Forem: Csaba Boros

Simple way to play around with terraform locally without any cloud account

Csaba Boros — Sat, 23 Dec 2023 11:23:59 +0000

I don't want to live under a bridge or on the streets. For this reason when I was learning terraform I was stressed about messing up something and getting a huge bill from aws or gcp.
Fortunately I found an easy way to start playing around with terraform locally without using any cloud account or any complicated local kubernetes setup.

As you probably already know terraform is a tool that lets you provision and manage infrastructure resources. Things like virtual machines, EC2 instances, IAM users and so on...
Basically terraform is able to create and manage any type of resources if there is a Provider written for it. There are separate providers for aws, gcp, digital ocean, you name it. You can browse the list of available Providers or you can even write your own. Here is the official list of providers.

In this tutorial we will be using the local Provider as this can provision local files without needing any other setup.

Install terraform

Step 0 is to configure terraform on your machine. This is very easy to do, you just need to download a binary and set up its path in the path system variable.
Download and unzip the terraform binary from the terraform website. I will place it in a newly created C:/terraform folder.
Next step is to add the location of the terraform.exe file to your PATH system variable.
Go to System properties:

And select "Environment Variables..."

In the "System variables" section find the "Path" variable and click "Edit..."

Write some terraform

Open up vs code (or any other IDE) in an empty folder and create a new file and name it main.tf
First we need to specify the providers we will be using and then we can specify the resources we want to create. Here is an example terraform file that will create a hello.txt file with the content of "hello world".



terraform {
    required_providers {
      local = {
        source = "hashicorp/local"
      }
    }
}

resource "local_file" "hello" {
    content = "hello world"
    filename = "hello.txt"
}

It's always a good idea to check the documentation of the provider as it will tell us what resources it can create and what are the options we can set.

As you can see the local provider has a resource called local file and it has a required filename property. Optionally we can also specify the content of the file.

Terraform commands

Open a new terminal and run



terraform init

This will Prepare your working directory and download all the necessary files for the provider.
Next run



terraform validate

This command will validate the syntax of your code.
And now the fun part, let's run



terraform plan

The plan command will output the list of changes that need to be made to reach the infrastructure described in your code. In this case the plan should be to create one new file.
And now let's run



terraform apply

The apply command will persist the planned changes. In this case it will create the file.

You can remove the file by running the destroy command:



terraform destroy

Now you can play around with it and see what happens if you modify your code and plan and apply it again or what happens if you modify the file manually. Have fun!

This tutorial is also available on youtube: https://www.youtube.com/watch?v=nb6onGm970k

Encryption at rest using EF

Csaba Boros — Sat, 15 Jul 2023 12:28:43 +0000

Encryption at rest can come in handy when we have some sensitive data that we need to store in our database and we don't want to store it in plain text for everyone to see.

In my case I needed to store some API keys in the database. The keys are inputted by the app users and the app later uses these keys for accessing some external services.

In this tutorial I will show you a seamless way to use encryption at rest in your .NET application using EF value converters.

How it will work

First we will create a ValueConverter that encrypts values on write and decrypts on read. We will also create an attribute, EncryptedAttribute, and apply the value converter to each of the properties that has the EncryptedAttribute.

The value converter class

We will need a string-string value converter that can encrypt on write and decrypt on read. For this we will use AES encryption and we will need an encryption key. This key is a simple base64 string but we need to store it securely (in Azure Key Vault for example). I won't go in detail here, but we well also need a unique IV (initialization vector) key that will basically ensure that we always get different ciphers even if the input string is the same. Because the IV value is also needed when we decrypt the data we will just append the IV value to the cipher and store it in the database as part of the encrypted value. Here is the source code of my value converter:

using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using System.Security.Cryptography;
using System.Text;

namespace EncryptionAtRest.Database.Encryption
{
  public class EncryptedConverter : ValueConverter<string, string>
  {

    public EncryptedConverter(string encryptionSecretKey)
    : base(
        v => Encrypt(v, encryptionSecretKey),
        v => Decrypt(v, encryptionSecretKey))
    { }

    private static string Encrypt(string inputString, string encryptionSecretKey)
    {
      using var aes = Aes.Create();
      using var encryptor = aes.CreateEncryptor(Encoding.UTF8.GetBytes(encryptionSecretKey), aes.IV);
      using var memoryStream = new MemoryStream();
      using var cryptoStream = new CryptoStream(memoryStream, encryptor, CryptoStreamMode.Write);
      using (var streamWriter = new StreamWriter(cryptoStream))
      {
        streamWriter.Write(inputString);
      }

      var cipher = memoryStream.ToArray();
      // append the IV to the start of the cipher
      var result = new byte[aes.IV.Length + cipher.Length];
      Buffer.BlockCopy(aes.IV, 0, result, 0, aes.IV.Length);
      Buffer.BlockCopy(cipher, 0, result, aes.IV.Length, cipher.Length);

      return Convert.ToBase64String(result);
    }

    private static string Decrypt(string cipherText, string encryptionSecretKey)
    {
      using var aes = Aes.Create();

      var cipherByteArray = Convert.FromBase64String(cipherText);
      var iv = new byte[aes.IV.Length];
      var cipher = new byte[cipherByteArray.Length - aes.IV.Length];
      // get the IV from the start of the cipher
      Buffer.BlockCopy(cipherByteArray, 0, iv, 0, iv.Length);
      Buffer.BlockCopy(cipherByteArray, iv.Length, cipher, 0, cipher.Length);

      using var decryptor = aes.CreateDecryptor(Encoding.UTF8.GetBytes(encryptionSecretKey), iv);
      using var memoryStream = new MemoryStream(cipher);
      using var cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Read);
      using var streamReader = new StreamReader(cryptoStream);

      return streamReader.ReadToEnd();
    }
  }
}

The Encrypted attribute

We will create an attribute and write some logic to apply the converter to the properties that use this attribute.
The source code for the attribute:

[AttributeUsage(AttributeTargets.Property, AllowMultiple = false)]
public class EncryptedAttribute : Attribute
{
}

And here is the code that will apply the converter based on the attribute. I will place this static method inside my converter:

public static void Apply(ModelBuilder builder, string encryptionSecretKey)
{
    var entityTypes = builder.Model.GetEntityTypes();
    var properties = entityTypes.SelectMany(entity => entity.GetProperties());

    foreach (var property in properties)
    {
        var attributes = property.PropertyInfo?.GetCustomAttributes(typeof(EncryptedAttribute), true);
        if (attributes != null && attributes.Any())
        {
            property.SetValueConverter(new EncryptedConverter(encryptionSecretKey));
        }
    }
}

And the final step is to call the EncryptedConverter.Apply function from the OnModelCreating method of our db context:

using EncryptionAtRest.Database.Encryption;
using EncryptionAtRest.Database.Models;
using Microsoft.EntityFrameworkCore;

namespace EncryptionAtRest.Database
{
  public class AppDbContext : DbContext
  {
    public DbSet<Api> Apis { get; set; } = null!;
    private readonly string _encryptionSecretKey;

    public AppDbContext(string connectionString, string encryptionSecretKey)
      : base(new DbContextOptionsBuilder().UseNpgsql(connectionString).Options)
    {
      _encryptionSecretKey = encryptionSecretKey ?? throw new ArgumentNullException(nameof(encryptionSecretKey));
    }

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
      base.OnModelCreating(modelBuilder);
      EncryptedConverter.Apply(modelBuilder, _encryptionSecretKey);
    }
  }
}

Ready to go

Now we just need to add the [Encrypted] attribute to the properties we want to store in an encrypted form. Your DbContext will work as usually, you can write and read your plain text properties but in the underlaying database table the data will be encrypted.

You can also find the source code and a working example in this repository: https://github.com/boros-csaba/encryption-at-rest-with-property-attribute

Architecture of my portfolio website

Csaba Boros — Sun, 19 Mar 2023 12:22:39 +0000

Initially I just created a simple static HTML and CSS page with some images to serve as my portfolio page - no frameworks, (almost) no javascript - why over complicate it?
After some time I decided that I would also write a few blog posts and tutorials on my portfolio website, but again, I didn't want to over engineer my website.
At first I thought that maybe I would just copy and paste a new page for each article.
This sounds stupid but if you consider that I will only write about one article a month and I will not redesign my site too often, this use-case doesn't really justify the overhead of a back-end and database with more complicated and pricier hosting...

But you wouldn't hire me if I did this!
So here is what I did instead:

11ty

I converted my website to be compatible with 11ty. 11ty is a static site generate and it can generate static pages from template files. Basically I just had to configure a few things and create a nunjucks template file for my articles. I created a separate file for each of my articles with only the content of the of the post and some metadata for the nunjucks template. Now my website is still just a static site but the design and structure of the article pages is managed from a single template file.

Amazon S3

The website is hosted in an Amazon S3 bucket. For technical reason there are actually two buckets. One contains the actual website file the other bucket just points to the first one. This is needed to support both the www and non-www version of the site.

Amazon CloudFront

The S3 bucket is exposed through a CloudFront distribution. This makes the website load faster and also makes it possible to set up HTTPS.

AWS Certificate Manager

The certificate for HTTPS is provided by AWS Certificate Manager. The certificate is free and is easy to set up with CloudFront.

Amazon Route 53

I've bought my domain from a different registrar but I've set up my domain to use the name servers from my Route53 hosted zone. Using Route53 makes it easy to point the domain to the CloudFront distribution.

Github Actions

Because I didn't want to manually upload my website to S3 every time I make a change or write a new article I've set up a pipeline to run the 11ty build and upload the website to S3 every time there is a commit to the master branch.
Here is the yml file that does all this magic:

on:
  push:
    branches:
      - master

jobs:
  deploy:
    name: Deploy to S3
    runs-on: ubuntu-latest
    steps:

      - name: Checkout code
        uses: actions/checkout@v3

      - name: Install packages
        run: npm ci

      - name: Build
        run: npm run build

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${% raw %}{{ secrets.AWS_ACCESS_KEY_ID }}{% endraw %}
          aws-secret-access-key: ${% raw %}{{ secrets.AWS_SECRET_ACCESS_KEY }}{% endraw %}
          aws-region: us-west-1

      - name: Deploy to S3
        run: aws s3 sync ./dist s3://www.boroscsaba.com

The AWS credentials are stored as secrets in the repository settings.

Your feedback is welcome! Please let me know if you think there is something important that should be included in this post or if you find anything wrong!

SSL Certificates - an easy to understand guide

Csaba Boros — Sat, 24 Dec 2022 15:39:46 +0000

As with any technology, I think it's very important that first we understand the problem that this technology is trying to solve. Let's try to understand the problem through an example.

Problem with sending messages in plain text

We are operating a website where we are selling some fancy coffee. For completing purchases we need payment information from our customers. Our customer, Bob, is sitting in a coffee shop and is trying to buy our newest product on sale. He just connected his laptop to a shady public Wi-Fi that is controlled by a hacker who can read the traffic that goes through this network. If we are sending the payment information in plain text the hacker is able to intercept the traffic and can easily read the payment information that is sent.

Encryption to the rescue

(Encryption is a very big topic on its own and I am over simplifying things in this section, but this is enough for us to understand the big picture.)

The simplest and quickest form of encryption that we can use is symmetric encryption. In this case there is a single key that can both encrypt (lock) and decrypt (unlock) messages.
In our story Bobs laptop can generate a random key and send it to our website. After both the website and Bobs laptop agreed on this shared key all the following communication can be encrypted with it and there would be no more plain text messages to capture.

BUT! What if the hacker also intercepted Bobs first message, the one that contained the secret key? In this case the hacker would also know the key and would be able to decrypt the messages.

Asymmetric encryption

When using asymmetric encryption we have a pair of keys - a private and a public key. If something is encrypted with one of the keys it can only be decrypted with the other one and vice versa.
The beauty of this setup is that the website server can share its public key freely. By doing this the clients can encrypt messages using the public key of the website and be sure that only the website can read the message.

In our example Bobs browser would not send the symmetric key it generated in plain text, but instead it would encrypt it using the websites public key. Because this messages can only be decrypted by using the private key we can be sure that only the website can read this message.

So to recap: The client (Bobs browser) generates a (symmetric) key. Encrypts it using the public key of the web server and sends it. The web server can decrypt the message using its private key. Now both the web server and the client have the key that will be used for further communication.

And finally we can send those credit card information... BUT! What if we are dealing with a really skilled hacker?

Man-in-the-Middle Attack

Our setup is still vulnerable. The problem is that a skilled hacker that controls the Wi-Fi network could intercept all the messages from the client and impersonate the web server. In this case the hacker could send its own public key to the client, acting as the real website. The hacker can act as a middle-man, forwarding the content between the client and the original website. In this case the client would have no way to know that he is not talking with the real website.
Since the public key is just a very big random number it doesn't carry any more information about its source. When the client receives a public key it cannot be sure that this key really belongs to the website he is trying to connect to.
SSL Certificates were invented to solve this problem.

SSL Certificates

An SSL Certificate in its most basic form works just like an identity card. The ID card certifies that the information from the ID card belongs to the person from the photo. You trust the information on an identity card because you trust the issuer of the card, the government.
A SSL Certificate certifies that a given public key belongs to a given domain or IP address and it is signed by a third party (CA - Certificate Authority) organization. If you trust the authority who signed it, then you can trust the certificate.

These formal definitions like, "certificate" and "authority" may seem overwhelming, bug there is nothing complicated about SSL Certificates. A certificate is just a piece of data with a standard format (X.509 is the name of the standard).

What is a certificate?

The most important information of a certificate are:

validity (the period during which the certificate is vaid)
domain name of the subject (CN)
more information about the subject (company name, county, etc)
public key of the subject
information about the issuer of the certificate (CA)
signature

The certificate is sent to the client in base 64 encoded format and it looks similar to the following example:

Ok, so the server instead of just sending its public key it sends a certificate that contains the public key, some extra information and a signature from a third party (CA - Certificate Authority).

Can the hacker just send its own public key along with the signature of the web server?

The hacker can get the certificate of the web server - it is public information. And since the certificate is just a block of information - the hacker could send the its own public key together with the signature from the certificate of the web server. So this is a valid question...

The trick is that the signature of the certificate is created by hashing all of the data from the certificate and encrypting it using the private key of the Certificate Authority.
When Bobs browser receives the certificate it will decrypt the signature using the public key of the Certificate authority and it will compare the data from the signature with the content of the certificate. In this case the browser would notice that the public key from the certificate doesn't match with the one that was encrypted in the signature.

Who can sign a certificate?

Basically anyone... A certificate is basically singed by a private key. This signing private key in turn has a public key and also a certificate of the public key. And in turn this certificate is also signed, forming a chain of certificates.
A certificate can also be self-signed, this would be the root certificate.
A certificate is trusted by the browser if it trusts the root certificate. The operating system and the browser have lists of pre-installed Certificate Authority certificates they trust (such as DigiCert, Go Daddy, Let's Encrypt, etc.)

Summary

Here is a short summary of what happens when Bob needs to send his credit card information to our web server securely using a public wifi.

Our web server has a public and a private key and we have a certificate about the public key from Let's Encrypt. When Bob tries to connect to our website we first send him our certificate. Bobs browser looks at the root certificate of our certificate and decides that it can trust it. It can trust it since the certificate of the CA (Let's Encrypt in our case) is trusted by the browser. Bobs browser decrypts the signature of our certificate using the public key of the CA and compares it to the content of our certificate. After the certificate is found to be valid Bobs laptop generates a secret key. Encrypts this secret key using our public key from our certificate and sends it to our web server. From now on all the communication between us will be encrypted using this secret key - our communication is secure.

Your feedback is welcome! Please let me know if you think there is something important that should be included in this post or if you find anything wrong!

Adding business days to a date using SQL

Csaba Boros — Thu, 18 Aug 2022 14:10:17 +0000

Recently I had a task that seemed very simple at first. I had a table with billing start dates and number of business days to bill. The task was to calculate the end date for each row. Basically to calculate the start date + number of business days without having to worry about holidays.

I was surprised that there is no built-in solution for this seemingly common problem. Here is my own take on the problem.

The logic is quite simple:

for each 5 working days add an entire calendar week to the starting date
after adding the whole weeks add the remaining days (for example adding 8 days means adding 1 week and 3 days)
if the resulting date is a Saturday then add 2 more days
if the resulting date is a Saturday then add 1 more day

And here is the resulting code:



create function addWorkingDays(@startDate datetime, @workingDays int)
returns datetime
as begin
    if @workingDays = 0
        return @startDate

    declare @calendarDays int = 
        (@workingDays / 5) * 7 +  -- add whole weeks 
        (@workingDays % 5) -- add remaining days

    declare @resultDate datetime = dateadd(d, @calendarDays, @startDate)

    declare @dayOfWeek int = ((datepart(DW, @resultdate) - 1) + @@datefirst ) % 7 --the @@datefirst part is needed if you are outside of US where 0 is Monday 

    return case 
        when @dayOfWeek = 0 then --Sunday
            dateadd(d, @calendarDays, @startDate) + 1
        when @dayOfWeek = 6 then -- Saturday
            dateadd(d, @calendarDays, @startDate) + 2
        else
            dateadd(d, @calendarDays, @startDate)
    end
end

The bellow table lists a few test cases: