Free eBooks

Everyone gotta loves free stuff. Here are free eBooks that would improve your technical skills and knowledge.


Cognitive Complexity

Fairly short read. SonarQube, a company that makes an automatic code-review tool with the same name, has come up with an algorithm to determine how complex code is and the score to determine easy it’s to understand, called Cognitive Complexity.


Azure Security Best Practices

If you are in Azure environment, this is a really good resource to understand what Azure has to offer to secure your application and environment. From identity management, network, monitoring system, VMs and database, it covers pretty much everything security.


Learn Azure in a Month of Lunches

You can learn everything Azure in a month of lunches, that’s 30 days x 1 hour = 30 hours! Sounds pretty good deal to me!


Advertisements

Barebone Angular Project with Auth0

Simple project to demonstrate how to use Auth0 in Angular project, download code on Github.

To get started, you must have Auth0 account.
To setup the project, update following value in `environment.ts`:
1. Client ID. This is the id of your app you created in Auth0 dashboard. See here.
2. Client Domain. Your Auth0 domain to authenticate user. See here.
3. Callback Url. This is url Auth0 will redirect to after user is authenticated. This url must be white-listed in Auth0 dashboard. See here.
4. Logout Url. This is url Auth0 will redirect to after user logout. This url must be white-listed in Auth0 dashboard. See here.

The juice is on `service/auth.service.ts`, following are explanations of each methods:
1. Login
Call Auth0 authorize method to authenticate users. The method will redirect user to Auth0, if user is not authenticated, a login screen will displated, if user is authenticated Auth0 will redirect to callback endpoint and pass id token.

2. HandleAuthentication
Parse response object from Auth0 which contain id token, access token, expiration time and other information. Redirect user to appropriate url depend on the authorization results.

3. SetSession
Set authentication tokens and expiration in browser’s storage. User is authenticated.

4. Logout
Remove authentication tokens and expiration from browser’s storage. User is not authenticated anymore.

5. IsAuthenticated
Check browser’s storage to see if user is authenticated.

Create All Purpose Self-Signed Certificate with Makecert

All Purpose Certificate (with Certificate Authority)

#Root authority certificate
C:\>makecert -n "CN=TempCA" -pe -r -sv TempCA.pvk TempCA.cer
#Certificate
C:\>makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

All Purpose Certificate (w/o the Certificate Authority)

#Self-signed Certificate
C:\>makecert -r -pe -n "CN=SignedByCA" -sr currentuser -ss my

The certificate will be installed in Current User, Personal store.

From there you can export the private key. Alternatively, use pvk2pfx to export.
 
For local SSL specific certificate: How to Create Valid and Trusted SSL Certificate (Wildcard) for Development

Reference
Microsoft Docs
Makecert Documentation

Conceal Sensitive Information with Azure Role-Based Access Control (RBAC)

Use Role-Based Access Control to Hide Access to Configurations, Connection Strings, Account Keys and Certificates

Access to Azure services can be defined in a more granular level. This is useful when you want to grant access to certain services without revealing sensitive information, such as account keys, connection strings or certificates.

RBAC Custom Roles

This can be achieved by defining Custom Roles in RBAC. Built-in roles is not going to be sufficient.

For example, we could restrict access to Azure Cloud Service ‘s Configurations and Certificates below:

azure-rbac-1

{
  "Name": "Dev Ops",
  "Id": "<some_guid>",
  "IsCustom": true,
  "Description": "Dev Ops role.",
  "Actions": [
    "Microsoft.ClassicCompute/domainNames/read",
	"Microsoft.ClassicCompute/domainNames/slots/roles/providers/Microsoft.Insights/metricDefinitions/read",
	"Microsoft.ClassicCompute/domainNames/slots/start/action",
	"Microsoft.ClassicCompute/domainNames/slots/state/start/write",
	"Microsoft.ClassicCompute/domainNames/slots/state/stop/write",
	"Microsoft.ClassicCompute/domainNames/slots/stop/action",
	"Microsoft.ClassicCompute/domainNames/swap/action"
  ],
  "NotActions": [
	"Microsoft.ClassicCompute/domainNames/slots/read",
	"Microsoft.ClassicCompute/domainNames/serviceCertificates/operationStatuses/read",
	"Microsoft.ClassicCompute/domainNames/serviceCertificates/read"
  ],
  "AssignableScopes": [
    "/subscriptions/<some_guid>"
  ]
}

What restrict users access to the configurations and certificates are the resource provider operations in NotActions.

What Resource Provider Needed for Azure Service?

In the example above, I use Azure Cloud Service as an example and the resource provider for Azure Cloud Service is Microsoft.ClassicCompute.

You can find out what resource provider used in an Azure Service from the URL. For example, this is URL for Azure Cloud Service.

azure-rbac-2

The part where it says Microsoft.ClassicCompute is what tells you which resource provider to use.

More

The challenge is to find resource provider operations to suit your needs.

For more information on how to create custom roles, available built-in roles and list of resource provider operations, see the links in References.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

Get Private Key and Certificate from .PFX

Export the private key from .PFX file

C:\> openssl pkcs12 -in filename.pfx -nocerts -out privatekey.pem

Decrypt the encrypted private key

C:\> openssl rsa -in privatekey.pem -out private.key

The final private.key file is the the private key file.

Export the certificate from the .PFX file

C:\> openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

The cert.pem output from the command is the certificate file.

Claims-Based Authorization in ASP.Net MVC and Web Api

Normally, I would re-write a blog post in hope to provide better explanation and concise the article, but since this is from Dominick Baier, I think he does it the best.

So, here’s it, how to apply claims based authorization in ASP.Net MVC and Web Api:

http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

Add Authentication to MongoDB Database

To prevent un-authorized access to your MongoDB database, you can add security to it by requiring authentication whenever someone tries to connect.

It’s simple, run the mongod with --auth option. the command is:

// To add user
> use admin;
> db.addUser('admin','123456');

// Start mongod with --auth
$ sudo mongod --auth --dbpath /data

// Run mongo and login
$ mongo localhost:27017
> use admin
> db.auth('admin','123456');

// Include login in mongo command
$ mongo localhost:456789/admin -u admin-p 123456

More MongoDB security option: http://docs.mongodb.org/manual/administration/security/