I would like to override some defaults in the app under test so we can redirect network traffic. How can I configure the platform configuration to set environment variables on the App under test?
For example, I have a default api endpoint and I'd like to pass a stub/mock endpoint url in to the application for the test run. Then the mobile app would select the endpoint like the following.
var endpoint = Environment.GetEnvironmentVariable("TEST_API_ENDPOINT") ?? DEFAULT_ENDPOINT;
return new NetworkClient(nativeHttpHandler, BaseUrl.Create(endpoint));
And the UI Test could configure the stub API to return specific scenarios like locked out accounts or network outages or specific user data without having to modify data on a staging server to which my team doesn't have direct access.
Related
in order to programmatically retrive some AppTraces and AppExceptions info from an Azure Application Insights Logs resource, we followed the instructions included in the following article advicing to adopt the new Azure Monitor Query client library for .NET to fulfill the purpose.
https://learn.microsoft.com/it-it/dotnet/api/overview/azure/Monitor.Query-readme?view=azure-dotnet
Strictly following the above article instructions (and using the DefaultAzureCredential object to authenticate), we managed to get the client library's LogsQueryClient object working fine in the local version of the developed web api (ASP .NET Core 6.0). And so, locally we are eable to fetch the logs info we need.
But once we published the web api on the Cloud (under the same Azure subscription of the Application Insights target resource) we started to get the following error:
Message: The provided credentials have insufficient access to perform the requested operation
Status: 403 (Forbidden)
ErrorCode: InsufficientAccessError
N.B.
Surprisingly we didn't find any thread explaining, step by step how to fix the problem with specific reference to the new Azure Monitor Query client library.
To fix the issue, we tried replacing the class DefaultAzureCredential with the class ClientSecretCredential generating and assigning it a new client secret.
Here are the details concerning the steps we followed to implement the ClientSecretCredentials.
In particular, we have:
Setup a new Azure AD Application.
Assigned it the required permissions ==> Data.Read (Read Log Analytics data - Granted from Admin).
Assinged to the Registered App (AAD Application) the Reader Role from the Application Insights Resource's Access control (IAM) section of the Azure Portal.
Created a new client secret for the AAD Application.
Created a new Azure Web API, on witch we Installed the Azure Monitor Query client library for .NET.
To retrive Logs data, we programmatically istantiated a new Azure.Identity.ClientSecretCredential object, assigning it the right tenantId, the client (application) ID of the AAD Application and the client secret previously generated for the App Registration.
In the Program.cs file of the web api we created a singleton instance of the class LogsQueryClient assigning it the above ClientSecretCredential object.
And finally we invoked the QueryWorkspaceAsync method of the class LogsQueryClient, passing it the WorkSpaceId of the Application Insights Resource (whom logs have to be read) and the query to retrive.
Unfortunately, replacing the class DefaultAzureCredential with ClientSecretCredential didn't work and the error message keeps to be the same.
N.B.
The AAD User Type of the user who: developed and released the web api, registered the new Azure AD Application and granted it the necessary permissions is "Member".
The above user, refers to the same tenant id as the resources he managed in the above steps (Web Api, AAD Application etc).
During the release process of the web api, a new API Management service was specifically created by the same user releasing the app.
Here are the code snippets:
Program.cs
builder.Services.AddAzureClients(builder =>
{
static LogsQueryClient func(LogsQueryClientOptions options)
{
options.Retry.Mode = Azure.Core.RetryMode.Exponential;
options.Retry.MaxRetries = 5;
var csc = new ClientSecretCredential(tenantId, clientId, clientSecret);
return new LogsQueryClient(csc, options);
}
builder.AddClient<LogsQueryClient, LogsQueryClientOptions>(func);
var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
builder.UseCredential(credentials);
});
Controller.cs (get logsQueryClient through dependency injection)
Response<LogsQueryResult> response = await logsQueryClient.QueryWorkspaceAsync(workSpaceId, query);
The provided credentials have insufficient access to perform the requested operation
The error clearly shows that it doesn't have a sufficient access to process the request.
To identify the new RBAC permission, Azure App Insights REST API takes an hour to sync with AAD and it throws Status 403 as error code without complete sync. Refer MS-DOC for related stuff
Basically, this error can happen when the user doesn't have access to authorize Access token with AAD
Provide the required access to the user which you want to authorize.
Make sure to check your request are valid before processing your APi request in Production Environment. (Token, GUID, etc.,).
Thanks for your appreciated help.
We finally managed to spot where the problem was.
After the point 3 listed in our original post:
<<Assign to the Registered App (AAD Application) the "Reader Role" for the Application Insights acting from the resource's Access control (IAM) section of the Azure Portal.>>
... We omitted to do the same thing for the Log Analytics workspace.
Each Application Insight resource refers infact to a specific Workspace.
For that reason, it is necessary to assign the same reader role to the Registered App also for the above workspace.
Log Analytics workspaces too have infact an Access control (IAM) section in the Azure Portal, just like the other resources.
Assigning this role to the AAD registered app the issue was fixed.
Connection works fine following this tutorial when using:
var connection = (SqlConnection)Database.GetDbConnection();
connection.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
But now the docs say "Microsoft.Azure.Services.AppAuthentication is no longer recommended"
So changing my connection as described in Using Azure Active Directory authentication with SqlClient I get the following errors:
Using Active Directory Integrated authentication
Integrated Windows Auth is not supported for managed users.
Using Active Directory Managed Identity authentication
Tried to get token using Managed Identity. Access token could not be acquired. A socket operation was attempted to an unreachable network. (169.254.169.254:80)
Nothing is blocking that address, but also where is it getting that IP from? The tutorial's code used https://database.windows.net/ to get the token (which resolves 65.55.23.107).
Can/should I override that address somewhere?
Any other config missing?
These auth ways apply to different scenarios, for example, if you want to use Active Directory Integrated authentication, you need to federate the on-premises AD with Azure AD via ADFS, if you want to use Active Directory Managed Identity authentication, you must run your code in an Azure service which supports MSI(need to enable MSI first), because the code essentially makes an API call to the azure instance metadata endpoint to get the access token, then use the token to auth, it is just available in the MSI-supported service.
So if you want to migrate the code from the old sdk to the new one, you need to choose the correct auth way that applies to your scenario. Here I recommend you to use the Active Directory Service Principal authentication, it can apply to any scenario, please follow the steps below.
1.Register an application with Azure AD and create a service principal.
2.Get values for signing in and create a new application secret.
3.Grant the permission to the service principal with CREATE USER [Azure_AD_Object] FROM EXTERNAL PROVIDER.
4.Then use the code here, fix the values with yours and got from step 2.
string ConnectionString = #"Server=demo.database.windows.net; Authentication=Active Directory Service Principal; Database=testdb; User Id=AppId; Password=secret";
using (SqlConnection conn = new SqlConnection(ConnectionString)) {
conn.Open();
}
Currently, I use Consul for storing App Settings and Configurations for ASP.NET Web application. But I got performance issue when every request need to query from Consul service.
I see Consul have watch feature in server but I did not know how to use it in Windows and how to announce Web Application know when key/value data change
As far as I know, watches allow you to invoke some handlers, which must be some executables. So you have to provide some API in your web-app to allow remotely call to reload configuration, for example, some kind of REST web service or something else, what can be called from outside.
Next you have to create some executable script on your agent's host and provide a logic to call this remote API of your web-app.
And finally you have to register a new watch, providing your script file as an executable.
How to prevent someone just taking my API keys from the client side javascript code and starting to use my HERE subscription for some other use.
I noticed HERE provide an option to secure the API keys for a certain domain on the applications management page: "Secure app credentials against a specific domain". I have set up this option and also put domain there but I do not see any change on my app behavior.
The application still continue working fine on my PC. Shouldn't the HERE API stop working as web server is running on localhost and not on the defined domain.
My app is running fully on browser, and only static files come from the server (http://localhost:8083/index.html). I am using the HERE javascript API.
I tested also running the app on external cloud service on different domain than localhost. Results are the same. My conclusion is that the setting "Secure app credentials against a specific domain" just has no impact and does not work. Checked also the api response headers and all origins are accepted.
Access-Control-Allow-Origin: *
In your HERE dashboard, you can set the application id and application code to only work on a particular domain or set of domains. If the tokens are fixed to a domain, it won't matter if someone takes your tokens because only the listed domains can use them. If you don't secure the tokens to a domain, then someone will be able to use your tokens if they find them.
I have an app buit with Firebase I want to deploy using Trigger.io.
In the App I'm using the auth.login('twitter') function.
What domain name shall I put in the Auth setting of my app?
Thanks a lot !
Following up on this thread in case anyone else is looking for the answer to this.
The OAuth-based authentication providers in Firebase Simple Login use pop-ups (via window.open(...) to initiate login flows, and window.postMessage to safely communicate between the two frames.
In order to enable these social, OAuth-based providers in Firebase Simple Login in the Trigger.io environment, there are a few steps:
Ensure you're loading the latest Firebase Simple Login client from the Firebase CDN, at https://cdn.firebase.com/v0/firebase-simple-login.js.
The Trigger.io environment support does not require an authorized domain configuration in Forge, but still will require that you configure your Facebook / Twitter / GitHub application to use the appropriate https://auth.firebase.com/auth/... redirect URL, as documented.
Ensure that any required Trigger.io JavaScript libraries are included (the forge global variable should be set in your application - test with console.log(forge) in your client code).
Lastly, and most important, the Trigger.io Tabs Module must be enabled in your application config.