F# Weekly #46, 2019 – F# 4.7 docs update and new FSCS & Ionide

Welcome to F# Weekly,
A roundup of F# content from this past week:

News

Videos & Slides

Blogs

F# vNext

New Releases

That’s all for now. Have a great week.

Previous F# Weekly edition – #45, 2019

F# Weekly #45, 2019 – #FsAdvent, .NET Jupyter Notebooks, ML.NET 1.4, MS Ignite Videos

Welcome to F# Weekly,
A roundup of F# content from this past week:

News

Videos & Slides

Microsoft Ignite Videos

Blogs

F# vNext

GitHub projects

New Releases

That’s all for now. Have a great week.

Previous F# Weekly edition – #44, 2019

F# Advent Calendar in English 2019

Update 2019/11/14: As in the previous year, we will offer extra slots again. We will start with slots for the [Dec 18 – Dec 24] week, and when they are filled I will add slots for [Dec 11 – Dec 17], then for [Dec 1 – Dec 10] and finally [Dec 25 – Dec 31].

F# Advent Calendar is a long tradition in the F# community that became an inspiration for the C# Advent Calendar and for the Q# Advent Calendar.

Advent 2019 is coming, this year we have 56 free slots. Please join, reserve a slot and spread your thoughts and love to F# with the community.

This year I completely forgot to celebrate the 7th birthday of F# Weekly. The very first F# Weekly #43, 2012 was published on 29/10/2012. Since then every 43rd edition has been an anniversary edition. Please help me celebrate the date – book your slot in #FsAdvent and deliver your post in time!

Join F# Advent Calendar today!

Rules

  1. Choose an F#-related topic for your blog post and reserve the slot on Twitter or leave a comment on this post. Please note that you do not have to announce the topic until the date (but you can).
  2. Prepare a blog post in English.
  3. Publish your post on a specified date (according to the calendar).
  4. Post the link to your post on Twitter with hashtags #fsharp and #FsAdvent.

Calendar

ID Date Author Post Title
#01 Dec 01 (Sun) Nick Blair A functional wrapper around the .net AWS DynamoDB SDK
#02 Dec 01 (Sun) Santa Brings Cloud to Every Developer
#03 Dec 02 (Mon) Steffen Forkmann Announcing Paket 6 alpha
#04 Dec 02 (Mon) Refactoring registration flow to functional architecture
#05 Dec 03 (Tue) Web Crawling Using F#
#06 Dec 03 (Tue) Jonas Juselius AzureAd Authentication with F#
#07 Dec 04 (Wed) Andrew Meier Functional Agent
#08 Dec 04 (Wed) Mathias Brandewinder Santa’s Mailbox
#09 Dec 05 (Thu) Dependency Injection in F# Web APIs
#10 Dec 05 (Thu) Reliability with Intents
#11 Dec 06 (Fri) Peder Klokmose Sørensen Formatting F# Interactive Output
#12 Dec 06 (Fri) Solving reverse polish notation equations in WebAssembly using F#
#13 Dec 07 (Sat)
#14 Dec 07 (Sat) Building custom fibers library in F#
#15 Dec 08 (Sun) FSharp noob’s 4 minute overview of development test workflows
#16 Dec 08 (Sun) Introduction to types – how to program safely from one checkpoint to another
#17 Dec 09 (Mon) John Azariah Lego, Railway Tracks and Origami – Post 1
#18 Dec 09 (Mon) Ian Russell Functional Validation in F# using Applicatives
#19 Dec 10 (Tue) Florian Verdonck Using Create React App with Fable
#20 Dec 10 (Tue) Finding Bacon Numbers using Azure Cosmos DB and F#
#21 Dec 11 (Wed) Tim Forkmann Keep track of your Christmas present production with Chia and Azure Event Hubs
#22 Dec 11 (Wed) Creating a Lego Mindstorms DSL in F#
#23 Dec 12 (Thu) Active Parsers
#24 Dec 12 (Thu) Joe Tremblay A Journey Towards Functional Programming
#25 Dec 13 (Fri) Dave Curylo Azure Alerts to Slack with F#
#26 Dec 13 (Fri) Full F# Blog – Part 3
#27 Dec 14 (Sat) Krzysztof Madej DB deployments with FAKE tool
#28 Dec 14 (Sat) Tom Dodson [cancelled]
extra Dec 14 (Sat) Isaac Abraham Announcing a VS Code and Ionide video series
#29 Dec 15 (Sun) Matt Eland A .NET Manager’s Perspective on F#
#30 Dec 15 (Sun) Kai Ito Type safe SQL Queries using Rezoom.SQL
extra Dec 15 (Sun) Tonino Lucca Transport Tycoon DDD exercises
#31 Dec 16 (Mon) Kevin Avignon Experiments and Adventures in 2019 with F#
#32 Dec 16 (Mon) Mark Pattison Fable Reversi
extra Dec 16 (Mon) Chris Roff Functional BDD Part 2: The Gherkin Type Provider
#33 Dec 17 (Tue) Kunjan Dalal F# on Jupyter
#34 Dec 17 (Tue) Loïc Denuzière Managing page-specific models in Elmish
extra Dec 17 (Tue) Advanced F# Interop
#35 Dec 18 (Wed) Mark Allibone Creating a Fabulous Xamarin app on a budget using F# Data
#36 Dec 18 (Wed)
extra Dec 18 (Wed) dotnetlinux (a bad named repo…)
#37 Dec 19 (Thu) Reed Copsey, Jr. F# Basics – From loops to folds
#38 Dec 19 (Thu) ValidationBlocks
extra Dec 19 (Thu) Use machine learning to categorize web links with F# and ML.NET
#39 Dec 20 (Fri) Scott Wlaschin Against Railway-Oriented Programming
#40 Dec 20 (Fri) Evgeniy Andreev [may be delayed]
extra Dec 20 (Fri) Introduction to F# Type Providers
#41 Dec 21 (Sat) Timothé Larivière How to become a Fabulous developer
#42 Dec 21 (Sat) Riccardo Terrell Distributed Fractal Image processing with Akka.Net Clustering and Docker
extra Dec 21 (Sat) [delayed]
#43 Dec 22 (Sun) Dave Shaw Xmas List Parser
#44 Dec 22 (Sun) Eriawan Kusumawardho Revisiting Windows Forms and WPF in F# on .NET Core 3.1
extra Dec 22 (Sun) Paweł Stadnicki [delayed]
#45 Dec 23 (Mon) @TeaDrivenDev Paying It F#rward
#46 Dec 23 (Mon) Building a Simple Recommendation System in FSharp
extra Dec 23 (Mon) Use the F#orce
#47 Dec 24 (Tue) David Nazarov [delayed]
#48 Dec 24 (Tue) F# metablogging: introducing BlogEngine for your static markdown-based F# blog
extra Dec 24 (Tue) Using FAKE in a Build Server
#49 Dec 25 (Wed) Elliott V. Brown Dawn of the F# Domain Types
extra Dec 25 (Wed) Chester Burbidge Automating .net library versioning – Syntactic Versioning
#50 Dec 26 (Thu) Ronald Schlenker Jingle Bells: Music in F#
#51 Dec 27 (Fri) Steve Smock Getting Scores and Runners-Up in ML.NET Multiclass Applications
#52 Dec 28 (Sat) Fun with Languages and Pattern Matching!
#53 Dec 29 (Sun) Roman Sachse Getting rid of null – Is Maybe an Option Episode 1/3
#54 Dec 30 (Mon) Michael Kohl Learning F# — Writing A Ray Tracer
#55 Dec 31 (Tue) Brett Rowberry My F# Path Continues
#56 Jan 01 (Wed) FSSF Welcome to 2020!

 

F# Weekly #44, 2019 – Oryx, FSharp.JsonApi and major Fabulous update

Welcome to F# Weekly,
A roundup of F# content from this past week:

News

Videos & Slides

Blogs

F# vNext

GitHub projects

New Releases

That’s all for now. Have a great week.

Previous F# Weekly edition – #43, 2019

F# Weekly #43, 2019 – New Rider EAP and F# eXchange CFP

Welcome to F# Weekly,
A roundup of F# content from this past week:

News

Videos & Slides

Blogs

F# vNext

GitHub projects

New Releases

That’s all for now. Have a great week.

Previous F# Weekly edition – #42, 2019

F# Weekly #42, 2019 – Fantomas 3.0 and Saturn with Giraffe 4.0

Welcome to F# Weekly,
A roundup of F# content from this past week:

News

Videos & Slides

Blogs

F# vNext

GitHub projects

New Releases

That’s all for now. Have a great week.

Previous F# Weekly edition – #41, 2019

F# Weekly #41, 2019 – CapitolFSharp CFP & Mono 6.4.0

Welcome to F# Weekly,
A roundup of F# content from this past week:

News

Videos & Slides

Blogs

F# vNext

GitHub projects

  • Feliz – A fresh retake of the base React DSL to build React applications, optimized for happiness
  • Oldpug/Bfi – Optimizing Brainfuck interpreter

New Releases

That’s all for now. Have a great week.

Previous F# Weekly edition – #40, 2019

HashiCorp Vault and TLS Certificate Authentication for .NET Applications (Comprehensive guide)

HashiCorp Vault is a tool for secrets management, encryption as a service, and privileged access management. It is quite popular nowadays, especially if you own your own infrastructure, private cloud or just cannot store your secrets using Key Vault services provided by Azure/AWS/GCP.

I assume that you already have an instance of HashiCorp Vault up and running; otherwise you may install one using the official Installing Vault guide.

Why TLS certificate authentication?

Vault supports many Auth Methods. But what if you are still deploying your app on plain old Windows Server VMs or developing a SharePoint application (like I am 😝)?

The challenge in this case is that you have to authenticate to Vault in order to get a secret. This means that we need to choose an auth method that protects our auth secrets from any IT guys who happen to log in on the VM (or from malicious code that may find them on the file system).

TLS Certificate Auth is a good candidate, because we can install the certificate into the Windows certificate store, protect the private key (mark it as non-exportable) and even specify the list of service accounts allowed to use this certificate for authentication.

TLS certificate generation

I will be using ssh command on my macOS for certificate generation and Vault configuration, but you can certainly repeat the same steps from Windows.

For our needs we will use self-signed certificate. You can generate one using OpenSSL. If you do not have OpenSSL installed, you can install from Homebrew.

brew install openssl

First of all we generate the private key (it is highly sensitive, do not share it).

openssl genrsa 2048 > vault_private.pem

Then we generate the public part of the key, a self-signed X.509 certificate in .pem format (the .pem file will be uploaded to Vault for client validation during authentication).

openssl req -x509 -new -key vault_private.pem -out vault_public.pem -days 365

Answer all questions properly; it will help you identify this certificate in the future (I’ve created a certificate that is valid for 365 days, but you should follow the security standards defined in your company).

Note: Common Name cannot be empty, otherwise you will not be able to use this certificate to retrieve the secret (Vault returns a ‘missing name in alias’ error). Thank you, Vadzim Makarchyk, for this note.

The final step is to archive both parts in .pfx format (the .pfx file will be deployed into the Windows Server certificate store on all machines from which our code should have access to Vault).

openssl pkcs12 -export -in vault_public.pem -inkey vault_private.pem -out vault.pfx


Remember the password entered during *.pfx creation; you’re gonna need it every time you decide to install it on a Windows machine.

Vault configuration

In order to configure HashiCorp Vault we will use the Vault CLI, which can be installed from Homebrew on macOS.

brew install vault

Vault CLI uses environment variables for configuration. My Vault server is hosted on a different machine, so I need to provide the server URL.

VAULT_ADDR=https://my.server.com:8200

export VAULT_ADDR

I use the Enterprise version of Vault, which is shared by several teams; that is why I also specify a namespace (aka a folder for my secrets).

VAULT_NAMESPACE=dev/my-team

export VAULT_NAMESPACE

I am too lazy to properly set up certificates for Vault CLI, that is why I skip certificate validation (never repeat it in production 😉).

VAULT_SKIP_VERIFY=true

export VAULT_SKIP_VERIFY

We are almost ready to log in. The easiest option is to log in using the Web UI and then reuse the issued token in the terminal. Log in using your favorite browser, pass authentication and copy the token to the clipboard.

vault login s.fJTY5S51oIfXKnBAG3Qq5eWp.9GKyY

That is it! The token is saved into ~/.vault-token and the CLI is ready to use!

Key/Value secret engine creation

Vault supports multiple Secret Engines, but for our demo we create a simple Key/Value storage for secrets (for example, to store logins and passwords).

vault secrets enable -path=kv kv

This command enables the key/value engine (V1) and names it kv (the -path param).

NOTE: The kv secrets engine has two versions: kv and kv-v2. To enable the versioned kv secrets engine, pass kv-v2 instead.

Engine is ready, but it is empty – let’s fix it.

vault write kv/my-secret value="s3c(eT"

This command creates the my-secret secret inside the kv secret engine and stores one key/value pair inside it: value="s3c(eT".

ACL Policy creation

The secret engine is secured: nobody (except you, the admin) has access to the secrets. We need to create rules (a policy) that define what access we want to provide. Create a new file policy-file.hcl and put the following content inside.

path "kv/*" {
  capabilities = ["read", "list"]
}

This policy allows reading and listing all secrets inside the kv secret engine. All users with this policy will be able to read secrets from our engine. Read more about policies.

Write this policy to the server (and name it policy-name):

vault policy write policy-name policy-file.hcl

TLS Certificates – Auth Method

The last step is to assign this policy. We want to assign it to all clients that authenticate to Vault using the TLS certificate we created earlier.

First of all we need to enable certificate authentication in our namespace

vault auth enable cert

and create a certificate auth entry in Vault (name it app), assign policy-name to it and upload the public part of the generated key (vault_public.pem)

vault write auth/cert/certs/app policies=policy-name certificate=@vault_public.pem

That is it! Vault is configured and waiting for the first connection.

TLS certificate deployment

With a TLS certificate we can deploy it to the specific set of machines that should have access to Vault and then specify which accounts (on these machines) may use it for authentication.

If you are lucky enough to have an automated deployment, you can add one more build step to your deployment process that ensures the certificate is provisioned on all target machines. Octopus Deploy is one such tool that provides a built-in template for certificate provisioning. (BTW, it is free for small teams starting from Sept 2, 2019)

On the screenshot you see the step that imports the certificate on all target machines with the tag SharePoint (in my case) into the My/Personal store of the LocalMachine certificate store, marks the private key as not exportable and provides access to the private key to 2 service accounts.

If your deployment is not automated, you may script the same steps using PowerShell and run it on all machines.

If you are brave, you can even click through it manually! 🙈

  1. Double click on the vault.pfx file and choose the LocalMachine store location.
  2. Click Next, Next, type the password used during *.pfx creation and click Next again.
  3. Choose the Personal certificate store.
  4. Click Next, Finish, OK – your certificate is in the store!
  5. Execute mmc (Microsoft Management Console) from the start menu.
  6. File -> Add/Remove Snap-in …
  7. Certificate, Add, Computer account and click Next & Ok
  8. Find our certificate and click Manage Private Keys…
  9. On this screen you can manage the list of accounts that will be able to use this certificate for authentication on the current machine.
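One way to script the manual import and Manage Private Keys steps above in PowerShell, as an added example that is not from the original post. The .pfx path and the two service account names are placeholders, and the script assumes an elevated session on the target machine.

```powershell
# Added example: import vault.pfx with a non-exportable key and grant key access.
param(
    [string]   $PfxPath  = 'C:\deploy\vault.pfx',                     # placeholder path
    [string[]] $Accounts = @('CONTOSO\svc-app', 'CONTOSO\svc-timer')  # placeholder accounts
)

$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Omitting -Exportable imports the private key as non-exportable.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $password `
            -CertStoreLocation 'Cert:\LocalMachine\My'

# Find the container file that backs the private key (CNG or legacy CSP).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
             "$env:ProgramData\Microsoft\Crypto\Keys\$keyName") |
           Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file for $($cert.Thumbprint) not found" }

# Grant read access on the private key to the listed service accounts only.
$acl = Get-Acl -Path $keyFile
foreach ($account in $Accounts) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyFile -AclObject $acl

# Print the resulting ACL so the deployment log shows who can use the key.
"Imported $($cert.Subject) [$($cert.Thumbprint)], expires $($cert.NotAfter)"
(Get-Acl -Path $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Delete the .pfx file from the target machine once the import has succeeded, since it still contains an exportable copy of the private key.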

.NET client application

Vault is ready, the machine is ready (the service account / current user is allowed to use the certificate from the LocalMachine/Personal store). A few lines of code separate us from success 😊.

I will use the VaultSharp NuGet package. It is more or less up to date, it supports the namespaces feature, and starting from the next release usage of namespaces will become even more intuitive.

VaultSecretProvider finds the X509 certificate in StoreName.My / StoreLocation.LocalMachine, then creates a CertAuthMethodInfo from the certificate and a VaultClient that adds the X-Vault-Namespace header, set to the vaultNamespace name, to each request.

Using the configured instance of VaultClient we can request our secret from Vault by calling _vaultClient.V1.Secrets.KeyValue.V1.ReadSecretAsync(path, mountPoint), specifying the path to the secret and the mountPoint (name of the secret engine).

We are ready to call and receive secrets.
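A post-deployment check of the same path the client depends on, written directly against Vault's HTTP API in PowerShell; this is an added example, not the author's VaultSecretProvider code. The address, namespace, app entry, kv mount and my-secret follow the article, the thumbprint is a placeholder, and the Vault server's own TLS certificate is assumed to be trusted by the machine.

```powershell
# Added example: run as the service account to prove it can use the certificate.
$vaultAddr  = 'https://my.server.com:8200'
$namespace  = 'dev/my-team'
$thumbprint = '<THUMBPRINT-OF-VAULT-CERT>'   # placeholder

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Local checks first: certificate present, key attached, CN set, not about to expire.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey)      { throw 'Certificate has no private key in this store' }
if ($cert.Subject -notmatch 'CN=\S') { throw 'Common Name is empty; Vault rejects the alias' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the rotation"
}

$headers = @{ 'X-Vault-Namespace' = $namespace }

# 1. TLS certificate login. This fails during the handshake when the current
#    account has no read access to the private key.
$login = Invoke-RestMethod -Method Post -Uri "$vaultAddr/v1/auth/cert/login" `
            -Certificate $cert -Headers $headers `
            -Body (@{ name = 'app' } | ConvertTo-Json) -ContentType 'application/json'

# 2. Read the KV v1 secret with the issued token.
$headers['X-Vault-Token'] = $login.auth.client_token
$secret = Invoke-RestMethod -Method Get -Uri "$vaultAddr/v1/kv/my-secret" -Headers $headers

# Report policies and key names only; never write the secret value to a log.
"Token policies: $($login.auth.policies -join ', ')"
"Keys in kv/my-secret: $($secret.data.PSObject.Properties.Name -join ', ')"
```

Running it under an account that was not added in Manage Private Keys should fail at step 1, which confirms the private key ACL is doing its job.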

Conclusion

Wow, this became a long read, but I hope it was a good one.

TLS certificate authentication in Vault is a good option for apps that use the full .NET Framework and run inside Windows Server VMs.

Just do not forget to renew/replace certificates regularly.

F# Weekly #40, 2019 – Giraffe 4.0, F# 4.7 in Fable REPL, Try-Convert and new FSAC!

Welcome to F# Weekly,
A roundup of F# content from this past week:

News

Videos & Slides

Blogs

F# vNext

GitHub projects

New Releases

That’s all for now. Have a great week.

Previous F# Weekly edition – #39, 2019