree composed of classes from three different assemblies:

All the A classes (blue) are defined in the A assembly, B classes (green) in the B assembly, and the C1 class (red) in the C assembly. In code we create the tree with Constructor Injection like this:

var t =

    new A1(

        new A2(

            new B1(

                new B2()),

            new A3()),

        new C1(

            new B3()));

Given the tree above, we can now address the most common concerns about composing object trees in one go.

Will it be slow?

Most likely not. Keep in mind that Injection Constructors should be very simple, so not a lot of work is going on during composition. Obviously just creating new object instances takes a bit of time in itself, but we create objects instances all the time in .NET code, and it’s often a very fast operation.

Even when using DI Containers, which perform a lot of (necessary) extra work when creating objects, we can create tens of thousand trees per second. Creation of objects simply isn’t that big a deal.

But still: what about assembly loading?

I glossed over an important point in the above argument. While object creation is fast, it sometimes takes a bit of time to load an assembly. The tree above uses classes from three different assemblies, so to create the tree all three assemblies must be loaded.

In many cases that’s a performance hit you’ll have to take because you need those classes anyway, but sometimes you might be concerned with taking this performance hit too early. However, I make the claim that in the vast majority of cases, this concern is irrelevant.

In this particular context there are two different types of applications: Request-based applications (web) and all the rest (desktop apps, daemons, batch-jobs, etc.).

Request-based applications

For request-based applications such as web sites and REST services, an object tree must be composed for each request. However, all requests are served by the same AppDomain, so once an assembly is loaded, it sticks around to be available for all subsequent requests. Thus, the first few requests will suffer a performance penalty from having to load all assemblies, but after that there will be no performance impact.

In short, in request-based applications, you can compose object trees with confidence. In only extremely rare cases should you have performance issues from composing the entire tree in one go.

Long-running applications

For long-running applications the entire object tree must be composed at start-up. For background services such as daemons and batch processes the start-up time probably doesn’t matter much, but for desktop applications it can be of great importance.

In some cases the application requires the entire tree to be immediately available, in which case there’s not a lot you can do. Still, once all assemblies have been loaded, actually creating the tree will be very fast.

In other cases an entire branch of the tree may not be immediately required. As an example, if the C1 node in the above graph isn’t needed right away, we could improve start-up time if we could somehow defer creating that branch, because this would also defer loading of the entire C assembly.

Deferred branches

Since object creation is fast, the only case where it makes sense to defer loading of a branch is when creation of that branch causes an assembly to be loaded. If we can defer creation of such a branch, we can also defer loading of the assembly, thus improving the time it takes to compose the initial tree.

Imagine that we wish to defer creation of the C1 branch of the above tree. It will prevent the C assembly from being loaded because that assembly is not used in any other place in the tree. However, it will not prevent the B assembly from being loaded, since that assembly is also being used by the A2 node.

Still, in those rare situations where it makes sense to defer creation of a branch, we can make that cut into a part of the infrastructure of the tree. I originally described this technique as a reaction to the above mentioned post by Jeffrey Palermo, but here’s a restatement in the current context.

We can defer creating the C1 node by wrapping it in a lazy implementation of the same interface. The C1 node implements an interface called ISolo<IMarker>, so we can wrap it in a Virtual Proxy that defers creation of C1 until it’s needed:

public class LazySoloMarker : ISolo<IMarker>

    private readonly Lazy<ISolo<IMarker>> lazy;

    public LazySoloMarker(Lazy<ISolo<IMarker>> lazy)

        if (lazy == null)

            throw new ArgumentNullException("lazy");

        this.lazy = lazy;

    #region ISolo<IMarker> Members

    public IMarker Item

        get { return this.lazy.Value.Item; }

    #endregion

This Virtual Proxy takes a Lazy<ISolo<IMarker>> as input and defers to it to implement the members of the interface. This only causes the Value property to be created when it’s first accessed – which may be long after the LazySoloMarker instance was created.

The tree can now be composed like this:

var t =

    new A1(

        new A2(

            new B1(

                new B2()),

            new A3()),

        new LazySoloMarker(

            new Lazy<ISolo<IMarker>>(() => new C1(

                new B3()))));

This retains all the original behavior of the original tree, but defers creation of the C1 node until it’s needed for the first time.

The bottom line is this: you can compose the entire object graph with confidence. It’s not going to be a performance bottleneck.

Injection Constructors should be simple

Mark Seemann — Thu, 03 Mar 2011 14:18:54 GMT

The Constructor Injection design pattern is a extremely useful way to implement loose coupling. It’s easy to understand and implement, but sometime perhaps a bit misunderstood.

The pattern itself is easily described through an example:

private readonly ISpecimenBuilder builder;

public SpecimenContext(ISpecimenBuilder builder)

    if (builder == null)

        throw new ArgumentNullException("builder");

    this.builder = builder;

The SpecimenContext constructor statically declares that it requires an ISpecimenBuilder instance as an argument. To guarantee that the the builder field is an invariant of the class, the constructor contains a Guard Clause before it assigns the builder parameter to the builder field. This pattern can be repeated for each constructor argument.

It’s important to understand that when using Constructor Injection the constructor should contain no additional logic.

An Injection Constructor should do no more than receiving the dependencies.

This is simply a rephrasing of Nikola Malovic’s 4th law of IoC. There are several reasons for this rule of thumb:

When we compose applications with Constructor Injection we often create substantial object graphs, and we want to be able to create these graphs as efficiently as possible. This is Nikola’s original argument.
In the odd (and not recommended) cases where you have circular dependencies, the injected dependencies may not yet be fully initialized, so an attempt to invoke their members at that time may result in an exception. This issue is similar to the issue of invoking virtual members from the constructor. Conceptually, an injected dependency is equivalent to a virtual member.
With Constructor Injection, the constructor’s responsibility is to demand and receive the dependencies. Thus, according to the Single Responsibility Principle (SRP), it should not try to do something else as well. Some readers might argue that I’m misusing the SRP here, but I think I’m simply applying the underlying principle in a more granular context.

There’s no reason to feel constrained by this rule, as in any case the constructor is an implementation detail. In loosely coupled code, the constructor is not part of the overall application API. When we consider the API at that level, we are still free to design the API as we’d like.

Please notice that this rule is contextual: it applies to Services that use Constructor Injection. Entities and Value Objects tend not to use DI, so their constructors are covered by other rules.

Interfaces are access modifiers

Mark Seemann — Mon, 28 Feb 2011 13:19:04 GMT

.NET developers should by familiar with the standard access modifiers (public, protected, internal, private). However, in loosely coupled code we can regard interface implementations as a fifth access modifier. This concept was originally introduced to me by Udi Dahan the only time I’ve had the pleasure of meeting him. That was many years ago and while I didn’t grok it back then, I’ve subsequently come to appreciate it quite a lot.

Although I can’t take credit for the idea, I’ve never seen it described, and it really deserves to be.

The basic idea is simple:

If a consumer respects the Liskov Substitution Principle (LSP), the only visible members are those belonging to the interface. Thus, the interface represents a dimension of visibility.

As an example, consider this simple interface from AutoFixture:

public interface ISpecimenContext

    object Resolve(object request);

A well-behaved consumer can only invoke the Resolve method even though an implementation may have additional public members:

public class SpecimenContext : ISpecimenContext

    private readonly ISpecimenBuilder builder;

    public SpecimenContext(ISpecimenBuilder builder)

        if (builder == null)

            throw new ArgumentNullException("builder");

        this.builder = builder;

    public ISpecimenBuilder Builder

        get { return this.builder; }

    #region ISpecimenContext Members

    public object Resolve(object request)

        return this.Builder.Create(request, this);

    #endregion

Even though the SpecimenContext class defines the Builder property, as well as a public constructor, any consumer respecting the LSP will only see the Resolve method.

In fact, the Builder property on the SpecimenContext class mostly exists to support unit testing because I sometimes need to assert that a given instance of SpecimenContext contains the expected ISpecimenBuilder. This doesn’t break encapsulation since the Builder is exposed as a read-only property, and it more importantly doesn’t pollute the API.

To support unit testing (and whichever other clients might be interested in the encapsulated ISpecimenBuilder) we have a public property that follows all framework design guidelines. However, it’s essentially an implementation detail, so it’s not visible via the ISpecimenContext interface.

When writing loosely coupled code, I’ve increasingly begun to see the interfaces as the real API. Most other (even public) members are pure implementation details. If the members are public, I still demand that they follow the framework design guidelines, but I don’t consider them parts of the API. It’s a very important distinction.

The interfaces define the bulk of an application’s API. Most other types and members are implementation details.

An important corollary is that constructors are implementation details too, since they can never by part of any interfaces.

In that sense we can regard interfaces as a fifth access modifier – perhaps even the most important one.

Creating general populated lists with AutoFixture

Mark Seemann — Tue, 08 Feb 2011 14:53:16 GMT

In my previous post I described how to customize a Fixture instance to populate lists with items instead of returning empty lists. While it’s pretty easy to do so, the drawback is that you have to do it explicitly for every type you want to influence. In this post I will follow up by describing how to enable some general conventions that simply populates all collections that the Fixture resolves.

This post describes a feature that will be available in AutoFixture 2.1. It’s not available in AutoFixture 2.0, but is already available in the code repository. Thus, if you can’t wait for AutoFixture 2.1 you can download the source and built it.

Instead of having to create multiple customizations for IEnumerable<int>, IList<int>, List<int>, IEnumerable<string>, IList<string>, etc. you can simply enable these general conventions as easy as this:

var fixture = new Fixture()

    .Customize(new MultipleCustomization());

Notice that enabling conventions for populating sequences and lists with ‘many’ items is an optional customization that you must explicitly add.

This feature must be explicitly enabled. There are several reasons for that:

It would be a breaking change if AutoFixture suddenly started to behave like this by default.
The MultipleCustomization targets not only concrete types such as List<T> and Collection<T>, but also interfaces such as IEnumerable<T>, IList<T> etc. Thus, if you also use AutoFixture as an Auto-Mocking container, I wanted to provide the ability to define which customization takes precedence.

With that simple customization enabled, all requested IEnumerable<T> are now populated. The following will give us a finite, but populated list of integers:

var integers =

    fixture.CreateAnonymous<IEnumerable<int>>();

This will give us a populated List<int>:

var list = fixture.CreateAnonymous<List<int>>();

This will give us a populated Collection<int>:

var collection =

    fixture.CreateAnonymous<Collection<int>>();

As implied above, it also handles common list interfaces, so this gives us a populated IList<T>:

var list = fixture.CreateAnonymous<IList<int>>();

The exact number of ‘many’ is as always determined by the Fixture’s RepeatCount.

As this code is still (at the time of publishing) in preview, I would love to get feedback on this feature.

Creating specific populated lists with AutoFixture

Mark Seemann — Mon, 07 Feb 2011 19:49:26 GMT

How do you get AutoFixture to create populated lists or sequences of items? Recently I seem to have been getting this question a lot, and luckily it’s quite easy to answer.

Let’s first look at the standard AutoFixture behavior and API.

You can ask AutoFixture to create an anonymous List like this:

var list = fixture.CreateAnonymous<List<int>>();

Seen from AutoFixture’s point of view, List<int> is just a class like any other. It has a default constructor, so AutoFixture just uses that and returns an instance. You get back an instance, no exceptions are thrown, but the list is empty. What if you’d rather want a populated list?

There are many ways to go about this. A simple, low-level solution is to populate the list after creation:

fixture.AddManyTo(list);

However, you may instead prefer getting a populated list right away. This is also possible, but before we look at how to get there, I’d like to point out a feature that surprisingly few users notice. You can create many anonymous specimens at once:

var integers = fixture.CreateMany<int>();

Armed with this knowledge, as well as the knowledge of how to map types, we can now create this customization to map IEnumerable<int> to CreateMany<int>:

fixture.Register(() => fixture.CreateMany<int>());

The Register method is really a generic method, but since we have type inference, we don’t have to write it out. However, since CreateMany<int>() returns IEnumerable<int>, this is the type we register. Thus, every time we subsequently resolve IEnumerable<int>, we will get back a populated sequence.

Getting back to the original List<int> example, we can now customize it to a populated list like this:

fixture.Register(() =>

    fixture.CreateMany<int>().ToList());

Because the ToList() extension method returns List<T>, this call registers List<int> so that we will get back a populated list of integers every time the fixture resolves List<int>.

What about other collection types that don’t have a nice LINQ extension method? Personally, I never use Collection<T>, but if you wanted, you could customize it like this:

fixture.Register(() =>

    new Collection<int>(

        fixture.CreateMany<int>().ToList()));

Since Collection<T> has a constructor overload that take IList<T> we can customize the type to use this specific overload and populate it with ‘many’ items.

Finally, we can combine all this to map from collection interfaces to populated lists. As an example, we can map from IList<int> to a populated List<int> like this:

fixture.Register<IList<int>>(() =>

    fixture.CreateMany<int>().ToList());

When we use the Register method to map types we can no longer rely on type inference. Instead, we must explicitly register IList<int> against a delegate that creates a populated List<int>. Because List<int> implements IList<int> this compiles. Whenever this fixture instance resolves IList<int> it will create a populated List<int>.

All of this describes what you can do with the strongly typed API available in AutoFixture 2.0. It’s easy and very flexible, but the only important drawback is that it’s not general. All of the customizations in this post specifically address lists and sequences of integers, but not lists of any other type. What if you would like to expand this sort of behavior to any List<T>, IEnumerable<T> etc?

Stay tuned, because in the next post I will describe how to do that.