Wednesday, November 30, 2016

NIST is bringing some common sense to password policies

As a consultant I’m frequently confronted with strange password policies. Every company I visit has different password rules with different expiration windows and so on. Although a password manager helps me to keep my sanity, I have a hard time understanding some of the multipage password rules that customers are using.

But OK, if it makes our systems more secure, it’s a burden I’m willing to carry. Unfortunately there is enough research available showing that most of these rules make no sense and don’t help to improve security at all…

So reading the following post (https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/) about NIST (the United States National Institute of Standards and Technology) and the new guidelines for password policies they published made me happy.

An extract of some of the rules:

  • A minimum of 8 characters.
  • Allow at least a maximum of 64 characters (I hate it when I cannot use passphrases)
  • No composition rules (again, I hate it when I cannot use passphrases)
  • No password hints
  • No knowledge-based authentication (questions to which only you should know the answer, like your favorite color)
  • No more password expiration without reason

Thank you NIST!
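As an added illustration (my own code, not from the post and not from NIST), here is the extract above turned into an acceptance check in C#, beside a hypothetical legacy composition policy of the kind the post complains about, so the two can be compared on constructed sample passwords:

```csharp
using System;
using System.Globalization;
using System.Linq;

// Added example, not code from the original post: the password rules listed
// above implemented as an acceptance check, next to a hypothetical "legacy"
// composition policy.
public static class PasswordPolicy
{
    // Limits taken from the NIST extract above.
    public const int NistMinLength = 8;
    public const int NistMaxLength = 64;

    // Hypothetical legacy policy: 8-16 characters, one upper, one lower,
    // one digit, one symbol, and no spaces (so no passphrases).
    public static bool LegacyAccepts(string password)
    {
        if (password == null || password.Length < 8 || password.Length > 16) return false;
        if (password.Any(char.IsWhiteSpace)) return false;
        return password.Any(char.IsUpper)
            && password.Any(char.IsLower)
            && password.Any(char.IsDigit)
            && password.Any(c => !char.IsLetterOrDigit(c));
    }

    // NIST-style policy: only a length check, no composition rules. Spaces and
    // any printable Unicode are allowed so passphrases work; control characters
    // (which can break forms and logs) are the only thing rejected.
    public static bool NistAccepts(string password)
    {
        if (password == null) return false;
        int length = CountTextElements(password);
        if (length < NistMinLength || length > NistMaxLength) return false;
        return !password.Any(char.IsControl);
    }

    // Count user-perceived characters rather than UTF-16 code units, so an
    // emoji or an accented character built from combining marks counts once.
    private static int CountTextElements(string s)
    {
        TextElementEnumerator enumerator = StringInfo.GetTextElementEnumerator(s);
        int count = 0;
        while (enumerator.MoveNext()) count++;
        return count;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples =
        {
            "P@ssw0rd",                      // satisfies every composition rule
            "correct horse battery staple",  // passphrase with spaces, 28 characters
            "short",
        };
        foreach (string p in samples)
        {
            Console.WriteLine("{0,-32} legacy={1,-5} nist={2}", p, LegacyAccepts(p), NistAccepts(p));
        }
    }
}
```

Running it shows the passphrase failing the legacy policy only because of its spaces and length, while “P@ssw0rd” satisfies every composition rule. That is also why the full NIST guideline (SP 800-63B) pairs the length-only rule with a check against lists of commonly used or compromised passwords, which the extract above does not list.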

Tuesday, November 29, 2016

NUnit tests are really slow when using Microsoft.Owin.Testing TestServer

After introducing Microsoft.Owin.Testing TestServer in a Test project we noticed that our test execution time increased from a few milliseconds for all tests to multiple seconds for each individual test.

With the help of dotTrace I noticed that most time was spent inside Microsoft.Owin.Hosting.Tracing.DualWriter. This class is used by OWIN to write all OWIN related data to the console.

image

After removing the related trace listener using the line of code below, the test execution time returned to normal:

Trace.Listeners.Remove("HostingTraceListener");

Monday, November 28, 2016

Fun retrospectives

In my job as a consultant I visit a lot of development teams. Most of them are using a ‘Scrum-like’ approach, meaning that the typical Scrum ceremonies (Daily Standups, Sprint Reviews, Retrospectives, …) are in place.

However, I noticed that especially the Retrospective becomes boring after a while. To spice up your retrospectives and make them meaningful again, I recommend having a look at http://www.funretrospectives.com/. This site brings together a lot of activities and ideas for making agile retrospectives more engaging.

image

Part of the information is also available as an e-book at http://www.caroli.org/book-fun-retrospectives/

Friday, November 25, 2016

ASP.NET Web API 2 Request Pipeline

I remember a time where ASP.NET WebForms was mainstream and ASP.NET MVC and Web API still had to be invented. To do a good job as an ASP.NET WebForms developer you needed a deep understanding of the ASP.NET WebForms page lifecycle. (I even got some related interview questions at the time.)

Those times are gone; now you should understand ASP.NET MVC and Web API, each having their own lifecycle. Here is a great poster explaining the ASP.NET Web API Message Lifecycle:

image

And a similar one for ASP.NET MVC:

image

Must-print material!

Thursday, November 24, 2016

Xamarin Workbooks

I started experimenting with Xamarin Workbooks as a new (better) way to create my API documentation. Workbooks are an interactive combination of executable code snippets and markdown documentation.

image

Xamarin Workbooks is a cross platform tool both available for Windows and Mac. Download information is available here: https://developer.xamarin.com/guides/cross-platform/workbooks/install/

After installation, it is time to create your first workbook:

  • Open Xamarin Workbooks. The new C# workbook window is shown. You can choose between a Console, iOS, Android or WPF app (at the moment of writing).
    • Xamarin Workbooks uses the concept of agents. Agents are responsible for injecting and executing your code in a specific application type. This means there is a separate agent for WPF, iOS, Android, …
  • Let’s start simple and choose Console.

image

  • You are welcomed by a blank workbook.

image

  • In the workbook you can add two types of cells, either an executable C# cell or a documentation cell. Click on the + or “ button to add a new cell.

image

  • In a C# cell you can enter your C# code. The workbook will provide code completion, syntax coloring, inline live-diagnostics, and multi-line statement support to optimize the editing experience.

image

  • To execute the code you can hit <enter>, click on the play button or press <control>+<return>.

image

  • In a Documentation cell you can enter any documentation, including images. Formatting is done using the Markdown format.

image

Some annoyances I have at the moment:

  • I noticed that the editing experience isn’t bug free yet. I got some strange behavior.
  • I couldn’t find a way to include my own assemblies or use my own NuGet server.
  • Compilation is (too) slow.
  • No undo functionality (yet).

It will be interesting to see how this application evolves…

Wednesday, November 23, 2016

TFS Build vNext: Build artifacts are not cleaned up on UNC file share

A while ago, I got a message from one of my customers mentioning that their build servers were running out of disk space. As they had a lot of teams and projects and each of these projects had at least a CI, Nightly and Release build, the number of build artifacts was growing at a large pace. To keep this under control, we reconfigured the build retention policies for all our builds. I removed most of the old CI builds and we were good to go, at least that was what I thought…

One week later, they called me again saying that one of the build servers was again running out of disk space. I double-checked all the retention policies; they all looked OK. However, there were 2 things that I noticed:

  • The builds that were consuming all the space were TFS vNext builds using the new task based system. XAML builds didn’t cause any trouble.
  • Although I specified in the Build retention policy to only keep the latest build, I noticed in the drop folder that all previous builds were still there.

image

On the Connect site I found an explanation:

 The retention policy only cleans up build artifacts that are saved inside source control (server drops). Build artifacts that are dropped to a file share are not removed.

On UserVoice I noticed that this issue should be solved in VSTS and the latest bits of TFS 2015.

From the release notes:

image

Time to rollout an update…

Tuesday, November 22, 2016

SQL Server Extension for VS Code

Yesterday I discovered the following great extension for VS Code: mssql.

From the marketplace:

An extension for developing Microsoft SQL Server, Azure SQL Database and SQL Data Warehouse everywhere with a rich set of functionalities, including:

  • Connect to Microsoft SQL Server, Azure SQL Database and SQL Data Warehouses.
  • Create and manage connection profiles and most recently used connections.
  • Write T-SQL script with IntelliSense, T-SQL snippets, syntax colorizations, T-SQL error validations and GO batch separator.
  • Execute the script.
  • View the result in a slick grid.
  • Save the result to json or csv file format and view in the editor.
  • Customizable extension options including command shortcuts and more.

Installation

  • To install it, open Visual Studio Code
  • Open the Extension tab by hitting ctrl-shift-x
  • On the Extension tab, search for ‘mssql’

image

  • Click on the Install button. After the installation has completed, click on the Reload button to activate the extension.

image

Connecting to SQL Server

  • Open a new text file (ctrl+n) and change the language mode to SQL by pressing ctrl+k,m and selecting SQL.

image

  • mssql commands and functionalities are enabled in the SQL language mode in the Visual Studio Code editor.

image

  • Create a new connection profile using command palette by pressing F1, type sqlman to run MS SQL: Manage Connection Profile command.

image

  • Select Create. Follow the steps and specify a server name, database name and authentication type.

image

  • The created connection profile is already selected. If you want to connect to another database, press F1 and type sqlcon to run the MS SQL: Connect command, then select a connection profile.

image

  • Write T-SQL script in the editor using IntelliSense and Snippets. Type sql in the editor to list T-SQL Snippets.

image

  • Execute T-SQL script or selection of statements in the script by pressing F1 and type sqlex to run MS SQL: Execute Query command. You can also use a shortcut (ctrl+shift+e).
  • View the T-SQL script execution results and messages in result view.

image

Monday, November 21, 2016

.NET Core SDK not found

I downloaded a sample project from GitHub to experiment with the new .NET Core. However, when I opened it, I was welcomed by the following error message:

“.NET Core SDK Not Found”

clip_image002

This is a known issue and can be solved by downloading the correct version of the .NET SDK:

.NET Core 1.0.1 SDK 1.0.0-preview2-003131 download links
.NET Core 1.0.0 SDK 1.0.0-preview2-003121 download links
.NET Core 1.0.0 RC2 SDK 1.0.0-preview1-002702 download links

Friday, November 11, 2016

TFS Build vNext : Running your JavaScript unit tests as part of your build process

Thanks to the Chutzpah test adapter, you can run your QUnit, Jasmine or Mocha unit tests inside Visual Studio using the built-in tools like the Unit Test Explorer. I’ve been using this VSIX for years, and it works great.

But what if you want to run these same tests as part of your build process? I’ll explain the steps to get it up and running inside TFS Build vNext.

  • Start by opening the solution that contains the test project in Visual Studio.
  • Add the NuGet package for the Chutzpah test runner to your solution. This is a solution-level package, so it does not need to be associated with any project.
    • Don’t forget to check the change in to source control.
  • Now go to the TFS web portal. Open your build definition and add a Visual Studio Test build task:

image

  • Configure the Test Assembly parameter inside the task to search for your JavaScript tests. All my JavaScript tests have ‘test’ as part of their filename, so I used the following pattern: **\$(BuildConfiguration)\*test*.js;-:**\obj\**

image

  • That’s all. As we added the Chutzpah Test Runner adapter through NuGet, the build task will automatically pick it up and use it while executing the tests.
    • In case the test adapter isn’t discovered, you can still configure it manually by specifying the ‘Path to Custom Test Adapters’ parameter.

image

Thursday, November 10, 2016

Azure: Cloud services are not available in this subscription

I encountered a strange issue when using the Azure Cloud Services (Web and worker roles). When I tried to publish the project to Azure using Visual Studio, I couldn’t continue after selecting the Azure subscription I wanted to deploy to. Instead I got the following error message:

Cloud services are not available in this subscription

The error occurs because Cloud Services still use the old deployment model, which is based on Azure Service Management (ASM). To deploy an ASM-based component to Azure you need to be a ‘co-admin’ for the subscription. Our subscription administrator made me ‘Owner’ in the new portal, but this role only has an impact on the new ARM-based resources.

So I had to ask our subscription admin to log in to the old portal (https://manage.windowsazure.com) and make me co-administrator:

  • Login to the old portal
  • Click on Settings –> Administrators
  • Click on the Add button at the bottom
  • Enter the co-admin email address and click on the OK button.

After I got the confirmation from our subscription administrator, I hit refresh in Visual Studio and the error disappeared. Great!

Wednesday, November 9, 2016

Building a modern JavaScript stack from scratch

Great tutorial I found on GitHub: JavaScript Stack from Scratch

This is a minimalistic and straight-to-the-point guide to assembling a JavaScript stack. It requires some general programming knowledge, and JavaScript basics. It focuses on wiring tools together and giving you the simplest possible example for each tool. You can see this tutorial as a way to write your own boilerplate from scratch.

You don't need to use this entire stack if you build a simple web page with a few JS interactions of course (a combination of Browserify/Webpack + Babel + jQuery is enough to be able to write ES6 code in different files with CLI compilation), but if you want to build a web app that scales, and need help setting things up, this tutorial will work great for you.

image

Certainly worth the time…

Tuesday, November 8, 2016

SecurityTokenValidation exception: the X.509 certificate CN=LocalSTS chain building failed. The certificate that was used has a trust chain that cannot be verified.

I’m talking to a WCF service and use a bearer token to authenticate to the service. The bearer token is provided by a custom STS (during testing). However when I tried to invoke the service, I got the following error message back:

The X.509 certificate CN=LocalSTS chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

clip_image001

And indeed this error makes sense as the tokens generated by the local STS are signed by an untrusted certificate. As we are using it for testing purposes only, it’s OK to disable the certificate validation.

  • Open the configuration of your webservice.
  • Add a serviceCredentials block to your serviceBehavior.
  • Inside this block add an issuedTokenAuthentication section and set the certificateValidationMode to “None”.
  • That should do the trick.
    • Note that this should only be done for testing purposes; it is not secure for production usage!

  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceAuthorization principalPermissionMode="Always" />
        <serviceCredentials>
          <issuedTokenAuthentication certificateValidationMode="None" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
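As an added example (my own code, not from the post), the same issuedTokenAuthentication setting applied from code rather than config, with the “None” mode kept behind an explicit test switch and a PeerTrust alternative that trusts only the named STS certificate. The thumbprint constant and the isTestEnvironment flag are placeholders I introduced:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not code from the original post: configure how the service
// validates the certificate that signed the STS-issued token.
// LocalStsThumbprint and the isTestEnvironment flag are hypothetical.
public static class StsCertificateValidation
{
    // Placeholder: thumbprint of the STS signing certificate (not a real value).
    private const string LocalStsThumbprint = "<LOCAL-STS-CERT-THUMBPRINT>";

    // Call before host.Open().
    public static void Configure(ServiceHost host, bool isTestEnvironment)
    {
        IssuedTokenServiceCredential issued = host.Credentials.IssuedTokenAuthentication;

        if (isTestEnvironment)
        {
            // Same effect as certificateValidationMode="None" in the config above:
            // the signing certificate is not validated, so any signer is accepted.
            issued.CertificateValidationMode = X509CertificateValidationMode.None;
            return;
        }

        // Hardened variant: accept only the explicitly listed STS certificate.
        // PeerTrust looks the certificate up in LocalMachine\TrustedPeople, so no
        // chain to a trusted root is needed; this also works for a self-signed
        // STS certificate without switching validation off.
        issued.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        issued.TrustedStoreLocation = StoreLocation.LocalMachine;
        issued.RevocationMode = X509RevocationMode.Online;
        issued.AllowUntrustedRsaIssuers = false;
        issued.KnownCertificates.Add(LoadFromTrustedPeople(LocalStsThumbprint));
    }

    private static X509Certificate2 LoadFromTrustedPeople(string thumbprint)
    {
        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("STS signing certificate not found in TrustedPeople.");
            return matches[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

Keeping the “None” branch behind a switch that is only true in the test environment means a test configuration cannot silently reach production, which is the risk with a plain certificateValidationMode="None" in web.config.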

Monday, November 7, 2016

Unit testing Microsoft Orleans

Unit testing your Orleans actors in isolation is not easy. The problem is that they all have to inherit from a Grain or Grain<T> base class. This class has a lot of properties that you are probably using during the lifetime of your actor (e.g. accessing state, writing state, using the GrainFactory to talk to other actors, …).

I first tried to avoid the unit testing problem by focusing more on integration testing and using the TestingSiloHost, but the need to test some functionality in isolation remained. Time for a better solution…

I searched around on the web to see how other people tackled this issue. Some fell back to mocking frameworks, but that didn’t help to make the tests more readable. In the end I settled on a simple approach where we use some simple composition and extract the real actor logic into a separate class:
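As an added example of that composition approach (my own code, not the post’s), the grain keeps only the Orleans plumbing and delegates to a plain class that depends on two small interfaces, so the logic can be unit tested without a silo. All names (AccountGrain, IAccountStore, INotifier, IAuditGrain) are hypothetical:

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using NUnit.Framework;
using Orleans;

// Added example, not code from the original post. All type names are hypothetical.
public class AccountState { public decimal Balance { get; set; } }

// What the logic needs from its host: persisted state and a way to reach other actors.
public interface IAccountStore { AccountState State { get; } Task SaveAsync(); }
public interface INotifier { Task NotifyAsync(string message); }

// The real actor logic: no Grain base class, no silo required.
public class AccountLogic
{
    private readonly IAccountStore store;
    private readonly INotifier notifier;

    public AccountLogic(IAccountStore store, INotifier notifier)
    {
        this.store = store;
        this.notifier = notifier;
    }

    public async Task<bool> WithdrawAsync(decimal amount)
    {
        // Reject non-positive amounts and overdrafts before touching state.
        if (amount <= 0 || amount > store.State.Balance) return false;
        store.State.Balance -= amount;
        await store.SaveAsync();
        await notifier.NotifyAsync("Withdrew " + amount);
        return true;
    }
}

public interface IAccountGrain : IGrainWithGuidKey { Task<bool> Withdraw(decimal amount); }
public interface IAuditGrain : IGrainWithIntegerKey { Task Record(string message); }

// The grain only adapts Grain<T>.State, WriteStateAsync and GrainFactory onto the interfaces.
public class AccountGrain : Grain<AccountState>, IAccountGrain, IAccountStore
{
    private AccountLogic logic;

    public override Task OnActivateAsync()
    {
        logic = new AccountLogic(this, new AuditNotifier(GrainFactory));
        return base.OnActivateAsync();
    }

    public Task<bool> Withdraw(decimal amount) { return logic.WithdrawAsync(amount); }

    AccountState IAccountStore.State { get { return State; } }
    Task IAccountStore.SaveAsync() { return WriteStateAsync(); }

    private class AuditNotifier : INotifier
    {
        private readonly IGrainFactory factory;
        public AuditNotifier(IGrainFactory factory) { this.factory = factory; }
        public Task NotifyAsync(string message) { return factory.GetGrain<IAuditGrain>(0).Record(message); }
    }
}

// Test doubles: an in-memory store and a notifier that records what it was sent.
public class InMemoryStore : IAccountStore
{
    public AccountState State { get; private set; }
    public int Saves { get; private set; }
    public InMemoryStore(decimal balance) { State = new AccountState { Balance = balance }; }
    public Task SaveAsync() { Saves++; return Task.FromResult(0); }
}

public class RecordingNotifier : INotifier
{
    public List<string> Messages = new List<string>();
    public Task NotifyAsync(string message) { Messages.Add(message); return Task.FromResult(0); }
}

[TestFixture]
public class AccountLogicTests
{
    [Test]
    public async Task Withdraw_rejects_overdraft_and_does_not_save()
    {
        var store = new InMemoryStore(10m);
        var notifier = new RecordingNotifier();
        var logic = new AccountLogic(store, notifier);

        Assert.IsFalse(await logic.WithdrawAsync(25m));
        Assert.AreEqual(10m, store.State.Balance);
        Assert.AreEqual(0, store.Saves);
        Assert.IsEmpty(notifier.Messages);
    }
}
```

The test exercises the overdraft rule against plain objects; the only code left untested here is the thin adapter inside AccountGrain, which is what the TestingSiloHost integration tests are for.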

Friday, November 4, 2016

Swagger Type Provider for F#

One of the cool features of F# is Type Providers. Type providers provide an information-rich programming model where type information (types, properties, methods, …) can be derived from internal and external information sources. For example, an F# type provider for SQL will provide the types, properties, and methods you need to work directly with the tables of any SQL database you have access to. Similarly, a type provider for WSDL web services will provide the types, properties, and methods you need to work directly with any WSDL web service.

Last week I discovered a Type Provider for Swagger (a simple yet powerful representation of your RESTful API) called SwaggerProvider.

Let’s see SwaggerProvider in action:

  • Create a new F# application
  • Add an F# code file
  • Add the SwaggerProvider NuGet package to your project

image

  • Load the provider in your module, specify the location of the swagger.json schema information and create a provider instance:
  • If we now access the petStore instance, we’ll get a list of available methods derived from the swagger metadata:

image

Consuming a Web API was never so easy!

Thursday, November 3, 2016

Create a clean ASP.NET MVC project

One thing I find annoying when creating a new ASP.NET MVC project is that the default templates are not well suited to my needs. You can take the MVC template, but then you end up with a lot of extra stuff that you don’t need, or you can choose the Empty template, but then it is… too empty.

image

I need to have something in between where I have the minimal set of boilerplate code without all the extra stuff added by the MVC template.

Here is a way how you can do this:

  • Start by creating a new ASP.NET project.
  • Choose the Empty template from the list of available templates. Click OK.

image

  • Once your new (empty) project is created, right click on the project in the Solution Explorer and choose Add –> New Scaffolded Item…

image

  • Choose MVC 5 Controller – Empty from the list and click on Add.

image

  • After the scaffolding is complete, you have a minimal set of starter code available…

image

Great tip from a colleague, thanks Koen!

Wednesday, November 2, 2016

WCF Error when using BearerTokens - The security token is used in a context that requires it to perform cryptographic operations, but the token contains no cryptographic keys.

By default WCF uses symmetric encryption for token validation. However in our situation we were using a custom STS that created bearer tokens. This means that we don’t provide any proof about our identity.

When we tried to use the token to call a WCF service we got the following error message:

The signing token Generic XML token:
   validFrom: 10/31/2016 10:52:49
   validTo: 10/31/2016 11:52:49
   InternalTokenReference: SamlAssertionKeyIdentifierClause(AssertionId = '_129cb505-83f0-4af0-a455-c51b51926d3a')
   ExternalTokenReference: SamlAssertionKeyIdentifierClause(AssertionId = '_129cb505-83f0-4af0-a455-c51b51926d3a')
   Token Element: (Assertion, urn:oasis:names:tc:SAML:1.0:assertion)
has no keys. The security token is used in a context that requires it to perform cryptographic operations, but the token contains no cryptographic keys. Either the token type does not support cryptographic operations, or the particular token instance does not contain cryptographic keys. Check your configuration to ensure that cryptographically disabled token types (for example, UserNameSecurityToken) are not specified in a context that requires cryptographic operations (for example, an endorsing supporting token).

Here is the related code:

The problem was that in the binding I forgot to explicitly mention that the provided token type is a Bearer token, making WCF fall back to the default token validation. Let’s fix this:
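As an added example (my own code, not the post’s), two ways of declaring the issued token as a bearer token in a client binding; the STS address is a placeholder, and the token type URI is the SAML 1.0 assertion type that appears in the error message above:

```csharp
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

// Added example, not code from the original post: declare the issued token as a
// bearer token (no proof key). The STS address below is a placeholder.
public static class BearerTokenBindings
{
    private const string StsAddress = "https://localsts.example/issue";   // placeholder
    private const string Saml11TokenType = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Federation binding: IssuedKeyType defaults to SymmetricKey, which makes WCF
    // expect a proof key in the token and produce the "token contains no
    // cryptographic keys" error when it receives a bearer token.
    public static WS2007FederationHttpBinding CreateFederationBinding()
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.IssuedKeyType = SecurityKeyType.BearerKey;
        binding.Security.Message.IssuedTokenType = Saml11TokenType;
        binding.Security.Message.IssuerAddress = new EndpointAddress(StsAddress);
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }

    // Custom binding: the same setting lives on the issued-token parameters.
    public static CustomBinding CreateCustomBinding()
    {
        var tokenParameters = new IssuedSecurityTokenParameters(Saml11TokenType)
        {
            KeyType = SecurityKeyType.BearerKey,
            IssuerAddress = new EndpointAddress(StsAddress),
        };
        SecurityBindingElement security =
            SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(tokenParameters);
        // A bearer token carries no proof key, so HTTPS is what protects it in transit;
        // the token must never travel over a plain HTTP transport.
        return new CustomBinding(security, new TextMessageEncodingBindingElement(), new HttpsTransportBindingElement());
    }
}
```

Whichever form is used, the service side has to be configured with the same key type, otherwise the token is still treated as an endorsing supporting token and the error above comes back.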