Raspberry Pi 3+ and Joy-IT 7" touchscreen on Debian 11

I've had for sometime a Joy-IT 7" IPS display for Raspberry Pi waiting in my drawer and now I got around to put it into use with Ikea Ribba frame. Setting up the touch screen was easy but getting it inverted (upside down) took some extra steps.

The touchscreen is "RB-LCD-7-2" from Joy-IT which is a 7" IPS display for Raspberry Pi with 1024x600 resolution and 5 point capacitive touchscreen and HDMI connector. The manufacturer provides a manual for setting it up but as things have changed during the years it didn't work out of the box for the inverted touch matrix.

I installed Debian GNU/Linux 11 (bullseye) to my Raspberry Pi Model 3 plus and did the following changes:

Display working

Edit /boot/config.txt

max_usb_current=1
hdmi_force_hotplug=1
# or 4
config_hdmi_boost=7
hdmi_group=2
hdmi_mode=1
hdmi_mode=87
# or 1
hdmi_drive=2
display_rotate=2
hdmi_cvt 1024 600 60 6 0 0 0

Inverted display

Flip the command line by editing /boot/cmdline.txt and adding

fbcon=rotate:2

For inverting the GUI use evdev:

sudo apt-get install xserver-xorg-input-evdev
sudo mv /usr/share/X11/xorg.conf.d/10-evdev.conf

/usr/share/X11/xorg.conf.d/45-evdev.conf

Section "InputClass"
        Identifier "evdev touchscreen catchall"
        MatchIsTouchscreen "on"
        MatchDevicePath "/dev/input/event*"
        Driver "evdev"
        Option "InvertX" "true"
        Option "InvertY" "true"
EndSection

Resources:

Short notes on tech 31/2022

Software development

How to explain technical architecture with a natty little video
Some thoughts on explaining architecture through diagraming, in particular the advantage of scrappy videos to show diagramming step-by-step. (from DevOps Weekly)

What Are Vanity Metrics and How to Stop Using Them
Measurement and metrics are an important part of devops practices, but establishing metrics always risks issues with vanity metrics. This post explains what they are and how to avoid them.

Chrome DevTools: 10 Useful Tips & Tricks
Various tips and tricks to help you get the most out of Chrome DevTools
(from Web Design Weekly)

Learning

Awesome Cloud Native Trainings
"All the free trainings (with and without certificates) released from different companies supporting CNCF Projects and Kubernetes." (from CloudSecList)

The Docker, Kubernetes, Terraform, and AWS crash course series
"High quality learning material is hugely useful given the large number of technologies relevant to modern software development and operations. This set of crash course posts on Docker, Kubernetes, AWS and Terraform look super useful for anyone just getting started." (from DevOps Weekly)

Tools

Tauri
"An Electron alternative, written in Rust under MIT or MIT/Apache 2.0 license. The advantages of Electron combined with a fast, modern and secure base makes this a really cool project to consider for multi-platform apps. And the list of partners and sponsors makes me confident that it’ll stay at least for a while on the market." (from WDRL)

DevOps

Kubernetes 101
Kubernetes is one of the most exciting technologies in the world of DevOps. The article explains the concepts of it and some simple examples.

Minimal Container Images: Towards a More Secure Future
This post walks through the typical approaches in this space: minimal distributions, scratch and distroless. (from CloudSecList)

Design

Every programmer should care about UI design
"It’s way more common for people working on iOS/macOS projects to care about design than with some other platforms, but I still come across an occasional “I don’t need to care about it“. The points raised by this article are certainly worth reading if you’re in that camp!" (from iOS Dev Weekly)

UI Filler
Placeholders for your designs.
(from Web Design Weekly)

iOS

Awesome iOS widgets
A curated list of home screen widgets for apps on iOS 14!

Short notes on tech 25/2022

Tools

CyberChef
Simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.

Software development

The Art of Code Comments
Sarah Drasner talked at JSConf Hawaii 2020 about how commenting code is a more nuanced thing than we give it credit for. There is just not one right way or one reason to write a comment. The talk will dig into some of the many beneficial types of comments that might all serve a different purpose, followed by patterns we might want to avoid.

Does Laravel Scale?
"Jack Ellis elaborates on the question whether Laravel or PHP can scale." People usually tell how awful PHP is but what I've recently used it (newer versions) it was just like any other backend framework. And as Hannemann writes "It’s a very powerful, professional language with a huge ecosystem and it can be used to serve fast, efficient, reliable and readable codebases." (from WDRL)

Atkinson Hyperlegible font
"Atkinson Hyperlegible is a typeface created in partnership with Braille Institute. It has been developed specifically to increase legibility for readers with low vision, and to improve comprehension." (from WDW)

Security

Awesome Azure Penetration Testing
A collection of resources, tools and more for penetration testing and securing Microsoft's cloud platform. (from Cloud Security Reading List)

Miscellanous

Important PostgreSQL 14 update to avoid silent corruption of indexes
"PostgreSQL 14.4 release fixes an issue with all versions of PostgreSQL 14 that can lead to silent corruption of indexes."

Learn to write secure code with DevSecLab

There are lots of pitfalls in software development and creating a secure Web application needs some thought and keeping especially the OWASP Top-10 in mind. One effective way to learn secure software development is to learn by doing and that's what DevSecLab by Fraktal provides: teach developers to write secure code with hands-on exercises.

I got a chance to try the DevSecLab exercices with a free "trial" and here are my short notes about the content and thoughts about what I learned. Previously I've learned secure software development with Secure Code Warrior Secure Code Bootcamp, Kontra OWASP Top 10 for Web and more academic approach with Cyber Security Base MOOC so the topics and problems were familiar.

DevSecLab: Web Security Basics

The DevSecLab will teach you about:

  • The most common vulnerabilities in web applications,
  • How to spot vulnerabilities in code review
  • How to validate your findings with proof-of-concept exploits
  • Secure coding practices that keep your systems safe

The course is split into seven independent topics and you can work through them at your own pace in any order. The interactive challenges teach new tools and give new perspectives on daily work and each topic takes about 15–30-minutes.

  • Cross-Site Scripting (XSS): Hijacking a victim's browser by embedding JavaScript fragments in an application's inputs
  • SQL Injection: Accessing an application's database by embedding SQL fragments in its input
  • Broken Authentication: Weak or missing user identity checks on sensitive data or functionality
  • Broken Authorization: Weak or missing permission checks on sensitive data or functionality
  • Sensitive Data Exposure: Accidentally leaving secrets or confidential information publicly accessible
  • Cross-Site Request Forgery (CSRF): Tricking a victim's browser into performing actions on another website
  • Server-Side Request Forgery (SSRF): Tricking a backend server into performing HTTP requests on the attacker's behalf

The content of the course is well thought and covers the main issues in software development. Each topic is described in details by going from introduction to more detailed parts with appropriate exercises on the way.

DevSecLab: Introduction to CSRF

In each topic you get lessons ticked and unlocked by reading about the vulnerability and / or solving the exercises. The exercises can be all done with a web browser as shown below. Usually in the exercises you either need to write small about of code or use some other tools found in the web or in the course environment like gitleaks or fuff.

DevSecLab: exercise can be done with the browser

Some of the exercises require more thought what you should do the exploit the given application but fortunately there are hints to help you. At the end of the each topic there's "Dos & Don'ts" part which provides key points summarized for easy reference during daily work.

DevSecLab: Sensitive Data Exposure Dos and Don'ts

What I thought about it?

After the course you should have knowledge to identify, fix and prevent vulnerabilities in your web application code. And with hands-on approach with Dos and Don'ts at the end of each topic that goal is achieved.

What I liked about the course:

  • Shows what is wrong, how vulnerabilities can be exploited.
  • Hands down approach with embedded "browser" window of the application.
  • Suggestions of tools to use for testing (exploiting) like fuzzing.
  • Suggestions what you should do.
  • Dos and Don'ts

The overall difficulty was quite good regarding the hints you are given on the way and descriptions of the vulnerabilities. I didn't really count how many hours I spent doing the course. Although all of the topics were familiar more or less in practice I also learned some new things and what is also important, rehearsing the issues with new point of view.

DevSecLab has a free trial which you can check before buying the course. I found it useful and if you need it for compliance it really is "effortless" way to fulfill competence requirements.

Short notes on tech 22/2022

Worklife

GitLab's Guide to All-Remote
Good writeup of remote work in GitLab, i.a. it's benefits and drawbacks and tips to better remote.

DevOps

Honeycomb’s O’Reilly Book Observability Engineering
"Achieving Production Excellence by Charity Majors, Liz Fong-Jones, and George Miranda"

Set up a Terraform Pipeline with GitHub Actions and GitHub OIDC for AWS
A walkthrough of a Terraform pipeline setup. Most interesting for the use of OpenID Connect to remove the need for persistent credentials for AWS. (from Devops Weekly #590)

Terraform Best Practices for Better Infrastructure Management
Post which explores different best practices for Terraform and Infrastructure as Code, analyzes various options for handling and structuring Terraform projects, and shows how adopting helper tools could make our life easier. (from Cloud Security Reading List)

Observability 4 JVM Frameworks with Grafana in Java and Kotlin
(from Devops Weekly #591)

Security

A Review of the AWS Security Model
AWS have released their own security maturity model, but does it stack up against what we're seeing in real-world attacks and in the approaches being suggested by the rest of the AWS security community? (from Cloud Security Reading List)

Security Overview of AWS Fargate
Amazon's own security overview of Fargate, which is helpful for new adopters and deepens understanding of Fargate for current users. (from Cloud Security Reading List)

Override nested NPM dependency versions

Sometimes your JavaScript project's dependency contains a library which has a vulnerability and you're left with a question how to solve the issue. If the nested dependency (with vulnerability) is already fixed but the main dependency isn't, you can use overrides field of package.json as explained in StackOverflow answer.

You'll need a recently new version of npm cli v8.3.0 (2021-12-09) which comes with Node.js v16.14.0. Corresponding node.js and npm versions can be seen in the releases table.

In my case the problem was that express-openapi-validator contained a version of multer which used dicer with vulnerable version of busboy. The vulnerability was fixed in multer 1.4.4-lts.1 and now the task was to override the nested dependency.

The overrides section in package.json file provides a way to replace a package in your dependency tree with another version, or another package entirely. These changes can be scoped as specific or as vague as desired.

For example in my case I used:

{
  "overrides": {
    "express-openapi-validator": {
      "multer": "1.4.4-lts.1"
    }
  }
}

The overrides section is useful if you need to make specific changes to dependencies of your dependencies, for example replacing the version of a dependency with a known security issue, replacing an existing dependency with a fork or only override a package when it's a dependency of a particular package hierarchy.

And to ensure that you've correct Node.js and npm versions in use, add the following to the package.json.

"engines": {
    "node": ">=16.14",
    "npm": ">=8.3.0"
},

What did we learn here? About how to "patch" dependencies and how beneficial it is to read what new features comes with your tools. But in the end this all was more or less just a drill as the nested dependency of multer in express-openapi-validator was updated to the fixed version in the same day that it was released (it took around 10 days to multer have a fix).

Using CASL and roles with persisted permissions

How do you implement user groups, roles and permissions in a multitenant environment where you have multiple organizations using the same application and each have own users and groups and roles? There are different approaches to the issue and one is to implement Attributes-based access control (ABAC) in addition with roles (RBAC). But what does that actually mean?

In short: you've groups, groups have roles and roles have permission attributes. Well, read forward and I'll explain how to tie things together using CASL: an isomorphic authorization JavaScript library which restricts what resources a given client is allowed to access.

Authorization mechanisms

First let's start with short introduction to authorization: "Authorization is the process of determining which action a user can perform in the system." Authorization mechanism grants proper privileges for a user defined by some role or other factor. Two popular types of authorization are: Role-based access control (RBAC) and Attributes-based access control (ABAC)

Role based access control (RBAC) is a simple and efficient solution to manage user permissions in an organization. We have to create roles for each user group and assign permissions for certain operations to each role. This is commonly used practice with roles suchs as "System admin", "Administrator", "Editor" and "User". The drawbacks of RBAC, especially in a complex system, is that a user can have various roles, which require more time and effort to organize. Also the more roles you create, the more security holes will be born.

Attributes-based access control (ABAC) is an authorization mechanism granting access dynamically based on user characteristics, environment context, action types, and more. Here we can have some action which is permitted to certain user, e.g. "{ action: 'edit', subject: 'Registration' }", "{ action: 'manage', subject: 'User', fields: ['givenName', 'familyName', 'email', 'phone', 'role'] }". For example, a manager can view only the users in their department; an user can not access his project’s information. ABAC is sometimes referred to as claims-based access control (CBAC) or policy-based access control (PBAC). You often see ABAC authorization mechanism in cloud computing services such as AWS and Azure.

The difference between ABAC and RBAC is that ABAC supports Boolean logic, if the user meets this condition he is allowed to do that action. Attribute-based Access Control (ABAC) enables more flexible control of access permissions as you can grant, adjust or revoke permissions instantly.

RBAC is a simple but sufficient solution to manage access in an uncomplicated system. However, it is not flexible and scalable and that is why ABAC becomes an efficient approach in this case. In the contrast, ABAC may be costly to implement. There is no all-in-one solution and it depends on your business requirements. Remember that use the right tool for the right job.

RBAC table structure can be visualized with:

Role basec access control in multitenant system

And you can add attribute based permissions to RBAC model:

Attribute based permissions for roles (CASL)

Using CASL with roles and permissions

CASL is a robust authorization library for JavaScript and including RBAC it also supports ABAC implementation by adding condition expression to the permission. That's exactly what we need in this case where we have a requirement to define different permissions for custom groups: need for roles and groups.

CASL has good resources and shows a great cookbook how to implement roles with persisted permissions. To supplement that you can check Nest.js and CASL example which also shows table structures in different stages.

The code for the following part can be seen in Gist

Table structure

  • Global Users table
  • Users are grouped by tenant in TenantUsers
  • TenantUsers have a role or roles
  • Users can be added to a group
  • Groups and roles are tenant specific
  • Permissions can be added to a role

Table structure in DBDiagram syntax

Next we create the table structure to our code with help of Sequelize ORM which describes the models, relations and associations.

We have the following models for our table structure:

  • models/rolepermissions.js
  • models/role.js
  • models/permission.js
  • models/group.js
  • models/groupuser.js

The Sequelize modeled class looks like this:

const { Model } = require('sequelize');
module.exports = (sequelize, DataTypes) => {
class Permission extends Model {
static associate() {}
toJSON() {
return {
id: this.id,
action: this.action,
subject: this.subject,
fields: this.fields,
conditions: this.conditions,
inverted: this.inverted,
system: this.system,
};
}
}
Permission.init(
{
id: {
type: DataTypes.INTEGER,
primaryKey: true,
allowNull: false,
},
action: DataTypes.STRING,
subject: DataTypes.STRING,
fields: DataTypes.ARRAY(DataTypes.TEXT),
conditions: DataTypes.JSON,
inverted: DataTypes.BOOLEAN,
system: DataTypes.BOOLEAN,
},
{
sequelize,
modelName: 'Permission',
},
);
return Permission;
};

You can see all the models on the Gist.

Defining CASL permissions to user

In this example we are adding permissions directly to the JWT we are generating and signing so we don't have to fetch user's permissions every time from the database (or cache) when user makes a request. We get the claims.role from the authentication token and it can be e.g. "admin", "user" or whatever you need.

services/token.js is the class where we fetch the permissions for the role and generate the JWT. It fetches the permissions for the user's roles, gets the user groups and those groups' roles and permissions. Then it merges the permissions to be unique and adds them to the JWT.

The JWT looks something like this:

{
"sub": "1234567890",
"role": "user",
"groups": [1, 3],
"permissions": [
{
"action": "read",
"subject": "Users",
"fields": null,
"conditions": {
"id": "${user.tenant}"
}
},
{
"action": "edit",
"subject": "User",
"fields": null,
"conditions": {
"id": "${user.id}",
"TenantId": "${user.tenant}"
}
},
]
}
view raw jwt-sample.json hosted with ❤ by GitHub

Now we have all the permissions for the user in JWT which we can use in our services and routes. The solution isn't optimal as the JWT can grow large if user has lots of permissions.

In the JWT you can see that the conditions attribute has a placeholder. middleware/abilities.js class parses the user JWT which we added permissions in JSON format, converts the condition to CASL’s condition and creates a CASL Ability so that we can add permission checks later on to our actions.

const { AbilityBuilder, Ability } = require('@casl/ability');
const parseCondition = (template, vars) => {
if (!template) {
return null;
}
JSON.parse(JSON.stringify(template), (_, rawValue) => {
if (rawValue[0] !== '$') {
return rawValue;
}
const name = rawValue.slice(2, -1);
const value = get(vars, name);
if (typeof value === 'undefined') {
throw new ReferenceError(`Variable ${name} is not defined`);
}
return value;
});
return null;
};
const defineAbilitiesFor = (jwtToken) => {
const { can: allow, build } = new AbilityBuilder(Ability);
jwtToken.permissions.forEach((item) => {
const parsedConditions = parseCondition(item.conditions, { jwtToken });
allow(item.action, item.subject, item.fields, parsedConditions);
});
return build();
};
module.exports = { defineAbilitiesFor };

Now you can check the permissions in e.g. route.

const ForbiddenOperationError = {
  from: (abilities) => ({
    throwUnlessCan: (...args) => {
      if (!abilities.can(...args)) {
        throw Forbidden();
      }
    },
  }),
};

...
try {
    const abilities = defineAbilitiesFor(jwtToken);
    ForbiddenOperationError.from(abilities).throwUnlessCan('read', 'Users');
    const users = await UserService.getAll(user.tenant);
    return res.send({ entities: users });
} catch (e) {
    return next(e);
}
...

Summary

Implementing authorization is an important part of software system and you've several approaches to solve it. RBAC is a simple but sufficient solution to manage access in an uncomplicated system. ABAC in the other hand is flexible and scalable approach but may be costly to implement. There is no all-in-one solution and it depends on your business requirements.

Using CASL with roles, groups and permissions makes the handling of the authorization side of things easier but as you can see from the database diagram the overal complexity of the system is still quite high and we're not even touched the user interface of managing the roles, groups and permissions.

Short notes on tech 15/2022

Week 15 of 2022

Before leaving for a short Easter holiday here are some links to go through.

Security

Top10 CI/CD Security Risks

Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards "How to use the OpenSSF Scorecards GitHub Action to audit your GitHub and GitHub Actions configuration, and a breakdown of some of the issues raised by it." (from Cloud Security Reading List)

Software development

Please put units in names
"There is one code readability trap that is easy to avoid once you are aware of it, yet the trap is pervasive: omitting units." (from Hacker Newsletter)

The Catalog of Design Patterns
Creational, Structural and Behavioral Patterns.

Java Development on an Apple M1 – A One Year Review
"Initial pitfalls when working with the Apple M1 and a collection of valuable tricks and workarounds for developing and testing Java applications." (from Hacker Newsletter)

An up-to-date guide on running Java applications in Docker containers
(from DevOps weekly)

Tools

A list of new(ish) command line tools
"Like ripgrep and fd and fzf and exa and bat."

Work

Maybe you should do less 'work'

Short notes on tech 13/2022

Learning

Personal Goal Setting Playbook
"Setting personal goals can be used in many contexts to help people achieve tasks, objectives or improvements of any kind, big or small."

Design

A Designer’s Guide to Documenting Accessibility & User Interactions

Understanding Figma’s interactive components feature
(from WDRL)

Backend

How to design better APIs
15 language-agnostic, actionable tips on REST API design. (from WDRL)

PHP: The Right Way
"An easy-to-read, quick reference for modern coding standards in PHP, trying to fight all the outdated and partially wrong solutions found on the web." (from WDRL)

Database

Postgres Auditing in 150 lines of SQL
Or you can use pgAudit. (from Hacker Newsletter)

Testing

How to test if there is any element outside the viewport with Cypress
"How to use Cypress to create an automated test that checks if there is an element out of the viewport." (from CSS Weekly)

Tools

Healthchecks
"Healthcheck is a dedicated monitoring and alerting system for cron, with a nice looking dashboard and various alerting options." (from DevOps Weekly #585)

Who watches the watchers?
"A look at using a dead-man's-switch to monitor other monitoring systems, with code examples for implementing on AWS with Prometheus and PagerDuty." (from DevOps Weekly #586)

Learning secure code by identifying vulnerable code and solutions

The DevOps Conference was held this week and on the Expo there were companies showing their services. One of those was Secure Code Warrior which provides a learning platform for teaching developers the skills they need to produce secure code. Last year I wrote about their bootcamp but now it was time to participate in their "The DEVOPS Secure Coding Tournament!"

Secure Coding Tournament

The DevOps Conference Secure Coding Tournament

Identifying and fixing vulnerable code is an important skill in software development and there are different ways to enhance your skills. During the The DevOps Conference Secure Code Warrior organized the The DEVOPS Secure Coding Tournament in their learning platform which allowed you to improve your secure coding skills.

"The tournament allows you to compete against the other participants in a series of vulnerable code challenges that ask you to identify a problem, locate insecure code, and fix a vulnerability."

The challenges were based on the OWASP Top 10 and there were good explanations for the vulnerabilities and solutions to get better understanding of the underlying problems. You get to use your preferred software language such as JavaScript, Java EE / Spring, C#, Go, Ruby on Rails, Python Django & Flask, Scala Play, Node.JS, React, and both iOS and Android development languages.

I chose to use JavaScript and Node.js (Express) as it's the recent language I've used with different libraries and concepts. From previous experience from Secure Coding Bootcamp it helps to know not just the chosen language and framework but also other libraries from the ecosystem. For example with Node.js (Express) there were questions relating to use of Handlebars, LDAP, Mongoose, XML, etc. But most of the challenges were logical to deduce even if you didn't know e.g. XPath.

The missions were presented as a world map and there was total of 8 levels to compete. The usage of the map and potentical attackers was a bit confusing in my mind but might fascinate some.

Challenge map

In each one of the mission there were 5 different challenges with locating vulnerability by selecting one or more code rows or identifying what kind of vulnerability was shown. You got 3 lives to get it right. Then you got four possible solutions to identify which would fix the issue.

Locate vulnerability
Identify vulnerability

After you either got it right or not, the solution was shown with short explanation to teach you more about it.

Identify the correct solution

Tournament participants had two days to complete the challenges but I noticed the tournament on the last day around four hours before it ended. Fortunately it was said that it should took around two or three hours to complete.

I've to admit that at first I wasn't so sure if I would do more than a few challenges regarding the timeframe for completing all of them but it was actually quite addictive to see how well you could identify the vulnerable parts of the code and what the solutions would be although some of the libraries were not so familiar. And seeing that I did quite well on the leaderboard helped to finish it.

The DevOps Conference Secure Coding Tournament leaderboard

On the leaderboard I managed to gather enough points for the third position and won a Secure Code Warrior T-shirt. Yay! The total points available was 12000 so you could say that there was a lot of points (easily) missed.

The overall experience of the tournament was great and it was fun. There were several challenges which weren't quite clear if you didn't know the used library and couple of solutions were tricky as although the solution was "right" the other solution was better (in terms of e.g. better algorithm, etc.).

I've now done two Secure Code Warriors' OWASP Top-10 learning challenges (Bootcamp and this tournament) and can say that although they don't actually teach you to write secure code, they teach you to read code and identify vulnerable parts. They also have more practical and interactive approaches to build secure coding skills systematically but I haven't tried those missions.