Daily Knowledge Drop
All configuration values for an aapplication, as well as their source, can be viewed with the GetDebugView method on IConfigurationRoot.
While this core functionality has been available since .NET Core 3, enhancements are also coming with .NET7 (currently in preview) to allow for confidential values to be masked.
All of this in more detail below.
GetDebugView: Current
To retrieve the configuration information is fairly straightforward - all one needs is the IConfiguration implementation.
The below uses top-level statements and minimal API to expose a config endpoint:
// inject IConfiguration from dependency injection container
app.MapGet("/config", (IConfiguration config) =>
{
// convert to IConfigurationRoot
var root = config as IConfigurationRoot;
return root.GetDebugView();
});
With a appsettings.json file which contains the following:
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*",
"ServiceCredentials": {
"username": "admin123",
"password" : "admin456"
}
}
Browsing to the endpoint will return the following relevent configuration values (along with numerous other system environment variables):
AllowedHosts=* (JsonConfigurationProvider for 'appsettings.json' (Optional))
ASPNETCORE_ENVIRONMENT=Development (EnvironmentVariablesConfigurationProvider Prefix: '')
Logging:
LogLevel:
Default=Information (JsonConfigurationProvider for 'appsettings.Development.json' (Optional))
Microsoft.AspNetCore=Warning (JsonConfigurationProvider for 'appsettings.Development.json' (Optional))
ServiceCredentials:
password=admin456 (JsonConfigurationProvider for 'appsettings.json' (Optional))
username=admin123 (JsonConfigurationProvider for 'appsettings.json' (Optional))
The configuration from the appsettings.json config file are displayed, with the corresponding provider source (JsonConfigurationProvider) as well as a configuration value sourced from the environment variable provider (EnvironmentVariablesConfigurationProvider).
Secrets exposed
One limitation of the current (.NET Core 3 to .NET 6) implementation, which is demonstrated above - is that configuration values which are secrets (keys, passwords, etc.) are included in the output.
In my example the password was stored in the appsettings.json, which ideally shouldn't happen - however even if injected at runtime as an environment variable, the same would occur, and the value would still be exposed (just coming from a different provider source).
The enhancements in .NET7 aim to improve this.
GetDebugView: Preview
Bear in mind, that the following is done using a Preview version of .NET7, and may change by the time it is officially release.
The GetDebugView now has an overload which accepts a Func and allows for custom processing and manipulation of the configuration values for display:
// inject IConfiguration from dependency injection container
app.MapGet("/config", (IConfiguration config) =>
{
// convert to IConfigurationRoot
var root = config as IConfigurationRoot;
return root.GetDebugView(context =>
{
// this Func keys called for each Key in the configuration
// if the key is one we know contains a password
if(context.Key == "ServiceCredentials:password")
{
// return a masked value
return "***";
}
// otherwise return the original configuration value
return context.Value;
});
});
With a appsettings.json file the same as before
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*",
"ServiceCredentials": {
"username": "admin123",
"password" : "admin456"
}
}
Browsing to the endpoint will return the same as before, but with one small adjustment:
AllowedHosts=* (JsonConfigurationProvider for 'appsettings.json' (Optional))
ASPNETCORE_ENVIRONMENT=Development (EnvironmentVariablesConfigurationProvider Prefix: '')
Logging:
LogLevel:
Default=Information (JsonConfigurationProvider for 'appsettings.Development.json' (Optional))
Microsoft.AspNetCore=Warning (JsonConfigurationProvider for 'appsettings.Development.json' (Optional))
ServiceCredentials:
password=*** (JsonConfigurationProvider for 'appsettings.json' (Optional))
username=admin123 (JsonConfigurationProvider for 'appsettings.json' (Optional))
The password returned is now the masked value specified in the Func!
Notes
Having the ability to expose all configuration values can definitely save time and effort - it eliminates the need to remote into other machines or containers and get a list of environment variables when doing investigations. However the fact that confidential information could be exposed is far from ideal, and depending on how serious security is taken, could render the functionality unusable.
However the .NET7 enhancements provides a working solution for this, which I look forward to being able to leverage.
References
Viewing .NET configuration values
Daily Drop 110: 05-07-2022
At the start of 2022 I set myself the goal of learning one new coding related piece of knowledge a day.
It could be anything - some.NET / C# functionality I wasn't aware of, a design practice, a cool new coding technique, or just something I find interesting. It could be something I knew at one point but had forgotten, or something completely new, which I may or may never actually use.
The Daily Drop is a record of these pieces of knowledge - writing about and summarizing them helps re-enforce the information for myself, as well as potentially helps others learn something new as well.