AWS & Encryption keys: Revert manually edited policy

Since we’ve been working with AWS we sometimes did stuff that, after looking back on it, wasn’t the best approach.

One of those things was manually applying Key Policies on Encryption Keys.

It currently looked like this:

Manually edited key policy
Manually edited key policy

Notice the sentence:

We’ve detected that the policy document for this key has been manually edited. You may now edit the document directly to make changes to permissions.

This gives a lot of issues, for example, you cannot view grants anymore through the UI, nor can you easily add & remove Key Administrators. While the API allows you to modify the grants, that wasn’t enough for simple changes we’d like to make when testing / operating our products.

Because of the fact that you cannot delete nor reset keys in AWS, you have to find another way.

So I do have another key that shows me the UI I want, where I can modify Key Administrators and Key Usage.

So, what do we do then? We fetch the correct policy from a key that shows the correct UI and see whether we can apply it to our ‘broken’ key, and see if it works. (Spoiler, it does).

Should you not have a ‘working’ key (as described next), and don’t want to create a new one for the sake of doing this (you can’t delete a key, so I completely understand), click here to scroll down to the correct policy. 

First, let’s get the ARN of a working key, just navigate to the Encryption Key section in the IAM Management console, set your region and select your key, and copy the ARN:

Find the ARN
Find the ARN

So, how do we get that correct policy? Let’s use Python with boto3.

First of all we make sure we have an account in

%userprofile%\.aws\credentials

If you don’t please follow the steps here.

Next up is ensuring we have boto3 installed. Fire up a cmd window and execute the following:

pip install boto3

When that’s done, we can open Python, and that key for its policy.

import boto3

kms = boto3.client("iam")

policy = kms.get_key_policy(KeyId="THE ARN YOU JUST GOT FROM A WORKING KEY", PolicyName="default")["Policy"]

print policy

2 things here:

  1. Do paste in the correct ARN!
  2. Why default as policy name? That’s the only one they support.

That policy is a JSON string. It’s full of \n gibberish, so let’s trim that out (in the same window, we reuse that policy variable):

import json

json.dumps(json.loads(policy))

Which should give you this beautiful JSON document:

'{"Version": "2012-10-17", "Id": "key-consolepolicy-2", "Statement": [{"Action": "kms:*", "Principal": {"AWS": "arn:aws:iam::************:root"}, "Resource": "*", "Effect": "Allow", "Sid": "Enable IAM User Permissions"}, {"Action": ["kms:Describe*", "kms:Put*", "kms:Create*", "kms:Update*", "kms:Enable*", "kms:Revoke*", "kms:List*", "kms:Get*", "kms:Disable*", "kms:Delete*"], "Resource": "*", "Effect": "Allow", "Sid": "Allow access for Key Administrators"}, {"Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt"], "Resource": "*", "Effect": "Allow", "Sid": "Allow use of the key"}, {"Action": ["kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant"], "Resource": "*", "Effect": "Allow", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}, "Sid": "Allow attachment of persistent resources"}]}'

(!) Notice the single quotes in the beginning and the end. You DON’T want those. Also notice that I’ve removed my Account Id (replaced by asterisks), so if you’re just copy pasting, make sure you replace them by your own Account Id, which you can find here (middle, Account Id, 12 digit number).

Now let’s go to our broken key again, and in the policy field we paste in our just-retrieved working policy.

Hit the save button, and lo and behold, we revert back to the original UI.

Succes!

Had any issues? Sound off in the comments!

Menu on the wrong side with a touch screen?

When you’re reading this you probably have a touch screen.

So, I never use my touch screen. Almost never. But I did notice that by default my menus in Windows (from a menu bar, not a ribbon) appear (when possible) on the right side of the clicked menu item.

Like this:

Menu appears on left side of the menu toolbar item.
Menu appears on left side of the menu toolbar item.

Goosebumps. Something is off. It took me a while to realize this,

The menu expanded to the left!

So, what is this. I can’t remember what exactly I searched for, but the change you need to make is in Tablet PC Settings.

When your menus are expanded to the left you’ll see something like this:

Menus appear to the left of your hand.
Menus appear to the left of your hand.

This is different from the default that I’ve been used to since I’ve been using Windows 95.

Change it to ‘Left-handed’:

Menus appear to the right of your hand.
Menus appear to the right of your hand.

Hit apply, and restart any offending programs, open a menu and enjoy:

Menu appears on right side of the menu toolbar item.
Menu appears on right side of the menu toolbar item.

I can easy again…

ASP.NET MVC Mobile: where is my style?

I was playing with ASP.NET MVC Mobile to start something quickly for my phone.

I then updated the NuGet packages, and my style was GONE.

Seems that jQuery 1.9.* is incompatible with jQuery.Mobile 1.2.

According to the website 1.3 is out, so the package should soon be there, so until then you can revert from jQuery 1.9.* to 1.8.3 with the following code in your Package Manager Console:

uninstall-package jQuery -Force # ignore that some have dependencies on jQuery
install-package jQuery -Version 1.8.3

jQuery downgrade

Have a good one,

-Kristof

Get your facts right.

I just read this article: http://www.simple-talk.com/dotnet/.net-framework/10-reasons-why-visual-basic-is-better-than-c/ . And I’m pissed. Why? Allow me to elaborate

First of all, because on the top right there is “a service from redgate”. You’d expect to get their facts right.

And that’s the main issue with this article. There will always be fights among developers about which language is better, VB.NET or C#. I don’t care. Use what works best for you. And I’m always interested in a well argumented comparison between the two. (and I’m not going to show my preference here, I worked in both languages, and I like to think I know what I’m talking about).

Alright, let’s take a look at Andy Brown’s points:

Point number 1

Not a good point to start with, very personal point, so I’m like: ‘whatever dude’

Point number 2

Again, bad point, it’s a language feature, I have no problem with typing out an if else statement. However the second part of your argument is utterly wrong. C# doesn’t allow fall through in a case statement, meaning the compiler will complain if you omit the break statement:

case fallthrough C#

Point number 3

If I change the name of my control in the designer it just updates everything. I guess your Visual Studio 2010 is broken.

Point number 4

The one I hate the most. Not only are you PUSHING your personal preference to other people, you’re doing it with the wrong arguments. Allow me to explain:

&& in C# is NOT And in VB.NET. The && is a Contitional And, the And operator is logical, meaning it will execute both sides. We can read this on the MSDN page on this topic.

Let me prove it to you with an example:

C# &&

As you can see it only executes the Foo one, it completely omits the Bar!

If we follow the ‘comparison’ Andy wrote this would translate to the following VB.NET code:

VB.NET And

Well, it seems that we need the AndAlso operator in VB.NET to get the same behavior. You can get the And behavior in C# by using a single & instead of a double.

The same is for the || and the Or, you need the OrElse to achieve the || result, or, to use the Or in C#, you need the single | instead of a double.

Point number 5

First of all this is a IDE feature, not a language feature. But fine, I’ll bite: you have that too in C#. Type prop+<tab>+<tab> and you’ve got your property.

Point number 6

You are relying on the Microsoft.VisualBasic namespace. If you want to you can even add it to your C# project. The issue with this function is the following: reading the documentation doesn’t give me a single clue on what the restrictions are, what culture does it use?

You can always do int.TryParse or double.TryParse. Hec, you can even do a Regular Expression like ^[0-9]$ and then something else for the commas. I’m not a Regex Expert, and probably never will be Smile with tongue out.

And for your PMT function (click, decompiled from the dll):

PMT

Point number 7

Language feature, personal preference. No argument there.

Point number 8

First you start off by writing how to declare and define variables and then you come up with the out keyword? And if you have problems with the out keyword, you do realize that VB.NET doesn’t offer a way to the programmer to restrict him to give either an initialized variable or a non initialized variable. VB.NET only supports ByVal and ByRef, where the first is always a pointer (like in C#) and the second one is ref. No out available Sad smile. And then there is this behavior: Force an Argument to Be Passed by Value.

Point number 9

An enum in C# is an enum, even though it inherits from int. It’s just the compiler that complains. Of all the things you mentioned you have a fair point here. I’ll give you that.

Point number 10

You say it yourself, the whole point of an array is that it is fixed size. Use a list. They’re there for a reason.

I do not want to rant. I just want to get the facts right. And I feel bad. From your bio I read that you are a trainer. While they don’t have to go too deep for an introduction, you should get your facts right.

Signing off,

-Kristof

Silverlight 4: Bug in TabControl.TabStripPlacement = Dock.Left and OnApplyTemplate

At work I ran into a bug with the Silverlight TabControl, more specifically when setting the TabStripPlacement to Dock.Left and hiding one of the TabItems in the parent’s OnApplyTemplate.

The way to get to this bug is quite specific. For example, you can’t do it when you’re using a UserControl, since in that kind of class OnApplyTemplate is never called.

You need to build a class which inherits from Control.

public class TabControlTest : Control

Then we have the style of this particular class:

<Style TargetType="TabControlTest:TabControlTest"> <Setter Property="Template"> <Setter.Value> <ControlTemplate TargetType="TabControlTest:TabControlTest"> <Grid x:Name="LayoutRoot" Background="White"> <Grid.RowDefinitions> <RowDefinition Height="*" /> <RowDefinition Height="38" /> </Grid.RowDefinitions> <sdk:TabControl TabStripPlacement="{TemplateBinding TabStripPlacement}" Grid.Row="0"> <sdk:TabItem Header="First"> <sdk:TabItem.Content> <TextBlock Text="A" /> </sdk:TabItem.Content> </sdk:TabItem> <sdk:TabItem Header="Second" x:Name="middleTabItem"> <sdk:TabItem.Content> <TextBlock Text="B" /> </sdk:TabItem.Content> </sdk:TabItem> <sdk:TabItem Header="Last"> <sdk:TabItem.Content> <TextBlock Text="C" /> </sdk:TabItem.Content> </sdk:TabItem> </sdk:TabControl> <Button HorizontalAlignment="Center" Grid.Row="1" Content="{TemplateBinding ShowOrHide}" Command="{TemplateBinding ShowOrHideCommand}" /> </Grid> </ControlTemplate> </Setter.Value> </Setter> </Style>

As you can see I’ve named the middle TabItem (“middleTabItem”) so I can retrieve it in the OnApplyTemplate:

public override void OnApplyTemplate()
{
    this._middleTabItem = (TabItem) this.GetTemplateChild("middleTabItem");
    this._middleTabItem.Visibility = Visibility.Collapsed;

    base.OnApplyTemplate();
}

Now if the following 2 conditions are matched:

  1. TabStripPlacement is set to Dock.Left (it doesn’t happen on ‘Top’)
  2. We set the Visibility of the said TabItem to Collapsed in the OnApplyTemplate of the surrounding Control

Then we cannot make the TabItem Visible anymore.

To show or hide I use the following code:

this.ShowOrHideCommand = new Command(() =>
                                         {
                                            this.ShowOrHideText = string.Format(SwitchTo, this._middleTabItem.Visibility);
                                            this._middleTabItem.Visibility = this._middleTabItem.Visibility == Visibility.Visible ? Visibility.Collapsed : Visibility.Visible;
                                         });

The solution to this is to call the OnApplyTemplate of the TabControl itself so that it recalculates it’s children’s location (or something, I’m not sure):

Give the TabControl a name, fetch it in OnApplyTemplate of your Control:

<sdk:TabControl TabStripPlacement="{TemplateBinding TabStripPlacement}" x:Name="TabControl" Grid.Row="0">
public override void OnApplyTemplate()
{
    this._middleTabItem = (TabItem) this.GetTemplateChild("middleTabItem");
    this._middleTabItem.Visibility = Visibility.Collapsed;
    this._tabControl = (TabControl) this.GetTemplateChild("TabControl");
    base.OnApplyTemplate();
}

And call the _tabControl’s OnApplyTemplate after switching the Visibility to Visible:

this.ShowOrHideCommand = new Command(() =>
                                         {
                                            this.ShowOrHideText = string.Format(SwitchTo, this._middleTabItem.Visibility);
                                            this._middleTabItem.Visibility = this._middleTabItem.Visibility == Visibility.Visible ? Visibility.Collapsed : Visibility.Visible;
                                            this._tabControl.OnApplyTemplate();
                                         });

This will make the UI respond correctly. For your convenience I’ve added the SL project, and you can download it here.

Clear all event logs on Windows using PowerShell

I was bored with the vast amount of data in the eventlogs which were really not useful for me. So, in order to improve readability on my machine I decided to look for something to clear all of the eventlogs. Easy.

Since I always use the Administrative Events filter to view every warning and error I get a lot of junk (who cares for Kernel-Power warnings?)

Administrative Events

Since I didn’t feel like doing the following steps for each frigging event log there is on my machine. You would need to go to the following steps:

Step 1

Step 2

Now this is an excerpt  from the eventlogs I have on this machine:

Analytic
Application
DirectShowFilterGraph
DirectShowPluginControl
EndpointMapper
ForwardedEvents
HardwareEvents
Internet Explorer
Key Management Service
MF_MediaFoundationDeviceProxy
MediaFoundationDeviceProxy
MediaFoundationPerformance
MediaFoundationPipeline
MediaFoundationPlatform
Microsoft-IE/Diagnostic
Microsoft-IEDVTOOL/Diagnostic
Microsoft-IEFRAME/Diagnostic
Microsoft-IIS-Configuration/Administrative
Microsoft-IIS-Configuration/Analytic
Microsoft-IIS-Configuration/Debug
Microsoft-IIS-Configuration/Operational
Microsoft-PerfTrack-IEFRAME/Diagnostic
Microsoft-PerfTrack-MSHTML/Diagnostic
Microsoft-Windows-ADSI/Debug
Microsoft-Windows-API-Tracing/Operational
Microsoft-Windows-ATAPort/General
Microsoft-Windows-ATAPort/SATA-LPM
Microsoft-Windows-ActionQueue/Analytic
Microsoft-Windows-AltTab/Diagnostic
Microsoft-Windows-AppID/Operational
Microsoft-Windows-AppLocker/EXE and DLL
Microsoft-Windows-AppLocker/MSI and Script
Microsoft-Windows-Application Server-Applications/Admin
Microsoft-Windows-Application Server-Applications/Analytic
Microsoft-Windows-Application Server-Applications/Debug

And so on (for about 10 times as large). I’m not going to clear them by hand.

So let’s call Powershell to the rescue! (Play Thunderbirds theme song!)

First of all (and nothing to do with Powershell): wevtutil

We’re going to use this tool to display every available event source on this machine:

wevtutil el

The help states:

el | enum-logs          List log names.

Good, that’s what we need. Next up, we pass every line of this list to a command using a pipe and the Powershell Foreach-Object cmdlet

wevtutil el | Foreach-Object { … commands go here … }

The commands are going to be

wevtutil cl “$_”

The help states:

cl | clear-log          Clear a log.

And $_ is the current variable in the enumeration of Foreach-Object. I added the quotes since there are event sources with spaces and we need to have the full name in order to have wevtutil to be able to clear that log.

Now let’s add some diagnostics output to see which one we’re currently clearing:

wevtutil el | Foreach-Object {Write-Host "Clearing $_"; wevtutil cl "$_"}

Now just run it through Powershell, and bam, a clean event log.

Result

Cheers!

.NET natural sort, a possible solution.

You have a list of items, let’s say 20 elements, starting at 1, until 20 (inclusive). We shuffle the list and we try to sort it.

  1. List<string> normalDotNetSort = GiveMeANewList();

The code to create the list:

  1. private static List<string> GiveMeANewList()
  2. {
  3.     List<string> list = new List<string>();
  4.  
  5.     for (int i = 1; i <= 20; i++)
  6.     {
  7.         list.Add(string.Format("{0}", i));
  8.     }
  9.  
  10.     return list.MixList();
  11. }

MixList just shuffles the list.

We’re using a normal Generic List and to sort, let’s use the Sort method, and write it to the console:

  1. normalDotNetSort.Sort();
  2. normalDotNetSort.ForEach(Console.WriteLine);

What would be the result?

.

.

.

.

.

.

.

.

.

.

.

.

.

1
10
11
12
13
14
15
16
17
18
19
2
20
3
4
5
6
7
8
9

That’s not what we wanted, but it is what we told the code to do. It first sorts on the first character, and then on the second (and so on…). That’s why 19 takes precedence of 2, since 1 < 2.

How do we fix this?

There is a little gem in the shlwapi.dll, namely StrCmpLogicalW. Since this is a native function we need to do a DllImport to expose the function to our C# code:

  1. public static class SafeNativeMethods
  2. {
  3.     [DllImport("shlwapi.dll", CharSet = CharSet.Unicode)]
  4.     public static extern int StrCmpLogicalW(string psz1, string psz2);
  5. }

Now we can use this function in our own string comparer:

  1. public sealed class NaturalStringComparer : IComparer<string>
  2. {
  3.     #region IComparer<string> Members
  4.  
  5.     public int Compare(string x, string y)
  6.     {
  7.         return SafeNativeMethods.StrCmpLogicalW(x, y);
  8.     }
  9.  
  10.     #endregion
  11. }

And use this comparer to sort our list:

  1. List<string> interopSort = GiveMeANewList();
  2. interopSort.Sort(new NaturalStringComparer());
  3. interopSort.ForEach(Console.WriteLine);

And the result:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Much better no?

Dictionary<TKey, TValue> finding key: try/catch vs TryGetValue

Today I saw some code where the developer accessed a dictionary like this:

  1. void Foo(int keyToFindInDictionary)
  2. {
  3.     Dictionary<int, string> dictionary = new Dictionary<int, string>();
  4.  
  5.     try
  6.     {
  7.         DoSomethingWithTheResult(dictionary[keyToFindInDictionary]);
  8.     }
  9.     catch (KeyNotFoundException)
  10.     {
  11.         // fallback
  12.     }
  13. }
  14.  
  15. private void DoSomethingWithTheResult(string s)
  16. {
  17.     // do something
  18. }

As you can see he catches the exception to handle the fact that the given key was not found in the dictionary.

I told him that there was a better way, i.e. Dictionary<TKey, TValue>.TryGetValue.

And then the curious part of me started thinking, how much better is it? Is it faster? Slower?

So I wrote the following small piece of code to test my statement that TryGetValue is better than catching the KeyNotFoundException.

  1. namespace DictionaryTryGetValueVersusException
  2. {
  3.     using System;
  4.     using System.Collections.Generic;
  5.     using System.Diagnostics;
  6.  
  7.     internal class Program
  8.     {
  9.         private static void Main()
  10.         {
  11.             // create a dictionary with some values
  12.             Dictionary<string, string> dictionary = new Dictionary<string, string>();
  13.  
  14.             // add 10,000 items
  15.             for (int i = 0; i < 10000; i++)
  16.             {
  17.                 if (i == 5000)
  18.                 {
  19.                     // skip
  20.                     continue;
  21.                 }
  22.  
  23.                 dictionary.Add(string.Format("Key{0}", i), string.Format("Value{0}", i));
  24.             }
  25.  
  26.             Stopwatch stopwatch = new Stopwatch();
  27.  
  28.             stopwatch.Start();
  29.  
  30.             const string keyToFindInDictionary = "Key5000";
  31.  
  32.             for (int i = 0; i < 10000; i++)
  33.             {
  34.                 // 5000 does not exist
  35.                 try
  36.                 {
  37.                     // execute a method on the variable, so that he compiler doesn't optimize it.
  38.                     dictionary[keyToFindInDictionary];
  39.                 }
  40.                 catch (Exception)
  41.                 {
  42.                     // ignore
  43.                 }
  44.             }
  45.  
  46.             stopwatch.Stop();
  47.             Console.WriteLine("Dictionary lookup with try/catch took: {0}", stopwatch.ElapsedTicks);
  48.  
  49.             stopwatch.Restart();
  50.  
  51.             for (int i = 0; i < 10000; i++)
  52.             {
  53.                 string notFound;
  54.                 // 5000 does not exist
  55.                 dictionary.TryGetValue(keyToFindInDictionary, out notFound);
  56.             }
  57.  
  58.             stopwatch.Stop();
  59.             Console.WriteLine("Dictionary lookup with TryGetValue took: {0}", stopwatch.ElapsedTicks);
  60.  
  61.             Console.WriteLine("Done, press enter to exit");
  62.             Console.ReadLine();
  63.         }
  64.     }
  65. }

As you can see we add 10,000 items to the dictionary, skipping the 5000th item, and then we do a lookup in the dictionary, 10,000 times, on the key that doesn’t exist, to measure the performance difference between the 2 previously discussed methods.

To run this test I did a Release Build in Visual Studio 2010, .NET 4.0, Any CPU, and this is the result:

Results

Dictionary lookup with try/catch took: 1069625
Dictionary lookup with TryGetValue took: 864
Done, press enter to exit

As you can see there is a HUGE difference. The TryGetValue-way was about 1237 faster!

Exception throwing is very heavy! Don’t forget that. It doesn’t mean that you need to program without exceptions, but when you EXPECT that a Key is not present in a given dictionary, don’t use the exception. Use the TryGetValue. If you always expect it to be there then it’s normal to catch the exception, because it’s exceptional that the key was not found.

PS: I tried the code again by skipping the 9999th item, and the results were about the same, take or leave a few milliseconds. So searching in the dictionary is very performant (close to O(1), as written in the Remarks section on this page.)

Quote…

Believe me when I say we have a difficult time ahead of us. But if we are to be prepared for it, we must first shed our fear of it. I stand here, before you now, truthfully unafraid. Why? Because I believe something you do not? No, I stand here without fear because I remember. I remember that I am here not because of the path that lies before me but because of the path that lies behind me.

It’s a movie, but I think the last sentence applies to everybody. It’s your decisions that makes you who you are.