RSS

Tag Archives: security

Create All Purpose Self-Signed Certificate with Makecert

All Purpose Certificate

#Root authority certificate
C:\>makecert -n "CN=TempCA" -pe -r -sv TempCA.pvk TempCA.cer
#Certificate
C:\>makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

The certificate will be installed in Current User, Personal store.

From there you can export the private key. Alternatively, use pvk2pfx to export.

For local SSL specific certificate: How to Create Valid and Trusted SSL Certificate (Wildcard) for Development

Reference
Microsoft Docs

Advertisements
 
Leave a comment

Posted by on May 6, 2018 in General

 

Tags: ,

Conceal Sensitive Information with Azure Role-Based Access Control (RBAC)

Use Role-Based Access Control to Hide Access to Configurations, Connection Strings, Account Keys and Certificates

Access to Azure services can be defined in a more granular level. This is useful when you want to grant access to certain services without revealing sensitive information, such as account keys, connection strings or certificates.

RBAC Custom Roles

This can be achieved by defining Custom Roles in RBAC. Built-in roles is not going to be sufficient.

For example, we could restrict access to Azure Cloud Service ‘s Configurations and Certificates below:

azure-rbac-1

{
  "Name": "Dev Ops",
  "Id": "<some_guid>",
  "IsCustom": true,
  "Description": "Dev Ops role.",
  "Actions": [
    "Microsoft.ClassicCompute/domainNames/read",
	"Microsoft.ClassicCompute/domainNames/slots/roles/providers/Microsoft.Insights/metricDefinitions/read",
	"Microsoft.ClassicCompute/domainNames/slots/start/action",
	"Microsoft.ClassicCompute/domainNames/slots/state/start/write",
	"Microsoft.ClassicCompute/domainNames/slots/state/stop/write",
	"Microsoft.ClassicCompute/domainNames/slots/stop/action",
	"Microsoft.ClassicCompute/domainNames/swap/action"
  ],
  "NotActions": [
	"Microsoft.ClassicCompute/domainNames/slots/read",
	"Microsoft.ClassicCompute/domainNames/serviceCertificates/operationStatuses/read",
	"Microsoft.ClassicCompute/domainNames/serviceCertificates/read"
  ],
  "AssignableScopes": [
    "/subscriptions/<some_guid>"
  ]
}

What restrict users access to the configurations and certificates are the resource provider operations in NotActions.

What Resource Provider Needed for Azure Service?

In the example above, I use Azure Cloud Service as an example and the resource provider for Azure Cloud Service is Microsoft.ClassicCompute.

You can find out what resource provider used in an Azure Service from the URL. For example, this is URL for Azure Cloud Service.

azure-rbac-2

The part where it says Microsoft.ClassicCompute is what tells you which resource provider to use.

More

The challenge is to find resource provider operations to suit your needs.

For more information on how to create custom roles, available built-in roles and list of resource provider operations, see the links in References.

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

 
Leave a comment

Posted by on April 24, 2018 in General

 

Tags: ,

Get Private Key and Certificate from .PFX

Export the private key from .PFX file

C:\> openssl pkcs12 -in filename.pfx -nocerts -out privatekey.pem

Decrypt the encrypted private key

C:\> openssl rsa -in privatekey.pem -out private.key

The final private.key file is the the private key file.

Export the certificate from the .PFX file

C:\> openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

The cert.pem output from the command is the certificate file.

 
Leave a comment

Posted by on February 2, 2018 in General

 

Tags: , ,

Claims-Based Authorization in ASP.Net MVC and Web Api

Normally, I would re-write a blog post in hope to provide better explanation and concise the article, but since this is from Dominick Baier, I think he does it the best.

So, here’s it, how to apply claims based authorization in ASP.Net MVC and Web Api:

http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/

 
Leave a comment

Posted by on May 28, 2015 in General

 

Tags: , , , , ,

Add Authentication to MongoDB Database

To prevent un-authorized access to your MongoDB database, you can add security to it by requiring authentication whenever someone tries to connect.

It’s simple, run the mongod with --auth option. the command is:

// To add user
> use admin;
> db.addUser('admin','123456');

// Start mongod with --auth
$ sudo mongod --auth --dbpath /data

// Run mongo and login
$ mongo localhost:27017
> use admin
> db.auth('admin','123456');

// Include login in mongo command
$ mongo localhost:456789/admin -u admin-p 123456

More MongoDB security option: http://docs.mongodb.org/manual/administration/security/

 
1 Comment

Posted by on May 7, 2015 in General

 

Tags: , , ,

Unit Testing WIF’s ClaimsPrincipalPermission.CheckAccess

WIF 4.5 has ClaimsPrincipalPermission.CheckAccess method, very useful to check user’s authorization. You can use this as method call or attribute.

// Imperative method call
using System.IdentityModel.Services;
public ActionResult Index()
{
    ClaimsPrincipalPermission.CheckAccess("foo", "bar");

    return View();
}

// Attribute
[ClaimsPrincipalPermission(SecurityAction.Demand, Operation="foo", Resource="bar")]
public ActionResult ViewFoobar()
{
    return View();
}

Either way, how do we unit test this? My approach is to first abstract out ClaimsPrincipalPermission and create a new wrapper class that will be injected to the dependent class.

Abstract Out

using System.IdentityModel.Services;

public class ClaimsPrincipalWrapper : IClaimsPrincipalWrapper
{
    public void CheckAccess(string resource, string action)
    {
        ClaimsPrincipalPermission.CheckAccess(resource, action);
    }
}

Dependency Injection

using System.IdentityModel.Services;

public class HomeController : Controller
{
    private readonly IClaimsPrincipalWrapper _ClaimsPrincipalWrapper;

    public HomeController(IClaimsPrincipalWrapper claimsPrincipalWrapper)
    {
        _ClaimsPrincipalWrapper = claimsPrincipalWrapper;
    }

    public ActionResult Index()
    {
        _ClaimsPrincipalWrapper.CheckAccess("foo", "bar");

        return View();
    }
}

Unit Test

[TestMethod]
public void TestIndex()
{
    // Arrange
    var _claimsPrincipal = new Mock<IClaimsPrincipalWrapper>();
    _claimsPrincipal.Setup(m => m.CheckAccess(It.IsAny<string>, It.IsAny<string>));
    var _controller = new HomeController(_claimsPrincipalMock.Object);

    // Act
    var _result = _controller.Index() as ViewResult;

    // Assert
    Assert.IsTrue(_result.View != null);
}
 
Leave a comment

Posted by on May 4, 2015 in General

 

Tags: , , , , , , ,

OAuth2 Flows

Cliff notes from Dominick Baier’s OAuth2 Flows.

Authorization Code Flow

oauth2-flows-1

Characters: web application (server-based) clients, confidential and secured client where nobody can see user credential, human involves, consent screen, authorization happens in authorization server.

Apply to: web applications

Steps:

  1. Request authorization.
  2. Request token.
  3. Access resource.

Implicit Flow

oauth2-flows-2

Characters: native / local clients, user-agent based clients, human involves, consent screen, authorization happens in authorization servers.

Apply to: third party native applications (JavaScript application is included).

Steps:

  1. Request authorization & token.
  2. Access resource.

Resource Owner Credential Flow

oauth2-flows-3

Characters: trusted clients, no human involvement, no consent screen, authorization happens in client.

Apply to: official native applications (JavaScript application included).

Steps:

  1. Request token with resource owner credentials.
  2. Access resource.

Client Credential Flow

oauth2-flows-4

Characters: client to Service communication, no human involvement, no consent screen, authorization happens in client.

Apply to: machine to machine communication, service communication to authorization server without act as.

Steps:

  1. Request token with client credentials.
  2. Access resource.

Assertion Flow

oauth2-flows-5

Characters: use one of the ‘core’ flows, access another trusted system (partner).

Apply to: translate between identity management system (ADFS’s saml to ThinkTecture’s jwt), communication with partner’s resources using client’s credential.

Steps:

  1. Request token using ‘core’ flow (Authorization Code, Implicit, Resource Owner Credential, Client Credential).
  2. Request token using ‘assertion’ flow.
  3. Use token.
 
Leave a comment

Posted by on September 24, 2014 in General

 

Tags: , , , , , ,

 
%d bloggers like this: