Security Archives - GeralexGR

Posted on March 25, 2024March 25, 2024 by geralexgr — Leave a comment

Connect to Azure resources with Managed Identity – Storage account example

A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

There are two types of managed identities:

System Assigned
User assigned

You can learn more about how managed identity works from the below guide.

https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview

On a previous article I have documented how managed identity can be used inside an azure web app.

Connect to Azure resources with Managed Identity – Azure Web app container example

In this demonstration we will examine how we can use managed identity to authenticate with a storage account from a .NET application. This is very useful when dealing with security as we eliminate access to specific resources and we do not have to manage passwords in the code.

In order to implement Managed Identity it should be supported for the specific resource. This example is an ASP .NET web app that is deployed on a app service and uses managed Identity to communicate with a storage account and get blob data or information.

Firstly the managed identity object should be enabled on the web app. This means that you enable the web app to request when needed managed identity authentication from Azure AD.

Then you will need to enable the specific role that is required on the identity resource. As you can see from the image, I assigned the Storage Blob Data Reader, as I only need to perform read actions (least privilege) on the dotnet-testmi identity which is identified by azure with the App Service Label. When you enable the managed identity on a resource it will connect with an object ID which is then the identified on the whole azure portal. You can search later on with this ID or the name of the resource from the IAM of the destination resource. This means that you have to assign the permissions on the Blob Container of the Storage account that you need to access through code.

Finally you you will need to use Managed Identity Authentication in your code.

In this example two libraries are needed in order to interact with the storage account using managed identity. First the Azure.identity which includes Managed Identity Authentication and also Azure.Storage library.

https://www.nuget.org/packages/Azure.Identity 
https://www.nuget.org/packages/Azure.Storage.Blobs

Authenticate using Managed Identity instead of a connection string

BlobContainerClient client = new BlobContainerClient(new Uri($"https://NAME.blob.core.windows.net/testing"), new ManagedIdentityCredential());

Authentication using connection string

BlobContainerClient client = new BlobContainerClient("connectionString","testing");

When creating a blank ASP .NET application you will have a WeatherController built by default to start experimenting. The code for this example is added there for the case of simplicity and you can find it below.

using Azure.Storage.Blobs.Models;
using Azure.Storage.Blobs;
using Azure;
using Microsoft.AspNetCore.Mvc;
using Azure.Identity;

namespace WebApplication1.Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class WeatherForecastController : ControllerBase
    {

        private readonly ILogger<WeatherForecastController> _logger;

        private static List<string> _blobList;
        public WeatherForecastController(ILogger<WeatherForecastController> logger)
        {
            _logger = logger;
        }

        [HttpGet(Name = "GetWeatherForecast")]
        public IEnumerable<string> Get()
        {
         BlobContainerClient client = new BlobContainerClient(new Uri($"https://NAME.blob.core.windows.net/testing"), new ManagedIdentityCredential());

            ListBlobsFlatListing(client, 1).GetAwaiter().GetResult();
            return _blobList.ToArray();
        }


        private static async Task ListBlobsFlatListing(BlobContainerClient blobContainerClient,
                                               int? segmentSize)
        {
            try
            {
                _blobList = new List<string>();
                // Call the listing operation and return pages of the specified size.
                var resultSegment = blobContainerClient.GetBlobsAsync()
                    .AsPages(default, segmentSize);

                // Enumerate the blobs returned for each page.
                await foreach (Page<BlobItem> blobPage in resultSegment)
                {
                    foreach (BlobItem blobItem in blobPage.Values)
                    {
                        Console.WriteLine("Blob name: {0}", blobItem.Name);
                        _blobList.Add(blobItem.Name);
                    }

                    Console.WriteLine();
                }
            }
            catch (RequestFailedException e)
            {
                Console.WriteLine(e.Message);
                Console.ReadLine();
                throw;
            }
        }


    }
}

Posted on October 18, 2023October 18, 2023 by geralexgr — Leave a comment

Download repos with ssh keys on Gitlab with MFA enabled

When you enable MFA in Gitlab you may face issues when interacting with git repositories. Some of your commands like git pull, push etc could fail and this is done because of the MFA.

There is a way to resolve those issues by communicating with ssh keys. The procedure to create and upload your keys are described in the below article.

https://docs.gitlab.com/ee/user/profile/account/two_factor_authentication.html

However sometimes this may not work as in my case. The issue was that the ssh key for some reason could not be found correctly from the computer.

In order to bypass I used the ssh-add command and then pointed the directory of the key.

ssh-add ~/.ssh/gitlab_id_rsa

After this action your gitlab interaction will start working.

Posted on September 28, 2023September 28, 2023 by geralexgr — Leave a comment

Publish coverage report on SonarQube for dotnet test

When you create coverage reports for your .NET projects you have the ability to use the native logger mechanism in order to export a trx report with your results.

An example of this native functionality can be found below as the logger parameter is used along with dotnet test.

dotnet test keyvault.sln  --logger "trx;logfilename=mytests.trx"

However if you try to upload this trx file in a sonarqube in order to get your coverage report result, this will fail with the below error message.

Error message:

WARN: Could not import coverage report ‘.\Keyvault_MI_Pod\Tests\TestProject1\TestResults\mytests.trx’ because ‘Only dotCover HTML reports which start with “” are supported.’. Troubleshooting guide: https://community.sonarsource.com/t/37151

Using the below sonarqube documentation page you will find all the available methods that are supported for the coverage reporting. When you need to upload your coverage results in sonarqube you will need to use a tool from the list and upload the file that this tool generates.

.NET test coverage (sonarsource.com)

In my case I will use dotCover and create the relevant report file.

In the teamcity task (begin analysis) you will need to add in the additional parameters where you export your report.

Then in the pipeline you will need to add the dotnet test task as shown from the documentation.

dotnet dotcover test --dcReportType-HTML

In the finish task you will see the coverage report type is now compatible and can be parsed from sonarqube.

Finally you will have your coverage report inside sonarqube.

Posted on September 1, 2023September 1, 2023 by geralexgr — Leave a comment

Integrate SonarQube with Teamcity

Sonarqube is a self-managed, automatic code review tool that systematically helps you deliver clean code. SonarQube integrates into your existing workflow and detects issues in your code to help you perform continuous code inspections of your projects. In this article we will examine how to integrate it with Teamcity in order to scan our workflows during build.

First you will need to install the sonar runner for your teamcity installation. You should go in the administration tab

and then plugins

Then browse plugin directory and install the sonar runner.

After that you should go in root project and integrate sonar tool with teamcity.

Press add a new server and provide Name, URL and the Token. Token can be retrieved from your sonar installation. Under Administration select security and create a new token with an expiry date.

Finally you can create a new build definition and use the sonar scanner plugin.