Setting Up SonarQube in Azure with Azure AD Integration

Installing SonarQube

Go to the marketplace and install SonarQube from Bitnami – https://bitnami.com/stack/sonarqube/cloud/azure with the following:

  • resize to D1_v2
  • if desired, configure any NSG restrictions

After creation, set a DNS name label for the IP address.

Access using the domain name, and follow the directions in the link above to log in.

Setting up Azure AD Integration

Setting up HTTPS

To be able to use Azure AD, you have to use HTTPS.

Set up the Server base URL to be the configured HTTPS address in Administration → Configuration → General → Server base URL:

SSH into the server and set up a Let’s Encrypt script and enforce redirection to HTTPS here (make sure you aren’t behind a firewall to allow for Let’s Encrypt).

Restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache

Verify that trying to access the HTTP version of SonarQube automatically redirects you to the HTTPS version.

Creating App Registration in Azure

Run the following command in CLI to generate a service principal:

az ad sp create-for-rbac --name="{NAME}" --role="Contributor" --scope="/subscriptions/{SUBSCRIPTION_ID}" --years=100

You should receive some output data, which you will use when filling out info in SonarQube:

Set the Reply URL of the application to https://<URL>/oauth2/callback/aad:

Set the required permissions:

  • Sign in and read user profile
  • Read all users’ basic profiles

Installing Plug-in

Install the Azure Active Directory (AAD) Authentication Plug-in for SonarQube (restarting when requested):

Configure in Administration → General Settings → Azure Active Directory:

  1. Activate Azure AD
  2. Use the value in “appId”
  3. Use the value in “password”
  4. Use the value in “tenant”
  5. Allow users to sign-up.

Log out as admin, and verify the ability to log in as an Azure AD user.

Create Multiple Terraform Resources with a Map

I recently worked through a case in Terraform where I wanted to be able to pass in a map for Terraform to allow creating secrets in an Azure Key Vault. We’ll use the count, keys(, and values( helpers to iterate through the map.

This code sample will show a way to dynamically determine the amount of resources needed. In this case, this will create secrets based on the map provided in the Terraform variable:

variable "vault_secrets" {
  secret_name_1 = "secret_value_1"
  secret_name_2 = "secret_value_2"
  secret_name_3 = "secret_value_3"
}

resource "azurerm_key_vault" "vault" {
  name                = "example-vault"
  location            = "${var.rg_location}"
  resource_group_name = "${var.rg_name}"
  tenant_id           = "00000000-0000-0000-0000-000000000000"

  sku {
    name = "standard"
  }
}

resource "azurerm_key_vault_secret" "secret" {
  count = "${length(keys(var.vault_secrets))}"

  name         = "${element(keys(var.vault_secrets), count.index)}"
  value        = "${element(values(var.vault_secrets), count.index)}"
  key_vault_id = "${azurerm_key_vault.vault.id}"
}

Creating a nopCommerce Plugin in version 3.90 and below

I recently worked with a client using an older version of nopCommerce that needed to have a plugin made for functionality. In particular, this plugin integrates with updown.io to allow for turning checks on and off during scheduled maintenance.

To do this, you’ll need to have the nopCommerce source code available for use.

Creating the Plugin

To get started, create a Class Library in the Plugins folder:

  • Make sure to change the location to the plugin folder below the name.
  • Use naming convention Nop.Plugin.{category}.{name}
  • The categories you can use include:
    • ExternalAuth
    • Widgets
    • ExchangeRate
    • DiscountRules
    • Payments
    • Shipping
    • Tax
    • Misc

Next, go into properties and make sure your Target framework is .NET Framework 4,.5.1.

Next, change the output path for all configurations to deploy to:

..\..\Presentation\Nop.Web\Plugins\{group}.{name}\

This will build the output of the plugin into the Web project, which will ultimately deploy to the nopCommerce application.

After that, copy a web.config file from another plugin.

Next, create a Description.txt file with the following content:

Group: {group}
FriendlyName: {friendly name}
SystemName: {group}.{name}
Version: 0.1
SupportedVersions: {your version of nopCommerce}
Author: {you}
DisplayOrder: 1
FileName: Nop.Plugin.{group}.{name}.dll
Description: {a description}

Set both the web.config and Description.txt files to ‘Copy if newer’.

Finally, there is a Class.cs file that was created when creating the Class Library. Rename the file to {name}Plugin.cs and use the following code snippet:

public class YourPlugin : BasePlugin, IMiscPlugin
    {
        public void GetConfigurationRoute(out string actionName, out string controllerName, out RouteValueDictionary routeValues)
        {
            actionName = "Configure";
            controllerName = "Your";
            routeValues = new RouteValueDictionary()
            {
                { "Namespaces", "Nop.Plugin.Misc.Your.Controllers" },
                { "area", "" }
            };
        }
    }

Once this is done, you should be able to clean, build, and publish the project. Check the plugins list of the admin backend to see your plugin listed:

Just to ensure everything is working, go ahead and install the plugin. The plugin should install successfully, and the plugin will then be running on your site. You’re now ready to make changes to the plugin to modify NopCommerce capabilities.

Next Steps

After the initial plugin was created, next steps include:

  • Creating a logo named logo.png and upload it to the plugin. Set the image to ‘Copy if newer’ and size the image to around 50×50.
  • Set up a configuration page to allow for customizing data on the plugin (notice that for now, clicking on ‘Configure’ if applicable will crash the site.)

Reference: 
http://docs.nopcommerce.com/pages/viewpage.action?pageId=22675509

Setting up WordPress in Azure with SSL for ~$8 a Month

  • Basic plan (allowing for Always on and SSL): ~$50/month
  • MySQL for Azure: ~$25
  • With this solution, you will create everything on one virtual machine, allowing for dynamic scaling as needed for the machine. This does of course come with some downside:

    • You will need to handle backing up of both the files on the server and the data in the database.

    Creating the VM

    First, create the VM and Resource Group:

    • RG name: <app>-<env>-<location>-rg
    • VM name: <app>-<env>-<location>-vm
    • Image: Ubuntu 18.04 LTS
    • VM size: B1s
    • VNet name: <app>-<env>-<location>-vnet
    • Diagnostics Storage Account: <app><env><location>vmdiag
    • Allow Inbound Port Access for HTTP, HTTPS, SSH
    • Login access through Azure Active Directory

    Once the VM is created, access the NSG and add a restriction to IP to only allow your local IP to access:

    Access VM and Install LAMP Server

    Retrieve the public IP address and SSH into the server:

    ssh <user>@<public_ip>

    Install LAMP Server:

    sudo apt update && sudo apt install lamp-server^

    To ensure the installation happened successfully, run the following commands:

    apache2 -v
    mysql -V
    php -v

    Once LAMP server is installed, verify that you can connect to HTTP using the public IP address – you should see the Apache2 Ubuntu Default Page:

     

    Set up MySQL

    Once the web server is running, the next step is configuring MySQL. Run the following command, installing the Validate Password Plugin and using “Medium” policy:

    sudo mysql_secure_installation

    When installing, use medium strength, and default yes to all options except “Disallow root login remotely?” Generate a password.
    The next step is configuring access to MySQL through external servers (such as from a VPN). This assumes you’ll be using the NSG from Azure to restrict access based on desired IP addresses.
    Run a query to allow access:

    sudo mysql -u root -p
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION; FLUSH PRIVILEGES;

    Edit MySQL configuration:

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

    Comment out the line that says ‘bind-address’.
    After making that change, restart MySQL:

    sudo service mysql restart

    Finally, create an NSG rule that allows for external access to port 3306:

    Once the installation is done, let’s verify that the MySQL server can be accessed. I usually use MySQL Workbench and connect to the server using the following information:

    • Hostname: public IP

    After MySQL is set up, set up any database that may be needed.
    Here, you’ll want to set up the WordPress database server, whether you are starting fresh or migrating from an old instance.
    If running into an issue with packet size, run the following command in MySQL and restart:

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

    The final step is creating a DB user specifically for the WordPress installation – this use would only have access to the specific database that WordPress uses. Create a user with the following:

    • Allow access to the DB used for the WordPress installation.

    Installing WordPress

    After finishing setting up the LAMP server, next is installing WordPress. Assuming you’ve downloaded the source, you can use the following:

    scp -r .\wordpress-download\ vmadmin@YOUR_SERVER_IP:~

    Now you’ll need to SSH into the server and move the files into /var/www/html:

    sudo mv -v ~/wordpress-download/* /var/www/html/

    Before doing the 5-minute install, run the following to allow for Apache to have write permissions:
    Check the group that Apache is running under:

    cat /etc/apache2/apache2.conf | grep ^Group -B 2
    cat /etc/apache2/envvars | grep GROUP
    # Give that group access
    sudo chown -R www-data:www-data /var/www/html
    sudo find /var/www/html -type d -exec chmod 755 {} \;
    sudo find /var/www/html -type f -exec chmod 644 {} \;
    

    Now perform the 5-minute install to ensure everything is working, you can access the site using the IP address to ensure everything in place.
    While doing this, make sure you can do the following:

    • Configure Apache to use .htaccess files. Change the following in apache2.conf to change AllowOverride to All:
      • <Directory /var/www/>
          Options Indexes FollowSymLinks
          AllowOverride None
          Require all granted
        </Directory>
    • Access a page outside of the home page (sudo a2enmod rewrite && sudo systemctl restart apache2)
    • Upload a media file to test uploads

    Enabling Mail (using G Suite)

    First, set up DNS to use email. For this example, we are using Google Suite for email. Add the following 5 MX records:

    • Host: @
    • Records (priority-URL)
      • 1-ASPMX.L.GOOGLE.COM.
      • 5-ALT1.ASPMX.L.GOOGLE.COM.
      • 5-ALT2.ASPMX.L.GOOGLE.COM.
      • 10-ALT3.ASPMX.L.GOOGLE.COM.
      • 10-ALT4.ASPMX.L.GOOGLE.COM.

    Then, do the following:
    https://wpforms.com/how-to-securely-send-wordpress-emails-using-gmail-smtp/

    Setting up SSL

    Once the web server can be reached and LAMP is installed, the next step is securing the site using SSL. Run the following to enable SSL, enable the SSL site, and restart Apache:

    sudo a2enmod ssl
    sudo a2ensite default-ssl
    sudo systemctl reload apache2

    Once that’s done, access the public IP using HTTPS – you should get an insecure cert warning.
    Now that we’ve determined the port is listening, let’s set up Let’s Encrypt. Using CertBot usually makes this much easier. Since in this case, we’re using Apache and Ubuntu 18.04, we just need to populate those values and run the commands provided by CertBot:

    With these commands, you’ll also need to set up DNS for the domain to use. With the public IP address, create the following:

    • create an A record with the host as @ and the IP address as the web server IP address.

    After this finishes, run the CertBot job to create the certificate. After that finishes, allow for the ability to redirect to HTTPS using the CertBot plugin.
    Reference:

    ]]>

    Create a Java Web App with Spring Boot Starter, Gradle, and Azure Active Directory

    Working on a project that would eventually use Azure Active Directory for authentication, I wanted to use Microsoft’s guide to get started with an app that could authenticate. However, the guide is written using Maven – and in our case, we are using Gradle for builds across the ecosystem.

    I was able to mostly follow the guide provided, but ran into a gotcha – involving having to add a fixed dependency to get the system working. In addition, I added a secondary API endpoint to allow for testing both with and without group authentication.

    To get started, you’ll need the following:

    Create an App With Spring Initializr

    To get started, create an app at https://start.spring.io/ with the following information:

    • Project: Gradle
    • Project Metadata Artifact: oauth2-demo-gradle
    • Dependencies: Web, Security, Azure Active Directory

    After clicking ‘Generate Project’, a ZIP file will be created. Extract this file to someone on your local machine, as you’ll be configuring it later.

    Set Up Azure Active Directory

    After the app is created, the next step is setting up Azure Active Directory for authentication. Follow the Create Azure Active Directory instance section, taking note of the App Registration information provided.

    Once you get to the section involving configuration of the app, come back to this guide – you’ll make specific changes to make the testing experience both compatible with Gradle and a little more user-friendly.

    Configure and Compile the App

    Once Azure Active Directory is configured, open your Java IDE and import the build.gradle file as a project. After that’s done, there are a few files to configure/create.

    Add the following dependencies into the build.gradle file (notice the third dependency, if this one is not added, you’ll run into an exception when testing):

    implementation 'org.springframework.security:spring-security-oauth2-client'
    implementation 'org.springframework.security:spring-security-oauth2-jose'
    implementation 'com.nimbusds:oauth2-oidc-sdk:5.64.4'

    Edit /src/main/resources/application.properties to look like the following:

    # Specifies your Active Directory ID:
    azure.activedirectory.tenant-id=22222222-2222-2222-2222-222222222222
    
    # Specifies your App Registration's Application ID:
    spring.security.oauth2.client.registration.azure.client-id=11111111-1111-1111-1111-1111111111111111
    
    # Specifies your App Registration's secret key:
    spring.security.oauth2.client.registration.azure.client-secret=AbCdEfGhIjKlMnOpQrStUvWxYz==
    
    # Specifies the list of Active Directory groups to use for authorization:
    azure.activedirectory.active-directory-groups=Users

    Create a file called /controller/HelloController.java and add the following:

    package com.example.oauth2demogradle.controller;
    
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.access.prepost.PreAuthorize;
    
    @RestController
    public class HelloController {
        @Autowired
        @RequestMapping("/version")
        public String helloWorld() {
            return "Hello World! (no auth required)";
        }
    
        @Autowired
        @RequestMapping("/secure")
        public String helloWorldSecure() {
            return "Hello World! (authenticated in Azure AD)";
        }
    
        @Autowired
        @PreAuthorize("hasRole('bams-devops')")
        @RequestMapping("/secureByGroup")
        public String helloWorldByGroup() {
            return "Hello World! (pre-authorized via AD group)";
        }
    }

    Create another file called security/WebSecurityConfig.java and add the following:

    package com.example.oauth2demogradle.security;
    
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
    import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
    import org.springframework.security.oauth2.core.oidc.user.OidcUser;
    
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .antMatchers("/version").permitAll()
                    .anyRequest().authenticated()
                    .and()
                    .oauth2Login()
                    .userInfoEndpoint()
                    .oidcUserService(oidcUserService);
        }
    }

    Build and Verify App

    Now that the configuration is complete, next step is building and testing. Run the following Gradle commands (easy way to do this is through the IDE):

    clean
    build
    bootRun

    You should end up with a log like the following:

    Once this is confirmed, access http://localhost:8080/version. You should be able to access without logging into Azure.

    Next, check http://localhost:8080/secure. You should receive a request to log in to Azure services. Log in as the user created in the step above, and you should be able to get a Hello World message.

    Finally, confirm that the /secureByGroup endpoint is also working. This endpoint will verify the logged in user is part of a verified group.

    This code can be found at

    Reference: https://docs.microsoft.com/en-us/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory?view=azure-java-stable

    ]]>

    Setting up OpenVPN on Azure From Scratch

    Why do this? One of the major benefits being able to use the internet with a specified IP address. If you’re going to be working systems that whitelist specific IP addresses, you can use this solution to allow for access regardless of both machine and location.

    This guide assumes that you:

    • Have an Azure subscription in place.
    • Have a means of SSHing into a virtual machine, such as OpenSSH.

    Creating the Virtual Machine

    First, access the Azure Marketplace image for OpenVPN.

    Next, fill out the form to create a virtual machine with OpenVPN pre-installed. The following information

    Once you’re finished, it should look like this:

    After creating the virtual machine, access it via the Azure portal and take note of the Public IP address – you’ll use this to SSH into the server and complete the installation:

    Creating and Securing the Domain Using Let’s Encrypt

    You may want to run OpenVPN using a domain. You have two options:

    1. Use the domain provided by Azure.
    2. Add a CNAME record to a domain you already own.

    Access the Public IP and create a DNS name label.

    Verify you can access the OpenVPN server using the domain provided by Azure (making sure to use HTTPS).

    If desired, you can also create a subdomain (such as vpn.<your-domain>.com). Create a CNAME record that looks like the following:

    • Host: vpn
    • Value: use the Azure domain provided above.

    Let DNS propagate (might take a second), and try accessing with your own domain.

    Now, whether you use Azure’s domain or your own, the next step is to set up a certificate with Let’s Encrypt:

    SSH into the server using OpenSSH and the admin credentials created when creating the virtual machine:

    ssh <ADMIN_NAME>@<YOUR_DOMAIN_NAME>

    Use the CertBot site to generate instructions for installation, using the following commands for guidance (you are using ‘None of the above’ for the software)

    lsb_release -a #determine the OS

    Before starting, you will need to run the following to allow for DNS:

    echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf > /dev/null

    Run the commands provided by CertBot to obtain your cert (spin up a temporary webserver). When doing this, you will need to open Port 80 to allow Let’s Encrypt to connect.

    Verify that accessing the site using HTTPS will result in a secure connection.

    Running The OpenVPN Installation

    Once SSHed into the virtual machine, you’ll be asked to complete the OpenVPN installation. For most settings, you’ll just use default options. After the installation is complete, you’ll need to reset the admin password:

    sudo su -
    passwd openvpn

    Once this is done, verify the installation is complete and access the OpenVPN admin section at the following URL: https://<YOUR_PUBLIC_IP>/admin. Log in using the following credentials:

    • Username: openvpn
    • Password: the password generated in the step above.

    Once this is done, you’ll want to change the server name to the generated public IP address from Azure. Go to ‘Network Settings’ and change the IP address to reflect your public IP, alongside making the following changes:

    Setting up OpenVPN Connect

    To verify that VPN is working and that you can connect, access the URL https://<PUBLIC_IP>. Log in using the same credentials above and download the OpenVPN Connect application for your operating system.

    Once this is done, you can import the record from the server, and log in using the credentials provided above.

    Finally, you can verify everything is working by checking your IP again. If your IP address matches the VPN server, you’ve successfully set up the VPN!

    Next Steps

    • Remove SSH access to the server, requiring whitelisting again from Azure to allow for configuration.

    ]]>

    Upgrading Jenkins On Azure

    Jenkins Azure Marketplace to create the Jenkins instance.  This assumes you’ve already created a Jenkins virtual machine on Azure.  In addition, the initial set up should be complete.   If not, you can check out some more information within the Microsoft documentation.

    SSH into the Virtual Machine

    If you’ve been using this instance, you should be familiar with SSH forwarding and being able to access Jenkins using localhost.  If this is new, you can read this Jenkins article on the security setup for the Azure Jenkins Marketplace instance.
    Use this command in a command line interface to log in to your virtual machine:

    ssh -L 127.0.0.1:8080:localhost:8080 <username>@<domain_name>

    Replace the following:

    • Username – the server admin username created when creating the Azure VM.
    • Domain Name – the domain name to access the virtual machine.

    You’ll be asked for a password – use the password provided alongside the username when creating the virtual machine.
    After logging in you’ll see a screen like below.  This verifies you are connected to the virtual machine.
    logged into the virtual machine
    Access http://localhost:8080 and verify you can access the Jenkins interface:
    Jenkins interface via localhost

    Download Newest JAR

    After logging into the server, you’ll use the following command to download the latest version of Jenkins:

    sudo wget http://mirrors.jenkins-ci.org/war/latest/jenkins.war

    Assuming all is successful, you should see the following
    Downloaded newest Jenkins JAR
    After downloading the .war file, copy it to the Jenkins directory:

    sudo mv jenkins.war /usr/share/jenkins/jenkins.war

    (if you need to know the location of the WAR file on the server, you can check it in Manage Jenkins -> System Information)
    And finally, with the new .war in place, restart Jenkins:

    sudo systemctl restart jenkins

    Verification of the installation is simple. Access Jenkins and check the bottom right to see the updated version number:
    Checked for latest Jenkins installation

    Reference

    Upgrade Jenkins server to a new version
    https://wiki.jenkins.io/display/JENKINS/Automated+Upgrade]]>