Introducing ConfigureAsync method, Security scanning with ZAP in the Lombiq UI Testing Toolbox - This week in Orchard (22/12/2023)
Introducing ConfigureAsync method and the IAsyncConfigureOptions interface, demo about Security scanning with ZAP in the Lombiq UI Testing Toolbox, and some photos of our Christmas event! Let's see the details!
Orchard Core updates
Introducing ConfigureAsync method
In the Startup files, you can use the Configure method to configure the tenant pipeline. Now, if you implement the IAsyncStartup interface, you will be able to configure the tenant pipeline asynchronously by using the new ConfigureAsync method.
This means the initialization of the tenants will be much faster in the future in a SaaS environment. Here, you can see an example of how to use this method in the Startup file of the Localization module, where we don't need to call the GetAwaiter() and the GetResult() methods when getting the default culture and the supported cultures.
IAsyncConfigureOptions interface
In this PR, Jean-Thierry Kéchichian introduced the IAsyncOptions and IAsyncConfigureOptions<TOptions> interfaces that can be used globally across your Orchard Core solution. The IAsyncConfigureOptions can be used to configure asynchronously a type of options just after a tenant container is created, and the IAsyncOptions marks a type of option intended to be registered as a singleton and configured asynchronously by an IAsyncConfigureOptions<TOptions> just after a tenant container is created.
For example, here the BlobOptions will be registered once as a singleton and configured asynchronously once by BlobOptionsSetup.ConfigureAsync() just after a tenant container is created using this single line of code: services.Configure<BlobOptions, BlobOptionsSetup>().
Demos
Security scanning with ZAP in the Lombiq UI Testing Toolbox
Maybe you have already heard about the Lombiq UI Testing Toolbox, our web UI testing toolbox mostly for Orchard Core applications. Everything you need to do UI testing with Selenium for an Orchard app is here. We wrote about it several times here as well, first when we open-sourced it, when we added some Orchard Core Features tests to it when we added the automated monkey testing feature to it, and when we introduced the Visual verification testing. At the end of last year, we showed you the latest updates about integrating UI testing into Orchard Core and the way you can use WebApplicationFactory, a fake video capture source, or the interactive mode. This time, we will check out a slightly different topic, security scanning!
Of course, security is important, you don't want your web app to be used for spamming or cryptocurrency mining, or you don't want your users' data to be lost or get into the hands of others. So, you want to secure your application. There are many layers to that, and many layers to enforcing or ensuring your application is secure including manual reviews and static code analysis. Another layer is penetration testing. It means that somebody going to your application and trying to break it in some way, get into it in a way that they shouldn't be able to. Pen testers use some tools, and one of the most widely used tools is the Zed Attack Proxy (ZAP). This is a very popular open-source project, which is a security scanner. It can check your application for security issues. This is a JAVA application, and it checks web apps for general web application security issues. It can do generally dangerous attacks, it can do that actively and passively, so let's see that in action and see how to automate those scans!
The easiest way is to clone Lombiq's Open-Source Orchard Core Extensions solution. This Orchard Core Visual Studio solution contains most of Lombiq's open-source Orchard modules and themes, as well as related utilities and libraries, containing our UI Testing Toolbox for Orchard Core, which contains a feature for ZAP. Here you can see quite detailed documentation about this but what's more important we also have some samples.
Here, you can run ZAP with a DotNet API. It's just a simple scan but you can utilize the DotNet API more if you add some more configuration as you can see on the screen. This SecurityScanWithCustomConfigurationShouldPass method adds some configuration, like you can exclude URLs from the scan, disable rules for just a given URL, can authenticate and while we are talking about testing, you can also assert on the results. The results are not just available on a human-readable HTML report but also as a sarif-json which is a standard way of sharing such scan results.
Do you want to know more about how to do an automated security scan of your Orchard Core app with ZAP? Check out our post in Orchard Dojo about it, and don't forget to head to YouTube for a recording to see how you can run these tests from Visual Studio!
News from the community
Christmas in Lombiq
Sometimes we do stuff. Together. Not (just) in front of computer screens. These are some usual events in Lombiq that are all announced and arranged in advance. We periodically have an event called RnDay: this is a few hour-long event where we share what we recently worked on and what we plan to do. E.g., If we recently finished a project, then the project's team members demo what they've done. We had our last RnDay for this year in the Loffice, which is a coworking and event space where we held this event. And at the end of the day, we visited a nearby restaurant to have dinner together.
We would like to thank you all for reading our posts and making the Orchard community stronger together with us! We hope that we can give you valuable news and demos about the happenings around Orchard and Orchard Core from time to time by reading our posts and of course the This week in Orchard newsletter. We would like to wish everyone a Merry Christmas with some photos of our latest event!
Orchard Dojo Newsletter
Lombiq's Orchard Dojo Newsletter has 486 subscribers! We have started this newsletter to inform the community around Orchard of the latest news about the platform. By subscribing to this newsletter, you will get an e-mail whenever a new post is published to Orchard Dojo, including This week in Orchard of course.
Do you know of other Orchard enthusiasts who would like to read our weekly articles? Tell them to subscribe here!