Sequel Security Tool for developers
Installation
sequel-security is a global tool implemented using the Global Tools feature in .NET Core 6.0. The .NET Core SDK 6.0.0 or newer must be installed for development; servers where the tool is installed or executed need the runtime.
For production, get the version of this tool (Sequel.Security\Packages\Tools\sequel-security\sequel-security.exe) from the same Sequel.Deployment.Manager you work with, for example:
\\buildoutput.office.sbs\drops\Security\stable\1.72.21057.01.stable\Sequel.Security\Packages\Tools\sequel-security\sequel-security.exe
For testing purposes, the security tool can be installed manually as follows:
1. Clone Sequel Security using the master branch.
2. Open a command line prompt and navigate to the folder where the sequel-security.csproj file is.
3. Pack the tool into a NuGet package using:
dotnet pack -c release -o nupkg
4. Globally install the tool with:
dotnet tool install --add-source .\nupkg -g sequel-security
5. If necessary, uninstall the tool from the global scope with:
dotnet tool uninstall -g sequel-security
Deployment Manager token replacement
Deployment Managers of Rating Engine and Workflow are configured with activities that replace tokens with parameters during the database configuration process. Example tokens are ClientSecretHash, RatingEngineUrlExternal or WorkflowExternalUrl.
The RunPowerShellScript ReplaceHash.ps1 and ReplaceTokensWithParameters activities replace the tokens in the package files themselves, so the tokens cannot be reused: redeploying with a different URL and secret does not replace anything, the new settings are not uploaded, and the settings of the first deployment remain.
The solution for the above problem is:
- Update the RunPowerShellScript ImportSecuritySettings activity in DatabaseMetadata.xml, with arguments for UtilsPath, ClientSecretHashToken, ClientSecretHashValue and RatingEngineUrlExternalToken (for Rating Engine) or WorkflowExternalUrl (for Workflow), like:

    <activity xsi:type="RunPowerShellScript" file="Packages\Scripts\ImportSecuritySettings.ps1">
      <argument name="ConnectionString" value="{p:SecurityConnectionString}" type="string"/>
      <argument name="ImportToolLocation" value="{var:RootFolder}Packages\Tools\sequel-security\sequel-security.exe" type="string" />
      <argument name="InputFolder" value="{var:RootFolder}Security\Vanilla" type="string" />
      <argument name="UtilsPath" value="{var:RootFolder}\lib\Sequel.Deployment.Manager.Utils.exe" type="string" />
      <argument name="ClientSecretHashToken" value="__ClientSecretHash__" type="string"/>
      <argument name="ClientSecretHashValue" value="{p:ConfigurationClientSecret}" type="string"/>
      <argument name="RatingEngineUrlExternalToken" value="{__RatingEngineUrlExternal__}{{p:RatingEngineUrlExternal}}" type="string"/>
    </activity>

- Delete the activities ReplaceTokensWithParameters and RunPowerShellScript ReplaceHash.ps1 from DatabaseMetadata.xml.
- Delete the ReplaceHash.ps1 script.
- Update the ImportSecuritySettings script:
  - adding parameters for the new arguments such as UtilsPath, ClientSecretHashToken, ClientSecretHashValue and RatingEngineUrlExternalToken (for Rating Engine) or WorkflowExternalUrl (for Workflow):

      [string]$UtilsPath, [string]$ClientSecretHashToken, [string]$ClientSecretHashValue, [string]$RatingEngineUrlExternalToken

  - setting the hash value of the client secret:

      $HashedValue = & "$UtilsPath" -m hash -p $ClientSecretHashValue

  - editing the security tool import authentication command, adding the token replacement parameters:

      -tr "{$ClientSecretHashToken}{$HashedValue}" -tr "$RatingEngineUrlExternalToken"

- Check the script and activity details for Rating Engine as a sample.
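An added illustration (not code from the Sequel scripts or the security tool) of why in-place replacement breaks redeployment while passing {token}{value} pairs at import time does not. The file name, sample values and both function names are constructed, and Resolve-AtImport is only a hypothetical stand-in for the tool's -tr handling, whose internals this page does not show.

```powershell
# Constructed sample: a settings file as shipped in the package, tokens intact.
$packageFile = Join-Path ([IO.Path]::GetTempPath()) 'client.sample.json'
$template = '{"secretHash":"__ClientSecretHash__","url":"__RatingEngineUrlExternal__"}'

# Old behaviour: rewrite the package file itself, which consumes the tokens.
function Replace-InPlace([string]$Path, [hashtable]$Values) {
    $text = Get-Content -Raw -Path $Path
    foreach ($token in $Values.Keys) { $text = $text.Replace($token, $Values[$token]) }
    Set-Content -Path $Path -Value $text -NoNewline
}

# New behaviour (hypothetical stand-in for -tr): parse "{token}{value}" pairs
# and apply them in memory at import time; the package file is never written.
function Resolve-AtImport([string]$Path, [string[]]$Pairs) {
    $text = Get-Content -Raw -Path $Path
    foreach ($pair in $Pairs) {
        if ($pair -match '^\{(?<token>[^{}]+)\}\{(?<value>.*)\}$') {
            $text = $text.Replace($Matches['token'], $Matches['value'])
        } else {
            # Do not echo the pair: it may carry the client secret hash.
            throw 'Malformed token replacement, expected {token}{value}'
        }
    }
    return $text
}

# Deploy twice the old way: the second call finds no tokens left to replace.
Set-Content -Path $packageFile -Value $template -NoNewline
Replace-InPlace $packageFile @{ '__ClientSecretHash__' = 'HASH-A'; '__RatingEngineUrlExternal__' = 'https://a.example' }
Replace-InPlace $packageFile @{ '__ClientSecretHash__' = 'HASH-B'; '__RatingEngineUrlExternal__' = 'https://b.example' }
$oldWay = Get-Content -Raw -Path $packageFile

# Deploy twice the new way: the file keeps its tokens, so each run is independent.
Set-Content -Path $packageFile -Value $template -NoNewline
$null   = Resolve-AtImport $packageFile -Pairs '{__ClientSecretHash__}{HASH-A}', '{__RatingEngineUrlExternal__}{https://a.example}'
$newWay = Resolve-AtImport $packageFile -Pairs '{__ClientSecretHash__}{HASH-B}', '{__RatingEngineUrlExternal__}{https://b.example}'

"In-place, after redeploy : $oldWay"
"At import, after redeploy: $newWay"
Remove-Item -Path $packageFile
```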
Functionality
Functionality and command details are here