DEV Community: Isaac Adams

Learning to love my code again...

Isaac Adams — Wed, 21 Feb 2024 01:14:24 +0000

Writing good code is hard. It just is.

I rarely review my own code and think to myself: "this code is amazing!"

In fact, I usually hate it.

Back when I was a new software developer, fresh out of college, I fell in love with every piece of code I wrote.

A few years in, and I began to realize that whenever I came across code I had written only months ago, I hated it.

Now, I write code, look at it, and hate it.

Why?

It isn't because I hate software development. I love it.

It's because I have had my code reviewed so many times by so many different people, I can now hear their voices in my head when I read my own code.

Does anyone else experience this?

I do not think this is a good thing. And my primary way of combatting this experience is to highlight what "good code" means to me.

It works.

It does the thing it's supposed to do. Yup. That is a foundational aspect to good code.

Intent is clear.

I am not going to say something nerdy like "it must follow clean code principles". Or that variables should be named a certain way. Or something about spaces versus tabs.

I am going to simply say that the intent of the code you wrote is clear. That I can read the code and understand not only what it is doing, but the purpose or intention behind it.

Whether you add comments or not. Whether the code is simple or complex. Whether it's 10 lines or 1,000 lines. Either I can understand it or I cannot.

It has some unit tests.

I don't care about perfect code coverage. I don't think anyone should because I think it is an unrealistic and unhelpful goal. If developers aren't careful, writing unit tests can often become a burden and counterproductive when every single function, class, or module needs to be tested against every single case imaginable.

No. Nerp. Zip. Ain't nobody got time for that.

Cover the base cases and sprinkle in a couple edge cases if they are likely to occur and/or easy to write.

Although I struggle with hating my code these days, if I remind myself of these principles and my code lives up to the standards, it gives me a way to love my code again.

Securing a .NET 4.6.x API with OpenID Connect

Isaac Adams — Wed, 08 Sep 2021 21:16:51 +0000

Introduction

OpenID Connect is powerful... and confusing. If you have ever experienced the frustration of adding authentication/authorization to an API built on .NET 4.6.x where the token comes from an OpenID Server, then you have come to the right place. I have accomplished this and can help you implement it in this guide.

Here are the requirements of the system we will be implementing.

protect legacy API from unauthorized access
only requests that include a valid bearer token (access_token from identity server) will be allowed
identity server should issue a valid access_token to our configured client

Protecting the API

In this particular instance, I want to protect a legacy application from unauthorized access. That kind of requirement calls for an API resource to be made. API resources are configured on the identity server and are used to protect API(s) from unauthorized access. So, I added the following code to my self hosted identity server which sits on a .NET core application.

new ApiResource()
{
    Name = "legacy",
    Description = "protects the legacy API from unauthorized access",
    ApiSecrets = new List<Secret> { new Secret("secret".Sha256()) },
    Scopes = new List<Scope>
    {
        // only interested in a single scope for this purpose
        new Scope("legacy.access", "grants access to use the legacy API")
    }
}

Now I need to add authorization to the legacy application. First, add the IdentityServer3.AccessTokenValidation nuget package to your .NET 4.6.x web app.

Next, in Startup.cs, add the following code.

using Owin;
using Microsoft.Owin;
using IdentityServer3.AccessTokenValidation;

[assembly: OwinStartup(typeof(Legacy.Startup))]
namespace Legacy
{
    public class Startup
    {
        public void Configuration(IAppBuilder appBuilder)
        {
            appBuilder.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://localhost/identityserver", // this will ultimately change per environment and therefore come from configuration
                ClientId = "legacy",
                ClientSecret = "secret", // this should be populated through configuration
                RequiredScopes = new[] { "legacy.access" },
                ValidationMode = ValidationMode.ValidationEndpoint,
                EnableValidationResultCache = true
            });
        }
    }
}

This will enable the use of the [Authorize] attribute and respond to any request with 401 Unauthorized unless it has the Bearer Authorization header with a valid access_token issued to it from the identity server with the legacy.access scope.

Yes, the ClientId and ClientSecret should match the Name and ApiSecret you configured in the ApiResource.

Fetching the access_token

The last piece is getting the access_token which will be added to the Authorization header for making authorized requests to the legacy app.

In order to see this in action, we will need a client that can make an authenticated request to the identity server for the token.

Add the following configuration to your identity server.

new Client()
{
    ClientId = "client",
    ClientSecrets = new[] { new Secret("client-secret".Sha256()) }, // the secret should be populated through configuration
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    AllowedScopes = new[] { "legacy.access" },
    AccessTokenType = AccessTokenType.Jwt,
    Enabled = true,
}

By adding legacy.access, we are saying that this client can generate an access_token that will include the legacy.access scope.

Using postman (or whatever tool you use), construct the following request given that your identity server is hosted @ localhost/identityserver

!! NOTE: make sure your request parameters are formed as application/x-www-form-urlencoded content type

POST /identityserver/connect/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

client_id=client&client_secret=client-secret&grant_type=client_credentials&scope=legacy.access

the expected response should look like the following

{
  "access_token": "xxx.xxx.xxx",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Using the access_token

Lets setup a controller in our legacy app

using System;
using System.Web;
using System.Web.Http;

namespace Legacy
{
    [RoutePrefix("api/test")]
    public class TestController : ApiController
    {
        [HttpGet]
        public IHttpActionResult Test()
        {
            return Ok("Hello World");
        }

        [Authorize]
        [HttpGet, Route("auth")]
        public IHttpActionResult AuthTest()
        {
            return Ok("Authorized: Hello World");
        }
    }
}

Make sure your controller is properly registered in your app by hitting the endpoint that doesn't have the [Authorize] attribute.

Now, take the access_token you generated and place it inside the Authorization header (prefixed with "Bearer") and make a request to the AuthTest() endpoint

GET /legacy/api/test/auth HTTP/1.1
Host: localhost
Authorization: Bearer xxx.xxx.xxx

If the response is 401 Unauthorized ❌, something is not configured properly 😢
If the response is 200 OK 🚀 and the content is Authorized: Hello World, you are in business ✅

git: removing or replacing sensitive data

Isaac Adams — Thu, 04 Mar 2021 15:40:46 +0000

Introduction
Examples
Email Use Case
Definitions
Credits

BFG Repo Cleaner is both faster and easier to use than using git filter-branch. It can handle most use cases for editing sensitive information in a git log.

Read the instructions (see above series) for installing BFG before moving ahead. Otherwise, if you already have it installed, move onto the next section.

Introduction

Accidents happen. We have all been there. You committed sensitive data (e.g. passwords, keys, emails, or phone numbers) to the branch. Ok, no problem. Amend the previous commit. Easy. Right? Wrong.

This time you didn't realize the mistake until several weeks later. The commit is now baked deep into the repository, making it almost impossible to fix using git. A git rebase is too difficult due to the complexity or amount of the changes. Other methods like git filter-branch might be too slow. Now what?

[Enter BFG Repo Cleaner]

BFG is a tool that cleans git repositories of sensitive data. It is easy to use and faster than git filter-branch. Using BFG is easy because it expects "expressions" as input. An "expression" (see definition) describes what the sensitive data is, how to search for it and how to edit it. BFG expects one or more expressions as input from the command line or from a local file.

Examples

I will refer to the "expressions file" (see definition) in examples. This is the local file that contains a list of expressions separated by newlines.

The creator of bfg gave an example of how to use the tool in a stack overflow answer (see credits).

$ bfg --replace-text replacements.txt -fi *.php my-repo.git

replacements.txt



PASSWORD1
PASSWORD2==>examplePass
PASSWORD3==>
regex:password=\w+==>password=
regex:\r(\n)==>$1

expression example	description
PASSWORD1	Replace literal string 'PASSWORD1' with '*REMOVED*' (default)
PASSWORD2==>examplePass	replace with 'examplePass' instead
PASSWORD3==>	replace with the empty string
regex:password=\w+==>password=	Replace, using a regex
regex:\r(\n)==>$1	Replace Windows newlines with Unix newlines

Let's unpack every argument in the example command

--replace-text replacements.txt
- --replace-text <path: file location describing replacements>
- replacements.txt is the path to the expressions file
-fi *.php
- -fi <glob: files to search>
- the "filter content including" (-fi) option tells bfg to only perform its actions "in these files"
- configured to only perform the replacements in all files that end in .php
- remove this if you want bfg to search through all files
my-repo.git
- <path: folder location of repo>
- this is the path to the repo you want to
- use . (a dot) as the input when invoking bfg from the root of your target repo

Email Use Case

I want to use BFG to replace my old email since my github account uses a new email.

important note.
emails are best stored in configuration files, rather than hard coded into the source.

For this example, I will be using dummy emails.

$ bfg -rt replace-email.txt .

replace-email.txt



old-email@gmail.com==>my.new.email@gmail.com

old-email@gmail.com==>my.new.email@gmail.com
- [left part of the expression]: old-email@gmail.com is the old email I want to replace
- [middle part of the expression]: ==> indicates to bfg that I want to give it a value for replacing the old email
- [right part of the expression]: my.new.email@gmail.com is the value that will replace the old email
-rt replace-email.txt
- -rt is the alternative form of --replace-text
- replace-email.txt is the path to the expressions file
- invoking bfg from the same directory as the file means makes it easier to reference the file
.
- the dot indicates that the repo I am targeting is the current directory from which I am invoking bfg

Running bfg will rewrite the current branch with new commits. Be very careful when using this tool! In case something goes wrong, make a copy of the branch you are working on by checking it out with a new name.

Definitions

word	description
expression	special syntax describing "the what" and "the how" to replace
expressions file	it is a file which contains expressions separated by new lines

Credits

an interesting alternative to BFG

Mar 31 '13

123

I'd recommend using the BFG Repo-Cleaner, a simpler, faster alternative to git-filter-branch specifically designed for rewriting files from Git history.

You should carefully follow these steps here: https://rtyley.github.io/bfg-repo-cleaner/#usage - but the core bit is just this: download the BFG's jar (requires Java 7 or above) and run this command…

Open Full Answer

git: BFG installation

Isaac Adams — Thu, 04 Mar 2021 12:51:25 +0000

BFG Repo Cleaner is both faster and easier to use than using git filter-branch. It handles simple use cases for editing sensitive information in git.

Invoking BFG

BFG is a .jar file that is invoked from the command line using java.

$ java -jar path/to/bfg.jar

Invoking BFG this way can become tedious...

Easier way to reference BFG?

To simplify it, consider creating an alias

.bashrc

...
alias bfg='java -jar path/to/bfg.jar'

BFG is now invokable from the command line in any directory:

$ bfg ...

Fixing slow down speeds w/ curl in alpine docker images

Isaac Adams — Thu, 21 Nov 2019 20:21:47 +0000

The problem

After playing around with using the jenkins:alpine base image and attempting to download a .war (60 MB) file using curl, I discovered that it was EXTREMELY slow. I am talking about the difference between it taking a minute and a half on my host machine and 15 mins during the docker image build.

FROM jenkins:alpine

ARG JENKINS_VERSION
ENV JENKINS_WAR="/usr/share/jenkins/jenkins.war"

USER root
RUN curl -o ${JENKINS_WAR} -L \
    https://updates.jenkins-ci.org/download/war/${JENKINS_VERSION}/jenkins.war
RUN chown jenkins:jenkins ${JENKINS_WAR}
USER jenkins

Obviously, this is ridiculous and there had to be something wrong. After searching online, I found there was very little documentation on how to resolve this issue, so I started doing my own experimenting.

Overview

downloading .war of 60 MB took

minute and a half on host machine
15 min during docker alpine image build

NOTICE

made some updates were made on 12.4.2019

What did NOT work 👎

Adding `docker build ...` options

I was unable to get any increase from adding in options to docker build ... such as ...

--network host : performs the commands using the host network
-m 1GB : allocates more memory to the image build

Fixing alpine DNS issues

I also read online about some DNS issues that alpine has and followed some of their instructions for fixing them. None of that helped increase download speeds.

Using the docker "ADD" command (12.4.2019)

Using ADD is easily the cleanest and most straightforward option. However, I found it was just as slow as using curl. See the secondary solution at the end of this article to see how I was able to still use the simplicity of ADD and while also getting an increase in speed.

FROM jenkins:alpine
...
ADD https://updates.jenkins-ci.org/download/war/${JENKINS_VERSION} ${JENKINS_WAR}
...

Changing image base (some success)

I noticed that when switched out from an alpine based image, I was able to significantly increase my download speeds. However, it still wasn't as fast as my host machine.

Notice the change in "TAG" in first line the FROM jenkins:TAG from "alpine" to "latest". The "latest" tag does not use alpine.

FROM jenkins:latest

ARG JENKINS_VERSION
ENV JENKINS_WAR="/usr/share/jenkins/jenkins.war"

USER root
RUN curl -o ${JENKINS_WAR} -L \
    https://updates.jenkins-ci.org/download/war/${JENKINS_VERSION}/jenkins.war
RUN chown jenkins:jenkins ${JENKINS_WAR}
USER jenkins

Increasing curl limit rate (some success)

Using the alpine base image, I found that setting --limit-rate 1G as a curl ... option increased the download speed. I could have stopped at this point, but the download was still taking about 1-5 mins. It seemed rather unstable to me, so I kept experimenting.

FROM jenkins:alpine

ARG JENKINS_VERSION
ENV JENKINS_WAR="/usr/share/jenkins/jenkins.war"

USER root
RUN curl --limit-rate 1G -o ${JENKINS_WAR} -L \
    https://updates.jenkins-ci.org/download/war/${JENKINS_VERSION}/jenkins.war
RUN chown jenkins:jenkins ${JENKINS_WAR}
USER jenkins

The solution 😄

I found that by combining switching the image base (from alpine to debian) and setting --limit-rate 1G curl option I was able to make the download happen in 2 seconds.

I still wanted to use alpine as my base image, so I changed the dockerfile to use multi-stage.

FROM debian:buster-slim as downloader

RUN apt update && apt install curl -y

USER root
ARG JENKINS_VERSION
WORKDIR /home/root

# running curl inside the debian image instead of alpine
RUN curl --limit-rate 1G -o jenkins.war -L \
    https://updates.jenkins-ci.org/download/war/${JENKINS_VERSION}/jenkins.war


FROM jenkins:alpine

ENV JENKINS_WAR="/usr/share/jenkins/jenkins.war"
# getting the downloaded .war file from the debian image
COPY --from=downloader /home/root/jenkins.war ${JENKINS_WAR}

USER root
RUN chown jenkins:jenkins ${JENKINS_WAR}
USER jenkins

Another better solution 🚀 (12.4.2019)

It suddenly hit me that the ADD or COPY docker commands must have the capability to use URLs. Once I confirmed that ADD can do this, I felt so dumb. When I first tried using ADD to download the jenkins.war file it was still very slow 😢

BUT, then I thought, "what about switching the base image and then using ADD?". And what do you know, it was FAST 😄 It took about 3 seconds to download. This is more simple because the code is easier to follow and it removes the need to run apt update and apt install curl. This results in a smaller image overall.

FROM debian:buster-slim as downloader

ARG JENKINS_VERSION
WORKDIR /home/root
ADD https://updates.jenkins-ci.org/download/war/${JENKINS_VERSION}/jenkins.war \
jenkins.war

FROM jenkins:alpine

ENV JENKINS_WAR="/usr/share/jenkins/jenkins.war"
COPY --from=downloader /home/root/jenkins.war ${JENKINS_WAR}

USER root
RUN chown jenkins:jenkins ${JENKINS_WAR}

DEV Community: Isaac Adams

Learning to love my code again...

It works.

Intent is clear.

It has some unit tests.

Securing a .NET 4.6.x API with OpenID Connect

Introduction

Protecting the API

Fetching the access_token

Using the access_token

git: removing or replacing sensitive data

Table Of Contents

Introduction

Examples

Email Use Case

Definitions

Credits

git: BFG installation

Invoking BFG

Easier way to reference BFG?

Fixing slow down speeds w/ curl in alpine docker images

The problem

Overview

NOTICE

What did NOT work 👎

Adding docker build ... options

Fixing alpine DNS issues

Using the docker "ADD" command (12.4.2019)

Changing image base (some success)

Increasing curl limit rate (some success)

The solution 😄

Another better solution 🚀 (12.4.2019)

Adding `docker build ...` options