Clean as you code is an approach to code quality that eliminates many of the challenges that come with traditional approaches. As a developer, you focus on maintaining high standards and taking responsibility specifically in the new code you’re working on. SonarQube gives you the tools to set high standards and take pride in knowing that your code meets those standards.

This approach lets you focus on whether the new code you write is clean and safe and you take responsibility only for the code you write. This approach also lets the reviewer see only the analysis of the new code and not the code that was written before introducing SonarQube analysis.

Prerequisite

For you to follow this approach, the project in the SonarQube server should know the analysis report of the branch or a particular code version or a specific analysis or code version with a floating period which will be used for comparison.

Setting your new code definition is explained here — https://docs.sonarqube.org/latest/project-administration/defining-new-code

So, the prerequisite is an analysis report to which the changed code in PR’s analysis report can be compared.

Branch(main/master) analysis for a new project in SonarQube

When a new project is added in SonarQube for your source code, the analysis would be empty, and you must feed the base analysis report (Overall Code) which you decide to go with.

This is a step that should be done before any PR pipeline with SonarQube analysis is created.

For this documentation purpose, the default branch is analyzed and fed into the SonarQube server.

This base analysis can be done in two ways,

1. From the DevOps pipeline

2. Using the dotnet-sonarscanner tool — https://www.nuget.org/packages/dotnet-sonarscanner

This is a one-time step based on your new code definition.

The usual setup for SonarQube analysis would be in the PR build pipeline which would do the following,

1. Pull the source (task) branch

2. Prepare the SonarQube analysis

3. Build the source code

4. Run the SonarQube Analysis

5. Publish the Analysis to the SonarQube server in the PR’s name

The same pipeline would be triggered after the PR is completed to run the analysis against the destination (main/master) branch. This will update the existing base report (Overall Code) analysis with the latest analysis.

If this is the flow that the project needs, then the recommended approach is to use the dotnet-sonarscanner tool as a one-time step after the project is created.

If your project needs to set the new code definition dynamically or want scan the main branch without setting up the source code in your machine, then running the analysis in the pipeline would be useful.

However, for the first-time setup, if you take the DevOps pipeline approach to feed the base analysis report, then you must override the Quality gate and complete the PR to trigger the analysis on the main branch.

Dotnet tool dotnet-sonarscanner

Using this tool, you can scan any branch in your source code and publish it to the SonarQube server. The tool will detect the git branch name for you and will be pushed along with the analysis.

Once you add the project in SonarQube for your source code repo, you will be shown a page like the one below. Choose the manual approach here,

Follow the below steps,

Step 1: Setup your token for analysis

Give the token a name and generate it,

You can always use an existing token if you have one. This is the token you will use in the dotnet tool for authenticating you and publishing the analysis report on your machine.

Step 2: Run the analysis

Prerequisite for this step,

Prerequisite 1

Install the dotnet tool dotnet-sonarscanner using the below command,

dotnet tool install --global dotnet-sonarscanner --version 6.2.0

6.2.0 is the latest version when writing this documentation.

Prerequisite 2

Checkout the source code of the project you are configuring the analysis and make sure you have the branch you want to scan and set as the base report (Overall Code) analysis.

Once the prerequisites are completed, you can execute the scanner on the root of your source code.

Running a SonarQube analysis is straightforward. You just need to execute the following commands at the root of your solution.

SonarScanner begin command

This command will ensure the tracking of code analysis when you build the project.

dotnet sonarscanner begin /k:"Project.Name" /d:sonar.host.url="https://sonarqubeapp.azurewebsites.net"  /d:sonar.login="login.id.here"

Dotnet build command

Now you can build the project with the dotnet build command.

dotnet build

SonarScanner end command

This command will collect the code analysis and publish it to the SonarQube server.

dotnet sonarscanner end /d:sonar.login="login.id.here"

All these commands and instructions are shown in the setup page as like below,

Using the DevOps pipeline for branch analysis

This is the usual step you do in a build pipeline using the SonarQube tasks in the DevOps. Check the below blog on how to do this,

https://blogs.aspnet.in/sonarqube-deployment-integration-and-configuration

Overall Code

Once the branch analysis and publishing are done from the above steps either using the dotnet tool or the DevOps pipeline, you should see the measures in the Overall Code tab as shown below,

This will be the default base report analysis which will be used for comparison(until the next scan happens on the same branch) when a PR analysis report is published.

The new code tab will be empty at this point.

PR pipeline analysis report comparison

Now, let's introduce a code smell issue in a task branch and see the analysis report.
In the New Code tab, you will now see the issue that was identified in the PR as shown below. Note that the 33 code smells in the Overall Code are not reported here.

Only the new issues are reported which lets you focus on them and ignore the existing code. This is how we follow the “Clean as you code” approach.

SonarQube is a web service that can run in our Azure App Service. It uses an SQL database to store code analysis reports.

We can use the SonarQube docker available in Docker Hub to deploy the app into Azure App Service.

Here is the docker-compose.yml,

version: "3"

services:
  sonarqube:
    image: sonarqube:lts-enterprise
    environment:
      SONARQUBE_JDBC_URL: jdbc:sqlserver://testsql.database.windows.net:1433;database=sonarqube-enterprise-edition;user=sonarqube@sql-server-sonarqube;password=Admin@123;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;
      SONARQUBE_JDBC_USERNAME: sonarqube
      SONARQUBE_JDBC_PASSWORD: Admin@123
      WEBSITES_PORT: 80
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
      - sonarqube_temp:/opt/sonarqube/temp   
    ulimits:
      nproc: 131072
      nofile:
        soft: 8192
        hard: 131072
    ports:
      - "80:9000"
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  sonarqube_temp:

The credential for the database is added in the docker-compose.yml file. This is needed when the app is started.

We can also configure the same from the Configuration.

Prerequisites

You can check SonarQube’s requirements here — https://docs.sonarqube.org/latest/requirements/requirements/

App Service

For the app to run in Azure App Service, we need a P2V2 plan. This is because the app internally has an Elastic Search service, and it needs more memory. Otherwise, you will see the app running and getting stopped after some time.

You can always use the Log Stream in the App Service to watch the logs from the app.

Database

MS SQL Database must have case-sensitive and accent-sensitive collation.

SQL_Latin1_General_CP1_CS_AS

When you start the application for the first time, it will ask you to reset the default password. Default credentials will be — username: admin, password: admin.

Integration

You have the below integration steps to do the SonarQube analysis,

1. Adding your DevOps repo in SonarQube

2. Updating your DevOps pipelines with SonarQube Analysis and Reporting tasks

Here is the SonarQube documentation for the same,

https://docs.sonarqube.org/latest/analysis/azuredevops-integration

Below you will see the simplified steps of the same documentation,

Prerequisites

1. Personal Access Token must be generated with Read and Write Access for the Code module. This is needed in the SonarQube project addition module.

2. Install the SonarQube extension in Azure DevOps — https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarqube

3. Access to your DevOps repo settings for adding the SonarQube service connection to it.

Adding your DevOps repo in SonarQube

Repo addition

Start by clicking on the “Add Project” button and selecting DevOps. This will be a self-explanatory form.

1. Feed in the PAT you obtained for your account in DevOps with Read and Write Access for the Code module.

2. Using the PAT, SonarQube will list the Projects in DevOps. Find your DevOps project and choose the repo.

This will create the project in SonarQube.

Updating your DevOps pipelines with SonarQube Analysis and Reporting tasks

Once you add the project, you can configure the analysis in your DevOps pipeline. Add the SonarQube server URL as a service connection in your project settings.

Configure Analysis

In your DevOps pipeline, do the following,

1. Add the SonarQube Preparation task before your Build task

2. Add the SonarQube Analysis task after your Build task

3. Add the SonarQube Publish task after the analysis task

SonarQube preparation task must be fed with the service connection we created in the previous step.

Now, if you run your pipeline, you should see the analysis report in the SonarQube project below,

Configuration of SonarQube rules

SonarQube has an inbuilt ruleset that is categorized in different facets, and it is synchronized with new SonarQube release versions too.

You will find detailed documentation here — https://docs.sonarqube.org/latest/user-guide/rules

Here we will see the simplified version of the same,

SonarQube has around 400+ rules spanning several types => bugs, vulnerability, code smell, and security hotspots for C#.

Hierarchically, rules come below Quality Profiles. Rules can be grouped under a Quality profile and these profiles can be assigned to the projects as needed.

SonarQube comes with a default quality profile for each language and cannot be edited. But it can be extended with new rules.

New Quality profiles can be created based on the existing ones. Under the new quality profiles, rules can be activated/deactivated based on the needs.

Activating/Deactivating a Rule in a Quality Profile

Steps,

1. Open the Quality Profile.

2. On the left side, you will the rule types with their active and inactive counts.

3. You can click on any of the counts to filter and see the rules that are active/inactive.

4. Once you are on the Rules page, make sure you are editing the correct Quality profile by seeing that on the left side.

5. You can also make bulk changes based on your needs.

Once the activation or deactivation of the rules is done, it will immediately reflect in your existing reports as well. So, everything is dynamic.

Even for your older analysis reports, you can activate new rules.

Quality Gates

This is an optional module that can be set up in your Azure DevOps branch policy to ensure that your repo is complying with all the rules you set up. This gate can be used to prevent the PR (Pull Request) from being merged.

As a process, you do not have to set this up initially and you will have to mandate this once you fix all the rules.

https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/

SonarQube Report summary in DevOps

You will always have a report summary in your pipeline, under extensions and you can open the SonarQube site report from here.

SonarLint Extension in VS

We can install the SonarLint extension in VS and get the analysis while doing the development itself.

Here is the link for SonarLint Extension,

https://marketplace.visualstudio.com/items?itemName=SonarSource.SonarLintforVisualStudio2022

As SonarQube supports different quality profiles for different projects, the project that you run in VS also needs the same Quality profile so that we can coordinate with the rule sets configured in the project. To do this, we can connect the SonarLint in VS to our SonarQube server.

Connect SonarLint to SonarQube Server

Here is the documentation on how to do this,

https://github.com/SonarSource/sonarlint-visualstudio/wiki/Connected-Mode

Here we will see the simplified version of the same,

1. Install SonarLint extension.

2. Go to Team Explorer in VS and select SonarQube.

3. Feed the credentials.

4. Select the appropriate project and that is all.

HTTPContext Extensions

Get Base Path

public static string GetBasePath(this HttpContext httpContext)
{
    return $"{httpContext.Request.Scheme}://{httpContext.Request.Host}";
}

Check if the Request Header has a particular key

public static bool HasRequestHeader(this HttpContext httpContext, string headerName)
{
    return httpContext.Request.Headers.ContainsKey(headerName);
}

Check if the Response Header has a particular key

public static bool HasResponseHeader(this HttpContext httpContext, string headerName)
{
    return httpContext.Response.Headers.ContainsKey(headerName);
}

Check if the Request Header key has the required value

public static bool HasRequestHeaderValue(this HttpContext httpContext, string headerName, string headerValue)
{
    return httpContext.Request.Headers.TryGetValue(headerName, out var header)
        && header.Any(a => a.Equals(headerValue, StringComparison.OrdinalIgnoreCase));
}

Check if the Response Header key has the required value

public static bool HasResponseHeaderValue(this HttpContext httpContext, string headerName, string headerValue)
{
    return httpContext.Response.Headers.TryGetValue(headerName, out var header)
        && header.Any(a => a.Equals(headerValue, StringComparison.OrdinalIgnoreCase));
}

IEnumerable Extensions

Convert any IEnumerable to CSV String

public static string ConvertToCSVString<T>(this IEnumerable<T> items)
{
    if (items.Any())
    {
        var lines = new List<string>();
        var header = string.Empty;

        if (items.FirstOrDefault().GetType() == typeof(JObject))
        {
            var jObject = (JObject)Convert.ChangeType(items.FirstOrDefault(), typeof(JObject));

            header = string.Join(",", jObject.Properties().Select(x => x.Name));

            lines.Add(header);

            ////DO NOT include the starting and ending quotes inside the $ string interpolation.
            var valueLines = items.Select(row =>
                                    string.Join(",", header.Split(',')
                                        .Select(a => "\"" + $"{((JObject)Convert.ChangeType(row, typeof(JObject))).GetValue(a)}"?
                                                        .Replace(Environment.NewLine, string.Empty, StringComparison.OrdinalIgnoreCase)
                                                        .Replace("\"", "\"\"", StringComparison.OrdinalIgnoreCase)
                                                        + "\""
                                                        )));

            lines.AddRange(valueLines);
        }
        else
        {
            var props = items.FirstOrDefault().GetType().GetProperties();

            header = string.Join(",", props.Select(x => x.Name));

            lines.Add(header);

            //DO NOT include the starting and ending quotes inside the $ string interpolation.
            var valueLines = items.Select(row =>
                                    string.Join(",", header.Split(',')
                                        .Select(a => "\"" + $"{row.GetType().GetProperty(a).GetValue(row, null)}"?
                                                        .Replace(Environment.NewLine, string.Empty, StringComparison.OrdinalIgnoreCase)
                                                        .Replace("\"", "\"\"", StringComparison.OrdinalIgnoreCase)
                                                        + "\""
                                                        )));

            lines.AddRange(valueLines);
        }

        var csvString = string.Join("\r\n", lines.ToArray());

        return csvString;
    }
    else
    {
        return string.Empty;
    }
}

Convert any IEnumerable to DataTable

public static DataTable ToDataTable<T>(this IEnumerable<T> items)
{
    DataTable dataTable = new DataTable(typeof(T).Name);

    PropertyInfo[] Props = typeof(T).GetProperties(BindingFlags.Public | BindingFlags.Instance);
    foreach (PropertyInfo prop in Props)
    {
        dataTable.Columns.Add(prop.Name);
    }
    foreach (T item in items)
    {
        var values = new object[Props.Length];
        for (int i = 0; i < Props.Length; i++)
        {
            values[i] = Props[i].GetValue(item, null);
        }
        dataTable.Rows.Add(values);
    }

    return dataTable;
}

Session Extensions

Replace a value in a Session key

public static void Replace(this ISession session, string key, object data)
{
    if (session.Keys.Any(x => x.Equals(key, StringComparison.OrdinalIgnoreCase)))
    {
        session.Remove(key);
    }

    session.SetString(key, JsonConvert.SerializeObject(data));
}

Get value from a Session key

public static bool TryGet<T>(this ISession session, string key, out T data, bool removeKey = false)
{
    if (session.Keys.Any(x => x.Equals(key, StringComparison.OrdinalIgnoreCase)))
    {
        var objString = session.GetString(key);

        data = JsonConvert.DeserializeObject<T>(objString);

        if (removeKey)
        {
            session.Remove(key);
        }

        return true;
    }

    data = default;
    return false;
}

ClaimsPrincipal Extensions

Check if the claims has a particular Role

public static bool HasRole(this ClaimsPrincipal principal, string role)
{
    return principal.HasClaim(c =>
                                    c.Type == ClaimTypes.Role &&
                                    c.Value.Equals(role, StringComparison.OrdinalIgnoreCase));
}

Get Roles from the claims

public static IEnumerable<string> GetRoles(this ClaimsPrincipal principal)
{
    return principal.Claims.Where(c => c.Type == ClaimTypes.Role).Select(s => s.Value);
}

Get a particular claim from the claims

 public static T GetClaim<T>(this ClaimsPrincipal principal, string claim)
 {
     var result = principal?.Claims?.FirstOrDefault(f => f.Type.Equals(claim, StringComparison.OrdinalIgnoreCase))?.Value;

     return (T)Convert.ChangeType(result, typeof(T));
 }

DateTime Extensions

Convert to a different TimeZone

public static DateTime ConvertToTimeZone(this DateTime dateTime, string timeZoneId)
{
    return TimeZoneInfo.ConvertTimeFromUtc(dateTime, TimeZoneInfo.FindSystemTimeZoneById(timeZoneId));
}

Check if a given DateTime is between a time range

public static bool IsBetweenTimeRange(this DateTime comparisonTime, DateTime? startDate, DateTime? endDate)
{
    return (startDate.HasValue ? comparisonTime >= startDate.Value : true) && (endDate.HasValue ? comparisonTime <= endDate.Value : true);
}

Check if a give DateTimeOffset is between a time range

public static bool IsBetweenTimeRange(this DateTime comparisonTime, DateTimeOffset? startDate, DateTimeOffset? endDate)
{
    return comparisonTime.IsBetweenTimeRange(startDate.HasValue ? startDate.Value.DateTime : null, endDate.HasValue ? endDate.Value.DateTime : null);
}

Convert to a DateTimeOffset based on a TimeZone

public static DateTimeOffset? ToDateTimeOffset(this DateTime? dateTime, string timeZoneId)
{
    return dateTime.HasValue ? new DateTimeOffset(dateTime.Value, TimeZoneInfo.FindSystemTimeZoneById(timeZoneId).BaseUtcOffset) : null;
}

Enum Extensions

Get display name of an Enum

public static string GetDisplayName(this Enum enumValue)
{
    var displayName = enumValue.GetType().GetMember(enumValue.ToString()).FirstOrDefault().GetCustomAttribute<DisplayAttribute>()?.GetName();

    return string.IsNullOrWhiteSpace(displayName) ? enumValue.ToString() : displayName;
}

HTTPResponseMessage Extensions

Ensure the HTTPResponseMessage has a Success Status code and log failures

public static async Task EnsureSuccessStatusCodeAndLogFailures(this HttpResponseMessage httpResponseMessage, ILogger logger)
{
    if (httpResponseMessage == null)
    {
        throw new ArgumentNullException(nameof(httpResponseMessage));
    }
    if (logger == null)
    {
        throw new ArgumentNullException(nameof(logger));
    }

    if (!httpResponseMessage.IsSuccessStatusCode)
    {
        var response = await httpResponseMessage.Content?.ReadAsStringAsync();

        var requestUri = httpResponseMessage.RequestMessage?.RequestUri;

        logger.LogError($"HTTP call to {requestUri} returned status code {httpResponseMessage.StatusCode} with response {response}");
    }

    httpResponseMessage.EnsureSuccessStatusCode();
}

TokenResponse Extensions

Ensure the TokenResponse has a Success Status and log failures

public static void CheckResponseAndLogFailures(this TokenResponse tokenResponse, ILogger logger)
{
    if (tokenResponse == null)
    {
        throw new ArgumentNullException(nameof(tokenResponse));
    }
    if (logger == null)
    {
        throw new ArgumentNullException(nameof(logger));
    }

    if (tokenResponse.IsError)
    {
        var response = JsonConvert.SerializeObject(tokenResponse);

        logger.LogError("Access Token call to returned with error and data: {data}", response);
    }
}

String Extensions

Slugify

public static string Slugify(this string phrase)
{
    if (string.IsNullOrWhiteSpace(phrase))
    {
        return string.Empty;
    }

    var output = phrase.RemoveAccents().ToLower();

    output = Regex.Replace(output, @"[^A-Za-z0-9\s-]", "");

    output = Regex.Replace(output, @"\s+", " ").Trim();

    output = Regex.Replace(output, @"\s", "-");

    return output;
}

public static string RemoveAccents(this string text)
{
    if (string.IsNullOrWhiteSpace(text))
        return text;

    text = text.Normalize(NormalizationForm.FormD);
    char[] chars = text
        .Where(c => CharUnicodeInfo.GetUnicodeCategory(c)
        != UnicodeCategory.NonSpacingMark).ToArray();

    return new string(chars).Normalize(NormalizationForm.FormC);
}

Check if a email is valid

public static bool IsValidEmail(this string email)
{
    var isValid = true;

    try
    {
        var emailAddress = new MailAddress(email.Trim());
    }
    catch
    {
        isValid = false;
    }

    return isValid;
}

This is a simple demo sample on implementing ABAC in a .Net Core API Application. This uses three main aspects of Attributes => ACCESS, SCOPE, and MODULE.

Key Points

1. Access, Scope, and Module attributes are used
2. It is possible to extend this sample to accommodate as many attributes as needed
3. No External libraries were used
4. Handled all the necessary authn and authz in the handlers itself.
5. Optional takeaway - added an additional path for restricting resources in PermissionsAuthHandler.cs#L60

To Explore

1. Clone and run the code
2. Generate a JWT token with email/sub and exp. Applicable emails can be found in TestUsers.cs
3. Add the generated JWT token in the swagger authorization menu and call the APIs

• Setup Azure App Configuration
• Setup Azure Key Vault
• Configuring a .Net Core project with sample code
  • Setting up access policies in Key Vault
  • Authenticating your application code to fetch secrets from Key Vault

Disclaimer: Probably, you could have seen this how-to information in the MSFT official documentation. But this blog will give you the curated steps removing all the clutters.

Prerequisites

Make sure you have access to do the below in Azure,

1. Create Azure App Configuration
2. Create Azure Key Vault
3. Edit Access policy in the newly created Key Vault
4. Enable System assigned managed identity for the Application hosted in Azure
5. Register an app in Azure Active Directory (optional)

Intro on the said Azure jargons

Azure App Configuration lets you maintain the config details of your app in Azure so that your app can be free of any environment dependency. It has labels that can be used to maintain values of different environments for a single config property.

Key Vault is a resource in Azure to store secret information that can be accessed by your apps through managed identities or service principal authentication.

Managed Identities are used to authenticate across azure resources through an identity thereby eliminating the need to manage credentials. In this blog, we will use the System-assigned managed identity of an Azure App Service which we will enable in it to access the secrets in a Key Vault.

Create Azure App Configuration

Follow this to create a new Azure App Configuration resource and add your config properties to the store.

Configuration Explorer under Operations, is where the config properties can be seen and edited.

Every key has options to add more values with different labels which can be used for different environments. Here is a screenshot of the Configuration Explorer displaying 2 values for a single key with one having a label and another empty.

To retrieve these values in an application, Connection String that is uniquely generated under Access Keys is needed. Get the connection string from this page which will be used in our application to connect to the App Configuration store.

Create Azure Key Vault

Follow this to create a new Azure Key Vault resource. For this blog, we will look into secrets alone to store our passwords/client secrets. Check this on how to create a secret in the Key Vault.

Retrieving secrets' value from the Key Vault can be done using the Azure.Identity package. But if you want to load the secrets in the ConfigurationSection, then there is a way in the ConfigurationBuilder to include both App Configuration key-values and Key Vault secrets.

To do this, the secrets are to be referenced in the App Configuration as a new key-value. Check this article on how to add a KV reference in the App Configuration.

App Configuration will use the identity that is used to load itself for accessing the secrets in the Key Vault. This is something we will set up in the next steps. As of now, your App Configuration should look something like the below screenshot,

Configuring a .Net Core project with sample code

Here is the sample app in GitHub.

https://github.com/venbacodes/AppConfigKVSample

To connect with the Azure App Configuration, you will need the package Microsoft.Extensions.Configuration.AzureAppConfiguration which has the extension method AddAzureAppConfiguration for the ConfigurationBuilder. This extension method will get the Connection String of the App Configuration and can also configure the Key Vault using the ConfigureKeyVault method in its options.

builder.Host.ConfigureAppConfiguration((webHostBuilderContext, config) =>
{
    var isDevelopment = webHostBuilderContext.HostingEnvironment.IsDevelopment();
    var environment = webHostBuilderContext.HostingEnvironment.EnvironmentName.ToLower();

    config
    .AddJsonFile("appsettings.json", false, true)
    .AddJsonFile($"appsettings.{webHostBuilderContext.HostingEnvironment.EnvironmentName}.json", true, true);

    var settings = config.Build();

    var appConfigConnectionString = settings.GetSection(AppConfigConnectionStringSection);

    if (appConfigConnectionString != null && !string.IsNullOrWhiteSpace(appConfigConnectionString.Value))
    {
        config.AddAzureAppConfiguration(options =>
        {
            options
            .Connect(appConfigConnectionString.Value)
            .ConfigureKeyVault(kv =>
            {
                if (isDevelopment)
                {
                                    ///You WON'T need this if you are logged into Visual Studio and your account has been setup 
                                    ///with access policy in the Key Vault you are trying to connect. You can just use the DefaultAzureCredential
                                    ///that is set in the else part.
                                    var cred = new ClientSecretCredential(
                        settings.GetSection("DevCredential:TenantId").Value,
                        settings.GetSection("DevCredential:ClientId").Value,
                        settings.GetSection("DevCredential:ClientSecret").Value);

                    kv.SetCredential(cred);
                }
                else
                {
                    kv.SetCredential(new DefaultAzureCredential());
                }
            })
            .Select(KeyFilter.Any, LabelFilter.Null)
            .Select(KeyFilter.Any, environment ?? LabelFilter.Null);
        });
    }
});

OK, here are the explanations on the above code,

This reads the app config connection string we have in our appsettings.json file

var appConfigConnectionString = settings.GetSection(AppConfigConnectionStringSection);

We will now use this connection string in the AddAzureAppConfiguration method,

options
.Connect(appConfigConnectionString.Value)

Now, we are configuring the Key Vault in the config builder to load its secrets also as configuration into the application's Configuration.

.ConfigureKeyVault(kv => {
  ///Code removed for simplicity
})

We are trying to connect to the Key Vault using our registered identity in AD for development and the default credential when not in development. We will see about this more in the next section.

While getting the data from the app config, we are actually filtering the keys and values based on the environment.

.Select(KeyFilter.Any, LabelFilter.Null)
.Select(KeyFilter.Any, environment ?? LabelFilter.Null)

The above code tries to filter the values based on the label filter. Actually, this will include all keys without any labels and all keys with the specified label and finally will overwrite the values in the first filter. The order of filters is important here.

Access Policies in Key Vault

Access policies section in the Key Vault is where we will assign permissions for applications and users using the managed identities that are formed from the Azure Active Directory.

Here is a screenshot of this section,

Azure AD Identities

You can either use an Azure App Services' System-assigned managed identity or your azure account's identity to connect to the Key Vault. I recommend using your own azure account to authenticate and connect to the Key Vault by logging into Visual Studio and using kv.SetCredential(new DefaultAzureCredential());

If you don't want to use your azure account, there is another possibility to register an App in the Azure AD and use its identity in this Access Policy.

App Registration in Azure AD

Follow this to register an application in the Azure AD and get the below details from it to set the credentials while configuring the KV.

TenantId - This will be the common id for your azure tenant
ClientId - This will be the unique id for the registered app
ClientSecret - You have to create this secret after registering the app. This is covered in the below link

https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret

Azure App Service System Assigned Managed Identity

To use the Azure App Services' identity, you would have to enable it as like below,

Once this is done, kv.SetCredential(new DefaultAzureCredential()); will automatically use the app's identity and try to authenticate and get values from the KV.

To complete a successful authentication, add this newly registered app in the access policy section under the KV as a principal and give access to read secrets.

Finally seeing the values from the app config

After completing the above steps, you can now access the Configuration with the key name ACDemo which I used in the App Configuration. For this demo, I have read the key during startup and added it to a singleton service so that I can get them injected in all places.

var acDemo = new ACDemo();
builder.Configuration.Bind("ACDemo", acDemo);

builder.Services.AddSingleton(acDemo);

I hope you also will find this helpful 🎉🎉🎉.

Counter function maintains a seed value that should be variable in your pipeline and will increment it on each pipeline run.

So, here is my complete pipeline yml file before going further,

name: '$(Build.DefinitionName)_$(SourceBranchName)_$(Year:yyyy).$(Month).$(DayOfMonth).$(revision)'

trigger:
    branches:
        include:
            - master
            - develop    

pool:
  vmImage: 'windows-latest'

variables:
  solution: '*/.sln'
  buildPlatform: 'Any CPU'
  buildConfiguration: 'Release'  
  buildNumber: 'Will be set dynamically'
  revision: $[counter(format('{0:dd}', pipeline.startTime), 1)]

steps:
- task: PowerShell@2
  displayName: 'Preparing Build Number'
  inputs:
    targetType: 'inline'
    script: |
      $currentDate = $(Get-Date)
      $year = $currentDate.Year
      $month = $currentDate.Month
      $day = $currentDate.Day
      Write-Host $currentDate
      Write-Host $day
      Write-Host $env:revision
      Write-Host "##vso[task.setvariable variable=buildNumber]$year.$month.$day.$env:revision"

- task: UseDotNet@2
  displayName: 'Use .NET 6'
  inputs:
    packageType: 'sdk'
    version: '6.0.x'
    includePreviewVersions: true

- task: NuGetToolInstaller@1
  displayName: 'Update Nuget'
  inputs:
    checkLatest: true

- task: NuGetCommand@2
  displayName: 'NuGet restore'
  inputs:
    command: 'restore'
    restoreSolution: '$(solution)'
    feedsToUse: config
    nugetConfigPath: nuget.config

- task: DotNetCoreCLI@2
  displayName: Build
  inputs:
    projects: 'ProjectName.csproj'
    arguments: '--configuration $(buildConfiguration) /p:AssemblyVersion=$(buildNumber)'

- task: DotNetCoreCLI@2
  displayName: Publish
  inputs:
    command: publish
    publishWebProjects: false
    projects: 'ProjectName.csproj'
    arguments: '--configuration $(BuildConfiguration) --output $(build.artifactstagingdirectory) /p:Version=$(buildNumber)'
    zipAfterPublish: True

- task: PublishBuildArtifacts@1
  displayName: 'Publish Artifact'
  inputs:
    PathtoPublish: '$(build.artifactstagingdirectory)'
  condition: succeededOrFailed()

We will focus only on the variables section and the PowerShell task in this blog.

In the variables section, I have added a variable revision that is set from the counter function.

revision: $[counter(format('{0:dd}', pipeline.startTime), 1)]

This counter function is using startTime of the pipeline in the format of day number as its seed. The counter starts from 1.

On each pipeline run, the counter will check for changes in the day number in the pipeline.startTime, and if it's new, the counter will reset to the default value which is 1.

As of now, we have achieved a revision number that gets incremented on each pipeline run on the same day and also resets to 1 on the next day.

Now, in the PowerShell task, we are going to use this revision to form a build number for our assembly.

Write-Host "##vso[task.setvariable variable=buildNumber]$year.$month.$day.$env:revision"

We are trying to achieve a build number in this format - yyyy.mm.dd.revision => 2021.12.26.13

In the above Write-Host command, we are not printing any values to the output console, instead, we are using the logging command #vso to set the variable buildNumber with our required value.

Finally, in the build and publish tasks, I passed the buildNumber to the /p:AssemblyVersion and /p:Version properties respectively.

You can write your own logic to set the buildNumber using the counter function and achieve build numbers in any format you want.

Follow me on the below places for more of my blog posts,

dev.to

hashnode

Medium

Here is the sample project I did on GitHub.

https://github.com/venbacodes/ImpersonationSample-IdentityServer4

This is a sample application to show a way to implement impersonation when using Identity Server.

Key Points

1. Authorization policy has been set up to restrict impersonation to users with specific roles.
2. Admin users' email is added as a claim while impersonating so that it can be used while ending the impersonation.
3. Logic is simple as authenticating with the victim users' email for impersonation with additional claims to track the impersonation and the impersonating user.

Before going into the actual blog, I wanted to explain the Azure resources that we are going to discuss in simple words,

Key Vault is a resource in Azure to store secret information that can be accessed by your apps through managed identities or service principal authentication.

Azure Automation is a service that gives you the ability to automate tasks, do configuration changes, do updates to your azure resources using Az Cmds through runbooks in it. So, practically, we can run any automation using the Az cmds.

Azure Event Grid is a service that fires events to your chosen event handlers or webhooks for the events that happen in your Azure resources. In this blog, we are going to have KVs as the event source and Webhooks as the handler.

Now, in this blog, I am going to explain how you can use Azure Automation to detect changes in a KV and update the secret value in another KV.

Why would someone do that? OK, consider having 100s of KVs in Azure and are being used by 100s of apps. If you have a secret value that is in all these KVs and you don't want your apps connecting to multiple KVs, then it's muscle work to update the secret value in that many KVs.

So, Azure Automation and Event Grid subscriptions come in to help us detect the new version of the secret in a KV and update its value in the other KVs.

Prerequisites

Make sure, you have access to do the below in Azure,

1. Create Automation resource
2. Create Key Vault
3. Create Events in Key Vault
4. Edit Access Policies in Key Vault

Step 1: Create Azure Automation

Follow this to create a new Azure Automation account with System assigned identity. We will use this system assigned identity to access the secrets in the KV.

By default, the Azure Key Vault module is enabled in the Azure Automation. Make sure you have it in the Modules section. I am using the Runtime version 5.1 for this blog.

Step 2: Create Key Vaults

Follow this to create a new KV. For this blog, I am creating 2 Key vaults - 1 for parent and 1 for children. I want to update the secret in child KVs when there is a new version of the secret in the parent.

Both the parent and child KVs needs to be set up with Access policies including the Automation account we created in Step 1 as like in the below pic,

Populate the KVs with secrets in it by following this.

Step 3: Create Runbook in the Azure Automation account

Follow this to create a new Runbook in the Azure Automation account. For this blog, we will use the PowerShell workflow runbook and we will use the Az cmds.

Follow this to create a Webhook under the newly created Runbook. Make sure you copy the Webhook URL while creating, as it cannot be retrieved later. We will need this URL to be added to the KV's Event Handler.

Step 4: Setup Event Subscription and handlers in Parent KV

1. Go to your parent KV.
2. Select Events from the left section.
3. Create an Event Subscription.
4. Give the subscription and the topic unique names.
5. For the Event Types, choose "Secret New Version Created" as this is what we are going to monitor in this blog.
6. For the Endpoint Type, choose "WebHook" and type in the URL we got from Step 3 for the endpoint.
7. Click on create to save the Event Subscription

As of now, we have subscribed to the new secret version create an event in the KV, and set Runbook's Webhook as the event handler.

Step 5: Catch the event data in the Azure Automation Runbook

In this step, we will catch the event data in the webhook as use Az cmds for setting the secret value in our child KV.

Go to your Runbook's Edit window and type in the below PS code in it.

param
(
[Parameter (Mandatory = $false)]
[object] $WebhookData
)

if ($WebhookData) 
{
    Write-Output $WebhookData.RequestBody

    $bodyJson =  $WebhookData.RequestBody | ConvertFrom-Json # Converting to json for easier manipulation

    # Getting the KV's name, Secret's name and the Event Type
    $secretName = $bodyJson[0].data.ObjectName
    $parentKv = $bodyJson[0].data.VaultName    
    $eventType = $bodyJson[0].eventType
    $childKv = ""

    if($eventType -eq "Microsoft.KeyVault.SecretNewVersionCreated")
    {
        # Authenticate using the System assigned identity of the Azure Automation account
        Connect-AzAccount -Identity

        # Using Az cmd for getting the secret's latest version value from the KV
        $secretValue = Get-AzKeyVaultSecret -VaultName $parentKv -Name $secretName -AsPlainText

        Write-Output "A new version for secret $($secretName) has been created in KV - $($parentKv) with value - $($secretValue)"

        if($secretName -eq "secret-child-1")
        {
            $childKv = "child-1-kv"           
        }
        elseif($secretName -eq "secret-child-2")
        {
            $childKv = "child-2-kv"
        }

        if($childKv -eq "")
        {
            Write-Output "No secrets have been set in the child KVs as the updated key in parent is not associated with the children"
        }
        else
        {
            # Setting the child KV with the secret value that is set in the parent KV
            $Secret = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
            Set-AzKeyVaultSecret -VaultName $childKv -Name $secretName -SecretValue $Secret

            Write-Output "A new version of secret $($secretName) has been created in KV - $($childKv) with value - $($secretValue)"
        }        
    }
}
else
{
    write-Error "No input data found." 
}

$WebhookData is the parameter where we will get the event data. I have converted the data into JSON for easier manipulation and ripped the KV's name, Secret name and event type.

$bodyJson =  $WebhookData.RequestBody | ConvertFrom-Json
$secretName = $bodyJson[0].data.ObjectName
$parentKv = $bodyJson[0].data.VaultName    
$eventType = $bodyJson[0].eventType

After checking the event type we needed, I am using the Az cmd to authenticate the current execution.

Connect-AzAccount -Identity

Getting the secret's latest version value from the KV

$secretValue = Get-AzKeyVaultSecret -VaultName $parentKv -Name $secretName -AsPlainText

Setting the child KV with the secret value that is set in the parent KV

$Secret = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $childKv -Name $secretName -SecretValue $Secret

Publish this runbook and we shall test the setup in the next step. For this blog, I have hardcoded the secret names; you can change the logic as per your need.

Step 6: Test the setup

Now, create a new version in the Parent KV's secret. This will fire an event to the Webhook. You can monitor this in the KV's metric as like in the below pic,

You can also check the Webhook for the Last triggered value,

Output section in the Jobs section will give you the output of the PS code that was executed for the event. Here is the example output,

[{"id":"6e1c172c-26f5-49e6-a065-f9ee3818b7e1","topic":"Removing this for security","subject":"secret-child-2","eventType":"Microsoft.KeyVault.SecretNewVersionCreated","data":{"Id":"Removing this for security","VaultName":"parent-kv","ObjectType":"Secret","ObjectName":"secret-child-2","Version":"Removing this for security","NBF":null,"EXP":null},"dataVersion":"1","metadataVersion":"1","eventTime":"2021-12-03T12:18:25.6002045Z"}]


Environments                                                                                                            
------------                                                                                                            
{[AzureChinaCloud, AzureChinaCloud], [AzureCloud, AzureCloud], [AzureGermanCloud, AzureGermanCloud], [AzureUSGovernme...

A new version for secret secret-child-2 has been created in KV - parent-kv with value - 741258963


SecretValue : System.Security.SecureString
Attributes  : Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecretAttributes
Enabled     : True
Expires     : 
NotBefore   : 
Created     : 12/3/2021 12:18:30 PM
Updated     : 12/3/2021 12:18:30 PM
ContentType : 
Tags        : 
TagsTable   : 
VaultName   : child-2-kv
Name        : secret-child-2
Version     : Removing this for security
Id          : Removing this for security

A new version of secret secret-child-2 has been created in KV - child-2-kv with value - 741258963

This is a requirement I had for one of my projects where we retrieve app insights data from several azure web apps on their flow performances. I used App Insights API for posting the KQL query and the timespan to get the flow performances which are logged using custom dimensions in the specific insights' logs.

I also had a requirement where I had to give the users who are seeing the data, the ability to see the query and timespan I used for retrieving the data they are seeing. There is no direct way Azure gives you this ability. So, I researched the Log Analytics 'Share' functionality on how they are sharing the queries in the URLs.

Here is the format they are using,

https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F{subscriptionId}%2FresourceGroups%2F{rg}%2Fproviders%2Fmicrosoft.insights%2Fcomponents%2F{resourcename}/source/LogsBlade.AnalyticsShareLinkToQuery/query/{query}

The values you see inside {} are to be replaced with actuals. However, for {query}, it does not take the KQL directly.

I eventually found that they are converting the KQL into Base64 bytes and compressing them. They have this property by default set to true => isQueryBase64Compressed=true in the query string.

So, the URL would become like this,

https://portal.azure.com/#blade/Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F{subscriptionId}%2FresourceGroups%2F{rg}%2Fproviders%2Fmicrosoft.insights%2Fcomponents%2F{resourcename}/source/LogsBlade.AnalyticsShareLinkToQuery/query/{query}/isQueryBase64Compressed/true

OK, Here is the code for that KQL query conversion to fit into this URL.

var queryBytes = Encoding.UTF8.GetBytes(query);
var memoryStream = new MemoryStream();
var gZipStream = new GZipStream(memoryStream, CompressionMode.Compress);

gZipStream.Write(queryBytes, 0, queryBytes.Length);
gZipStream.Close();

var compressedData = memoryStream.ToArray();

var encodedText = Convert.ToBase64String(compressedData);
encodedText = encodedText.Replace("/", "%2F");
encodedText = encodedText.Replace("+", "%2B");
encodedText = encodedText.Replace("=", "%3D");

var portalUrl = "https://portal.azure.com/#@sample.onmicrosoft.com/resource/subscriptions/guid-guid-guid-guid-guid/resourceGroups/rg-name/providers/microsoft.insights/components/app-insights-name/overview";

var (subscriptionId, rg, resourcename) = GetAzureResourceDetailsFromLogUrl(portalUrl);

url = "https://portal.azure.com/#blade/" + $"Microsoft_Azure_Monitoring_Logs/LogsBlade/resourceId/%2Fsubscriptions%2F{subscriptionId}%2FresourceGroups%2F{rg}%2Fproviders%2Fmicrosoft.insights%2Fcomponents%2F{resourcename}/source/LogsBlade.AnalyticsShareLinkToQuery/query/{encodedText}/isQueryBase64Compressed/true";

Additional Perks Here is an additional perk for getting the Subscription Id, Resource Group Name, and the Resource Name from an Azure App Insights resource URL.

private static (string, string, string) GetAzureResourceDetailsFromLogUrl(string portalUrl)
{
  var uri = new Uri(portalUrl.Replace("#", ""));

  var subscriptionId = uri.Segments[uri.Segments.ToList().FindIndex(f => f.Equals(SubscriptionsUrlSegment, StringComparison.OrdinalIgnoreCase)) + 1].Replace("/", "");

  var rg = uri.Segments[uri.Segments.ToList().FindIndex(f => f.Equals(RGUrlSegment, StringComparison.OrdinalIgnoreCase)) + 1].Replace("/", "");

  var resourceName = uri.Segments[uri.Segments.ToList().FindIndex(f => f.Equals(ComponentUrlSegment, StringComparison.OrdinalIgnoreCase)) + 1].Replace("/", "");

  return (subscriptionId, rg, resourceName);
}

As a web developer, I too had a chance to work in the build automation systems,

1. FinalBuilder - with a GUI, it was too easy to prepare and run the builds.
2. PowerShell - build system with PowerShell scripts was powerful yet complex to write.
3. Cake (C# Make) - simple, easy to set up, and with a lot of extensions scripting with C#.

BUT, now I had the opportunity to use Nuke.Build for my build system and I am obsessed heavily with it that I love it so much.

Comparing all these 4 build systems, from my point of view, I would recommend Nuke. We would not need a separate build team while using Nuke as it is coupled with your project itself. You would be able to debug Nuke targets in your own IDE.

Here is a sample nuke project for your reference. https://github.com/vengi83644/nuke-build-sample

Similar blog: https://pknopf.com/post/2019-03-10-you-dont-need-cake-anymore-the-way-to-build-dotnet-projects-going-forward/