Securing Sensitive App Settings Using Azure Key Vault.

Download complete project: WebApiWithAzureKeyVault

Why Azure Key Vault?

Almost every Azure app has some kind of cryptographic key, storage account key, sensitive setting, password, or connection string.

For example, consider a web app that needs a connection string for an Azure SQL Database. Storing that value in web.config or App.config means it is likely to be checked into source control and exposed to every developer, build agent, backup and laptop that has access to the repository.

Compare this with Azure Key Vault, where the config file holds only a reference to the secret (the vault URL and the secret name) and the value itself is released only to identities allowed by the vault's access policy.

Below is the insecure pattern that is still common in Azure-based solutions:

A1

Every secret sits in web.config in plain text. Anyone who gets onto the server, or who can read a backup or a deployment package, has all of them at once. These configuration files are usually checked into TFS, GitHub or a similar repository along with the rest of the project, so every team member with read access to the repository (and to its entire history) can see them too.

Key Vault lets you store these values outside the code base, so a compromise of the repository or of a build artifact does not hand over the secrets.

The Microsoft Azure cloud platform provides a managed secrets service, Azure Key Vault, for exactly this. It is a multi-tenant service in which developers store and use sensitive data for applications running in Azure (or anywhere that can reach the vault's endpoint).

The Azure Key Vault service can store three types of items: secrets, keys, and certificates.

  • Secrets are small byte sequences (the documented limit today is 25 KB; older guidance said 10 KB) such as connection strings, account keys, or the password protecting a PFX file. An authorized application retrieves the value and uses it in its own process.
  • Keys are cryptographic key material, either imported or generated inside Key Vault. The private material does not leave the service; an authorized client asks Key Vault to sign, verify, encrypt, decrypt, wrap or unwrap with the key on its behalf.
  • A Key Vault certificate is a managed X.509 certificate with lifecycle features on top. Key Vault can create the certificate itself (self-signed or through an integrated CA), and when it does it also creates a key (the private key) and a secret (the certificate together with its private key, exportable as PFX or PEM) under the same name. Renewal can be automated, with notifications before expiry.

Application flow with key vault

A30

Steps Required:

  1. Create A Key Vault
  2. Create a Secret
  3. Register an App in Azure Active Directory
  4. Create a client secret for the app (the portal screenshots below call this an API key)
  5. Give App-Specific Permissions to Access Key Vault
  6. Configure your Dot Net Application

1. Create a key vault

Log in to the Azure portal and add a new "Key vault" resource. If "Key vaults" is not already in your list, click "More services" and use the filter to find it. Fill in the mandatory fields and click "Create".

A2.JPG

A3

2. Create secrets:

Click "Secrets" under "Settings" on the left, or under "Assets" in the Overview panel. When the "Secrets" panel opens, click "Add" at the top to create a new one.

Activation and expiry dates can be set if the secret should only be readable during a specific period. When you are finished, click "Create".

A4

The key vault's DNS name (https://<vault-name>.vault.azure.net/) is the vault URL the application will call when it requests a secret.

A15.jpg

3. Register an app in Azure Active Directory

The data is now protected by Key Vault; the next step is to give the application an identity that can be granted access to it.

Back in the Azure portal, search for "Azure Active Directory" and select "App registrations" under "Manage" on the left. This is where you create the identity and the credential the application will present when it calls Key Vault programmatically.

A5

In my case I had already created a Web API app named "DubaiProperties-Api" running on Azure App Service, so I registered that application in Azure Active Directory so it can read secrets from the vault.

A7

4. Create a client secret for the registered app

From the "App registrations" list you should see the newly created app.

A8.JPG

Click the registered application and copy the "Application ID" shown under "Essentials".

A9.JPG

Select "Keys" from the "API Access" section (in the current portal this lives under "Certificates & secrets" > "Client secrets"). Give the key a description that explains its purpose and set an expiry; a short expiry is preferable, because this one value can unlock every secret the app is allowed to read. Click "Save" and the key's "Value" is shown once. Copy it now: after you navigate away it is never displayed again.

If you forget to copy it, delete it and create a new one.

A10

A11

5. Give app-specific permissions to access Key Vault

Return to the key vault and select "Access policies" under "Settings". Click "Add new", then "Select principal" to open a new blade. Enter the Application ID of the app registered in Azure AD, select the app when it appears, and click "Select" at the bottom to confirm. You can now choose the permissions to grant the application. (Newer vaults can also use Azure RBAC role assignments instead of access policies; the least-privilege advice below is the same either way.)

A13.jpg

Only assign the permissions the app needs. Reading a known secret by name needs only "Get" under "Secret permissions"; add "List" only if the app genuinely has to enumerate secret names, since "List" reveals the name and metadata of every secret in the vault. Click "OK" to finish.

A14

Key Vault is now ready to hold secrets and release them to this application.

6. Configure your .NET application

The Key Vault and Active Directory administration is done; now the .NET application has to read secrets from Key Vault instead of from app.config, web.config or anywhere else in the code.

Start with the Web API project that needs the secrets.

The application needs three values: the vault URL, the application (client) ID, and the client secret created at registration, all obtained in the steps above. Note that the client secret is itself a secret: keep it out of source control (put it in App Service application settings rather than in web.config), or avoid it entirely by running the app under a managed identity.

Below are the settings in web.config:

A16.jpg

Add the Azure Key Vault NuGet packages to the project:

A17.jpg

Create a helper class that uses the Azure SDK to authenticate to Key Vault and fetch the secrets the application needs.

A18.jpg

Use the helper from the Web API controller.

A19.jpg
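The helper and controller above are screenshots, so here is an added example (not the article's code) of the same pattern. It uses the current SDKs, Azure.Security.KeyVault.Secrets and Azure.Identity, because the Microsoft.Azure.KeyVault and ADAL packages shown in the screenshots are deprecated. The setting names (KeyVault:Uri, AzureAd:TenantId, AzureAd:ClientId, AzureAd:ClientSecret) and the secret name "SqlConnectionString" are this example's assumptions. It adds two things a practitioner wants that the screenshots do not show: a managed-identity path that needs no client secret in configuration at all, and a short in-process cache so a busy API does not call Key Vault on every request.

```csharp
// Added example, not the article's helper class. Assumes NuGet packages
// Azure.Security.KeyVault.Secrets and Azure.Identity. Setting names and the
// secret name "SqlConnectionString" are assumptions for illustration.
using System;
using System.Collections.Concurrent;
using System.Configuration;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public sealed class KeyVaultSecretReader
{
    private sealed class CacheEntry
    {
        public string Value;
        public DateTimeOffset ExpiresAt;
    }

    private readonly SecretClient _client;
    private readonly TimeSpan _ttl;
    private readonly ConcurrentDictionary<string, CacheEntry> _cache =
        new ConcurrentDictionary<string, CacheEntry>(StringComparer.OrdinalIgnoreCase);

    public KeyVaultSecretReader(Uri vaultUri, TokenCredential credential, TimeSpan cacheTtl)
    {
        _client = new SecretClient(vaultUri, credential);
        _ttl = cacheTtl;
    }

    // Preferred on App Service: the platform's managed identity obtains the token,
    // so no client secret exists anywhere in configuration.
    public static KeyVaultSecretReader UsingManagedIdentity()
    {
        var vaultUri = new Uri(ConfigurationManager.AppSettings["KeyVault:Uri"]);
        return new KeyVaultSecretReader(vaultUri, new ManagedIdentityCredential(), TimeSpan.FromMinutes(5));
    }

    // The article's flow: app registration + client secret. Keep this bootstrap
    // credential in App Service application settings, not in a checked-in
    // web.config; it is the one secret that can unlock every other secret.
    public static KeyVaultSecretReader UsingClientSecret()
    {
        var s = ConfigurationManager.AppSettings;
        var vaultUri = new Uri(s["KeyVault:Uri"]);
        var credential = new ClientSecretCredential(s["AzureAd:TenantId"], s["AzureAd:ClientId"], s["AzureAd:ClientSecret"]);
        return new KeyVaultSecretReader(vaultUri, credential, TimeSpan.FromMinutes(5));
    }

    // Resolves a secret by name. No version is passed, so Key Vault returns the
    // latest enabled version; the short cache bounds how long an old value survives
    // a rotation and keeps request volume under Key Vault's throttling limits.
    public async Task<string> GetSecretAsync(string name)
    {
        if (_cache.TryGetValue(name, out var hit) && hit.ExpiresAt > DateTimeOffset.UtcNow)
            return hit.Value;

        KeyVaultSecret secret = await _client.GetSecretAsync(name).ConfigureAwait(false);
        _cache[name] = new CacheEntry { Value = secret.Value, ExpiresAt = DateTimeOffset.UtcNow.Add(_ttl) };
        return secret.Value;
    }
}

// Consumer: the secret feeds a dependency and is never written to a response or a log.
public static class Db
{
    private static readonly KeyVaultSecretReader Secrets = KeyVaultSecretReader.UsingManagedIdentity();

    public static async Task<System.Data.SqlClient.SqlConnection> OpenAsync()
    {
        var conn = new System.Data.SqlClient.SqlConnection(await Secrets.GetSecretAsync("SqlConnectionString"));
        await conn.OpenAsync();
        return conn;
    }
}
```

Use `UsingClientSecret()` only where a managed identity is not available (for example on a developer machine); in App Service, enable the system-assigned identity, grant it "Get" on secrets in the vault's access policy, and switch to `UsingManagedIdentity()` so the client secret disappears from configuration entirely.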

Now publish the Web API project to Azure App Service; it should work after deployment.

A21.jpg

Open the Swagger URL for the deployed API to see every controller with its HTTP verbs.

A22

Expand the GET method of the KeyVault controller and send a request; it reads the secret value from Azure Key Vault.

A23.jpg

Below is the Web API response with the values from Key Vault. This is fine for a demo, but a real API must never echo secret values back to callers: anyone who can reach the endpoint would then hold the secrets, and the values would land in proxy and browser logs.

A24.jpg

If you look through the code you will not find the secret values in any configuration file or in the App Service application settings; they come from Key Vault at run time. What does remain in configuration is the client ID and client secret used to reach the vault, so those must be protected (App Service application settings, not a checked-in web.config) or replaced by a managed identity.

If you add a new version of a secret in Key Vault, no application change is needed: a request that does not specify a version always receives the latest enabled version.

Let's create a new version of the secret with a different value. Go back to "Secrets" in the key vault's settings pane, where all defined secrets are listed.

A25.jpg

Click the secret you want to version, here "DemoSecretKey". You will see every version of it; currently there is only one.

The list never shows values, only names, versions and metadata.

A26.jpg

Click "New Version", choose "Manual" from the drop-down, enter the new value and save.

A27.jpg

The new version now appears with the updated value, and the previous version is retained by Key Vault (it can be disabled, or kept for rollback).

A28.jpg

Test the Web API again: it reads the updated value from Key Vault, and nothing in the deployed Web API was changed. (If the application caches secrets in memory, the new value shows up once the cache entry expires.)

A29.jpg

That's it. This configuration protects the sensitive values in Key Vault and gives the .NET application controlled access to them.

Summary

Azure Key Vault is an excellent service and a welcome addition to the Azure family. It gives applications secure management of secrets and cryptographic keys without the usual operational overhead, which is an important step towards better security in our applications. This article covered retrieving secrets; a follow-up can show how to use the .NET SDK to create and manage keys and certificates as well.


Web API Documentation With Swagger

Download complete project: WebApiDocumentationWithSwagger

"If it is not documented, it doesn't exist. As long as information is retained in someone's head, it is vulnerable to loss."

That is certainly true of APIs: any API, small or complex, needs documentation to be easy to use. It is an interesting challenge, because you have to bridge the abstract world of the code and the way people think and work. This is where Swagger shows its value.

Swagger is a specification for describing REST APIs: the URLs, methods and representations of a web service. Because the description is generated from the service itself, the documentation moves at the same pace as the server, and clients and tooling can keep up with it.

Microsoft also provides its own help-page package, which generates help content for the Web APIs on your site. It is a good start but lacks discoverability and live interaction, and this is where Swagger comes to the rescue.

Adding Swagger to your Web API does not replace the ASP.NET Web API help pages; you can run both side by side if you wish.

Adding Swagger to an API project

To add Swagger to an ASP.NET Web API project, install the open-source Swashbuckle package from NuGet.

s1

After the package is installed, look under App_Start in Solution Explorer for a new file, SwaggerConfig.cs. This is where Swagger is enabled and where its configuration options are set.

s2

Now set up Swagger by adding the code below:

s3

Start a debugging session (F5) and navigate to http://localhost:[PORT_NUM]/swagger. You should see the Swagger UI help pages for your API.

s4.PNG
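The SwaggerConfig.cs above is a screenshot, so here is an added example of such a file for Swashbuckle 5.x on ASP.NET Web API 2 (not the article's file). The namespace "DemoApi", the XML documentation file name and the "Swagger:EnableUi" app setting are this example's assumptions. The setting exists because Swagger UI's "Try it out!" sends real requests: anything the UI can reach, anyone who can load the UI can reach, so the interactive page should be served deliberately rather than everywhere.

```csharp
// Added example of App_Start/SwaggerConfig.cs for Swashbuckle 5.x (ASP.NET Web API 2).
// Not the article's file. Namespace, XML file name and the "Swagger:EnableUi"
// setting are assumptions for illustration.
using System;
using System.Configuration;
using System.IO;
using System.Web.Http;
using Swashbuckle.Application;
using WebActivatorEx;

[assembly: PreApplicationStartMethod(typeof(DemoApi.SwaggerConfig), "Register")]

namespace DemoApi
{
    public class SwaggerConfig
    {
        public static void Register()
        {
            var httpConfig = GlobalConfiguration.Configuration;

            var swagger = httpConfig.EnableSwagger(c =>
            {
                c.SingleApiVersion("v1", "Demo API");

                // Pull <summary>/<param> text from the XML file produced when
                // "XML documentation file" is ticked in the project's Build settings.
                var xmlPath = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "bin", "DemoApi.xml");
                if (File.Exists(xmlPath))
                    c.IncludeXmlComments(xmlPath);

                c.DescribeAllEnumsAsStrings();

                // Declare the bearer token the API expects so the generated
                // document (and the UI) know the endpoints are not anonymous.
                c.ApiKey("Authorization")
                 .Name("Authorization")
                 .In("header")
                 .Description("Bearer {token}");
            });

            // The interactive UI executes real requests against this API.
            // Serve it only where that is intended (dev/test, or behind auth).
            var enableUi = ConfigurationManager.AppSettings["Swagger:EnableUi"];
            if (string.Equals(enableUi, "true", StringComparison.OrdinalIgnoreCase))
            {
                swagger.EnableSwaggerUi(ui => ui.EnableApiKeySupport("Authorization", "header"));
            }
        }
    }
}
```

With "Swagger:EnableUi" unset in production, /swagger/docs/v1 still describes the API for tooling while the /swagger/ui page is not served; if the JSON document itself should not be public either, put the whole /swagger path behind the same authentication as the API.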

All API methods now appear with readable documentation, and each method definition can be expanded or collapsed.

Below is the API controller code with the two methods that appear in the Swagger documentation.

s5

Expand a method by clicking it and you will see the API-level metadata: request parameters and response types.

s6

s7.PNG

A useful feature of Swagger UI is that you can invoke API methods from the page without an external REST client such as DHC or Postman: each method has a "Try it out!" button that sends the request and shows the server's response. Remember that these are real requests against the running API, so an exposed Swagger UI is an exposed API; keep the UI off production, or behind the same authentication the API uses.

s8.PNG

Another useful feature of Swagger is the JSON document that describes every endpoint and model of the API.

To open it, follow the link at the top of the dashboard: copy the highlighted URL from the Swagger UI into a new browser tab and you get a JSON document containing the metadata for all API methods.

s9

Below image shows json documentation.

s10.PNG

 

You now have an API that is documented and offers a pleasant experience to developers. Keep in mind that documenting an API should start at the very beginning of development, so that it is easy to maintain.


.NET interview questions asked in MNCs

  1. Can we create multiple DbContexts in a single Entity Framework application? If not, why not; if yes, what is a real-world use for it?
  2. In the code-first approach, how are new tables pushed to the database through Entity Framework?
  3. What is OData in Web API, and what is the controller base class for OData?
  4. How do you unit test your Web API?
  5. If the Web API and the client application are hosted in different environments, what challenges do you face?
  6. What is CORS in Web API?
  7. What is attribute routing?
  8. Which attributes are applied to classes and methods in unit testing?
  9. Write a query, using Entity Framework, to fetch records from a table where the name starts with "S".

Web API questions:

  1. Do you have experience with Web API, and were you a consumer or a developer of those APIs?
  2. What is the difference between WCF and Web API? If WCF is in high demand, why choose Web API?
  3. What does REST mean, and how is state transferred over the network?
  4. What are the steps to create a Web API from scratch?
  5. What is the difference between conventional routing and attribute routing? Can both work together, and when would you choose each?
  6. How do you enable attribute routing?
  7. How many kinds of filters are there in Web API?
  8. How do you register global filters in Web API?
  9. What is the major security concern in Web API? What is CORS, and what are the steps to make a Web API support it?
  10. Have you implemented security in a Web API? If yes, which approach did you follow? Explain in detail.
  11. What are OAuth and OWIN-based authentication?
  12. How do you serialize and deserialize JSON to and from native C# objects?
  13. What is OWASP? What are the top 10 security flaws?
  14. How do you test a Web API?

 

MVC interview questions:

  1. What is routing in MVC, and how does MVC routing differ from Web API routing?
  2. What are constraints in MVC routing, and in how many ways can they be implemented?
  3. What is a child action in MVC?
  4. What are the advantages of MVC compared with a conventional Web Forms application?
  5. How do you implement caching in MVC?
  6. How do you handle XSS and CSRF in MVC?
  7. Have you used the code-first approach with MVC? If yes, how do you manage data concurrency?
  8. In the code-first approach, what happens when a new property is added to an entity? Is a new column added to the table, or does an error occur? If an error occurs, how do you resolve it?
  9. Can we use multiple DbContexts with a single database in the code-first approach?

SQL Interview questions:

  1. What is a CTE, and how does a CTE differ from a temp table?
  2. Is it possible to create an index on a view?
  3. What are table-valued functions and table variables? Give a real-world scenario for each.
  4. What is a covering index?
  5. Can you join against a table-valued function?
  6. What is a LEFT OUTER JOIN?
  7. Have you created user-defined data types in SQL Server? Explain with a real-world example of where you used them.
  8. How can you ensure that a stored procedure's text cannot be read after it is created?

 

OOP interview questions:

  1. How many design patterns have you used? Relate each one to a real-world use case in your project.
  2. What is the difference between an abstract class and an interface?
  3. What is the importance of interfaces in unit testing?
  4. Which test framework did you use in your last project? Have you used Moq?

 

Web API exception: Multiple actions were found that match the request.

A Web API controller usually contains Get(), Get(id), Post, Put, Patch and Delete methods, but sometimes you need a second GET or POST method, or other custom methods, for the same HTTP verb.

Say we have an existing Get() method and want to add a custom GetAll() method that also answers HTTP GET. The controller looks like this:

c2

As soon as the new GET method exists alongside Get(), running the Web API produces the error below:

C1

WebApiConfig.cs for this code, as created by default with a new API project:

C3

Why does this happen when the code looks fine? Look at the route defined in the config file: in Web API routing only the controller name appears in the template; there is no {action} segment naming Get, Post or any custom action.

This is the difference between MVC routing and Web API routing. In MVC the action name is part of the URL by default, while in Web API it is not required:

MVC route: url: "{controller}/{action}/{id}"

Web API route: routeTemplate: "api/{controller}/{id}"

So a request is dispatched by HTTP verb alone: with one GET action on the controller, Web API runs it and returns the response.

Once there are two actions for the same verb, the same request throws the exception, because the action selector finds several matching methods and cannot decide which one to execute.

The cause is that the route carries no action name.

Custom action names are of course allowed, as many as the business needs, but the routing has to change to support them.

To support custom action names, add {action} after the controller name in the default route:

routeTemplate: "api/{controller}/{action}/{id}"

The complete WebApiConfig.cs after the change:

c4

Now test both methods with these changes.

1. A request to the default method:

C5

2. A request to the custom action (GetAll):

C6
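An added example (not the article's project) of the alternative that Web API 2 offers: keep the default convention route and give GetAll() its own URL with attribute routing, which the default template already enables. The controller name "ProductsController" and the in-memory product list are this example's assumptions. One caveat worth knowing either way: with an {action} route every public method on the controller becomes reachable by name (a method without a verb prefix or verb attribute is treated as POST), so helper methods must be private or marked [NonAction].

```csharp
// Added example, not the article's project. Attribute routing gives the custom
// GetAll() its own URL without adding {action} to the convention route.
// Controller name and product list are assumptions for illustration.
using System.Collections.Generic;
using System.Web.Http;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Attribute routes are matched before the convention route below.
        config.MapHttpAttributeRoutes();

        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

[RoutePrefix("api/products")]
public class ProductsController : ApiController
{
    private static readonly List<string> Products = new List<string> { "Keyboard", "Mouse", "Monitor" };

    // GET api/products -> the original Get(); here it returns the first product.
    [HttpGet, Route("")]
    public IHttpActionResult Get()
    {
        return Ok(Products[0]);
    }

    // GET api/products/2 -> product by index. The {id:int} constraint means
    // "api/products/all" can never be mistaken for an id.
    [HttpGet, Route("{id:int}")]
    public IHttpActionResult Get(int id)
    {
        if (id < 0 || id >= Products.Count)
            return NotFound();
        return Ok(Products[id]);
    }

    // GET api/products/all -> the custom action the article adds.
    [HttpGet, Route("all")]
    public IHttpActionResult GetAll()
    {
        return Ok(Products);
    }

    // Under the convention route any public method can be selected as an action;
    // [NonAction] (or making it private) keeps a helper off the URL surface.
    [NonAction]
    public bool IsKnownProduct(string name)
    {
        return Products.Contains(name);
    }
}
```

Because each custom action gets an explicit route, there is no ambiguity for the action selector to resolve, and the URL surface of the controller is exactly the set of [Route] attributes you wrote.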


Web API field-level response without implementing OData.

Download complete project: WebApiFieldLevelSelection

When writing a RESTful Web API you often want clients to pass the list of fields they need, so that only useful data is returned. Say you have a Product entity with many properties and a client needs only a few of them; returning the whole object on every request wastes bandwidth and increases response time. So you accept a list of fields from the client and return only those. How can you do that?

OData is the standard way: its $select query option returns only the requested fields.

The problem is how to achieve the same thing when the Web API does not implement OData.

You can do it with basic .NET types: dynamic, ExpandoObject and generic collections.

Let's solve the problem step by step:

  1. Create an empty Web API project with a controller named "ProductCategory" that has two GET methods: one without parameters, and one with a string parameter that accepts a comma-separated field list in the request.
  2. Get() returns all fields in the response, while Get(string fields) returns only the requested fields.
  3. The example below uses a hard-coded list with dummy values; you can replace it with a real database.

ProductCategoryController.cs

w1.png

DynamicObject method:

DynamicObject takes the list of fields and returns an object. It uses .NET reflection to read each requested property and stores the name and value in a Dictionary<string, object>, which the LINQ query then projects into the response.

w2.PNG

ApiHelper.cs

w3.PNG
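The controller and helper above are screenshots, so here is an added example (not the article's ApiHelper or DynamicObject code) of the same reflection-based projection into ExpandoObject. The Product shape, the sample rows and the allow-list are this example's assumptions. The allow-list is the point a practitioner should not skip: reflection will happily read any public property a client names, so without it a field list like "supplierCostNotes" leaks whatever the entity carries, and unknown names should be rejected with 400 rather than silently ignored.

```csharp
// Added example, not the article's helper. Product shape, sample rows and the
// allow-list of client-selectable fields are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Dynamic;
using System.Linq;
using System.Reflection;
using System.Web.Http;

public class Product
{
    public int ProductId { get; set; }
    public string ProductName { get; set; }
    public decimal Price { get; set; }
    public string SupplierCostNotes { get; set; }   // internal; must never be selectable
}

public static class FieldSelector
{
    // Only these properties may be requested, whatever else the entity exposes.
    private static readonly HashSet<string> Exposed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ProductId", "ProductName", "Price" };

    public static List<ExpandoObject> Project<T>(IEnumerable<T> items, string fields)
    {
        var props = typeof(T).GetProperties(BindingFlags.Public | BindingFlags.Instance)
                             .Where(p => Exposed.Contains(p.Name))
                             .ToDictionary(p => p.Name, p => p, StringComparer.OrdinalIgnoreCase);

        var requested = (fields ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(f => f.Trim())
            .Where(f => f.Length > 0)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        var unknown = requested.Where(f => !props.ContainsKey(f)).ToList();
        if (unknown.Count > 0)
            throw new ArgumentException("Unknown field(s): " + string.Join(", ", unknown));

        // No field list: return every exposed field, never every public property.
        var chosen = (requested.Count == 0 ? props.Keys.AsEnumerable() : requested)
            .Select(f => props[f])
            .ToList();

        var result = new List<ExpandoObject>();
        foreach (var item in items)
        {
            IDictionary<string, object> row = new ExpandoObject();
            foreach (var p in chosen)
                row[p.Name] = p.GetValue(item);      // reflection reads the value
            result.Add((ExpandoObject)row);
        }
        return result;
    }
}

public class ProductCategoryController : ApiController
{
    private static readonly List<Product> Catalog = new List<Product>
    {
        new Product { ProductId = 1, ProductName = "Keyboard", Price = 25.00m, SupplierCostNotes = "cost 9.10" },
        new Product { ProductId = 2, ProductName = "Mouse",    Price = 12.50m, SupplierCostNotes = "cost 3.80" },
    };

    // GET api/productcategory                         -> all exposed fields
    // GET api/productcategory?fields=productId,price  -> only those two fields
    public IHttpActionResult Get(string fields = null)
    {
        try
        {
            // Json.NET serialises ExpandoObject as a plain JSON object with the chosen keys.
            return Ok(FieldSelector.Project(Catalog, fields));
        }
        catch (ArgumentException ex)
        {
            return BadRequest(ex.Message);   // 400 instead of silently dropping the bad name
        }
    }
}
```

The same FieldSelector works for any entity type; only the allow-list needs to be per type if you generalise it, and it should be maintained as an explicit list rather than derived from "all public properties".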

Output:

  1. When the client passes two fields (productId, productName) in the query string, only those two fields appear in the JSON response.

w4

  2. When the client passes three fields (productId, productName, price), three fields appear in the JSON response.

w5.PNG

That is how field-level selection can be implemented in Web API without an OData implementation.

MVC view with multiple models using Tuples and ExpandoObject.

Download sample project: MvcViewWithMultipleModels

In the MVC programming model a view can be associated with multiple models, and developers have to send those models from the controller to the .cshtml page. Common approaches such as ViewBag, ViewData and a ViewModel class can all achieve this.

I am not going to demonstrate those three here; instead, two .NET Framework 4.0 features can be used to pass multiple models from controller to view efficiently:

  1. ExpandoObject
  2. Tuples

1.) Using ExpandoObject:

The ExpandoObject class enables you to add and delete members of its instances at run time and also to set and get values of these members. This class supports dynamic binding, which enables you to use standard syntax like sampleObject.sampleMember instead of more complex syntax like sampleObject.GetAttribute(“sampleMember”).

Say you have two models, "Department" and "Employee", and you want to bind both to one MVC view. Below are the model definitions:

Department.cs:

c1.PNG

Employee.cs

c2

Controller.cs :

c4

The method fetches the employee and department details as shown below:

c5.PNG

View (Index.cshtml):

The view declares @model dynamic, so it is not strongly typed: member names are resolved at run time, and a mistyped member name fails only when the view renders.

c6

Rendered output:

c3.PNG

2.) Using Tuples:

In C#, a Tuple groups a fixed number of values, each with its own type, into a single object. The number and types of the items are fixed when the tuple is created, and a System.Tuple cannot be altered afterwards.

Let's continue with the models created above; nothing changes in the model classes. The only changes are in the controller and the view.

The controller after updating it to use a tuple:

HomeController.cs

t4

View (Index.cshtml)

Declare the tuple as the model at the top of the view:

@model Tuple<List<Employee>, List<Department>>

complete view looks like:

t2.PNG

Rendered Output:

t1.PNG
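The controllers above are screenshots, so here is an added example (not the article's controller) showing both approaches side by side. The Employee and Department shapes and the constructed sample rows are this example's assumptions; the ExpandoObject action expects a view that starts with "@model dynamic" and reads Model.Employees and Model.Departments, while the tuple action expects "@model Tuple<List<Employee>, List<Department>>" and reads Model.Item1 and Model.Item2.

```csharp
// Added example, not the article's controller. Model shapes and the sample rows
// are assumptions standing in for the database calls in the screenshots.
using System;
using System.Collections.Generic;
using System.Dynamic;
using System.Web.Mvc;

public class Department
{
    public int DepartmentId { get; set; }
    public string Name { get; set; }
}

public class Employee
{
    public int EmployeeId { get; set; }
    public string Name { get; set; }
    public int DepartmentId { get; set; }
}

public class HomeController : Controller
{
    // Constructed sample data (would come from the database in a real app).
    private static List<Department> LoadDepartments()
    {
        return new List<Department>
        {
            new Department { DepartmentId = 1, Name = "Engineering" },
            new Department { DepartmentId = 2, Name = "Finance" },
        };
    }

    private static List<Employee> LoadEmployees()
    {
        return new List<Employee>
        {
            new Employee { EmployeeId = 10, Name = "Asha", DepartmentId = 1 },
            new Employee { EmployeeId = 11, Name = "Ravi", DepartmentId = 2 },
        };
    }

    // 1) ExpandoObject: Index.cshtml starts with "@model dynamic" and reads
    //    Model.Employees / Model.Departments. Members are resolved at run time,
    //    so a typo in the view is a runtime error, not a build error.
    public ActionResult Index()
    {
        dynamic model = new ExpandoObject();
        model.Employees = LoadEmployees();
        model.Departments = LoadDepartments();
        return View((object)model);
    }

    // 2) Tuple: IndexWithTuple.cshtml starts with
    //    "@model Tuple<List<Employee>, List<Department>>" and reads Model.Item1 /
    //    Model.Item2. Strongly typed and immutable, but the member names say nothing.
    public ActionResult IndexWithTuple()
    {
        return View(Tuple.Create(LoadEmployees(), LoadDepartments()));
    }
}
```

Both views render the same markup from the same data; the trade-off is compile-time checking (tuple) against readable member names (ExpandoObject). A dedicated ViewModel class with Employees and Departments properties gives you both, which is why it remains the usual choice for anything beyond a quick demo.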

You can see there is no change in the final rendered output.

This article described how to pass multiple models from a controller to a view. I hope it is helpful.

"DROP IF EXISTS" syntax in SQL Server 2016

SQL Server 2016 added the "DROP IF EXISTS" syntax, a feature developers had been missing for a long time. (It shipped with SQL Server 2016 itself; Service Pack 1 later added the related CREATE OR ALTER.) Before it, developers had to check whether a database object existed before dropping or re-creating it.

With the new syntax, if the object does not exist no error is raised and execution continues with the next statement in the batch.

IF EXISTS in older versions:

Previously you added an IF EXISTS() condition to check whether the object already existed; if it did, you dropped it and then created it again:

IF EXISTS (SELECT name FROM master.sys.databases WHERE name = N'DatabaseName')
  -- do your thing...

Example:

IF EXISTS (SELECT name FROM master.sys.databases WHERE name = N'Sql2016DB')
    DROP DATABASE Sql2016DB

New way:

The new syntax is much shorter, and developers no longer need to memorise the catalog query for each kind of object.

Query syntax: DROP <DbObject> [ IF EXISTS ] <ObjectName>

Here DbObject can be DATABASE, PROCEDURE, FUNCTION, TABLE, VIEW, TRIGGER and so on.


Let's see real examples for a few important database objects:

1) Drop database if exists:

The query to drop a database is now very short.

Syntax: DROP DATABASE IF EXISTS <DatabaseName>

Example: if our database is named SqlDb2016, the query below drops it using the new syntax.

DROP DATABASE IF EXISTS SqlDb2016

d1


2) Drop table if exists:

Syntax: DROP TABLE IF EXISTS <TableName>

Example: if "EmployeeMaster" is a table in the SqlDb2016 database, the query below drops it if it exists.

Old syntax:

d3.PNG

New syntax in SQL Server 2016:

d2.PNG


3) Drop procedure if exists:

Dropping a procedure is very common while writing complex procedures, and developers had to add logic to check whether the procedure already existed in the database.

The new "DROP IF EXISTS" syntax makes this easy; it is shorter and easier to remember.

Old Query Syntax:

d4.PNG

 

New Query Syntax:

d5.PNG


4) Drop function if exists:

User-defined functions are routines that accept parameters, perform an action and return the result of that action as a value. The return value can either be a single scalar value or a result set (table).

Old Query Syntax:

d6.PNG

New Query Syntax:

d7.PNG


5) Drop view if exists:

A view is a virtual table based on the result set of a SQL statement. It has rows and columns just like a real table, and its columns come from one or more real tables in the database.

Old Query Syntax:

d8

New Query Syntax:

d9.PNG


6) Drop trigger if exists:

A trigger is a special kind of stored procedure that automatically executes when an event occurs in the database server. DML triggers execute when a user tries to modify data through a data manipulation language (DML) event. DML events are INSERT, UPDATE, or DELETE statements on a table or view. These triggers fire when any valid event is fired, regardless of whether or not any table rows are affected.

Old Query Syntax:

d10.PNG

New Query Syntax:

d11.PNG


DROP IF EXISTS is not limited to the objects above; it can also be used with:

  • Index
  • Constraint
  • Column
  • Schema
  • Synonym
  • Type
  • User
  • Role