I'm facing an issue with TFS.
I'm trying to fetch commits by date range( Id range does not work for me as as it returns alphabetically sorted revisions, not based on when creation time. So I never got revision in specified range).
GitCommitRef.Committer.Date returns in UTF format
but GitQueryCommitsCriteria.FromDate expects date in format the user set in his UserProfile->Locale->TimeZone.
Looking for .Net api to extract this value. I'm aware of below REST api(though couldn't find its equivalent .net api) , but it doesn't provide me other user's timezone value.
http://tfsemea1.ta.philips.com:8080/tfs/TPC_Region13//_api/_common/GetUserProfile?__v=5
How to get timezone value for any user?
Alternatively how can i make ID range work?
Based on my test I cannot find the Time Zone property for a valid user with the .net API.
You can use below sample code to get the user list (unfortunately cannot find the Time Zone for users):
Note: You need to install the Microsoft.TeamFoundationServer.ExtendedClient Nuget package.
using System;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.Framework.Common;
namespace ConsoleApplication3
{
class Program
{
static void Main(string[] args)
{
TfsConfigurationServer tcs = new TfsConfigurationServer(new Uri("http://server:8080/tfs"));
IIdentityManagementService ims = tcs.GetService<IIdentityManagementService>();
TeamFoundationIdentity tfi = ims.ReadIdentity(IdentitySearchFactor.AccountName, "[TEAM FOUNDATION]\\Team Foundation Valid Users", MembershipQuery.Expanded, ReadIdentityOptions.None);
TeamFoundationIdentity[] ids = ims.ReadIdentities(tfi.Members, MembershipQuery.None, ReadIdentityOptions.None);
foreach (TeamFoundationIdentity id in ids)
{
if (id.Descriptor.IdentityType == "System.Security.Principal.WindowsIdentity")
{ Console.WriteLine(id.DisplayName); }
{ Console.WriteLine(id.UniqueName); }
}
Console.ReadLine();
}
}
}
And there isn't such a REST API to get all users and their profiles for now.
We can only get the current login user profile with the REST API, So as a workaround you can ask all the users to check and back their Time Zone to you.
No idea for the ID range.
Related
I'm working on a project that contains Dynamics CRM and Portal Connector which built upon Sitefinity.
There is a way to retrieve data inside Portal Connector from Dynamic CRM called Saved Query and this way generate a URL for you to retrieve data by HTTP request in front-end but I don't want to access it by the front end I want to access the Dynamics CRM by Backened, specifically by Entity framework, is it possible to connect to Dynamic CRM by Entity framework and retrieve the data by C# then send it to View?
My apologies for not coming across your post sooner.
A better way is to use the CRM connection provided by the Portal Connector. It essentially wraps the CRM SDK so calls you want make to the SDK can be made here and it uses the CRM connection configured in the site.
https://www.crmportalconnector.com/developer-network/documentation/developing-for-tpc/Dynamics-CRM-Connection-API
// Required usings
using System;
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;
using pavliks.PortalConnector.Crm.Connection;
// The Code
// Create an instance of the connection manager
CrmConnectionManager manager = new CrmConnectionManager();
// Use the Connection property of the manager to access the
// configured CRM connection and create a new account
Guid newId = manager.Connection.Create(new Entity("account")
{
Attributes = new AttributeCollection()
{
{"name", "My Account Name"}
}
});
// Create Query Expression
QueryExpression query = new QueryExpression("account")
{
ColumnSet = new ColumnSet(true),
};
// Use manager to query CRM
EntityCollection entities = manager.Connection.RetrieveMultiple(query);
All the required assemblies are already in the Sitefinity site bin folder as they come with the Portal Connector assemblies and are copied to that location with the Portal Connector during installation. If your code is in another project, either reference the assemblies in the Sitefinity project or add them from the Portal Connector deploy package to your project.
I know it's a bit late but I hope it helps you in your next portal project.
let me answer my question, in case anyone wants to do a similar thing in the future :
1- first thing connect to Dynamic CRM is not related to Portal Connector, so the area that you should search in is Dynamic CRM.
2- To connect to Dynamic CRM you should follow the below steps :
2.1- install this package "Microsoft.CrmSdk.XrmTooling.CoreAssembly"
2.2- find what is your connection string.
2.3 use below code
var service=new CrmServiceClient("AuthType=Office365;Url=https://ititisdf.crm4.dynamics.com;Password=1234" )/*put your connection string instead*/
3- Some example of you could create or retrieved data
service.Create(new Entity("account"){["name]="Test connection"}); // add record
// retrive data
//1- query expression
//var query= new QueryExpression().Criteria. <===== from here you can add filteration ... and so on
//2- fetch xml expression
//var query=new FetchExpression(#"fetch xml value"); // you need to use XrmToolBox to generate your fetchXml
//3- var query=new QueryByAttribute("account");
// query.AddAttributeValue("name","Test1");
var entities=service.RetrieveMultiple(query).Entities;
foreach(var entity in entities)
{
entity["name"];
}
var organization=new OrganizationServiceContext(service);
// below code is under a concept called late-bound
var result=(from account in organization.CreateQuery("account")
join contact in organization.CreateQuery("contact")
on account["primarcontactid"] equals contact["contactid"]
where account["gendercode"] == "test" AND account["industrycode"]=1
select new {
Name=account["name"],
ContactName=contact["fullname"]
}).ToList();
// to implement Early bound
1- go to XrmToolBox ==> About ==> Plugin Store ==> Early Bound Generator==>Early Bound Generator Page will opened choose Entity to skip and choose which entity to want to include and which want to exclude
===> choose the path of generated .cs class that will represent you Entity in your project ===> press on Create Entities ===> now copy the generated file .
Now you have something like Entity framework :
Just use Entity name as a normal class :
var account = new Account{Name="Ahmed"};
and instead of this :
organization.CreateQuery("account")
use
organization.CreateQuery<yourEntityName>()
Actually, I got all of this information from youtube serious related to Dynamic, and here is the link
note: this serious in the Arabic language for this reason I summarised the steps in this answer to make it helpful for all.
In our website we used to use access_token when logging people with Google Sign In. First, we redirect the user to google, user brings the access_token to us, and we validate that token to make sure the user is the actual Google user.
Then, we needed a Google sign-in feature for our Android app, so I wanted the Android developer to bring access_token to us. He replied he couldn't. I searched about that finding almost no documentation about access_token. In documentation, Google says me to use the "id_token".
OK, I wanted the developer to bring me the id_token, and I have successfully verified the token's integrity. Then I wanted to implement the same for websites.
My c# code is:
string googleId = GoogleJsonWebSignature.ValidateAsync(idToken).Result.Subject;
It worked when I ran it locally, but when I tried in production, it gave an error: JWT is not yet valid
Is id_token the correct way to send to the backend and verify? I found another option too: code.
Code is something like A/12112312......
Access_token is something like ya29.somemorestring
My question is, Which one is correct to send to the backend? By the way, I think access_token is sort of deprecated or something like that.
Yes, you should be using the id_token. You get the id_token on the client side using this:
var id_token = googleUser.getAuthResponse().id_token;
and validating it on the server side using (do in a try/catch block to catch any errors):
token = await GoogleJsonWebSignature.ValidateAsync(idToken);
The JWT is not yet valid error is due to the time on your server being slow. Even a few seconds slow will cause this problem. To be sure of this working all the time, you'll need to implement a custom clock which gets an accurate time from somewhere. Here's an example using NNTP:
public class AccurateClock : Google.Apis.Util.IClock
{
const int UpdateIntervalMinutes = 60;
const string NntpServer = "time.nist.gov";
private TimeSpan _timeOffset;
private DateTime _lastChecked;
public AccurateClock()
{
_timeOffset = TimeSpan.FromSeconds(0);
_lastChecked = DateTime.MinValue;
}
private DateTime GetTime()
{
try
{
if (DateTime.Now.Subtract(_lastChecked).TotalMinutes >= UpdateIntervalMinutes)
{
// Update offset
var client = new TcpClient(NntpServer, 13);
DateTime serverTime;
using (var streamReader = new StreamReader(client.GetStream()))
{
var response = streamReader.ReadToEnd();
var utcDateTimeString = response.Substring(7, 17);
serverTime = DateTime.ParseExact(utcDateTimeString, "yy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal);
}
_timeOffset = DateTime.UtcNow.Subtract(serverTime);
_lastChecked = DateTime.Now;
}
var accurateTime = DateTime.UtcNow.Subtract(_timeOffset);
return accurateTime;
}
catch (Exception ex)
{
return DateTime.UtcNow;
}
}
public DateTime Now
{
get
{
return GetTime().ToLocalTime();
}
}
public DateTime UtcNow
{
get
{
return GetTime();
}
}
}
You then pass the custom clock to the validation method.
token = await GoogleJsonWebSignature.ValidateAsync(idToken, new AccurateClock());
Please note: This will update the difference between the correct time and the local machine time every time the class is created, so you really want to register this as a Singleton in whatever IOC container you are using and pass the reference to the validator instead. It will then recheck the time using NNTP every hour. If you are not using an IOC Container you could make the class static.
id_token is a JWT token, that you validate and extract information such as "email", "name" etc. This is actually what you need in a regular case.
code and access_token are part of the flow when a user doesn't use your app in current moment but your app wants to make any actions behalf of them. Google calls it offline access https://developers.google.com/identity/sign-in/web/server-side-flow
TFS 2012 and later as well as VSTS have a concept of a Team Administrator. I've looked all over the API for a simple way to set and retrieve the value through code to make it easier to provision these settings, but could not find it.
Reflectoring through the Server Object Model for the web UI gives hints for how to do it, but it relies on a number of private methods to get this done. Especially the part that calculates the Security Scope Token is hidden magic.
It took quite a bit of digging to find this old blogpost from 2013 which details how to do this, and I don't seem to be the only person who got stumped by the private methods. In the end they also ended up using Reflection to call the private method to retrieve the token:
This functionality is now available through the TFS Team Tools:
TFS Team Tools
Retrieve
Find the security group matching the team, use it to calculate the team's token, get the people who are part of that special security namespace:
public List<string> ListTeamAdministrators(string team, out string message)
{
// Retrieve the default team.
TeamFoundationTeam t = this.teamService.ReadTeam(this.projectInfo.Uri, team, null);
List<string> lst = null;
message = "";
if (t == null)
{
message = "Team [" + team + "] not found";
}
else
{
// Get security namespace for the project collection.
ISecurityService securityService = this.teamProjectCollection.GetService<ISecurityService>();
SecurityNamespace securityNamespace =
securityService.GetSecurityNamespace(FrameworkSecurity.IdentitiesNamespaceId);
// Use reflection to retrieve a security token for the team.
var token = GetTeamAdminstratorsToken(t);
// Retrieve an ACL object for all the team members.
var allMembers = t.GetMembers(this.teamProjectCollection, MembershipQuery.Expanded)
.ToArray();
AccessControlList acl =
securityNamespace.QueryAccessControlList(token, allMembers.Select(m => m.Descriptor), true);
// Retrieve the team administrator SIDs by querying the ACL entries.
var entries = acl.AccessControlEntries;
var admins = entries.Where(e => (e.Allow & 15) == 15).Select(e => e.Descriptor.Identifier);
// Finally, retrieve the actual TeamFoundationIdentity objects from the SIDs.
var adminIdentities = allMembers.Where(m => admins.Contains(m.Descriptor.Identifier));
lst = adminIdentities.Select(i => i.DisplayName).ToList();
}
return lst;
}
private static string GetTeamAdminstratorsToken(TeamFoundationTeam team)
{
return IdentityHelper.CreateSecurityToken(team.Identity);
}
Set
Setting works in a similar fashion. Grab the token and then add the users unique identifier to the Access Control List:
IdentityDescriptor descriptor = GetMemberDescriptor(memberId);
securityNamespace.SetPermissions(token, descriptor, 15, 0, false);
Remove
And removing a person from the list is then, of course, easy to guess;
IdentityDescriptor descriptor = GetMemberDescriptor(memberId);
securityNamespace.RemovePermissions(token, descriptor, 15);
I'm using MSAL to get an ID Token which is then used to access an Web API app. I've got a couple of questions and I was wondering if someone could help me understand what's going on.
Let me start with the authentication process in the client side. In this case, I'm building a Windows Forms app that is using the following code in order to authenticate the current user (ie, in order to get an ID Token which will be used to validate the user when he tries to access a Web API app):
//constructor code
_clientApp = new PublicClientApplication(ClientId,
Authority, //which url here?
TokenCacheHelper.GetUserCache());
_scopes = new []{ "user.read" }; //what to put here?
//inside a helper method
try {
return await _clientApp.AcquireTokenSilentAsync(_scopes, _clientApp.Users.FirstOrDefault());
}
catch (MsalUiRequiredException ex) {
try {
return await _clientApp.AcquireTokenAsync(_scopes);
}
catch (MsalException ex) {
return null;
}
}
The first thing I'd like to clear is the value that should be used for the authority parameter. In this case, I'm using an URL on the form:
https://login.microsoftonline.com/{Tenant}/oauth2/v2.0/token
However, I'm under the impression that I could also get away with something like this:
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
It seems like one endpoint is specific to my Azure AD while the other looks like a general (catch all) URL...Where can I find more information about these endpoints and on what's the purpose of each...
Another thing that I couldn't quite grasp is the scope. I'm not interested in querying MS Graph (or any other Azure related service for that matter). In previous versions of the MSAL library, it was possible to reference one of the default scopes. However, it seems like that is no longer possible (at least, I tried and got an exception saying that I shouldn't pass the default scopes...).
Passing an empty collection (ex.: new List<string>()) or null will also result in an error. So, in this case, I've ended passing the user.read scope (which, if I'm not mistaken, is used by MS Graph API. This is clearly not necessary, but was the only way I've managed to get the authentication process working. Any clues on how to perform the call when you just need to get an ID Token? Should I be calling a different method?
Moving to the server side, I've got a Web API app whose access is limited to calls that pass an ID token in the authentication header (bearer). According to this sample, I should use something like this:
private void ConfigureAuth(IAppBuilder app) {
var authority = "https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration";
app.UseOAuthBearerAuthentication(
new OAuthBearerAuthenticationOptions {
AccessTokenFormat = new JwtFormat(GetTokenValidationParameters(),
new OpenIdConnectCachingSecurityTokenProvider(authority)),
Provider = new OAuthBearerAuthenticationProvider {
OnValidateIdentity = ValidateIdentity
}
});
}
Now, this does work and it will return 401 for all requests which don't have a valid ID Token. There is one question though: is there a way to specify the claim from the Ticket's Identity that should be used for identifying the username (User.Identity.Name of the controller)? In this case, I've ended handling the OnValidateIdentity in order to do that with code that looks like this:
private Task ValidateIdentity(OAuthValidateIdentityContext arg) {
//username not getting correctly filled
//so, i'm handling this event in order to set it up
//from the preferred_username claim
if (!arg.HasError && arg.IsValidated) {
var identity = arg.Ticket.Identity;
var username = identity.Claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value ?? "";
if (!string.IsNullOrEmpty(username)) {
identity.AddClaim(new Claim(ClaimTypes.Name, username));
}
}
return Task.CompletedTask;
}
As you can see, I'm searching for the preferred_username claim from the ID Token (which was obtained by the client) and using its value to setup the Name claim. Is there any option that would let me do this automatically? Am I missing something in the configuration of the OAuthBearerAuthenticationMiddleware?
Regarding your First Query -
Where can I find more information about these endpoints and on what's the purpose of each...
Answer -
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
The {tenant} can take one of four values:
common -
Users with both a personal Microsoft account and a work or school account from Azure Active Directory (Azure AD) can sign in to the application.
organizations -
Only users with work or school accounts from Azure AD can sign in to the application.
consumers -
Only users with a personal Microsoft account can sign in to the application.
8eaef023-2b34-4da1-9baa-8bc8c9d6a490 or contoso.onmicrosoft.com -
Only users with a work or school account from a specific Azure AD tenant can sign in to the application. Either the friendly domain name of the Azure AD tenant or the tenant's GUID identifier can be used.
Regarding your Second Query on Scope -
Answer - Refer to this document - OpenID Connect scopes
Regarding your Third Query on Claim -
Answer - Refer to this GIT Hub sample - active-directory-dotnet-webapp-roleclaims
I'm using the .NET libraries for accessing Visual Studio Team Services and i'm trying to work around a glaring design flaw on Microsoft's part. Apparently you can't have more than one collection per server/account, so i have to use several accounts, which in this example i'll refer to as collections, since Microsoft has even made clear they map to the same thing.
What i'm actually trying to achieve is to have a list with all my work items from all the collections i'm a member of. I have a QueryWorkItems() method that uses GetAllCollections() to get all my collections. That method has been tested and it works, it does return the two accounts i have. The top level method that triggers the whole thing is AssignedWorkItems(). My code is as follows:
public static List<TfsTeamProjectCollection> GetAllCollections()
{
// Get collections/accounts associated with user
string request = "https://app.vssps.visualstudio.com/_apis/Accounts?memberId=" + versionControl.AuthorizedIdentity.TeamFoundationId + "&api-version=3.2-preview";
string content = MakeRequestToAPI(request).Result;
dynamic results = JsonConvert.DeserializeObject<dynamic>(content);
List<TfsTeamProjectCollection> collections = new List<TfsTeamProjectCollection>();
// Iterate through all collections
Parallel.ForEach((IEnumerable<dynamic>)results.value, collection =>
{
TfsTeamProjectCollection col = TfsTeamProjectCollectionFactory.GetTeamProjectCollection(new Uri((string)collection.accountUri));
collections.Add(col);
});
return collections;
}
public static List<WorkItem> QueryWorkItems(string query)
{
List<WorkItem> workItems = new List<WorkItem>();
List<TfsTeamProjectCollection> collections = GetAllCollections();
//Parallel.ForEach(collections, collection =>
foreach(var collection in collections)
{
WorkItemCollection items = collection.GetService<WorkItemStore>().Query(query);
// Add each work item to the overall list
Parallel.For(0, items.Count, i =>
{
Console.WriteLine(items[i].Title);
lock (workItems)
{
workItems.Add(items[i]);
}
});
}
return workItems;
}
public static List<WorkItem> AssignedWorkItems()
{
Init(); //initializes variables like projectName, workItemStore and VersionControlServer(versionControl)
string myItems = "select * from issue where [System.AssignedTo]=#me";
return QueryWorkItems(myItems);
}
When i call the AssignedWorkItems method i get a login prompt, even though i have a default connection already setup:
After i input my credentials though, in this line:
WorkItemCollection items = collection.GetService().Query(query);
i get the following error:
An unhandled exception of type 'Microsoft.TeamFoundation.TeamFoundationServiceUnavailableException'
occurred in Microsoft.TeamFoundation.Client.dll
Additional information: TF31002: Unable to connect to this Team
Foundation Server: https://xxxxxx.vssps.visualstudio.com/.
Team Foundation Server Url: https://xxxxxx.vssps.visualstudio.com/
Possible reasons for failure include:
The name, port number, or protocol for the Team Foundation Server is incorrect.
The Team Foundation Server is offline.
The password has expired or is incorrect.
Funny thing is everytime i run this the URL mentioned in the error switches back and forth between the two collections i have. Any idea as to why this is happening?
I can test the method QueryWorkItems successfully.
Based on the error message you got, it seems the VSTS URL stored in collections as the format https://account.vssps.visualstudio.com instead of https://account.visualstudio.com. So please confirm the URLs stored in collections for the method GetAllCollections are correct.
I used this GetAllCollections method to verify QueryWorkItems:
public static List<TfsTeamProjectCollection> GetAllCollections()
{
List<TfsTeamProjectCollection> collections = new List<TfsTeamProjectCollection>();
NetworkCredential cred1 = new NetworkCredential("username for Alternate authentication", "password for Alternate authentication");
TfsTeamProjectCollection tpc1 = new TfsTeamProjectCollection(new Uri("https://account1.visualstudio.com"), cred1);
collections.Add(tpc1);
NetworkCredential cred2 = new NetworkCredential("username for Alternate authentication", "password for Alternate authentication");
TfsTeamProjectCollection tpc2 = new TfsTeamProjectCollection(new Uri("https://account2.visualstudio.com"), cred2);
collections.Add(tpc2);
return collections;
}