Kristof's blog

Tokio: receive variable-sized data from a UdpSocket

Kristof — Wed, 21 Jan 2026 15:49:01 -0700

Imagine you're listening on a tokio::net::UdpSocket</code></a> and you know you're going to receive a packet, but don't know the size.</p>

The first option was to find out what the other party might send, but that information might not always be available.</p>

Another way might be to dynamically allocate a buffer based on the incoming packet size:</p>

use</span> tokio</span>::</span>net</span>::</span>UdpSocket</span>;</span></span>
</span>
async fn</span> get_buffer_size</span>(socket</span>: &</span>UdpSocket</span>)</span> -></span> Result</span><</span>usize</span>, std</span>::</span>io</span>::</span>Error</span>> {</span></span>
    let</span> result</span> =</span> socket</span></span>
        .</span>async_io</span>(</span>Interest</span>::</span>READABLE</span>,</span> ||</span> {</span></span>
            let mut</span> mini_buf</span> =</span> [</span>0_</span>u8</span>;</span> 32</span>];</span></span>
</span>
            // SAFETY: libc call</span></span>
            let</span> result</span> = unsafe</span> {</span></span>
                libc</span>::</span>recv</span>(</span></span>
                    socket</span>.</span>as_raw_fd</span>(),</span></span>
                    mini_buf</span>.</span>as_mut_ptr</span>()</span>.</span>cast</span>(),</span></span>
                    mini_buf</span>.</span>len</span>(),</span></span>
                    libc</span>::</span>MSG_PEEK</span> |</span> libc</span>::</span>MSG_TRUNC</span>,</span></span>
                )</span></span>
            };</span></span>
</span>
            if</span> result</span> <</span> 0</span> {</span></span>
                return</span> Err</span>(</span>std</span>::</span>io</span>::</span>Error</span>::</span>last_os_error</span>());</span></span>
            }</span></span>
</span>
            Ok</span>(result</span>.</span>unsigned_abs</span>())</span></span>
        })</span></span>
        .await?</span>;</span></span>
</span>
    Ok</span>(result)</span></span>
}</span></span></code></pre>
Couple of things to note:</p>

We're using MSG_PEEK</code></a> to ensure we don't pull the data from the buffer, we just look at it.</li>
MSG_TRUNC</code></a> to ensure we get back the total number of bytes pending in the kernel's buffer, not just the amount written to OUR buffer</li>
We stack-allocated the buffer to avoid the allocation hit every time.</li>
</ul>



Ubuntu 24.04: disable systemd-resolved's stub listener
Kristof — Sun, 19 May 2024 13:43:01 -0700
I'm rebuilding my server and I need to make sure the server itself does not listen to port 53 as we'll be hosting a Docker container with AdGuard on port 53.</p>
To do that we need to disable systemd-resolved's stub listener.</p>
The trick is to set DNSStubListener=no</code> in /etc/systemd/resolved.conf</code>:</p>
# ...</span></span>
</span>
[Resolve]</span></span>
# ...</span></span>
#DNSStubListener=yes</span></span>
# ...</span></span></code></pre>
However, this will cause APT to ask you to resolve configuration discrepancies should systemd-resolved be updated (e.g. when updating Ubuntu to vNext).</p>
So we take a step back, read the comments, and ...:</p>
# Entries in this file show the compile time defaults. Local configuration</span></span>
# should be created by either modifying this file (or a copy of it placed in</span></span>
# /etc/ if the original file is shipped in /usr/), or by creating "drop-ins" in</span></span>
# the /etc/systemd/resolved.conf.d/ directory.</span></span></code></pre>
Cool, we create the directory:</p>
# Create directory</span></span>
sudo mkdir -p /etc/systemd/resolved.conf.d/</span></span>
# Set permissions</span></span>
sudo chmod 755 /etc/systemd/resolved.conf.d/</span></span>
# Disable</span></span>
printf "[Resolve]\nDNSStubListener=no\n" | sudo tee /etc/systemd/resolved.conf.d/noresolved.conf</span></span>
# Restart systemd-resolved</span></span>
sudo systemctl restart systemd-resolved.service</span></span>
# Test</span></span>
cat /etc/resolv.conf</span></span></code></pre>
And notice that it no longer contains something like this:</p>
nameserver 127.0.0.53</span></span>
options edns0 trust-ad</span></span>
search .</span></span></code></pre>
But something like this:</p>
nameserver 192.168.1.1</span></span>
search home.domain.com</span></span></code></pre>
Until next time!</p>
-K</p>


You cannot disable rDNS (IPv6) nameservers with netplan
Kristof — Sat, 11 Feb 2023 16:23:01 -0800
I am playing with IPv6 and wanted to statically configure /etc/resolv.conf</code>'s nameserver</code>s. I wanted to avoid getting any from the Router, even though I wanted an IPv6 address through SLAAC.</p>
First try</h3>
Since the server runs Ubuntu, netplan is the default network configuration tool:</p>
network:</span></span>
  ethernets:</span></span>
    eno1:</span></span>
      addresses:</span></span>
        # static IPv4 address</span></span>
        - 10.0.10.10/24</span></span>
      routes:</span></span>
        # static IPv4 gateway</span></span>
        - to: default</span></span>
          via: 10.0.10.1</span></span>
          metric: 100</span></span>
          on-link: true</span></span>
        # IPv6 gateway comes via RA</span></span>
      nameservers:</span></span>
        addresses:</span></span>
          - 10.0.10.20</span></span>
        # always use FQDN as short names clash with SSL</span></span>
        search: [""]</span></span>
      # disabled by default</span></span>
      # dhcp4: false</span></span>
      # dhcp4-overrides:</span></span>
        # use-dns: false</span></span>
        # use-domains: false</span></span>
      # IPv6</span></span>
      # We want IPv6 to be configured by RA only</span></span>
      accept-ra: true</span></span>
      # dhcp6: false</span></span>
      # dhcp6-overrides:</span></span>
        # use-dns: false</span></span>
        # use-domains: false</span></span>
      ipv6-privacy: false</span></span>
  renderer: networkd</span></span>
  version: 2</span></span></code></pre>
One sudo netplan apply</code> later and we have</p>

a static IPv4 address</li>
a static DNS server</li>
a SLAAC IPv6 address</li>
ping to an IPv4 address work</li>
ping6 to an IPv6 address work</li>
</ul>
However, we have one issue. We're getting a IPv6 DNS address pushed...:</p>
> cat /etc/resolv.conf</span></span>
# ...</span></span>
nameserver 10.0.10.20</span></span>
nameserver 2600:xxxx:xxxx:xxxx::1</span></span>
search .</span></span></code></pre>
Parsing netplan's reference yielded some reference to stateless configuration here</a>. Time to try it out.</p>
Second try</h3>
Let's switch it on.</p>
network:</span></span>
  ethernets:</span></span>
    eno1:</span></span>
      # ...</span></span>
      # IPv6</span></span>
      # We want IPv6 to be configured by RA only</span></span>
      accept-ra: true</span></span>
      dhcp6: true</span></span>
      dhcp6-overrides:</span></span>
        use-dns: false</span></span>
        use-domains: false</span></span>
      ipv6-privacy: false</span></span>
  # ...</span></span></code></pre>
Running > sudo netplan apply && sudo systemctl restart systemd-resolved.service</code> and ...</p>
> cat /etc/resolv.conf</span></span>
# ...</span></span>
nameserver 10.0.10.20</span></span>
nameserver 2600:xxxx:xxxx:xxxx::1</span></span>
search .</span></span></code></pre>
Still there... What's going on?</p>
Digging deeper reveals that netplan is an abstraction tool over systemd.network. Reading through its configuration reference something caught my attention:
IPv6AcceptRA=</code></a></p>
Notice the reference to an [IPv6AcceptRA]</code> section</a></p>
And this rang a bell... The DNS address that I got pushed comes from my router's rDNS.</p>
So how do we configure this with netplan? We cannot. If we look in netplan's code for IPv6AcceptRA</code> which only yields the following result:</p>


    
    Netplan doesn't support rendering the IPv6AcceptRA section.</figcaption>
</figure>

Last try</h3>
Eventually I ended up setting it manually in the networkd configuration:</p>
> cat /run/systemd/network/10-netplan-eno1.network</span></span>
[Match]</span></span>
Name=eno1</span></span>
</span>
[Network]</span></span>
DHCP=ipv6</span></span>
LinkLocalAddressing=ipv6</span></span>
Address=10.0.10.10/24</span></span>
IPv6AcceptRA=yes</span></span>
DNS=10.0.10.20</span></span>
</span>
[Route]</span></span>
Destination=0.0.0.0/0</span></span>
Gateway=10.0.10.1</span></span>
GatewayOnLink=true</span></span>
Metric=100</span></span>
</span>
[DHCP]</span></span>
RouteMetric=100</span></span>
UseMTU=true</span></span>
UseDNS=false</span></span>
UseDomains=false</span></span>
</span>
# vvvvvvvv</span></span>
[IPv6AcceptRA]</span></span>
UseDNS=false</span></span>
UseDomains=false</span></span>
# ^^^^^^^^</span></span></code></pre>
No more sudo netplan apply</code>. This time we do sudo systemctl restart systemd-networkd.service && sudo systemctl restart systemd-resolved.service</code>.</p>
Checking /etc/resolv.conf</code> one more time:</p>
> cat /etc/resolv.conf</span></span>
# ...</span></span>
nameserver 10.0.10.20</span></span>
search .</span></span></code></pre>
Bingo!</p>
After some more searching I did stumble upon an existing bug report</a> on launchpad. At least I'm not the only one.</p>
Wrapping up</h3>
I removed the config for netplan. That way it cannot overwrite the network configuration that I edited.</p>
-Kristof</p>


How to use Wireguard without Masquarade
Kristof — Sat, 08 Jan 2022 11:27:01 -0800
For a while now I've been running linuxserver.io's Docker container of Wireguard</a> to be able to get access to my home network when I'm on the go.</p>
Initially, we had a network for the computers at home, 192.168.25.0/24</code>. (Of course IOT sits in another network).</p>
The Wireguard VPN device sat on 192.168.25.20</code>. And since it uses NAT, and that doesn't allow me to track individual peers at the network level. All traffic coming over the Wireguard VPN would look like it originates from THAT IP.</p>
Time to split that up.</p>
So what are the steps that we need to do?</p>
Define the VPN network and set up the route</h3>
Note: I contemplated keeping my Wireguard clients in the same subnet, but that would mean that EVERY device in that subnet would need to get static routes to the Wireguard clients. Whereas if I move them to a separate subnet, only the router needs to get the static route.</p>
I chose to use 192.168.30.0/24</code> for all my Wireguard clients.</p>
Our Wireguard server sits at 192.168.25.20</code>, so on the router we add the static route:</p>


    
    Static route screenshot.</figcaption>
</figure>

Update Wireguard's config to not use Masquerade</h3>
The default wg0.conf</code> needs to be updated to look like this:</p>
[Interface]</span></span>
Address</span> = 192.168.30.1</span></span>
ListenPort</span> = 51820</span></span>
PrivateKey</span> =</span> ##############################################</span></span>
</span>
[Peer]</span></span>
# peer_iPhoneKristof</span></span>
PublicKey</span> =</span> ##############################################</span></span>
AllowedIPs</span> = 192.168.30.10/32</span></span></code></pre>
So what did we change?</p>

We removed PostUp</code> and PostDown</code>, as these are only needed when we do NAT (i.e. Masquarade)</li>
We set up the Interface</code>'s address to be .1</code> in our new range.</li>
We set our client to be .10</code> in our new range.</li>
</ol>
Ensure the server forwards IPv4 packets AND enable proxy ARP</h3>
Lastly, the underlying server needs 2 changes:</p>
In /etc/sysctl.conf</code> (or wherever it is on your flavor of Linux):</p>
# Enable IPv4 packet forwarding</span></span>
net.ipv4.ip_forward</span>=1</span></span>
</span>
# Enable Proxy ARP (https://en.wikipedia.org/wiki/Proxy_ARP)</span></span>
net.ipv4.conf.all.proxy_arp</span>=1</span></span></code></pre>Update the client's config</h3>
We need to make sure that the client now connects with the right IP, and that the client's AllowedIPs</code> are set up to target our ORIGINAL range:</p>
[Interface]</span></span>
PrivateKey</span> =</span> ##############################################</span></span>
ListenPort</span> = 51820</span></span>
Address</span> = 192.168.30.10</span></span>
DNS</span> = 192.168.25.5 </span># adguard sits here</span></span>
</span>
[Peer]</span></span>
PublicKey</span> =</span> ##############################################</span></span>
AllowedIPs</span> = 192.168.25.0/24</span></span>
Endpoint</span> = my.endpoint.com:51820</span></span></code></pre>Conclusion</h3>
We now can track individual Wireguard clients on our network.</p>


.NET: Disabling SSL Certificate validation
Kristof — Thu, 09 Jun 2016 14:17:39 +0000
Yesterday I wanted to download some content off a website with F#, however unfortunately the certificate of the website was expired.</p>
let</span> result</span> =</span></span>
    try</span></span>
        let</span> request</span> =</span></span>
            "https://somewebsite/with/expired/ssl/certificate/data.json?paramx=1&paramy=2"</span></span>
            |></span> WebRequest.Create</span></span>
</span>
        let</span> response</span> =</span></span>
            request.GetResponse </span>()</span></span>
</span>
        // parse data</span></span>
        let</span> parsed</span> =</span> "..."</span></span>
</span>
        Ok parsed</span></span>
    with</span></span>
    |</span> ex </span>-></span></span>
        Error ex</span></span></code></pre>
If we execute this, then result would be of Error with the following exception:</p>


    
    SSL certificate validation exception</figcaption>
</figure>

ex.Message</span></span>
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."</span></span>
ex.InnerException.Message</span></span>
"The remote certificate is invalid according to the validation procedure."</span></span></code></pre>
So how do we fix this?</p>
The solution is to set the following code at startup of the application (or at least before the first call):</p>
ServicePointManager.ServerCertificateValidationCallback <-</span></span>
    new RemoteCertificateValidationCallback(fun _ _ _ _ -> true)</span></span></code></pre>
Notice that you should not do this, because this does not validate the certificate at ALL!
Also, this is for ALL calls, if you want to do it on a specific call you need to do make some changes.</p>
First of all, it doesn't work with WebRequest.Create</code></a>, you need to use WebRequest.CreateHttp</code></a>, or cast the WebRequest</code></a> to HttpWebRequest</code></a>, as the property we need, ServerCertificateValidationCallback</code></a> is not available on WebRequest</code></a>, only on HttpWebRequest</code></a>. The resulting code looks like this:</p>
let</span> request</span> =</span></span>
    "https://somewebsite/with/expired/ssl/certificate/data.json?paramx=1&paramy=2"</span></span>
    |></span> WebRequest.CreateHttp</span></span>
</span>
request.ServerCertificateValidationCallback </span><- new</span> RemoteCertificateValidationCallback</span>(fun</span> _ _ _ _ </span>-></span> true</span>)</span></span>
</span>
let</span> response</span> =</span></span>
    request.GetResponse </span>()</span></span></code></pre>
Again, don't do this in production!</p>
If need be, do it on a single HttpWebRequest</code></a>, like the last example, and write some code so that you ignore the expiration part, but leave in place the validation part.</p>
Code on Github</a>!</p>


Be careful with npm shrinkwrap
Kristof — Tue, 17 Nov 2015 08:32:26 +0000
Recently we had the issue that we used version x of an npm package. However in the course of time this package was updated by the author and contained a critical bug, which broke our AWS deployments. Locally this was no issue because we had a version installed that satisfied the version requirements.</p>
In order to prevent issues like this we looked at npm shrinkwrap</a>. This writes a file called npm-shrinkwrap.json</code> which 'freezes' all of the package-versions that are installed in current project.</p>
Now this is dangerous, as we just found out.</p>
The issue is that when an author decides to delete a package from the feed. Delete you ask? Yes, delete, gone, no trace, nothing.</p>
What's the issue you might ask? You'll find it next time?</p>
Not really.</p>
Imagine you're using Elastic Beanstalk, which, based on certain triggers, can spawn a new instance of a server, or delete one.</p>
Now today you release your application to your servers, and you shrinkwrap</code> your packages.</p>
Before you do that, you obviously clear your local npm cache (located in %appdata%\npm-cache</code>), and your local node_modules</code>. Then you do an npm install</code> to verify every package is correctly installed, you do a few test runs, maybe on a local server. Then you package and send it of to AWS.</p>
All runs well, you're happy, and your boss is happy.</p>
Next week, for whatever reason, you get a high load on your servers. Elastic Beanstalk decides to add one more instance.</p>
And then stuff starts to break. You get emails that its health is degraded. Then you get emails that its health severe.</p>
At 2a.m. you open your laptop, and you start looking at the logs. There you find something in the lines of:</p>
npm ERR! Linux 3.14.48-33.39.amzn1.x86_64</span></span>
npm ERR! argv "/usr/bin/iojs" "/usr/bin/npm" "install"</span></span>
npm ERR! node v2.4.0</span></span>
npm ERR! npm  v2.13.0</span></span>
</span>
npm ERR! version not found: node-uuid@1.4.4</span></span>
npm ERR!</span></span>
npm ERR! If you need help, you may report this error at:</span></span>
npm ERR!     <https://github.com/npm/npm/issues></span></span>
</span>
npm ERR! Please include the following file with any support request:</span></span>
npm ERR!     /app/npm-debug.log</span></span></code></pre>
What? You tested locally? What happened?</p>
Okay, you fire up a console window. You make a test dir. You run npm installnode-uuid@1.4.4</code>.</p>
All goes well. Or does it?</p>
Let's look at the output:</p>
C:\__SOURCES>mkdir test</span></span>
</span>
C:\__SOURCES>cd test</span></span>
</span>
C:\__SOURCES\test>npm install node-uuid@1.4.4</span></span>
npm http GET https://registry.npmjs.org/node-uuid/1.4.4</span></span>
npm http 404 https://registry.npmjs.org/node-uuid/1.4.4</span></span>
node-uuid@1.4.4 node_modules\node-uuid</span></span></code></pre>
Notice the 404</code>? I didn't... But it's important!</p>
Now here's what happened: locally I had node-uuid@1.4.4</code> in my cache, so he took that one, even though the package disappeared from the registry.</p>
However: my new instance on Elastic Beanstalk didn't. That's why it failed.</p>
So, solutions:</p>

Be careful when you shrinkwrap</code>. Stuff might break in the future, as authors delete packages</li>
Create a private feed, that you curate</li>
As a package author, don't delete packages. Just don't. Other people might depend on you.</li>
</ul>


DynamoDb & updating objects: it doesn't react like SQL!
Kristof — Wed, 05 Aug 2015 19:34:32 +0000
Today I stumbled upon the following bug:</p>
We had an object with some properties that we wanted to update, but only if a certain property of that object is not set, i.e. it should be null.</p>
{</span></span>
    "Id"</span>: </span>1</span>,</span> // Id is the HashKey</span></span>
}</span></span></code></pre>
In this case we wanted to update the object with Id 1, and set an attribute called Foo</code> to "Bar"</code></p>
To do this I wrote the following Javascript, using the aws-sdk</a>:</p>
function</span> updateObject</span>(</span>id</span>) {</span></span>
    var</span> dynamodb</span> = new</span> AWS</span>.</span>DynamoDB</span>();</span></span>
</span>
    dynamodb.</span>updateItem</span>(</span></span>
        {</span></span>
            Id: id,</span></span>
        },</span></span>
        {</span></span>
            UpdateExpression:</span> "SET Foo = :value"</span>,</span></span>
            ExpressionAttributeValues: {</span></span>
                ":value"</span>:</span> "Bar"</span>,</span></span>
            },</span></span>
            ConditionExpression:</span> "attribute_not_exists(Foo)"</span>,</span></span>
        },</span></span>
        function</span> (</span>error</span>,</span> data</span>) {</span></span>
            if</span> (error) {</span></span>
                // TODO check that the error is a ConditionalCheckFailedException, in</span></span>
                // which case the Condition failed, otherwise something else might be off.</span></span>
                console.</span>log</span>(</span>"Error"</span>);</span></span>
            }</span> else</span> {</span></span>
                console.</span>log</span>(</span>"All good, we've updated the object"</span>);</span></span>
            }</span></span>
        },</span></span>
    );</span></span>
}</span></span></code></pre>
Perfect!</p>
Now assume we have have a range of 1 -> 12 in our table, where half of them already have the Foo</code> attribute, so we should get 50% Error</code>, and 50% All good, ...</code> (which is the case).</p>
However, what do we expect when we update an item with Id 13?</p>
When I, in my mind, which talks (used to) talk SQL when thinging about a database, updating something that is not there, doesn't do anything.</p>
Consider the following table:</p>
CREATE TABLE</span> Test</span>(</span></span>
    Id </span>INT NOT NULL</span>,</span></span>
    Foo </span>NVARCHAR</span>(</span>255</span>) </span>NULL</span></span>
)</span></span></code></pre>
With the following query:</p>
INSERT INTO</span> Test (Id, Foo) </span>VALUES</span> (</span>1</span>, </span>NULL</span>), (</span>2</span>, </span>N'Bar'</span>), (</span>3</span>, </span>NULL</span>)</span></span>
GO</span></span>
</span>
--SELECT * FROM Test</span></span>
--GO</span></span>
</span>
UPDATE</span> Test </span>SET</span> Foo </span>=</span> 'Bar'</span> WHERE</span> Id </span>=</span> 1</span> AND</span> Foo </span>IS NULL</span></span>
IF</span> @@ROWCOUNT </span>=</span> 1</span></span>
BEGIN</span></span>
    SELECT</span> N'1 updated, set Foo to Bar'</span></span>
END</span></span>
ELSE</span></span>
BEGIN</span></span>
    SELECT</span> N'1 not updated, Foo was already set'</span></span>
END</span></span>
GO</span></span>
</span>
--SELECT * FROM Test</span></span>
--GO</span></span>
</span>
UPDATE</span> Test </span>SET</span> Foo </span>=</span> 'Bar'</span> WHERE</span> Id </span>=</span> 2</span> AND</span> Foo </span>IS NULL</span></span>
IF</span> @@ROWCOUNT </span>=</span> 1</span></span>
BEGIN</span></span>
    SELECT</span> N'2 updated, set Foo to Bar'</span></span>
END</span></span>
ELSE</span></span>
BEGIN</span></span>
    SELECT</span> N'2 not updated, Foo was already set'</span></span>
END</span></span>
</span>
--SELECT * FROM Test</span></span>
--GO</span></span>
UPDATE</span> Test </span>SET</span> Foo </span>=</span> 'Bar'</span> WHERE</span> Id </span>=</span> 7</span> AND</span> Foo </span>IS NULL</span> -- 7 Doesn't exist!</span></span>
IF</span> @@ROWCOUNT </span>=</span> 1</span></span>
BEGIN</span></span>
    SELECT</span> N'7 updated, set Foo to Bar'</span></span>
END</span></span>
ELSE</span></span>
BEGIN</span></span>
    SELECT</span> N'7 not updated, because 7 doesn''t exist!'</span></span>
END</span></span></code></pre>
This will print, along with some empty result sets, the following:</p>
1 updated, set Foo to Bar</span></span>
2 not updated, Foo was already set</span></span>
7 not updated, because 7 doesn't exist!</span></span></code></pre>
Now, that knowledge in SQL doesn't apply to DynamoDb.</p>
While testing on some non-existing values we saw that our code passed the testcases perfectly. That's not how it should be.</p>
Let's take a look again at the documentation</a>, this time do actually read the first line:</p>

Edits an existing item's attributes, or adds a new item to the table if it does not already exist</strong>.</p>
</blockquote>
(emphasis mine).</p>



So we need to guard ourselves against updates on non-existing items? How do we do that? Let's extend our ConditionExpression</code>. Start by taking the original code, and change the ConditionExpression</code> as highlighted:</p>
function</span> updateObject</span>(</span>id</span>) {</span></span>
    var</span> dynamodb</span> = new</span> AWS</span>.</span>DynamoDB</span>();</span></span>
</span>
    dynamodb.</span>updateItem</span>(</span></span>
        {</span></span>
            Id: id,</span></span>
        },</span></span>
        {</span></span>
            UpdateExpression:</span> "SET Foo = :value"</span>,</span></span>
            ExpressionAttributeValues: {</span></span>
                ":id"</span>: id,</span></span>
                ":value"</span>:</span> "Bar"</span>,</span></span>
            },</span></span>
            // make sure the object we're updating actually has</span></span>
            // :id as Id, the side-effect of this is that if none of those</span></span>
            // is found, it will throw a ConditionalCheckFailedException</span></span>
            // which is what we want</span></span>
            ConditionExpression:</span> "Id = :id AND attribute_not_exists(Foo)"</span>,</span></span>
        },</span></span>
        function</span> (</span>error</span>,</span> data</span>) {</span></span>
            if</span> (error) {</span></span>
                // TODO check that the error is a ConditionalCheckFailedException, in</span></span>
                // which case the Condition failed, otherwise something else might be off.</span></span>
                console.</span>log</span>(</span>"Error"</span>);</span></span>
            }</span> else</span> {</span></span>
                console.</span>log</span>(</span>"All good, we've updated the object"</span>);</span></span>
            }</span></span>
        },</span></span>
    );</span></span>
}</span></span></code></pre>


AWS & Encryption keys: Revert manually edited policy
Kristof — Sun, 14 Jun 2015 14:04:58 +0000
Since we've been working with AWS we sometimes did stuff that, after looking back on it, wasn't the best approach.</p>
One of those things was manually applying Key Policies on Encryption Keys.</p>
It currently looked like this:</p>



Notice the sentence:</p>

We've detected that the policy document for this key has been manually edited. You may now edit the document directly to make changes to permissions.</p>
</blockquote>
This gives a lot of issues, for example, you cannot view grants anymore through the UI, nor can you easily add & remove Key Administrators. While the API allows you to modify the grants, that wasn't enough for simple changes we'd like to make when testing / operating our products.</p>
Because of the fact that you cannot delete nor reset keys in AWS, you have to find another way.</p>
So I do have another key that shows me the UI I want, where I can modify Key Administrators and Key Usage.</p>
So, what do we do then? We fetch the correct policy from a key that shows the correct UI and see whether we can apply it to our 'broken' key, and see if it works. (Spoiler, it does).</p>
_Should you not have a 'working' key (as described next), and don't want to create a new one for the sake of doing this (you can't delete a key, so I completely understand), click here to scroll down to the correct policy. _</p>
First, let's get the ARN of a working key, just navigate to the Encryption Key section in the IAM Management console</a>, set your region and select your key, and copy the ARN:</p>


    
    Find the ARN</figcaption>
</figure>

So, how do we get that correct policy? Let's use Python with boto3.</p>
First of all we make sure we have an account in</p>
%userprofile%\.aws\credentials</span></span></code></pre>
If you don't please follow the steps here</a>.</p>
Next up is ensuring we have boto3 installed. Fire up a cmd window and execute the following:</p>
pip install boto3</span></span></code></pre>
When that's done, we can open Python, and that key for its policy.</p>
import</span> boto3</span></span>
</span>
kms</span> =</span> boto3.client(</span>"iam"</span>)</span></span>
</span>
policy</span> =</span> kms.get_key_policy(</span>KeyId</span>=</span>"THE ARN YOU JUST GOT FROM A WORKING KEY"</span>,</span> PolicyName</span>=</span>"default"</span>)[</span>"Policy"</span>]</span></span>
</span>
print</span> policy</span></span></code></pre>
2 things here:</p>


Do paste in the correct ARN!</p>
</li>

Why default</code> as policy name? That's the only one they support</a>.</p>
</li>
</ol>
That policy is a JSON string. It's full of \n</code> gibberish, so let's trim that out (in the same window, we reuse that policy</code> variable):</p>
import</span> json</span></span>
</span>
json.dumps(json.loads(policy))</span></span></code></pre>
Which should give you this beautiful JSON document:</p>
'{"Version": "2012-10-17", "Id": "key-consolepolicy-2", "Statement": [{"Action": "kms:*", "Principal": {"AWS": "arn:aws:iam::************:root"}, "Resource": "*", "Effect": "Allow", "Sid": "Enable IAM User Permissions"}, {"Action": ["kms:Describe*", "kms:Put*", "kms:Create*", "kms:Update*", "kms:Enable*", "kms:Revoke*", "kms:List*", "kms:Get*", "kms:Disable*", "kms:Delete*"], "Resource": "*", "Effect": "Allow", "Sid": "Allow access for Key Administrators"}, {"Action": ["kms:DescribeKey", "kms:GenerateDataKey*", "kms:Encrypt", "kms:ReEncrypt*", "kms:Decrypt"], "Resource": "*", "Effect": "Allow", "Sid": "Allow use of the key"}, {"Action": ["kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant"], "Resource": "*", "Effect": "Allow", "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}, "Sid": "Allow attachment of persistent resources"}]}'</span></span></code></pre>
(!) Notice the single quotes in the beginning and the end. You DON'T want those. Also notice that I've removed my Account Id (replaced by asterisks), so if you're just copy pasting, make sure you replace them by your own Account Id, which you can find here</a> (middle, Account Id, 12 digit number).</p>
Now let's go to our broken key again, and in the policy field we paste in our just-retrieved working policy.</p>
Hit the save button, and lo and behold, we revert back to the original UI.</p>
Succes!</p>


Topshelf install, PowerShell and Get-Credentials
Kristof — Thu, 15 Jan 2015 15:10:27 +0000
In the project I'm currently working at we use PowerShell script for configuration and build execution.</p>
This means that if you get a new laptop, or a new member joins the team, or even when you need to change your Windows password, you just need to run the script again and it will set up everything in the correct locations & with the correct credentials.</p>
The credentials were a problem though.</p>
When installing a Topshelf service with the --interactive</code> parameter (we need to install under the current user, not System</code>) it will prompt you for your credentials for each service you want to install. For one, it's fine, for 2, it's already boring, for 3, ... You get the point.</p>
We initially used the following command line to install the services:</p>
.</span> $pathToServiceExe</span> --</span>install </span>--</span>interactive </span>--</span>autostart</span></span></code></pre>
To fix this we will give the $pathToServiceExe</code> the username and password ourselves with the -username</code> and -password</code>. We should also omit the --interactive</code>.</p>
First gotcha here: When reading the documentation</a>, it says one must specify the commands in this format:</p>
.</span> $pathToServiceExe</span> --</span>install </span>--</span>autostart </span>-</span>username:username </span>-</span>password:password</span></span></code></pre>
However, this is not the case. You mustn't separate the command line argument and the value with a :</code>.</p>
Now, we don't want to hardcode the username & password file in the setup script.</p>
So let's get the credentials of the current user:</p>
$credentialsOfCurrentUser</span> =</span> Get-Credential</span> -</span>Message </span>"Please enter your username & password for the service installs"</span></span></code></pre>
Next up we should extract the username & password of the $credentialsOfCurrentUser</code> variable, as we need it in clear-text (potential security risk!).</p>
One can do this in 2 ways, either by getting the NetworkCredential</code> from the PSCredential</code> with GetNetworkCredential()</code>:</p>
$networkCredentials</span> =</span> $credentialsOfCurrentUser.GetNetworkCredential();</span></span>
$username</span> =</span> (</span>"{0}\{1}"</span>)</span> -f</span> $networkCredentials.Domain</span>,</span> $networkCredentials.UserName</span> # change this if you want the user@domain syntax, it will then have an empty Domain and everything will be in UserName.</span></span>
$password</span> =</span> $networkCredentials.Password</span></span></code></pre>
Notice the $username</code> caveat.</p>
Or, by not converting it to a NetworkCredential</code>:</p>
# notice the UserName contains the Domain AND the UserName, no need to extract it separately</span></span>
$username</span> =</span> $credentialsOfCurrentUser.UserName</span></span>
</span>
# little more for the password</span></span>
$BSTR</span> =</span> [</span>System.Runtime.InteropServices.Marshal</span>]::SecureStringToBSTR($credentialsOfCurrentUser.Password)</span></span>
$password</span> =</span> [</span>System.Runtime.InteropServices.Marshal</span>]::PtrToStringAuto($BSTR)</span></span></code></pre>
Notice the extra code to retrieve the $password</code> in plain-text.</p>
I would recommend combining both, using the NetworkCredential</code> for the $password</code>, but the regular PSCredential</code> for the $username</code> as then you're not dependent on how your user enters his username.</p>
So the best version is:</p>
$credentialsOfCurrentUser</span> =</span> Get-Credential</span> -</span>Message </span>"Please enter your username & password for the service installs"</span></span>
$networkCredentials</span> =</span> $credentialsOfCurrentUser.GetNetworkCredential();</span></span>
$username</span> =</span> $credentialsOfCurrentUser.UserName</span></span>
$password</span> =</span> $networkCredentials.Password</span></span></code></pre>
Now that we have those variables we can pass them on to the install of the Topshelf exe:</p>
.</span> $pathToServiceExe install </span>-</span>username </span>`"</span>$username</span>`"</span> -</span>password </span>`"</span>$password</span>`"</span> --</span>autostart</span></span></code></pre>
Notice the backticks (`) to ensure the double quotes are escaped.</p>
In this way you can install all your services and only prompt your user for his credentials once!</p>


When frameworks try to be smart, AngularJS & Expressions
Kristof — Fri, 28 Nov 2014 09:40:41 +0000
One of my colleagues just discovered this bug/feature in AngularJS. Using an ngIf</a> on a string "no"</code> will result in false</code>.</p>
HTML:</p>
<</span>div</span> ng-app</span>></span></span>
    <</span>div</span> ng-controller</span>=</span>"yesNoController"</span>></span></span>
        <</span>div</span> ng-if</span>=</span>"yes"</span>>Yes is defined, will display</</span>div</span>></span></span>
        <</span>div</span> ng-if</span>=</span>"no"</span>>No is defined, but will not display on Angular 1.2.1</</span>div</span>></span></span>
        <</span>div</span> ng-if</span>=</span>"notDefined"</span>>Not defined, will not display</</span>div</span>></span></span>
    </</span>div</span>></span></span>
</</span>div</span>></span></span></code></pre>
JavaScript:</p>
function</span> yesNoController</span>(</span>$scope</span>) {</span></span>
    $scope.yes</span> =</span> "yes"</span>;</span></span>
    $scope.no</span> =</span> "no"</span>;</span></span>
    $scope.notDefined</span> =</span> undefined</span>;</span></span>
}</span></span></code></pre>
Will print:</p>
Yes is defined, will display</span></span></code></pre>
Let's read the documentation on expression</a>, to see where this case is covered.</p>
.</p>
.</p>
.</p>
.</p>
Can you find it?</p>
Neither can I.</p>
Fix?</p>
Use the double bang:</p>
// ...</span></span>
<div ng-if="!!no">No is defined, but we need to add a double bang for it to parse correctly</div></span></span>
// ...</span></span></code></pre>
JSFiddle can be found here</a>.</p>
For those who care, it's not a JS thing:</p>
// execute this line in a console</span></span>
alert("no" ? "no evaluated as true" : "no evaluated as false"); // will alert "no evaluated as true"</span></span></code></pre>


Enabling dynamic compression (gzip) for WebAPI and IIS
Kristof — Mon, 27 Oct 2014 18:43:08 +0000
A lot of code on the internet refers to writing custom ActionFilters, or even HttpHandlers that will compress your return payload for you.</p>
For example, see this package</a> (which with its name implies that it is Microsoft, but then says it's not Microsoft).</p>
At the moment of writing the above-linked package even throws an error when you return a 200 OK without a body...</p>
But in the end, it's very simple to enable compression on your IIS server without writing a single line of code:</p>
You first need to install the IIS Dynamic Content Compression module:</p>



Or, if you're a command line guy, execute the following command in an elevated CMD:</p>
dism /online /Enable-Feature /FeatureName:IIS-HttpCompressionDynamic</span></span></code></pre>
Next up you need to enable the Dynamic Content Compression to compress</p>
application/json</span></span></code></pre>
and</p>
application/json; charset=utf-8</span></span></code></pre>
To do this, execute the following commands in an elevated CMD:</p>
cd c:\Windows\System32\inetsrv</span></span>
</span>
appcmd.exe set config -section:system.webServer/httpCompression /+"dynamicTypes.[mimeType='application/json',enabled='True']" /commit:apphost</span></span>
appcmd.exe set config -section:system.webServer/httpCompression /+"dynamicTypes.[mimeType='application/json; charset=utf-8',enabled='True']" /commit:apphost</span></span>
</span>
</span>
This adds the 2 mimetypes to the list of types the module is allowed to compress. Validate that they are added with this command:</span></span>
</span>
</span></code></pre>
appcmd.exe list config -section:system.webServer/httpCompression</p>
</span>
Validate that the 2 mimetypes are there and enabled:</span></span>
</span>
</span>
<img</span></span>
    src="&#x2F;enabling-dynamic-compression-gzip-for-webapi-and-iis&#x2F;/cmd.png"</span></span>
    /></span></span>
</span>
</span>
</span>
And lastly, you'll probably need to restart the Windows Process Activation Service.</span></span>
</span>
Best is to do this through the UI because I have yet to find a way in CMD to restart a service (can't seem to start services that are dependent on the one we just started).</span></span>
</span>
In services.msc you'll need to search for Windows Process Activation Service. Restart it.</span></span>
</span>
</span>
<img</span></span>
    src="&#x2F;enabling-dynamic-compression-gzip-for-webapi-and-iis&#x2F;/wpas.png"</span></span>
    /></span></span>
</span>
</span>
</span>
Obviously there are more settings available, take a look at the [httpCompression Element](http://msdn.microsoft.com/en-us/library/ms690689.aspx) settings page.</span></span>
</span>
I recommend reading about 2 at least:</span></span>
* dynamicCompressionDisableCpuUsage</span></span>
* noCompressionForProxies</span></span>
</span>
</span>
Good luck,</span></span>
</span>
-Kristof</span></span></code></pre>


Update on handedness (menu location)
Kristof — Sat, 02 Aug 2014 14:30:20 +0000
A while back I wrote how to change the handedness</a> (which seems to be the correct term, instead of the dreadful 'Menu on the wrong side with a touch screen').</p>
I got a machine in my hands which exhibited the previously mentioned problem. However Tablet PC Settings weren't installed, so we couldn't open the tab.</p>
After searching the bowels of the internet I found the following shell shortcut:</p>
shell:::{80F3F1D5-FECA-45F3-BC32-752C152E456E}</span></span></code></pre>
Putting this in Winkey+R, or in the Windows 7/8(.1) search box will open the Tablet PC Settings, and if you don't have a touch screen, will default to the Other tab, where you can change the handedness of your menus!</p>



Have a good one,</p>
-Kristof</p>


The impact of SqlDataReader.GetOrdinal on performance
Kristof — Sun, 25 May 2014 11:56:53 +0000
I recently had a discussion 
 </span>         </span> </span>  mapObject</code> 
                           </span>                              And without GetOrdin 
                             With GetOrdinal</code>

And without:</p>

As you can see the 
 GetOrdinal</code> </blockquote> 
So do watch out that case.</p> 
PS: the project itself 
  Menu on the wrong Kristof — Thu,

about the impact of SqlDataReader.GetOrdinal</code></a> on execution of a SqlClient.SqlCommand</code></a>. I then decided to run some code to measure the difference, because I think that's the only way to get a decent opinion. This is the code that I've used to run a certain query 1000 times:</p> data-lang="csharp">private void</span> InvokeQuery</span>(</span>Action mapObject</span>)</span></span> {</span></span> class="z-entity z-name">    Stopwatch stopwatch</span> =</span> Stopwatch.</span>StartNew</span>();</span></span> class="z-keyword">    for</span> (</span>int</span> i</span> =</span> 0</span>; i</span> <</span> Iterations; i</span>++</span>)</span></span> {</span></span> class="z-keyword">        using</span> (</span>var</span> sqlCommand</span> = new</span> SqlCommand</span>(</span>this</span>._query,</span> this</span>._sqlConnection))</span></span> {</span></span> class="z-keyword">            using</span> (</span>SqlDataReader sqlDataReader</span> =</span> sqlCommand.</span>ExecuteReader</span>())</span></span> {</span></span> class="z-keyword">                while</span> (sqlDataReader.</span>NextResult</span>())</span></span> {</span></span> class="z-entity z-name">                    mapObject</span>(sqlDataReader);</span></span> }</span></span> }</span></span> }</span></span> }</span></span> class="z-variable z-other">    stopwatch.</span>Stop</span>();</span></span> class="z-variable z-other">    Debug.</span>WriteLine</span>(</span>"Running {0} queries took {1} milliseconds!"</span>, Iterations, stopwatch.ElapsedMilliseconds);</span></span> }</span></span></code></pre> uses either directly the ordinal, or fetches the ordinal based on the column name. Also, I moved everything inside of the for</code> loop to ensure nothing could be reused between queries. Here are the mapObject</code> Action</code></a>s, with GetOrdinal</code>:</p> data-lang="plain">Action<SqlDataReader> = sqlDataReader =></span></span> {</span></span> int salesOrderID = sqlDataReader.GetOrdinal("SalesOrderID");</span></span> int revisionNumber = sqlDataReader.GetOrdinal("RevisionNumber");</span></span> int orderDate = sqlDataReader.GetOrdinal("OrderDate");</span></span> int dueDate = sqlDataReader.GetOrdinal("DueDate");</span></span> int shipDate = sqlDataReader.GetOrdinal("ShipDate");</span></span> int status = sqlDataReader.GetOrdinal("Status");</span></span> int onlineOrderFlag = sqlDataReader.GetOrdinal("OnlineOrderFlag");</span></span> int salesOrderNumber = sqlDataReader.GetOrdinal("SalesOrderNumber");</span></span> int purchaseOrderNumber = sqlDataReader.GetOrdinal("PurchaseOrderNumber");</span></span> int accountNumber = sqlDataReader.GetOrdinal("AccountNumber");</span></span> int customerID = sqlDataReader.GetOrdinal("CustomerID");</span></span> int salesPersonID = sqlDataReader.GetOrdinal("SalesPersonID");</span></span> int territoryID = sqlDataReader.GetOrdinal("TerritoryID");</span></span> int billToAddressID = sqlDataReader.GetOrdinal("BillToAddressID");</span></span> int shipToAddressID = sqlDataReader.GetOrdinal("ShipToAddressID");</span></span> int shipMethodID = sqlDataReader.GetOrdinal("ShipMethodID");</span></span> int creditCardID = sqlDataReader.GetOrdinal("CreditCardID");</span></span> int creditCardApprovalCode = sqlDataReader.GetOrdinal("CreditCardApprovalCode");</span></span> int currencyRateID = sqlDataReader.GetOrdinal("CurrencyRateID");</span></span> int subTotal = sqlDataReader.GetOrdinal("SubTotal");</span></span> int taxAmt = sqlDataReader.GetOrdinal("TaxAmt");</span></span> int freight = sqlDataReader.GetOrdinal("Freight");</span></span> int totalDue = sqlDataReader.GetOrdinal("TotalDue");</span></span> int comment = sqlDataReader.GetOrdinal("Comment");</span></span> int rowguid = sqlDataReader.GetOrdinal("rowguid");</span></span> int modifiedDate = sqlDataReader.GetOrdinal("ModifiedDate");</span></span> var temp = new SalesOrderHeader(</span></span> salesOrderID: sqlDataReader.GetInt32(salesOrderID),</span></span> revisionNumber: sqlDataReader.GetInt16(revisionNumber),</span></span> orderDate: sqlDataReader.GetDateTime(orderDate),</span></span> dueDate: sqlDataReader.GetDateTime(dueDate),</span></span> shipDate: sqlDataReader.GetDateTime(shipDate),</span></span> status: sqlDataReader.GetInt16(status),</span></span> onlineOrderFlag: sqlDataReader.GetBoolean(onlineOrderFlag),</span></span> salesOrderNumber: sqlDataReader.GetString(salesOrderNumber),</span></span> purchaseOrderNumber: sqlDataReader.GetString(purchaseOrderNumber),</span></span> accountNumber: sqlDataReader.GetString(accountNumber),</span></span> customerID: sqlDataReader.GetInt32(customerID),</span></span> salesPersonID: sqlDataReader.GetInt32(salesPersonID),</span></span> territoryID: sqlDataReader.GetInt32(territoryID),</span></span> billToAddressID: sqlDataReader.GetInt32(billToAddressID),</span></span> shipToAddressID: sqlDataReader.GetInt32(shipToAddressID),</span></span> shipMethodID: sqlDataReader.GetInt32(shipMethodID),</span></span> creditCardID: sqlDataReader.GetInt32(creditCardID),</span></span> creditCardApprovalCode: sqlDataReader.GetString(creditCardApprovalCode),</span></span> currencyRateID: sqlDataReader.GetInt32(currencyRateID),</span></span> subTotal: sqlDataReader.GetDecimal(subTotal),</span></span> taxAmt: sqlDataReader.GetDecimal(taxAmt),</span></span> freight: sqlDataReader.GetDecimal(freight),</span></span> totalDue: sqlDataReader.GetDecimal(totalDue),</span></span> comment: sqlDataReader.GetString(comment),</span></span> rowguid: sqlDataReader.GetGuid(rowguid),</span></span> modifiedDate: sqlDataReader.GetDateTime(modifiedDate)</span></span> );</span></span> };</span></span></code></pre> al</code>:</p> data-lang="plain">Action<SqlDataReader> mapSalesOrderHeader = sqlDataReader =></span></span> {</span></span> new SalesOrderHeader(</span></span> salesOrderID: sqlDataReader.GetInt32(0),</span></span> revisionNumber: sqlDataReader.GetInt16(1),</span></span> orderDate: sqlDataReader.GetDateTime(2),</span></span> dueDate: sqlDataReader.GetDateTime(3),</span></span> shipDate: sqlDataReader.GetDateTime(4),</span></span> status: sqlDataReader.GetInt16(5),</span></span> onlineOrderFlag: sqlDataReader.GetBoolean(6),</span></span> salesOrderNumber: sqlDataReader.GetString(7),</span></span> purchaseOrderNumber: sqlDataReader.GetString(8),</span></span> accountNumber: sqlDataReader.GetString(9),</span></span> customerID: sqlDataReader.GetInt32(10),</span></span> salesPersonID: sqlDataReader.GetInt32(11),</span></span> territoryID: sqlDataReader.GetInt32(12),</span></span> billToAddressID: sqlDataReader.GetInt32(13),</span></span> shipToAddressID: sqlDataReader.GetInt32(14),</span></span> shipMethodID: sqlDataReader.GetInt32(15),</span></span> creditCardID: sqlDataReader.GetInt32(16),</span></span> creditCardApprovalCode: sqlDataReader.GetString(17),</span></span> currencyRateID: sqlDataReader.GetInt32(18),</span></span> subTotal: sqlDataReader.GetDecimal(19),</span></span> taxAmt: sqlDataReader.GetDecimal(20),</span></span> freight: sqlDataReader.GetDecimal(21),</span></span> totalDue: sqlDataReader.GetDecimal(22),</span></span> comment: sqlDataReader.GetString(23),</span></span> rowguid: sqlDataReader.GetGuid(24),</span></span> modifiedDate: sqlDataReader.GetDateTime(25));</span></span> };</span></span></code></pre> the results are:</p> performance difference is so low that I honestly don't think you should sacrifice the readability and maintainability of your code vs a mere 82 milliseconds on a 1000 queries. Readability speaks for itself, you don't talk with int</code>s anymore, and for maintainability, consider the following: If your query column(s) change and you forget to update your code, GetOrdinal</code> will throw an IndexOutOfRangeException</a>, instead of maybe</strong> get an InvalidCastException</a> or, if you're really unlucky, another column and then broken code behavior... One sidenote</a> to add:</p> performs a case-sensitive lookup first. If it fails, a second, case-insensitive search occurs (a case-insensitive comparison is done using the database collation). Unexpected results can occur when comparisons are affected by culture-specific casing rules. For example, in Turkish, the following example yields the wrong results because the file system in Turkish does not use linguistic casing rules for the letter 'i' in "file". The method throws an IndexOutOfRange</code> exception if the zero-based column ordinal is not found.</p> is hosted on GitHub, you can find it here</a>!</p> side with a touch screen?
 15 May 2014 19:21:52 +0000
When you're reading this you probably have a touch screen.</p>
So, I never use my touch screen. Almost never. But I did notice that by default my menus in Windows (from a menu bar, not a ribbon) appear (when possible) on the right side of the clicked menu item.</p>
Like this:</p>



Goosebumps. Something is off. It took me a while to realize this,</p>
The menu expanded to the left!</strong></p>
So, what is this. I can't remember what exactly I searched for, but the change you need to make is in Tablet PC Settings</strong>.</p>
When your menus are expanded to the left you'll see something like this:</p>



This is different from the default that I've been used to since I've been using Windows 95.</p>
Change it to 'Left-handed':</p>



Hit apply, and restart any offending programs, open a menu and enjoy:</p>



I can rest easy again...</p>


TransactionScope & SqlConnection not rolling back? Here's why...
Kristof — Tue, 22 Apr 2014 16:39:29 +0000
A while back we ran into an issue with one of our projects where we executed a erroneous query (missing DELETE statement), and then left the database in an inconsistent state.</p>
Which is weird, considering the fact that we use a TransactionScope</code></a>.</p>
After some digging around I found the behavior I wanted, and how to write it in correct C#.</p>
Allow me to elaborate.</p>
Consider a database with 3 tables:</p>
T2 --> T1 <-- T3</span></span></code></pre>
Where both T2</code> and T3</code> link to an entity in T1</code>, thus we cannot delete lines from T1</code> that are still referenced in T2</code> or T3</code>.</p>
I jumped to C# and started playing with some code, and discovered the following (mind you, each piece of code is actually supposed to throw an exception and abort):</p>
This doesn't use a TransactionScope</code>, thus leaving the database in an inconsistent state:</p>
using</span> (</span>var</span> sqlConnection</span> = new</span> SqlConnection</span>(ConnectionString))</span></span>
{</span></span>
    sqlConnection.</span>Open</span>();</span></span>
</span>
    using</span> (</span>SqlCommand sqlCommand</span> =</span> sqlConnection.</span>CreateCommand</span>())</span></span>
    {</span></span>
        sqlCommand.CommandText</span> =</span> "USE [TransactionScopeTests]; DELETE FROM T3; DELETE FROM T1;"</span>;</span></span>
        // DELETE FROM T1 will cause violation of integrity, because rows from T2 are still using rows from T1.</span></span>
</span>
        sqlCommand.</span>ExecuteNonQuery</span>();</span></span>
    }</span></span>
}</span></span></code></pre>
Now I wanted to wrap this in a TransactionScope, so I tried this:</p>
using</span> (</span>var</span> sqlConnection</span> = new</span> SqlConnection</span>(ConnectionString))</span></span>
{</span></span>
    sqlConnection.</span>Open</span>();</span></span>
</span>
    using</span> (</span>var</span> transactionScope</span> = new</span> TransactionScope</span>())</span></span>
    {</span></span>
        using</span> (</span>SqlCommand sqlCommand</span> =</span> sqlConnection.</span>CreateCommand</span>())</span></span>
        {</span></span>
            sqlCommand.CommandText</span> =</span> "USE [TransactionScopeTests]; DELETE FROM T3; DELETE FROM T1;"</span>;</span></span>
</span>
            sqlCommand.</span>ExecuteNonQuery</span>();</span></span>
        }</span></span>
</span>
        transactionScope.</span>Complete</span>();</span></span>
    }</span></span>
}</span></span></code></pre>
Well guess what, this essentially fixes nothing. The database, upon completion of the ExecuteNonQuery()</code> is left in the same inconsistent state. T3</code> was empty, which shouldn't happen since the delete from T1</code> failed.</p>
So what is the correct behavior?</p>
Well, it doesn't matter whether you create the TransactionScope</code> or the SqlConnection</code> first, as long as you Open()</code> the SqlConnection</code> inside of the TransactionScope</code></strong>:</p>
using</span> (</span>var</span> transactionScope</span> = new</span> TransactionScope</span>())</span></span>
{</span></span>
    using</span> (</span>var</span> sqlConnection</span> = new</span> SqlConnection</span>(ConnectionString))</span></span>
    {</span></span>
        sqlConnection.</span>Open</span>();</span></span>
</span>
        using</span> (</span>SqlCommand sqlCommand</span> =</span> sqlConnection.</span>CreateCommand</span>())</span></span>
        {</span></span>
            sqlCommand.CommandText</span> =</span> "USE [TransactionScopeTests]; DELETE FROM T3; DELETE FROM T1;"</span>;</span></span>
</span>
            sqlCommand.</span>ExecuteNonQuery</span>();</span></span>
        }</span></span>
</span>
        transactionScope.</span>Complete</span>();</span></span>
    }</span></span>
}</span></span></code></pre>
Or the inverse (swapping the declaration of the TransactionScope</code> and SqlConnection</code>):</p>
using</span> (</span>var</span> sqlConnection</span> = new</span> SqlConnection</span>(ConnectionString))</span></span>
{</span></span>
    using</span> (</span>var</span> transactionScope</span> = new</span> TransactionScope</span>())</span></span>
    {</span></span>
        sqlConnection.</span>Open</span>();</span></span>
</span>
        using</span> (</span>SqlCommand sqlCommand</span> =</span> sqlConnection.</span>CreateCommand</span>())</span></span>
        {</span></span>
            sqlCommand.CommandText</span> =</span> "USE [TransactionScopeTests]; DELETE FROM T3; DELETE FROM T1;"</span>;</span></span>
</span>
            sqlCommand.</span>ExecuteNonQuery</span>();</span></span>
        }</span></span>
</span>
        transactionScope.</span>Complete</span>();</span></span>
    }</span></span>
}</span></span></code></pre>
I wrote the test cases on a project on GitHub which you can download, compile and run as Tests for yourself!</p>
https://github.com/kristof-mattei/transaction-scope</a></p>
Have a good one,</p>
-Kristof</p>


About a dictionary, removing and adding items, and their order.
Kristof — Tue, 04 Mar 2014 20:52:00 +0000
I had a weird problem today using a Dictionary</a>. The process involved removing and adding data, and then printing the data. I assumed that it was ordered. I was wrong! Let me show you:</p>
var</span> dictionary</span> = new</span> Dictionary</span><</span>int</span>,</span> string</span>>();</span></span>
</span>
dictionary.</span>Add</span>(</span>5</span>,</span> "The"</span>);</span></span>
dictionary.</span>Add</span>(</span>7</span>,</span> "quick"</span>);</span></span>
dictionary.</span>Add</span>(</span>31</span>,</span> "brown"</span>);</span></span>
dictionary.</span>Add</span>(</span>145</span>,</span> "fox"</span>);</span></span>
</span>
dictionary.</span>Remove</span>(</span>7</span>);</span> // remove the "quick" entry</span></span></code></pre>
After a while I added another line to the dictionary:</p>
dictionary.</span>Add</span>(</span>423</span>,</span> "jumps"</span>);</span></span></code></pre>
While printing this data I discovered an oddity.</p>
dictionary</span></span>
    .</span>ToList</span>()</span></span>
    .</span>ForEach</span>(</span>e</span> =></span> Console.</span>WriteLine</span>(</span>"{0} => {1}"</span>, e.Key, e.Value));</span></span></code></pre>
What do you expect the output of this to be?</p>
5</span> =</span>></span> The</span></span>
31</span> =</span>></span> brown</span></span>
145</span> =</span>></span> fox</span></span>
423</span> =</span>></span> jumps</span></span></code></pre>
However the actual result was this:</p>
5</span> =</span>></span> The</span></span>
423</span> =</span>></span> jumps</span></span>
31</span> =</span>></span> brown</span></span>
145</span> =</span>></span> fox</span></span></code></pre>
The documentation</a> tells us the following:</p>
For purposes of enumeration, each item in the dictionary is treated as a KeyValuePair structure representing a value and its key. The order in which the items are returned is undefined.</blockquote>
Interested in the actual behavior I looked at the source code of Dictionary here</a>.</p>
If you look closely, first at Remove</code></a> and then to Add</code></a> (and subsequently Insert</code></a>) you can see that when you remove an item it holds a reference (in freelist</code></a>) to the free 'entry'.</p>
What's more weird is the behavior when you delete 2 entries, and then add 2 others:</p>
var</span> dictionary</span> = new</span> Dictionary</span><</span>int</span>,</span> string</span>>();</span></span>
</span>
dictionary.</span>Add</span>(</span>5</span>,</span> "The"</span>);</span></span>
dictionary.</span>Add</span>(</span>7</span>,</span> "quick"</span>);</span></span>
dictionary.</span>Add</span>(</span>31</span>,</span> "brown"</span>);</span></span>
dictionary.</span>Add</span>(</span>145</span>,</span> "fox"</span>);</span></span>
</span>
dictionary.</span>Remove</span>(</span>7</span>);</span> // remove the "quick" entry</span></span>
dictionary.</span>Remove</span>(</span>31</span>);</span> // also remove the "brown" entry</span></span>
</span>
dictionary.</span>Add</span>(</span>423</span>,</span> "jumps"</span>);</span></span>
dictionary.</span>Add</span>(</span>534</span>,</span> "high"</span>);</span></span>
</span>
dictionary</span></span>
    .</span>ToList</span>()</span></span>
    .</span>ForEach</span>(</span>e</span> =></span> Console.</span>WriteLine</span>(</span>"{0} => {1}"</span>, e.Key, e.Value));</span></span></code></pre>
Which yields:</p>
5</span> =</span>></span> The</span></span>
534</span> =</span>></span> high</span></span>
423</span> =</span>></span> jumps</span></span>
145</span> =</span>></span> fox</span></span></code></pre>
But for that you'll need to look at line 340</a> and further!</p>
So what have we learned? It's not ordered until MSDN tells you!</p>
Have a good one!</p>


Default values and overloads are not the same!
Kristof — Mon, 13 Jan 2014 20:39:02 +0000
Consider the following class of the Awesome(r) library, using default parameters.</p>
public class</span> Foo</span></span>
{</span></span>
    public void</span> DoCall</span>(</span>int</span> timeout</span> =</span> 10</span>)</span></span>
    {</span></span>
        /* awesome implementation goes here */</span></span>
    }</span></span>
}</span></span></code></pre>
You get the dll and that class & function in your code, like this:</p>
Foo foo</span> = new</span> Foo</span>();</span></span>
</span>
foo.</span>DoCall</span>();</span></span></code></pre>
Can't get much easier than this right?</p>
Then the Awesome(r) library gets updated:</p>
public class</span> Foo</span></span>
{</span></span>
    public void</span> DoCall</span>(</span>int</span> timeout</span> =</span> 20</span>)</span></span>
    {</span></span>
        /* awesome implementation goes here */</span></span>
    }</span></span>
}</span></span></code></pre>
Notice that the default value has changed. You assume that when you just overwrite the dll in production, you will adopt the new behavior.</p>
Nop. You need to recompile. Let me show you: the problem with default values is that the developer of Awesome(r) library is no longer in control of it.</p>
Let's take a look at an excerpt of the IL where we create a new Foo</code> and call</strong> DoCall</code> without specifying timeout</code>:</p>
IL_0000</span>:  newobj     instance</span> void</span> AwesomeLibrary.Foo</span>::</span>.</span>ctor</span>()</span></span>
IL_0005</span>:  stloc.</span>0</span></span>
IL_0006</span>:  ldloc.</span>0</span></span>
IL_0007</span>:  ldc.i4.s</span>   10</span></span>
IL_0009</span>:  callvirt   instance</span> void</span> AwesomeLibrary.Foo</span>::</span>DoCall</span>(int32)</span></span>
IL_000e</span>:  ret</span></span></code></pre>
This is a release build.</p>
Notice how on line 4 value 10 gets pushed on the the stack, and the next line calls the DoCall</code>.</p>
This is a big danger in public APIs, and this is why the developer of Awesome(r) library should have used an overload instead of a default parameter:</p>
public class</span> Foo</span></span>
{</span></span>
    public void</span> DoCall</span>()</span></span>
    {</span></span>
        this</span>.</span>DoCall</span>(</span>20</span>);</span></span>
    }</span></span>
</span>
    public void</span> DoCall</span>(</span>int</span> timeout</span>)</span></span>
    {</span></span>
        /* awesome implementation goes here */</span></span>
    }</span></span>
}</span></span></code></pre>
This ensures that when a new version of Awesome(r) library is released AND that if that release is backwards API compatible, it can just be dropped in, without you having to recompile your whole codebase (but you should still test it :P )</p>


Make sure unattended.xml is not encrypted!
Kristof — Thu, 12 Sep 2013 16:16:20 +0000
I was playing around with Sysprep using unattended.xml</code> when I hit a weird issue with VirtualBox and Encrypted folders on the host.</p>
Setup:</p>

unattended.xml</code> on the host, encrypted (with Windows EFS).</li>
Virtual Machine, hosted in VirtualBox</li>
</ul>
I mounted the folder with unattended.xml</code> (and other files) inside the VirtualBox and started sysprep (sysprep+shutdown.cmd</code> just executes the sysprep with the unattended.xml</code> from the location and copies a SetupComplete.cmd</code> to c:\Windows\Scripts</code>).</p>


    
    Windows Setup encountered an internal error while loading or searching for an unattended answer file.</figcaption>
</figure>

When booting the VM I got the following error:</p>



To investigate the error I hit up Shift+F10 and checked c:\Windows\Panther\setuperr.log</code>, which had the following error:</p>

[setup.exe] UnattendSearchExplicitPath: Found unattend file at [C:\Windows\Panther\unattend.xml] but unable to deserialize it; status = 0x80070005, hrResult = 0x0.</p>
</blockquote>
Googling for the error string didn't help. Googling for the error code did help. It meant Access Denied</a>. Now what could it be. I had a suspicion that it was the encryption. Let's find out:</p>
By using the command</p>
cipher /s:c:\Windows\Panther</span></span></code></pre>
I saw this:</p>



Notice the E</code>, which means, Encrypted.</p>
Executing</p>
notepad c:\Windows\Panther\unattended.xml</span></span></code></pre>
confirmed my suspicion:</p>



After removing the file with a Windows disk BEFORE the first boot (afterwards it doesn't work it seems) the boot went fine, I sysprepped it again (with a non-encrypted unattended.xml) and all went fine.</p>
So make sure you don't copy unattended.xml</code> to a machine that is encrypted. The your personal encryption keys don't transfer to the new system.</p>


C# 5.0 spec is available online now!
Kristof — Sat, 15 Jun 2013 16:25:51 +0000
A few posts ago I blogged about C# 5.0 and foreach</a>. I mentioned a part of the docs, but those weren't online yet!</p>
They are now!</p>
http://www.microsoft.com/en-us/download/confirmation.aspx?id=7029</a></p>
Enjoy & have a good one,</p>
-Kristof</p>


When using an enum in PowerShell, use the member's name, not the member's value
Kristof — Tue, 23 Apr 2013 12:57:32 +0000
Consider the following enum in C#:</p>
enum</span> State</span></span>
{</span></span>
    Started</span>,</span></span>
    Stopped</span>,</span></span>
    Unknown</span></span>
}</span></span></code></pre>
Note that I have not added an explicit value for the enum members. They will be generated by the compiler. As stated in the C# spec:</p>

... its associated value is set implicitly, as follows:</p>
</blockquote>

If the enum member is the first enum member declared in the enum type, its associated value is zero.</li>
Otherwise, the associated value of the enum member is obtained by increasing the associated value of the textually preceding enum member by one. This increased value must be within the range of values that can be represented by the underlying type, otherwise a compile-time error occurs.</li>
</ul>
Found at http://www.microsoft.com/en-us/download/details.aspx?id=7029</a>, page 400-401 (I can't find the version for 4.5 though...).</p>
Now what are the consequences of this? Consider the following piece of PowerShell:</p>
$result</span> =</span> $serviceController.GetServiceStatus()</span></span>
if</span>($result</span> -eq</span> 1</span>)</span></span>
{</span></span>
    MyLib.StartService()</span></span>
}</span></span></code></pre>
This will work, because PowerShell implicitly converts the int to the actual enum member.</p>
However since we are assuming the value can go wrong. In the next version you add extra values, say for example to represent a starting/stopping service:</p>
enum</span> State</span></span>
{</span></span>
    Starting</span>,</span></span>
    Started</span>,</span></span>
    Stopping</span>,</span></span>
    Stopped</span>,</span></span>
    Unknown</span></span>
}</span></span></code></pre>
Since now all the values are shifted when you run your PowerShell again you start the service when it's already started ;) .</p>
Solution?</p>
First of all (as a consumer), use the enum's member name instead of its value:</p>
$result</span> =</span> $serviceController.GetServiceStatus()</span></span>
if</span>($result</span> -eq</span> [</span>MyLib.State</span>]::Stopped)</span></span>
{</span></span>
    MyLib.StartService()</span></span>
}</span></span></code></pre>
This will ensure that you get the value for Started, not for anything else.</p>
As a developer of a library you should ensure that you never mess up the order of an enum, by adding new values as last, or (prefered) set the value yourself:</p>
enum</span> State</span></span>
{</span></span>
    Started</span> =</span> 0</span>,</span></span>
    Stopped</span> =</span> 1</span>,</span></span>
    Unknown</span> =</span> 2</span>,</span></span>
}</span></span></code></pre>
Becomes:</p>
enum</span> State</span></span>
{</span></span>
    Starting</span> =</span> 3</span>,</span></span>
    Started</span> =</span> 0</span>,</span></span>
    Stopping</span> =</span> 4</span>,</span></span>
    Stopped</span> =</span> 1</span>,</span></span>
    Unknown</span> =</span> 2</span>,</span></span>
}</span></span></code></pre>
And now you can also perfectly reorder them so the numbers are sequential:</p>
enum</span> State</span></span>
{</span></span>
    Started</span> =</span> 0</span>,</span></span>
    Stopped</span> =</span> 1</span>,</span></span>
    Unknown</span> =</span> 2</span>,</span></span>
    Starting</span> =</span> 3</span>,</span></span>
    Stopping</span> =</span> 4</span>,</span></span>
}</span></span></code></pre>

Kristof's blog

Tokio: receive variable-sized data from a UdpSocket

Ubuntu 24.04: disable systemd-resolved's stub listener

You cannot disable rDNS (IPv6) nameservers with netplan

Last try</h3> Eventually I ended up setting it manually in the networkd configuration:</p>

Wrapping up</h3> I removed the config for netplan. That way it cannot overwrite the network configuration that I edited.</p> -Kristof</p>

How to use Wireguard without Masquarade

Conclusion</h3> We now can track individual Wireguard clients on our network.</p>

.NET: Disabling SSL Certificate validation

Be careful with npm shrinkwrap

DynamoDb & updating objects: it doesn't react like SQL!

AWS & Encryption keys: Revert manually edited policy

Topshelf install, PowerShell and Get-Credentials

When frameworks try to be smart, AngularJS & Expressions

Enabling dynamic compression (gzip) for WebAPI and IIS

Update on handedness (menu location)

The impact of SqlDataReader.GetOrdinal on performance

TransactionScope & SqlConnection not rolling back? Here's why...

About a dictionary, removing and adding items, and their order.

Default values and overloads are not the same!

Make sure unattended.xml is not encrypted!

C# 5.0 spec is available online now!

When using an enum in PowerShell, use the member's name, not the member's value

Wrapping up</h3>
I removed the config for netplan. That way it cannot overwrite the network configuration that I edited.</p>
-Kristof</p>

Conclusion</h3>
We now can track individual Wireguard clients on our network.</p>