MSBuild is supposed to be powerful. However, its integration into Visual Studio does not seem intuitive. Sometimes, changing the simplest things—like the text that shows up on the opening screen of the install—seems to be challenging.
MSBuild has a lot of potential, but I think its integration in .NET is confusing. However, adding custom actions lets you do just about anything you want to do. One of the things that you might want to do is let the user define the database connection, and if you are security conscious—and we all should be—you might want to encrypt that connection string. In this article, you will define a setup project with a custom action that lets the user define the connection string using the Data Links dialog and encrypts that connection string using RSA encryption.
Creating a Simple Database Project
Listing 1: A sample application that tests the correct deployment of the encrypted connection string.
    Imports System.Data
    Imports System.Data.SqlClient
    Imports System.Configuration

    Module Module1

        Sub Main()
            ' Read the connection string from the application settings.
            Using connection As _
                New SqlConnection(My.MySettings.Default.MyConnectionString)
                connection.Open()
                ' Echo the connection string and whether the connection opened.
                Console.WriteLine(connection.ConnectionString)
                Console.WriteLine(connection.State = ConnectionState.Open)
                Console.ReadLine()
            End Using ' Dispose closes the connection.
        End Sub

    End Module
Adding an Application Connection String
You can use the Visual Studio properties editor to define the connection string referred to in Listing 1 as My.MySettings.Default.MyConnectionString. The connection string property referred to in the sample application is the same value you want to write in the setup project. To add a connection string in the settings editor (shown in Figure 1), follow these steps:
- Click the Project|appname Properties menu item.
- Click the Settings tab (see Figure 1).
- In the Name field type "MyConnectionString".
- In the Type column select "(Connection string)".
- In the Scope column, select Application.
- In the Value column, click the button with the ellipsis and use the Connection Properties dialog (see Figure 2) to define the connection string.
Figure 1: Use the Settings tab to define a connection string.
Figure 2: The Connection Properties dialog supports defining a connection string.
Reading the Connection String from MySettings
When you set a connection string in the Properties|Settings tab, you can read this value with My.MySettings.Default.settingsname. In the example, the settingsname part is the value provided, MyConnectionString. (Refer to Listing 1 for an example that demonstrates using the My feature and accessing connection strings.)
Connecting to a Database
The Using statement is syntactic sugar for the Try...Finally block. (Sugar in moderation is good.) The Using clause is designed to invoke Dispose on classes that implement IDisposable. In the case of the SqlConnection class, the Dispose method closes an open connection. Refer to Listing 1 for an example of the Using statement.
Implementing a Custom Action
A custom action is a class that inherits from the System.Configuration.Install.Installer class. Because an installer is just a class, you can define any behaviour your solution requires. In the example, you will run the Data Links dialog to help configure the connection string. You'll remove the provider clause from the connection string, and you'll use .NET's built-in support for encrypting a config section.
Creating an Installer Project
An installer is a template in Visual Studio. To create the installer, add a Class Library project to the solution. From the Project|Add New Item menu, select the Installer Class (see Figure 2). The installer is a component that includes a partial class. The generated partial class—in filename.designer.vb—contains the RunInstaller(True) attribute and the Inherits System.Configuration.Install.Installer statement. All you have to do is override the Install method and add the desired behavior.
Figure 2: The Add New Item dialog includes an Installer template.
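As an added example (not the article's own listing), here is an installer class that overrides Install, strips the Provider clause, and encrypts the connectionStrings section with the RSA protected-configuration provider. The class name, the ExePath and ConnStr custom action parameters, and the helper names are assumptions; ConnStr stands in for the string the Data Links dialog returns.

```vb
Imports System.ComponentModel
Imports System.Configuration
Imports System.Configuration.Install
Imports System.Data.Common

' Added example: hypothetical installer class, not the article's own listing.
<RunInstaller(True)> _
Public Class ConnectionStringInstaller
    Inherits Installer

    Public Overrides Sub Install(ByVal stateSaver As System.Collections.IDictionary)
        MyBase.Install(stateSaver)
        ' Assumption: CustomActionData is /ExePath="[TARGETDIR]MyApp.exe" /ConnStr="...";
        ' ConnStr stands in for the string returned by the Data Links dialog.
        Dim cleaned As String = StripProvider(Context.Parameters("ConnStr"))
        SaveEncrypted(Context.Parameters("ExePath"), "MyConnectionString", cleaned)
    End Sub

    ' Data Links produces an OLE DB string; SqlConnection rejects the
    ' Provider keyword, so remove it before the value is stored.
    Public Shared Function StripProvider(ByVal oleDbString As String) As String
        Dim builder As New DbConnectionStringBuilder()
        builder.ConnectionString = oleDbString
        builder.Remove("Provider")
        Return builder.ConnectionString
    End Function

    Public Shared Sub SaveEncrypted(ByVal exePath As String, _
            ByVal settingName As String, ByVal value As String)
        ' Opens exePath & ".config", the deployed application's config file.
        Dim config As System.Configuration.Configuration = _
            ConfigurationManager.OpenExeConfiguration(exePath)
        Dim section As ConnectionStringsSection = config.ConnectionStrings
        Dim found As Boolean = False
        For Each entry As ConnectionStringSettings In section.ConnectionStrings
            ' My.Settings stores the entry under a namespace-qualified name.
            If entry.Name = settingName OrElse entry.Name.EndsWith("." & settingName) Then
                entry.ConnectionString = value
                found = True
            End If
        Next
        If Not found Then
            Throw New InstallException("Connection string '" & settingName & "' not found.")
        End If
        ' Encrypt the whole <connectionStrings> section with the RSA provider.
        If Not section.SectionInformation.IsProtected Then
            section.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider")
        End If
        section.SectionInformation.ForceSave = True
        config.Save(ConfigurationSaveMode.Modified)
    End Sub
End Class
```

The default RSA provider uses a machine-level key container, so the section encrypted here is readable only on the machine where setup ran.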