.net 8 security #203

christiannagel · christiannagel · commit a44dd16e111d · 2025-02-09T14:28:30.000+01:00
diff --git a/2_Libs/Security/ASPNETCoreMVCSecurity/ASPNETCoreMVCSecurity.csproj b/2_Libs/Security/ASPNETCoreMVCSecurity/ASPNETCoreMVCSecurity.csproj
@@ -1,14 +1,11 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
-
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
-
   <ItemGroup>
-    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.3" />
-    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="7.0.0" />
+    <PackageReference Include="Microsoft.Data.SqlClient" Version="6.0.1" />
+    <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="8.0.7" />
   </ItemGroup>
-
-</Project>
+</Project>
diff --git a/2_Libs/Security/ASPNETCoreMVCSecurity/Controllers/HomeController.cs b/2_Libs/Security/ASPNETCoreMVCSecurity/Controllers/HomeController.cs
@@ -8,17 +8,8 @@
 
 namespace ASPNETCoreMVCSecurity.Controllers;
 
-public class HomeController : Controller
+public class HomeController(ILogger<HomeController> logger, IConfiguration configuration) : Controller
 {
-    private readonly ILogger<HomeController> _logger;
-    private readonly IConfiguration _settings;
-
-    public HomeController(ILogger<HomeController> logger, IConfiguration configuration)
-    {
-        _logger = logger;
-        _settings = configuration;
-    }
-
     public IActionResult Index() => View();
 
     public IActionResult Privacy() => View();
@@ -35,7 +26,7 @@ public IActionResult EchoWithView(string x)
 
     public IActionResult SqlSample(string id)
     {
-        string connectionString = _settings.GetConnectionString("InjectionConnection") ?? throw new InvalidOperationException("can't find InjectionConnection");
+        string connectionString = configuration.GetConnectionString("InjectionConnection") ?? throw new InvalidOperationException("can't find InjectionConnection");
         SqlConnection sqlConnection = new(connectionString);
         SqlCommand command = sqlConnection.CreateCommand();
 
diff --git a/2_Libs/Security/ASPNETCoreMVCSecurity/Models/Book.cs b/2_Libs/Security/ASPNETCoreMVCSecurity/Models/Book.cs
@@ -1,3 +1,3 @@
 ﻿namespace ASPNETCoreMVCSecurity.Models;
 
-public record Book(string Title, string? Publisher);
+public record class Book(string Title, string? Publisher);
diff --git a/2_Libs/Security/HackingSite/HackingSite.csproj b/2_Libs/Security/HackingSite/HackingSite.csproj
@@ -1,9 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
-
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
-
-</Project>
+</Project>
diff --git a/2_Libs/Security/IdentitySample/IdentitySample.csproj b/2_Libs/Security/IdentitySample/IdentitySample.csproj
@@ -2,15 +2,15 @@
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
     <UserSecretsId>1dd61b86-5b54-4a6a-bed2-fefbe07d2273</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Hosting" Version="7.0.0" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" />
+    <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.68.0" />
   </ItemGroup>
 
 </Project>
diff --git a/2_Libs/Security/SecureTransfer/AliceRunner.cs b/2_Libs/Security/SecureTransfer/AliceRunner.cs
@@ -26,7 +26,7 @@
         aes.GenerateIV();
         using ICryptoTransform encryptor = aes.CreateEncryptor();
         using MemoryStream ms = new();
-        using (CryptoStream cs = new(ms, encryptor, CryptoStreamMode.Write))
+        using (CryptoStream cs = new(ms, encryptor, CryptoStreamMode.Write, leaveOpen: true))
         {
             await cs.WriteAsync(plainData.AsMemory());
         } // need to close the CryptoStream before using the MemoryStream
diff --git a/2_Libs/Security/SecureTransfer/SecureTransfer.csproj b/2_Libs/Security/SecureTransfer/SecureTransfer.csproj
@@ -9,7 +9,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
   </ItemGroup>
 
 </Project>
diff --git a/2_Libs/Security/SigningDemo/AliceRunner.cs b/2_Libs/Security/SigningDemo/AliceRunner.cs
@@ -9,7 +9,7 @@
 
     public (byte[] Data, byte[] Sign) GetDocumentAndSignature()
     {
-        _logger.LogInformation($"Using this ECDsa class: {_signAlgorithm.GetType().Name}");
+        _logger.LogInformation("Using this ECDsa class: {Type}", _signAlgorithm.GetType().Name);
 
         byte[] aliceData = Encoding.UTF8.GetBytes("I'm Alice");
         byte[] aliceDataSignature = _signAlgorithm.SignData(aliceData, HashAlgorithmName.SHA512);
diff --git a/2_Libs/Security/SigningDemo/SigningDemo.csproj b/2_Libs/Security/SigningDemo/SigningDemo.csproj
@@ -8,7 +8,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
   </ItemGroup>
 
 </Project>
diff --git a/2_Libs/Security/WebAppWithADSample/Pages/Index.cshtml.cs b/2_Libs/Security/WebAppWithADSample/Pages/Index.cshtml.cs
@@ -2,12 +2,8 @@
 
 namespace WebAppWithADSample.Pages;
 
-public class IndexModel : PageModel
+public class IndexModel(ILogger<IndexModel> logger) : PageModel
 {
-    private readonly ILogger<IndexModel> _logger;
-
-    public IndexModel(ILogger<IndexModel> logger) => _logger = logger;
-
     public void OnGet()
     {
 
diff --git a/2_Libs/Security/WebAppWithADSample/Program.cs b/2_Libs/Security/WebAppWithADSample/Program.cs
@@ -1,16 +1,52 @@
-namespace WebAppWithADSample;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Identity.Web;
+using Microsoft.Identity.Web.UI;
 
-public class Program
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
+    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
+
+builder.Services.AddAuthorization(options =>
 {
-    public static void Main(string[] args)
+    options.AddPolicy("Developers", policy =>
     {
-        CreateHostBuilder(args).Build().Run();
-    }
-
-    public static IHostBuilder CreateHostBuilder(string[] args) =>
-        Host.CreateDefaultBuilder(args)
-            .ConfigureWebHostDefaults(webBuilder =>
-            {
-                webBuilder.UseStartup<Startup>();
-            });
+        policy.RequireRole("DevGroup");
+    });
+    options.AddPolicy("Employees", policy =>
+    {
+        policy.RequireClaim("EmployeeNumber");
+    });
+    // By default, all incoming requests will be authorized according to the default policy
+    options.FallbackPolicy = options.DefaultPolicy;
+});
+
+builder.Services.AddRazorPages()
+    .AddMvcOptions(options => { })
+    .AddMicrosoftIdentityUI();
+
+var app = builder.Build();
+
+if (app.Environment.IsDevelopment())
+{
+    app.UseDeveloperExceptionPage();
 }
+else
+{
+    app.UseExceptionHandler("/Error");
+    // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
+    app.UseHsts();
+}
+
+app.UseHttpsRedirection();
+app.UseStaticFiles();
+
+app.UseRouting();
+
+app.UseAuthentication();
+app.UseAuthorization();
+
+app.MapRazorPages();
+app.MapControllers();
+
+app.Run();
diff --git a/2_Libs/Security/WebAppWithADSample/Startup.cs b/2_Libs/Security/WebAppWithADSample/Startup.cs
diff --git a/2_Libs/Security/WebAppWithADSample/WebAppWithADSample.csproj b/2_Libs/Security/WebAppWithADSample/WebAppWithADSample.csproj
@@ -1,17 +1,14 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
-
   <PropertyGroup>
-    <TargetFramework>net7.0</TargetFramework>
+    <TargetFramework>net8.0</TargetFramework>
     <UserSecretsId>aspnet-WebAppWithADSample-D3F1D045-6494-4AF9-ABF2-19D69C600B1D</UserSecretsId>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
   </PropertyGroup>
-
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="7.0.0" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="7.0.0" NoWarn="NU1605" />
-    <PackageReference Include="Microsoft.Identity.Web" Version="1.25.5" />
-    <PackageReference Include="Microsoft.Identity.Web.UI" Version="1.25.5" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.12" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.12" NoWarn="NU1605" />
+    <PackageReference Include="Microsoft.Identity.Web" Version="3.7.0" />
+    <PackageReference Include="Microsoft.Identity.Web.UI" Version="3.7.0" />
   </ItemGroup>
-
-</Project>
+</Project>
diff --git a/2_Libs/Security/X509CertificateSample/KeyVaultService.cs b/2_Libs/Security/X509CertificateSample/KeyVaultService.cs
@@ -34,7 +34,7 @@ public KeyVaultService(IConfiguration configuration, ILogger<KeyVaultService> lo
         _vaultUri = configuration["VaultUri"] ?? throw new InvalidOperationException("VaultUri configuration missing");
         _logger = logger;
         _azureEventSourceListener = new AzureEventSourceListener((eventArgs, message) 
-            => _logger.Log(eventArgs.Level.ToLogLevel(), message), EventLevel.Verbose);
+            => _logger.Log(eventArgs.Level.ToLogLevel(), "{Message}", message), EventLevel.Verbose);
     }
 
     public void Dispose()
diff --git a/2_Libs/Security/X509CertificateSample/X509CertificateSample.csproj b/2_Libs/Security/X509CertificateSample/X509CertificateSample.csproj
@@ -8,10 +8,10 @@
 	</PropertyGroup>
 
 	<ItemGroup>
-		<PackageReference Include="Azure.Identity" Version="1.11.4" />
-		<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.5.1" />
-		<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
-		<PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.0" />
+		<PackageReference Include="Azure.Identity" Version="1.13.2" />
+		<PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.7.0" />
+		<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.7.0" />
+		<PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
 	</ItemGroup>
 
 	<ItemGroup>

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`namespace ASPNETCoreMVCSecurity.Models;`
`2`	`2`
`3`		`-public record Book(string Title, string? Publisher);`
	`3`	`+public record class Book(string Title, string? Publisher);`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@`
`26`	`26`	`aes.GenerateIV();`
`27`	`27`	`using ICryptoTransform encryptor = aes.CreateEncryptor();`
`28`	`28`	`using MemoryStream ms = new();`
`29`		`- using (CryptoStream cs = new(ms, encryptor, CryptoStreamMode.Write))`
	`29`	`+ using (CryptoStream cs = new(ms, encryptor, CryptoStreamMode.Write, leaveOpen: true))`
`30`	`30`	`{`
`31`	`31`	`await cs.WriteAsync(plainData.AsMemory());`
`32`	`32`	`} // need to close the CryptoStream before using the MemoryStream`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`
`10`	`10`	`public (byte[] Data, byte[] Sign) GetDocumentAndSignature()`
`11`	`11`	`{`
`12`		`- _logger.LogInformation($"Using this ECDsa class: {_signAlgorithm.GetType().Name}");`
	`12`	`+ _logger.LogInformation("Using this ECDsa class: {Type}", _signAlgorithm.GetType().Name);`
`13`	`13`
`14`	`14`	`byte[] aliceData = Encoding.UTF8.GetBytes("I'm Alice");`
`15`	`15`	`byte[] aliceDataSignature = _signAlgorithm.SignData(aliceData, HashAlgorithmName.SHA512);`
Original file line number	Diff line number	Diff line change
`@@ -2,12 +2,8 @@`
`2`	`2`
`3`	`3`	`namespace WebAppWithADSample.Pages;`
`4`	`4`
`5`		`-public class IndexModel : PageModel`
	`5`	`+public class IndexModel(ILogger<IndexModel> logger) : PageModel`
`6`	`6`	`{`
`7`		`- private readonly ILogger<IndexModel> _logger;`
`8`		`-`
`9`		`- public IndexModel(ILogger<IndexModel> logger) => _logger = logger;`
`10`		`-`
`11`	`7`	`public void OnGet()`
`12`	`8`	`{`
`13`	`9`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ public KeyVaultService(IConfiguration configuration, ILogger<KeyVaultService> lo`
`34`	`34`	`_vaultUri = configuration["VaultUri"] ?? throw new InvalidOperationException("VaultUri configuration missing");`
`35`	`35`	`_logger = logger;`
`36`	`36`	`_azureEventSourceListener = new AzureEventSourceListener((eventArgs, message)`
`37`		`- => _logger.Log(eventArgs.Level.ToLogLevel(), message), EventLevel.Verbose);`
	`37`	`+ => _logger.Log(eventArgs.Level.ToLogLevel(), "{Message}", message), EventLevel.Verbose);`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`public void Dispose()`