RSS

Tag Archives: security

Barebone Angular Project with Auth0

Simple project to demonstrate how to use Auth0 in Angular project, download code on Github.

To get started, you must have Auth0 account.
To setup the project, update following value in `environment.ts`:
1. Client ID. This is the id of your app you created in Auth0 dashboard. See here.
2. Client Domain. Your Auth0 domain to authenticate user. See here.
3. Callback Url. This is url Auth0 will redirect to after user is authenticated. This url must be white-listed in Auth0 dashboard. See here.
4. Logout Url. This is url Auth0 will redirect to after user logout. This url must be white-listed in Auth0 dashboard. See here.

The juice is on `service/auth.service.ts`, following are explanations of each methods:
1. Login
Call Auth0 authorize method to authenticate users. The method will redirect user to Auth0, if user is not authenticated, a login screen will displated, if user is authenticated Auth0 will redirect to callback endpoint and pass id token.

2. HandleAuthentication
Parse response object from Auth0 which contain id token, access token, expiration time and other information. Redirect user to appropriate url depend on the authorization results.

3. SetSession
Set authentication tokens and expiration in browser’s storage. User is authenticated.

4. Logout
Remove authentication tokens and expiration from browser’s storage. User is not authenticated anymore.

5. IsAuthenticated
Check browser’s storage to see if user is authenticated.

Advertisements
 
Leave a comment

Posted by on November 27, 2018 in General

 

Tags: , , , , , ,

Create All Purpose Self-Signed Certificate with Makecert

All Purpose Certificate (with Certificate Authority)

#Root authority certificate
C:\>makecert -n "CN=TempCA" -pe -r -sv TempCA.pvk TempCA.cer
#Certificate
C:\>makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

All Purpose Certificate (w/o the Certificate Authority)

#Self-signed Certificate
C:\>makecert -r -pe -n "CN=SignedByCA" -sr currentuser -ss my

The certificate will be installed in Current User, Personal store.

From there you can export the private key. Alternatively, use pvk2pfx to export.
 
For local SSL specific certificate: How to Create Valid and Trusted SSL Certificate (Wildcard) for Development

Reference
Microsoft Docs
Makecert Documentation

 
Leave a comment

Posted by on May 6, 2018 in General

 

Tags: ,

Conceal Sensitive Information with Azure Role-Based Access Control (RBAC)

Use Role-Based Access Control to Hide Access to Configurations, Connection Strings, Account Keys and Certificates

Access to Azure services can be defined in a more granular level. This is useful when you want to grant access to certain services without revealing sensitive information, such as account keys, connection strings or certificates.

RBAC Custom Roles

This can be achieved by defining Custom Roles in RBAC. Built-in roles is not going to be sufficient.

For example, we could restrict access to Azure Cloud Service ‘s Configurations and Certificates below:

azure-rbac-1

{
  "Name": "Dev Ops",
  "Id": "<some_guid>",
  "IsCustom": true,
  "Description": "Dev Ops role.",
  "Actions": [
    "Microsoft.ClassicCompute/domainNames/read",
	"Microsoft.ClassicCompute/domainNames/slots/roles/providers/Microsoft.Insights/metricDefinitions/read",
	"Microsoft.ClassicCompute/domainNames/slots/start/action",
	"Microsoft.ClassicCompute/domainNames/slots/state/start/write",
	"Microsoft.ClassicCompute/domainNames/slots/state/stop/write",
	"Microsoft.ClassicCompute/domainNames/slots/stop/action",
	"Microsoft.ClassicCompute/domainNames/swap/action"
  ],
  "NotActions": [
	"Microsoft.ClassicCompute/domainNames/slots/read",
	"Microsoft.ClassicCompute/domainNames/serviceCertificates/operationStatuses/read",
	"Microsoft.ClassicCompute/domainNames/serviceCertificates/read"
  ],
  "AssignableScopes": [
    "/subscriptions/<some_guid>"
  ]
}

What restrict users access to the configurations and certificates are the resource provider operations in NotActions.

What Resource Provider Needed for Azure Service?

In the example above, I use Azure Cloud Service as an example and the resource provider for Azure Cloud Service is Microsoft.ClassicCompute.

You can find out what resource provider used in an Azure Service from the URL. For example, this is URL for Azure Cloud Service.

azure-rbac-2

The part where it says Microsoft.ClassicCompute is what tells you which resource provider to use.

More

The challenge is to find resource provider operations to suit your needs.

For more information on how to create custom roles, available built-in roles and list of resource provider operations, see the links in References.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

 
Leave a comment

Posted by on April 24, 2018 in General

 

Tags: ,

Get Private Key and Certificate from .PFX

Export the private key from .PFX file

C:\> openssl pkcs12 -in filename.pfx -nocerts -out privatekey.pem

Decrypt the encrypted private key

C:\> openssl rsa -in privatekey.pem -out private.key

The final private.key file is the the private key file.

Export the certificate from the .PFX file

C:\> openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

The cert.pem output from the command is the certificate file.

 
Leave a comment

Posted by on February 2, 2018 in General

 

Tags: , ,

Claims-Based Authorization in ASP.Net MVC and Web Api

Normally, I would re-write a blog post in hope to provide better explanation and concise the article, but since this is from Dominick Baier, I think he does it the best.

So, here’s it, how to apply claims based authorization in ASP.Net MVC and Web Api:

http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

 
Leave a comment

Posted by on May 28, 2015 in General

 

Tags: , , , , ,

Add Authentication to MongoDB Database

To prevent un-authorized access to your MongoDB database, you can add security to it by requiring authentication whenever someone tries to connect.

It’s simple, run the mongod with --auth option. the command is:

// To add user
> use admin;
> db.addUser('admin','123456');

// Start mongod with --auth
$ sudo mongod --auth --dbpath /data

// Run mongo and login
$ mongo localhost:27017
> use admin
> db.auth('admin','123456');

// Include login in mongo command
$ mongo localhost:456789/admin -u admin-p 123456

More MongoDB security option: http://docs.mongodb.org/manual/administration/security/

 
1 Comment

Posted by on May 7, 2015 in General

 

Tags: , , ,

Unit Testing WIF’s ClaimsPrincipalPermission.CheckAccess

WIF 4.5 has ClaimsPrincipalPermission.CheckAccess method, very useful to check user’s authorization. You can use this as method call or attribute.

// Imperative method call
using System.IdentityModel.Services;
public ActionResult Index()
{
    ClaimsPrincipalPermission.CheckAccess("foo", "bar");

    return View();
}

// Attribute
[ClaimsPrincipalPermission(SecurityAction.Demand, Operation="foo", Resource="bar")]
public ActionResult ViewFoobar()
{
    return View();
}

Either way, how do we unit test this? My approach is to first abstract out ClaimsPrincipalPermission and create a new wrapper class that will be injected to the dependent class.

Abstract Out

using System.IdentityModel.Services;

public class ClaimsPrincipalWrapper : IClaimsPrincipalWrapper
{
    public void CheckAccess(string resource, string action)
    {
        ClaimsPrincipalPermission.CheckAccess(resource, action);
    }
}

Dependency Injection

using System.IdentityModel.Services;

public class HomeController : Controller
{
    private readonly IClaimsPrincipalWrapper _ClaimsPrincipalWrapper;

    public HomeController(IClaimsPrincipalWrapper claimsPrincipalWrapper)
    {
        _ClaimsPrincipalWrapper = claimsPrincipalWrapper;
    }

    public ActionResult Index()
    {
        _ClaimsPrincipalWrapper.CheckAccess("foo", "bar");

        return View();
    }
}

Unit Test

[TestMethod]
public void TestIndex()
{
    // Arrange
    var _claimsPrincipal = new Mock<IClaimsPrincipalWrapper>();
    _claimsPrincipal.Setup(m => m.CheckAccess(It.IsAny<string>, It.IsAny<string>));
    var _controller = new HomeController(_claimsPrincipalMock.Object);

    // Act
    var _result = _controller.Index() as ViewResult;

    // Assert
    Assert.IsTrue(_result.View != null);
}
 
Leave a comment

Posted by on May 4, 2015 in General

 

Tags: , , , , , , ,

 
%d bloggers like this: