The main content of this article depends upon an Azure Service called ‘Access Control Service’. To make use of this service, you’ll need to sign up for an Azure Account. At the time of writing this article there is a 90 day free trial available.

You can find the portal entry page and sign up page at this web address : [ http://www.windowsazure.com/en-us/ ]

The wizard will take you through the sign up process, including signing up for a live account if you do not have one currently.

What is Azure?

Azure is Microsoft cloud offering , in very simple terms Microsoft provide huge containers full of hardware across the world and from these hardware clusters, Microsoft offer you the ability to:

• Upload and consume Virtual Machines
• Upload your own websites, applications and services
• Consume specialist services for example Access Control Service [ACS]
• Distribute your content worldwide via the Content Delivery Network [CDN]
• Make use of Object based data storage using a variant of  NoSQL concept called Table Storage
• Online SQL server instances , known as Azure SQL
• Distributed messaging and workflow via powerful and custom service bus offering.

In simple terms, Azure gives you the power to focus on writing world class software whilst it handles the hardware and costing concerns. All this power comes with a price tag, but when you take into account the cost of physical data canters Azure is more than competitive. In this article we will only utilise a tiny fraction of the power of Azure, but we would encourage you to explore it in more depth if you haven’t already.

What Is the Access Control Service [ ACS ] ?

Web Address – [ http://msdn.microsoft.com/en-us/library/windowsazure/gg429786.aspx ]

The Access Control Service offered by Microsoft via the Azure platform is a broker for Single Sign On Solutions. In simple terms this provides the capability for users to Authenticate to use your application. This authentication uses commercial and trusted Identity Providers such as:

• Google
• Windows Live Id
• A custom identity provider or a corporate Active Directory.

Once a user has authenticated they are issued with a token. We can receive and use this token as a unique identifier for the user inside the target software system.

This is as far as we will go to explain ACS, there is a lot of high quality material available on the internet that covers the basics of getting up and running with ACS . We have included a number of in depth links below, but the rest of this article will focus on Test driving ACS.

Adding Internet Identity Providers like Facebook, Google, LiveID and Yahoo to your MVC web application using Windows Azure AppFabric Access Control Service and jQuery in 3 steps

http://blogs.southworks.net/mwoloski/2011/04/12/adding-internet-identity-providers-like-facebook-google-liveid-and-yahoo-to-your-mvc-web-application-using-windows-azure-appfabric-access-control-service-and-jquery-in-3-steps/

How to Authenticate Web Users with Windows Azure Access Control Service

http://www.windowsazure.com/en-us/develop/net/how-to-guides/access-control/

Re-Introducing the Windows Azure Access Control Service

http://msdn.microsoft.com/en-us/magazine/gg490345.aspx

Behaviour Driven Development and black box testing – Concepts

Behaviour Driven Development or BDD has been in common use for a number of years, and there are several  flavours available in a number of frameworks. The basis of BDD is that we execute living requirements (or in Agile speak, Stories) which have been written in a English readable representation of the required functionality.

Some frameworks take a Domain Specific Language (DSL) approach to defining the requirements that the BDD tests will execute, a common standard is called Gherkin.

DSL  : [ http://www.martinfowler.com/bliki/BusinessReadableDSL.html ]

Gherkin : [ http://www.ryanlanciaux.com/2011/08/14/gherkin-style-bdd-testing-in-net/ ]

The framework we will be using in this article is called StoryQ ([ http://storyq.codeplex.com/ ]). We have chosen this framework due to its simplistic approach to specification design, and more importantly its support for coded specifications. To be specific; we write the specification in code and therefore they become part of our living code base.

Driving the Browser

Although StoryQ provides a nice step by step format and structure to our Stories, it still leaves the problem that the requirements are written from a high level perspective.

As developers, we could implement a White box style approach where by we do not respect the outer borders of the application. Our Tests would then be allowed to interact with the code, and even substitute parts of the code for Testing objects such as Mocks. We speak about this approach in detail in this article.

[ http://blog.elastacloud.com/2012/08/21/step-by-step-guides-getting-started-with-specification-driven-development-sdd/ ] .

In this case we have elected to respect the boundaries of the application. We will treat the application as if it is within a black box, into which we can not see or interfere but with who’s public interface (in this case a web page) we can interact.

Having made this decision we now need to find a framework to work with StoryQ. We need to allow our tests to drive a browser and cause it to replicate a users interaction. There are a number of frameworks available , in this case we select the excellent Selenium  + Web driver packages from Nuget.

[ http://www.nuget.org/packages/Selenium.WebDriver ].

The tools we are using

Our own development setup is as follows:

·Windows 8 http://windows.microsoft.com/en-US/windows-8/release-preview

· Visual Studio 2012 http://www.microsoft.com/visualstudio/11/en-us

· Resharper 7 http://www.jetbrains.com/resharper/whatsnew/index.html

· NUnit http://nuget.org/packages/nunit

· NUnit Fluent Extensions http://fluentassertions.codeplex.com/

- Selenium + Web Driver http://www.nuget.org/packages/Selenium.WebDriver

We find that the above combination of software packages makes for an exceptional development environment. Windows 8 is by far the most productive Operating System we have used across any hardware stack. Jet Brains Resharper has become an indispensable tool, without which Visual Studio feels highly limited. NUnit is our preferred testing framework, however you could use MBUnit or XUnit. For those who must stick with a pure Microsoft ALM experience you could also use MSTest.

What are we trying to achieve

In the rest of this article we will demonstrate using Selenium + Web Driver to empower our StoryQ tests. We will show how to represent a User logging into Azure [ACS] prior to them accessing our site.

We will show illustrations of the following

• Web Driver
• StoryQ
• Azure Access Control Service
• Emergent Design
• NUnit
• Unit Testing a controller action
• Selenium Selectors
• Identity and Access Tool

Test Driven

As Test Driven Developers we start with a requirement and a Test -

As A User who is not logged in

When I try to access the site

Then I expect to be taken to a login screen

Step 1 : Is to add a Test Assembly this is just a standard class library project.

Step 2 : Add Nuget references for -

• Nunit
• StoryQ
• Fluent Assertions

Step 3 : Write a Story -

Note on Story Planning

The Story above reflects the spirit of the original requirement, but actually attacks them in a very pragmatic way. This will not appeal to purist BDD folks, but it is an approach we have found to be very effective when analysing requirements from Business. We often find that some of the set up and Administrator stories have been missed from the planning, and that these are required to empower the pure business Story’s.

We can also see here that the motivation for the ACS integration has changed to the Administrator. This would of typically come out of a conversation with a Business Owner over who this Story benefits and which role would be motivated by the security of the system.

The business would typically readjust their Story pallet to include Stories relevant to User profile and data security that arise from discussion with the business owner. This allows us to refine the Stories provided to the developers and better reflect the businesses intentions. The above situation illustrates the cooperative requirement management process with the Agile space. It is a good example of iterative requirement planning as a requirement passes through different stages of planning.

If we execute a dry run of this story -

we see the following output -

Story is We are forced to login to ACS when trying to access the site
In order to keep the web site secure => (#001)
As a Administrator
I want users to have to authenticate via ACS prior to entry to the web site

With scenario Happy Path

Step 4 : Write the scenario -

Step 5 :Generate Step Stubs

Recap – What we have done so far

We have taken the following steps –

• Set up a environment
• Built a class library project
• Set up a story
• Set up a scenario
• Stubbed out the steps required by the scenario

If we dry run the story now we see the following output -

Lets take a closer look

We can immediately see what we need to do to make this test pass, and in a very human readable output. This is one of the amazing and empowering features of StoryQ; it’s ability to bridge the gap between technical and business, via its clear and precise output formats.

Note – this is still a bit of a technical story, terms such as ACS would probably need to be refactored or added to a product definition dictionary, for the sake of this article we have kept this wording in.

Implementing the Functionality and making the story pass.

Next we start to use the test steps defined in the Story to drive out our functional foot print. In the following sections we will start to make formative steps to construct the application. The ACS bridge being built through the Azure side of the configuration will not be covered, as this has been covered in depth by the links supplied in earlier sections of this article.

Steps illustration

Now lets get started with the implementation.

Step 1 : That I am Not Logged In

This step forces us to use Nuget to bring in the webdriver and selenium implementation we referred to earlier. The main reason we are driven to do this now is because we want to be sure we have no ACS cookies registered with the browser. To delete any cookies that are present we need to make a call to the browser. This also gives us our perfect motivation to bring down a browser automation tool kit.

With the Webdriver in place we can now instantiate it and make sure we have cleared down any cookies and are working with a fresh profile. There are drivers available for Firefox, Internet Explorer and Chrome. In our case we have used Firefox.

With the Driver in place and instantiated we can now make sure it is clear of cookies.

We are being explicit here despite the fact we have just created a new Profile. This is because the step cannot be dependant upon the set code, the driver or profile to remain unchanging.  We therefor include a deliberate step to delete all cookies and make sure we are working with a clean browser.

Step 2 : I Try To Go To The Home Page

In this step we will see a browser window open up and try to browse to the site. To enable this we are driven to add the following elements -

• App.Config
• ASP MVC Application
• Home Controller
• Index Action

When we can see that the browser launched by the framework automatically navigates to the home page then we know this step is complete.

The code to drive the browser -

The settings for the test runner, held in a app.config file for convenience.

We now add a ASP MVC 4 project

When we run the story we can see Firefox open and try to navigate to the Home URL, which fails.

We will now add a Unit test to drive out the Home controller and index action.

From this test we drive out the view and the controller, we have added them below for completeness.

Controller

View

The controller and view are skeletal objects, we only implement what we are driven to add by our tests.

We now rerun our test and find that we are green. We are ready to continue our journey.

With the new controller and view in place we will re-run our Step and see if we can reach the site. Unfortunately we find we still fail – this is because the default is for visual studio to use the development server. We can work with this, but when working on the types of sites that we will be running via the Azure Emulator, we prefer to work directly with a IIS or IIS express. Eventually, as mentioned above, we would more than likely be driven by our none functional requirements to implement the Azure emulator. However as we have not been driven there yet, we will configure visual studio to run this site via IIS.

The links below will explain how to configure your choice of web server for your project to run under.

[ http://msdn.microsoft.com/en-us/library/ms178108%28v=vs.100%29.aspx ]

[ http://ukchill.com/technology/setting-up-a-web-project-environment-in-visual-studio-2010-to-allow-debugging-using-both-iis7-and-the-development-web-server/ ]

With IIS configured we have proved the potential for this step to succeed. We can see below that without ACS implemented we are successfully able to Test Drive to the Home action of the site.

StoryQ guides our efforts by showing a textual map of what we have done and what we have left to achieve.

Step 3 : I Am Taken To The ACS Provider Chooser Page

To Achieve this step we need to add some acceptance criteria and then we need to configure ACS. First let us set our expectations for this step.

In the code above we have a search to retrieve all div elements on page, followed by a Query to make sure the ACS sign on text can be found in the collection. Note that there are many elements that we could have checked on the page, including a fragment of the URL. As there was a choice, we have chosen to select just enough to get the job done and fix the Query and Criteria if it proves to be problematic.

Note: the selection criteria above will vary dependent upon the Identity providers you have configured. The above criteria works when we have selected multiple identity providers, in this case google and Windows Live.

The next step is to configure the pathways to ACS. For this to succeed you need to have configured an ACS namespace as per the directions supplied on the links earlier in this article.

Identity And Access Tool

The Identity and Access Tool can be used to bypass a lot of manual configuration and pain. It is a substantial improvement on the WIF tool kit. Below is a link which provides details of how to configure the tool .

http://visualstudiogallery.msdn.microsoft.com/e21bf653-dfe1-4d81-b3d3-795cb104066e

http://blogs.iqcloud.net/2012/09/federated-authentication-with-azure-acs.html

Note: We have, on occasions, found that we have needed to restart Visual Studio 2012 multiple times when installing this tool, before the Identity and Access option has been available on the context menu.

Note: We have found with our ASP MVC projects when using this tool, that we then need to add some namespaces as reference. You can check what these are by taking a quick peek at the web.config file.

We found we needed to add System.IdentityModel.

If you want to check your configuration , set the ASP MVC project as the start up project and press f5 to run the project. Depending on the identity providers you configured, you should be presented with a challenge page.

Once you have logged in you , you should be presented with your Home page for your ASP MVC Application

With the ACS bridge in place and properly configured, we will now head back to our Story and the step we were completing. We need to rerun the test to check the expectation.

After running the test Firefox starts up and goes to the ACS page. The text inside the div is found and we have another passing step in our story as well as a configured ACS bridge.

Next we will pick an identify provider. We will then login to the ACS page using the web driver and authenticate.

Step 4 : I Have To Pick A Identity Provider

We will use the web driver to login to Windows Live as the Identity Provider.

We can now execute this step

Success –  The test now executes the step to take the driver to the Windows Live login page

Step 5 : I Have To Login To My Identity Provider

To provide this functionality we have written a few extension methods. There is no magic here, the secret of this technique is in its simplicity.  We need only do the following :

• Find the relevant elements on the page
• Enter the expected Text
• Click a button
• Capture a confirmation dialog and accept it

Step implementation

Extension Methods

The ACS provider after the Email address and Password have been filled in

Success – The Home screen, post click of submit button and acceptance of Confirmation Dialog

Test output showing passing step

Step 6 : I am Taken To The Site

The final step asserts that we are in fact on the home page and we are done

Let us now execute this test and hopefully we should have a green passing story.

Recap – What have we just done

Let us just take a moment to take a breath and look back at what we have achieved.

• We now have a ASP MVC 4 application shell
• The ASP MVC 4 application shell is integrated with ACS
• We have security test coverage across the homepage. We can add other scenarios to our Stories if we want to make them implement ACS security.
• We have introduced the the concepts of Black Box Browser based BDD.
• We have had a short discussion about the need to reinterprete and reframe requirements

Conclusion

At a certain point people from outside the organisation had the ability to upload a file and this file had to be intercepted by a gateway before being persisted and operated on the through the workflow. You would think that this was an easy and common solution to implement. However, at the time it wasn’t. We used a Symantec gateway product and its C API which allowed us to use the ICAP protocol and thus do real time scanning.

Begin everything with a web role

For the last 6 months I’ve wanted to talk about Microsoft Endpoint Protection (http://www.microsoft.com/en-us/download/details.aspx?id=29209) which is still in CTP as a I write this. It’s a lesser known plugin which exists for Windows Azure. For anybody that receives uploaded content, this should be a commonplace part of the design. In this piece I want to look at a pattern for rolling your gateway with Endpoint Protection. It’s not ideal because it literally is a virus scanner, enabling real time protection and certain other aspects but uses Diagnostics to show issues that have taken place.

The files which are part of the endpoint protection plugin

So initially we’ll enable the imports:

<Imports>
<Import moduleName="Diagnostics" />
<Import moduleName="Antimalware" />
<Import moduleName="RemoteAccess" />
<Import moduleName="RemoteForwarder" />
</Imports>

You can see the addition of Antimalware here.

Correspondingly, our service configuration gives us the following new settings:

<Setting name="Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString" value="<my connection string>" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.ServiceLocation" value="North Europe" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.EnableAntimalware" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.EnableRealtimeProtection" value="true" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.EnableWeeklyScheduledScans" value="false" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.DayForWeeklyScheduledScans" value="7" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.TimeForWeeklyScheduledScans" value="120" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.ExcludedExtensions" value="txt|rtf|jpg" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.ExcludedPaths" value="" />
<Setting name="Microsoft.WindowsAzure.Plugins.Antimalware.ExcludedProcesses" value="" />

The settings are using Endpoint Protection for real time protection and scheduled scan. It’s obviously highly configurable like most virus scanners and in the background will update all malware defitions securely from a Microsoft source.

Endpoint protection installed on our webrole

First thing we’ll do is download a free virus test file from http://www.eicar.org/85-0-Download.html. Eicar has ensured that this definition is picked by most of the common virus scanning so Endpoint Protection should recognise this immediately. I’ve tested this with the .zip file but any of them are fine.

The first port of call is setting up diagnostics to proliferate the event log entries. We can do this within our RoleEntryPoint.OnStart method for our web role.

var config = DiagnosticMonitor.GetDefaultInitialConfiguration();
//exclude informational and verbose event log entries
config.WindowsEventLog.DataSources.Add("System!*[System[Provider[@Name='Microsoft Antimalware'] and (Level=1 or Level=2 or Level=3 or Level=4)]]");
//write to persisted storage every 1 minute
config.WindowsEventLog.ScheduledTransferPeriod = System.TimeSpan.FromMinutes(1.0);
DiagnosticMonitor.Start("Microsoft.WindowsAzure.Plugins.Diagnostics.ConnectionString", config);

Diagnostics info in Azure Management Studio

Okay, so in testing it looks like the whole process of cutting and pasting the file onto the desktop or another location takes about 10 seconds for the Endpoint Protection to pick this up and quarante the file. Given this we’ll set the bar at 20 seconds.

Endpoint protection discovers malware

I created a very simple ASP.NET web forms application with a file upload control. There are two ways to detect whether the file has been flagged as malware:

1. Check to see whether the file is still around or has been removed and placed in quarantine
2. Check the eventlog entry to see whether this has been flagged as malware.

We’re going to focus on No.2 so I’ve created a simple button click event which will persist the file. Endpoint protection will kick in within the short period so we’ll write the file to disk and then pause for 20 seconds. After our wait we’ll then check the eventlog and in the message string we’ll have a wealth of information about the file which has been quarantined.

bool hasFile = fuEndpointProtection.HasFile;
string path = "";
if(hasFile)
{
	path = Path.Combine(Server.MapPath("."), fuEndpointProtection.FileName);
	fuEndpointProtection.SaveAs(path);
}
// block here until we check endpoint protection to see whether the file has been delivered okay!
Thread.Sleep(20000);
var log = new EventLog("System", Environment.MachineName, "Microsoft Antimalware");
foreach(EventLogEntry entry in log.Entries)
{
	if(entry.InstanceId == 1116 && entry.TimeWritten > DateTime.Now.Subtract(new TimeSpan(0, 2, 0)))
        {
        	if(entry.Message.Contains(value: fuEndpointProtection.FileName.ToLower()))
                {
			Label1.Text = "File has been found to be malware and quarantined!";
                        return;
                }
        }
}
Label1.Text = path;

When I upload a normal file

When I upload the Eicar test file

The eventlog entry should look like this, which contains details on the affected process, the fact that it is a virus and also some indication on where to get some more information by providing a threat URL.
   %%860
   4.0.1521.0
   {872DA7D0-383A-4A18-A447-DC4C7E71785F}
   2012-08-12T09:31:18.362Z

   2147519003
   Virus:DOS/EICAR_Test_File
   5
   Severe
   42
   Virus

http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003

   3

   2
   3
   %%818
   D:\Windows\System32\inetsrv\w3wp.exe
   NT AUTHORITY\NETWORK SERVICE

   containerfile:_F:\sitesroot\0\eicar_com.zip;file:_F:\sitesroot\0\eicar_com.zip->(Zip);file:_F:\sitesroot\0\eicar_com.zip->eicar.com
   1
   %%845
   1
   %%813
   0
   %%822
   0
   2
   %%809

   0x00000000
   The operation completed successfully.

   0
   0
   No additional actions required
   NT AUTHORITY\SYSTEM

   AV: 1.131.1864.0, AS: 1.131.1864.0, NIS: 0.0.0.0
   AM: 1.1.8601.0, NIS: 0.0.0.0

Okay, so this is very tamed example but it does prove the concept. In the real world you may even want to have a proper gateway which acts as a proxy and then forwards the file onto a "checked" store if it succeeds. We looked at the two ways you can check to see whether the file has been treated as malware. The first, checking to see whether the file has been deleted from it's location is too non-deterministic because although "real time" means real time we don't want to block and wait and timeout on this. The second is better because we will get a report if it's detected. This being the case, a more hardened version of this example will entail building a class which may treat the file write as a task and asynchronously ping back the user if the file has been treated as malware - something like this could be written as an HttpModule or ISASPI filter pursue the test and either continue with the request or end the request and return an HTTP error code to the user with a description of the problems with the file.
Happy trails etc.
]]>



http://blog.elastacloud.com/2012/07/06/tricks-with-iaas-and-sql-part-2-scripting-simple-powershell-activities-and-consuming-the-service-management-api-in-c-with-fluent-management/
Fri, 06 Jul 2012 07:38:50 +0000
azurecoder
http://blog.elastacloud.com/2012/07/06/tricks-with-iaas-and-sql-part-2-scripting-simple-powershell-activities-and-consuming-the-service-management-api-in-c-with-fluent-management/

In the last blogpost we looked at how we could use powershell to build an IaaS deployment for SQL Server 2012. The usage was pretty seamless and it really lends itself well to scripted and unattended deployments of VMs. The process we went through showed itself wanting a little in that we had to build in some unwanted manual tasks to get a connection to the SQL Server. We looked at the provision of firewall rules, moving from Windows Authentication to Mixed Mode authentication and then adding a database user in an admin role.

The unfortunate fact is that this process can never be seamless (unlike PaaS) with the default gallery images since you cannot control the running of a startup script (nor would you want to). So to dive in we’ll look into building a powershell script that can do all of the above which can just be copied via remote desktop and executed.
The first part of the script will update the registry key so that we can test our SQL Server connection locally.

#Check and set the LoginMode reg key to 2 so that we can have mixed authentication
 Set-Location HKLM:\
 $registry_key = "SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQLServer"
 var $item = (Get-ItemProperty -path $registry_Key -name LoginMode).loginmode
 If($item -eq 1) {
 # This is Windows Authentication we need to update
 Set-ItemProperty -path $registry_key -name "LoginMode" -value 2
 }


When this is done we’ll want to open up the firewall port on the machine. Whether we our goal is to use Windows Authentication or Mixed Mode, or only expose the SQL Server to a Windows network that we create as part of an application – so only available internally we’ll still need to open up that firewall port. We do this through the use of a COM object which will allow us to set various parameters such as a port number, range and protocol.

# Add a new firewall rule - courtesy Tom Hollander
 $fw = New-Object -ComObject hnetcfg.fwpolicy2
 $rule = New-Object -ComObject HNetCfg.FWRule
 $rule.Name = "SQL Server Inbound Rule"
 $rule.Protocol = 6 #NET_FW_IP_PROTOCOL_TCP
 $rule.LocalPorts = 1433
 $rule.Enabled = $true
 $rule.Grouping = "@firewallapi.dll,-23255"
 $rule.Profiles = 7 # all
 $rule.Action = 1 # NET_FW_ACTION_ALLOW
 $rule.EdgeTraversal = $false
 $fw.Rules.Add($rule)


Lastly, we will need to add a user that we can test our SQL Server with. This is done through SQL statements and stored procedures. You can see the use of sqlcmd here. This is by far the easiest way although we could have used SMO to do the same thing.

# add the new database user
 sqlcmd -d 'master' -Q "CREATE LOGIN richard1 WITH PASSWORD='icanconnect900'"
 sqlcmd -d 'master' -Q "EXEC sys.sp_addsrvrolemember @loginame = N'richard1', @rolename = N'sysadmin'"


Take all of this and wrap it into a powershell file “.ps1″.
The point of this second post was to show that you could do exactly what we did in the first post programmatically as well. This is what we’ve done through a branch of our Fluent Management library which will now support IaaS. One of the reasons we’ve been very keen to integrate IaaS programmatically is because we feel that the hybrid scenarios of PaaS and IaaS are a great mix so to be able to inevitably this mixture transactional in the same way is a good goal for us.

var manager = new SubscriptionManager(TestConstants.InsidersSubscriptionId);
 manager.GetVirtualMachinesManager()
 .AddCertificateFromStore(TestConstants.ManagementThumbprintIaaS)
 .CreateVirtualMachineDeployment()
 .AddToExistingCloudServiceWithName(TestConstants.CloudServiceNameIaaS)
 .WithDeploymentType(VirtualMachineTemplates.SqlServer2012)
 .WithStorageAccountForVhds(TestConstants.StorageServiceNameIaaS)
 .WithVmOfSize(VmSize.Small)
 .Deploy();


So in one line of code we now have the equivalent of the powershell script in the first part. Note that this is a blocking call. When this returns initially a 202 Accepted response is retuned and then we continue to poll in the background using the x-ms-request-id header as we previously did with PaaS deployments. On success Fluent Management will return unblock.
From the code there are key messages to take away.

we continue to use our management certificate with the subscription activity
we need to provide a storage account for the VHD datadisks
we can control the size of VM which is new thing for us to be able to do in code (normally the VmSize is set in .csdef but in this case we don’t have one or a package)
we have to have a cloud service already existing with which to add the deployment to

In many of the previous posts on this blog we’ve looked at the Service Management API in the context of our wrapper Fluent Management. The new rich set of APIs that have been released for Virtual Machines make for a good set of possibilities to do everything that is easy within the CLI and Powershell right now enabled within an application.
Happy 4th July to all of our US friends (for yesterday!)
]]>



http://blog.elastacloud.com/2012/06/02/azure-fluent-management-v-0-4-released/
Sat, 02 Jun 2012 12:50:58 +0000
azurecoder
http://blog.elastacloud.com/2012/06/02/azure-fluent-management-v-0-4-released/

If you haven’t tried Fluent Management yet try it now! It’s beginning to shape up into quite a powerful library. There are several features which are on cards for the lib between v0.4 and v0.5 most of which revolve around ServiceSystemWatchers and Upgrades but the deployment side of things is done now. We’re also going to update the Service Bus side of things to create multiple service identities with new queue creation. There are a few updates which need to be done to support rdp, ssl enablements across multiple roles instead of a single one as well as an error router which will deal with common web exceptions through a notification interface but on the whole it can do some pretty good things in a very easy to understand manner. We’ve had 187 downloads so hopefully people are using it even though we haven’t had that much feedback.

A common scenario we’re using it for now are as follows:

Upload a package to Blob storage
Auto-update the configs (.cscfg, .csdef on the fly using business rules)
Deploy the package with 3 roles, rdp support and an autgenerated self-signed SSL/RD certificate in the name of the role
Create a SQL Azure instance, logins, firewall rules, single database, new admin user and populate the database
Add a storage account and return the keys

Of course the beauty around these scenarios is that this is an all or nothing thing so we’ll have a rollback occur if there is a failure at any point. The logging support is okay at the moment to help determine the failure scenarios but it will be much better by the next v0.5 release.
Hope you enjoy using this. Remember this is beta and it was released to try and get feedback from the community so if you have any comments or suggestions let us know.
UPDATE: Added the framework this morning for watching things. It should be really easy now to drop in a watcher to keep an eye on whether someone deletes your database, database server, storage account, hosted service, deployment in staging or production etc. can lead to some very useful scenarios.
The only one I’ve implemented is the one that Michael Collier from Neudesic requested since I think it may be useful for a number of people but when I get time I’ll add the others because it would be nice to have a simple monitoring and supporting reference service off the back of the lib.
Anyway, the code from my test looks like this (it will poll every 15 seconds by default) – if you haven’t got it Azure Fluent Management from nuget:

var man = new ManualResetEvent(false);

var subscriptionManager = new SubscriptionManager(TestConstants.LwaugSubscriptionId); var manager = subscriptionManager.GetRoleStatusChangedWatcher(TestConstants.LwaugServiceName, TestConstants.LwaugRoleName,                  DeploymentSlot.Staging, TestConstants.LwaugThumbprint);

manager.RoleStatusChangeHandler += (status, oldStatus) =>  {

Assert.AreNotEqual(oldStatus, status);

man.Set();

};

man.WaitOne(10000);


]]>



http://blog.elastacloud.com/2012/04/21/service-bus-acs-and-multiple-service-identities/
Sat, 21 Apr 2012 11:20:58 +0000
azurecoder
http://blog.elastacloud.com/2012/04/21/service-bus-acs-and-multiple-service-identities/

As windows Azure becomes more prolific and people begin to use key features we’ve had several users of the service bus come to us at the user group showing us reasonably good implementations. They all have one key design flaw on production release which I wanted to write about here.

Good security for a website entails that you don’t send messages back to the client when they get their password wrong that tell that it was their password that was at fault. Whilst the lack of pintpoint feedback like this is not ideal one of the key considerations is not to give an attacker more information then they need to crack an account. Without precise feedback any random attack bot (is there such a term or is my star wars head just inventing stuff this morning?!) can learn details on credentials.
 



Service Bus management details


 
One of the problem with the Service Bus is that many people begin to use it without understanding how ACS is used to protect access to it. They key idea here is that ACS is like a lockbox. As part of the setup process it creates a single “identity” which contains the information needed for any client to participate in the service bus and send and receive messages. So this identity then becomes your most important asset.
The problem here is that most users still don’t effectively understand the coupling mechanism between the service bus and ACS so they keep the default identity with the name “owner”. So now we’re left with breaking our pattern of good security because 50% of the information we need to know is known to an attacker – it would still be pretty hard to guess the default 256-bit symettric key though!
Showing the default and owner and key
 
As such you may want to predicate access on groups or corporations or something that would beget a good access policy and create at least one new or multiple identities so that at least you could track usage effectively as well as revoke access to a particular messaging client.
In order to do this you need to follow the link to the Management Endpoint in your browser which takes you straight to the ACS for the Service Bus. Then select Service Identities. You can add another identity very easily and choose either symettric key, password or certificate-based authentication.
 
Select Service Identities from the Menu
Creating and editing a service identity
 
I’ve now removed the owner, which is the default identity and set up a new identity which can be used with clients. Of course it’s possible to automate this process through the management REST layer. Maybe this is something we can look at doing in the fluent management API.
 
Managing Multiple Identities
 
Anyway, should you now try and use these credentials you’ll get an UnauthorizedAccessException! The Service Bus uses a particular action to generate output claims for access to specific things you can do with the bus. These claims are Send, Listen and Manage. By default, the “owner”, has all 3 enabled. The first two are fine but the third could cause major disruption to your project which is all the more reason to change your management access – or disable programmatic access if you choose to and use the portal instead.
 
Bye-bye owner!
UnauthorizedAccessException
 
Send and Listen output claims should be sufficient for pretty much everything as long as you don’t ask the Service Bus to divulge any information (e.g. if you use QueueExists to check the validity of a queue or try and get metainformation about anything on the service bus then it will fail if you don’t have the Manage output claim).
Here is a screenshot showing the claims:
 
Editing and completing input -> output claims
 
To add standard rule you would use the following format:

Input Claim Issuer: Access Control Service
Input Claim Type: (Select Type) namesidentifier
Input Claim Value: <your new identity name>
Output Claim Type: net.windows.servicebus.action
Output Claim Value: Send/Listen/Manage

Once you’ve created 1-3 rules depending on the rights of the identity, if you’ve created a new rule group and not added rules to the existing one then you’ll need to add this to the Relying Party Application as in the screenshot.
 
Adding a second rule group to a relying party application
 
So the moral of the story here is that ACS offers a rich model of managing identities and claims. Use this and ensure that you adhere to good application design principles, get rid of default users and don’t send these credentials to clients. Ensure that each user of the service bus subscribes to the principle of least privilege so unless they need management access don’t give it to them. It means writing your applications in a certain way to ensure that no management checks are done prior to sending and/or receiving messages but better safe than sorry!
]]>



http://blog.elastacloud.com/2012/04/19/961/
Thu, 19 Apr 2012 23:13:52 +0000
azurecoder
http://blog.elastacloud.com/2012/04/19/961/

Okay, so I know the naming convention is pretty pants but I wanted to make another release. Version 0.4 will include a hosted service delete feature, automatic checks of hosted lists and blob container existance checks, propogation of exceptions from WebExceptions (which are currently suppressed) and enablement of Remote Desktop.

The roadmap for v 0.5 is about a month away but will include an orchestration engine and addition of plugins and new config settings. Remember, this library is still in beta so don’t use this in a production release until we say so!
Firstly we’ll review the new read infosets. This will get the current subscription information:
 var subscriptionManager = new SubscriptionManager(TestConstants.SubscriptionId);
 var subscriptionInformation = subscriptionManager.GetSubscriptionDetailsManager()
                .AddCertificateFromStore(TestConstants.ManagementThumbprint)
                .GetSubscriptionInformation();

This will return the locations available under your subscription. Useful if your subscription is free and is pinned to a particular territory.
 var subscriptionInformation = subscriptionManager.GetSubscriptionDetailsManager()
                .AddCertificateFromStore(TestConstants.ManagementThumbprint)
                .GetSubscriberLocations();

To get a list of hosted services you can use the following:
 var hostedService = subscriptionManager.GetDeploymentManager()
                .ForServiceInformationQuery()
                .UseExistingBuild()
                .AddCertificateFromStore(TestConstants.ManagementThumbprint)
                .GetHostedServiceList();

However, by far the most useful feature is the automatic addition of SSL to package and config. I’m a little tired now but this was not an easy thing to do and required several steps some of which I’ll share over the next few months.
var subscriptionManager = new SubscriptionManager(TestConstants.SubscriptionId);

            var deploymentManager = subscriptionManager.GetDeploymentManager();
            ((DeploymentManager)deploymentManager).AzureTaskComplete += TestConstants.TaskComplete;

            deploymentManager.ForNewDeployment(TestConstants.DeploymentName)
                .SetBuildDirectoryRoot(TestConstants.ProjectBuildRoot)
                .Rebuild()
                .EnableSslForRole(TestConstants.RoleNameHellocloudWeb)
                .UploadExistingServiceCertificate(TestConstants.ManagementThumbprint, "xxxxxxx")
                .AddCertificateFromStore(TestConstants.ManagementThumbprint)
                .WithNewHostedService(TestConstants.HostedServiceName)
                .WithStorageConnectionStringName(TestConstants.ConnectionStringName)
                .AddDescription("My new hosted services")
                .AddEnvironment(DeploymentSlot.Production)
                .AddLocation(Constants.LocationNorthEurope)
                .AddParams(DeploymentParams.StartImmediately)
                .ForRole(TestConstants.RoleNameHellocloudWeb)
                .WithInstanceCount(2)
                .Go();

The above example would create a hosted service and deployment and add SSL to it. It would allow the uploading of a Service Certificate. In many ways, however, when testing the certificate might not be available so you can replace the UploadExistingServiceCertificate with this:
.GenerateAndAddServiceCertificate("helloelastacloud.cloudapp.net")
 
And this will generate the appropriate certificate. In order to actually do this the library needs to rebuild the package from source with new build definitions and cloud config. A lot of refactoring has gone on with the lib so I hope you enjoy the updates. It’s getting that time of night now where I’m sort of slumped over the keyboard and mistyping every third letter. Leave it another 10 minutes and my keyboard will be full of drool so just to say I’m happy that this is a semi-stable release and I’ll upload the new package to nuget tomorrow morning.
Lastly, there is some licensing information in the library which explains the terms of use. Contact us if there are any problems but it’s fairly open, commercial reditribution usage should get in touch as per the terms etc. etc.
]]>



http://blog.elastacloud.com/2012/04/13/automating-the-generation-of-service-certificates-in-windows-azure/
Fri, 13 Apr 2012 20:32:22 +0000
azurecoder
http://blog.elastacloud.com/2012/04/13/automating-the-generation-of-service-certificates-in-windows-azure/

I was prompted to write this having seen some of the implementations of the generation of service certificates online. Some poor explanations so I though I’d plug the gap. First let us cover some definitions. We interact with our subscription through a management certificate.

The management certificate needs to be uploaded to the subscription through the portal. This is the only function that we can’t automate. Obvious why, everybody has probably seen the chicken and the egg here already. Anyway, Microsoft have provided a .publishsettings file and Uri which eases the pain of automating this process because the fabric will instamagically update your subscription when you use your live id to login and download a publishsettings file. Y voila you have management access.
A service certificate is something different though. Service certificates are bound to an individual hosted service and don’t entail management of anything. They actually allow you to perform any operation which involves a certificate for that particular hosted service. Under the seams that certificate is being added to the Personal store on each of the role instances within that service.
Service certificates are immensely important for two essential functions:  SSL and Remote Desktop.
Management Portal Showing Service Certificates
SSL is intrinsic to the role instance since it is part of IIS which is present on each of the web roles. Remote Desktop requires a plugin but equally uses the service certificate for authentication purposes.
I wanted to highlight one great way of generating service certificates. There are several ways to do this but we’ll focus on a single one although we can use makecert, powershell and Microsoft provide a test app called CertificateGenerator (essentially a COM Callable Wrapper) amongst others. This way uses Bouncy Castle, a great library which is available through nuget. Simply:
Bouncy Castle from Nuget
> Install-Package BouncyCastle
at the Package Manager Console prompt and it is installed.
Let’s start by determining all of our using statements:
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

And then our method signature:
public static X509Certificate2 Create(string name, DateTime start, DateTime end, string userPassword, bool addtoStore = false)

In order to create our certificate as a minimum we need a name, a validity period and as we are protecting a private key we need a private key password (more on this later!). Additionally we may want to add this to a local certificate store which the System.Cryptography assembly allows us to do fairly easily.
We always start any asymmetric cryptographic operation with the a private-public key pair. To generate keys we can use the following:
// generate a key pair using RSA
var generator = new RsaKeyPairGenerator();
// keys have to be a minimum of 2048 bits for Azure
generator.Init(new KeyGenerationParameters(new SecureRandom(new CryptoApiRandomGenerator()), 2048));
var cerKp = generator.GenerateKeyPair();

Two properties that an X509v3 certificate has are a serial number and a subject name (and issuer name). The representation of what this looks like is canonical so we use terms such as “Common Name” (CN) or “Organisational Unit” (OU) to define details about the party the certificate represents and who the authority is that is vouching for them.
To create a subject name we use the X509Name as below and to generate a serial number which is a unique reference to our certificate we generate a large random prime:
// create the CN using the name passed in and create a unique serial number for the cert
var certName = new X509Name("CN=" + name);
var serialNo = BigInteger.ProbablePrime(120, new Random());

After doing this we can create an X509v3CertificateGenerator object which will encapsulate and create the certificate for us:
// start the generator and set CN/DN and serial number and valid period
var x509Generator = new X509V3CertificateGenerator();
x509Generator.SetSerialNumber(serialNo);
x509Generator.SetSubjectDN(certName);
x509Generator.SetIssuerDN(certName);
x509Generator.SetNotBefore(start);
x509Generator.SetNotAfter(end);

Once we’ve set the basic and essential properties we can focus on what the cert actually does:
// add the server authentication key usage
var keyUsage = new KeyUsage(KeyUsage.KeyEncipherment);
x509Generator.AddExtension(X509Extensions.KeyUsage, false, keyUsage.ToAsn1Object());
var extendedKeyUsage = new ExtendedKeyUsage(new[] {KeyPurposeID.IdKPServerAuth});
x509Generator.AddExtension(X509Extensions.ExtendedKeyUsage, true, extendedKeyUsage.ToAsn1Object());

Two types of property that the certificate has are Key Usage and Extended Key Usage which tell us all about its purpose to life. It’s rasion D’etre (it’s getting that time of night where I think I can actually speak French!)
In this case the certificate we create will need to be able to do two things.

Prove to a client that it has authority to verify the server and
Encrypt a key during a key exchange process

X509 Certificate with KU/EKU properties
Both of these are common to SSL (TLS).
The rest is fairly straightforward. We can set a signature algorithm. Note the use of Sha1 which by extension is the thumbprint algorithm in our certificate which is an integrity check to prove that the cert hasn’t been tampered with. It’s important to be aware that Azure will only support this thumbprint algorithm.
// algorithm can only be SHA1 ??
x509Generator.SetSignatureAlgorithm("sha1WithRSA");
// Set the key pair
x509Generator.SetPublicKey(cerKp.Public);
Org.BouncyCastle.X509.X509Certificate certificate = x509Generator.Generate(cerKp.Private);

When this is done we will want to do common tasks with this and generally end up with our familiar X509Certificate2 exposed by the System.Cryptography.X509Certificates namespace and used in all common crypto tasks. Well the means to do this are fairly easy and provided by Bouncy Castle.
// export the certificate bytes
byte[] certStream = DotNetUtilities.ToX509Certificate(certificate).Export(X509ContentType.Pkcs12, userPassword);

Also not the use of PKCS#12 (Public Key Cryptographic Standard) which defines the private and uses a form of password-based encryption (PBE) to ensure that only with the password can I access the private key. As we can just use our password and now treat the X509Certificate2 class as a container for our cert with private key.
var cert = new X509Certificate2(certStream, userPassword);

Adding the certificate to the store is fairly easy. You would first start by opening the store you want to engage:
///
<summary> /// Returns the My LocalMachine store
/// </summary>
private static X509Store ReturnStore()
{
  var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
  store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);
  return store;
}

After that all it takes is a bit addition using your X509Certificate2 object and then closing the store to release the handle.
One thing to note is that this certificate is self-signed. This doesn’t have to be the case; I could easily build a PKI here using this simple technique. Of course the code would like slightly differently (maybe we’ll cover this in a follow-up post) as would the issuer name.
I thought I’d write this post to offer readers another way to generate certificates. Six years ago when I was involved as the CTO in a startup that produced epassport software I would get immersed into the underlying details of these standards. Most of the time we would use OpenSSL which is an absolute gem of a library but Bouncy Castle comes a pretty close second in terms of functionality and upkeep. Have a play and enjoy!
The next generation of the Azure Fluent Management library uses the above code in order to automate the setup of SSL for a webrole and remote desktop. There has been a lot of refactoring on this recently to help us streamline deployments and we hope to release this in the coming week.
Happy trails!
]]>



http://blog.elastacloud.com/2012/04/11/agile-continuous-integration-and-windows-azure/
Wed, 11 Apr 2012 11:23:37 +0000
azurecoder
http://blog.elastacloud.com/2012/04/11/agile-continuous-integration-and-windows-azure/

Recently our friends at Blush Packages raised the bar with a great implementation of TeamCity build for an Azure project they’re consulting on. We will be running an intermediate day course on Azure for the Enterprise which will comprise of how to make an enterprise ready application. The course will be delivered at the behest of Microsoft who are sponsors. It will probably take place within the next four weeks and we will have the following agenda:


Introduction to TFS Preview: Using TFS Preview to build an agile project in Azure
Development of a sample application using web/worker roles
Adding security using SQL Azure and Membership
Integration of Diagnostics capture for trace, exceptions and logs
Resilience and autoscaling with Enterprise Application Blocks
Automating common deployment tasks with Cerebrata Powershell CmdLets
Using mstest, msbuild and TFS to make a CI server

Remember this is not an advanced course; it’s simply addressing the problem of how to build and deploy a windows azure application and use enterprise methodologies and deployment and build processes to deliver cloud ready projects in the same way as you would traditional server projects.
Feel free to leave a comment here if you’re interested in attending. For updates on this follow @ukwaug or @azurecoder
]]>