Related
I have a proxy application that would create for every user365 the onlinemeeting,
So I have read this:
documentation update in march
and it seems that for each user in azure, I have to run a powershell command to allow my application to generate a meeting.
in the example there is this policy with 3 parameter (in the doc explain two parameter) so I'm so confuse:
New-CsApplicationAccessPolicy -Identity Test-policy -AppIds "ddb80e06-92f3-4978-bc22-a0eee85e6a9e", "ccb80e06-92f3-4978-bc22-a0eee85e6a9e", "bbb80e06-92f3-4978-bc22-a0eee85e6a9e" -Description "description here"
It seems that a policy needs to be created first....
And then the policy has to be associated with each user... one at a time....
Isn't there something global for all users?
Let me explain better: once the application type permissions are activated on
OnlineMeetings.Read.All OnlineMeetings.ReadWrite.All
why do I need to do anything else?
In other API (like create calendar event for example here) the policy rule is not necessary... but is necessary only the permission API
I have solve:
There are a -Global parameter that When you use this cmdlet without specifying a user identity, the policy applies to all users in your tenant, except any that have an explicit policy assignment. To skip a warning when you do this operation, specify this parameter.
Grant-CsApplicationAccessPolicy -PolicyName "ASimplePolicy" -Global
How to query Test Cases that have been run and to identify if the most recent run passed or failed ?
we are using TFS2015 on premises, also configured SQL reporting server lately.
Since you are using SQL reporting, you could create a SSRS report which will hold the value of all the test case results, execution date, who ran it. There are some related tables in Warehouse DB which stores the information. Each time test case outcome change, will create a test run, you could order by TestRunId: You just need to write a sample query to check the data. For example:
select TestCaseId,TestRunId, ResultOutcome,ResultDate from [dbo].[TestResultView]
where TestCaseId = 'xxx' order by TestRunId,ResultDate
another similar query:
SELECT [ResultSK],[ResultBK],[ResultId],[TestCaseId],[Outcome] FROM [Tfs_Warehouse].[dbo].[DimTestResult]
where TestCaseId ='xxx' order by DateCompleted
You could also user TFS REST API to git a list of test result based on test run ID, detail API please refer this--Get a list of test results.
We ran the Fortify scan and had some Access Control: Database issues. The code is getting the textbox value and setting it to a string variable. In this case, it's passing the value from the TextBox to the stored procedure in a database. Any ideas on how I can get around this Access Control: Database issue?
Without proper access control, the method ExecuteNonQuery() in DataBase.cs
can execute a SQL statement on line 320 that contains an attacker-controlled primary
key, thereby allowing the attacker to access unauthorized records.
Source: Tool.ascx.cs:591 System.Web.UI.WebControls.TextBox.get_Text()
rptItem.FindControl("lblClmInvalidEntry").Visible = false;
ToolDataAccess.UpdateToolData(strSDN, strSSNum, strRANC, strAdvRecDate, strAdvSubDate, strClmRecDate, strClmAuth, strClmSubDate, strAdvAuth, txtNoteEntry.Text);
Sink: DataBase.cs:278
System.Data.SqlClient.SqlParameterCollection.Add()
// Add parameters
foreach (SqlParameter parameter in parameters)
cmd.Parameters.Add(parameter);
The point of "Access Control: Database" is where it isn't being specific enough in the query and so could potentially allow a user to see information that they're not supposed to.
An easy example of this vulnerability would be a payroll database where there is a textbox that says the ID of the employee and gives their salary, this could potentially allow the user to change the ID and see the salary of other employees.
Another example where this is often intended functionality is in a website URL where the product ID is used in a parameter, meaning a user could go through every product you have on your site. But as this only allows users to see information they're supposed to be able to, it's not particularly a security issue.
For instance:
"SELECT account_balance FROM accounts WHERE account_number = " + $input_from_attacker + ";"
// even if we safely build the query above, preventing change to the query structure,
// the attacker can still send someone else's account number, and read Grandma's balance!
As this is pretty context based, it's difficult to determine statically so there are lots of examples where Fortify may catch this but it's actually intended functionality. That's not to say the tool is broken, it's just one of the limitations of static analysis and depending on what your program is supposed to be doing it may or may not be intended.
If this is intended to work like this, then I would suggest auditing it as not an issue or suppressing the issue.
If you can see that this is definitely an issue and users can see information that they shouldn't be able to, then the stored procedure needs to be more specific so that users can only see information they should be able to. However SCA will likely still pick this up in a latter scan so you would still then need to audit it as fixed and no longer an issue.
In my Team Foundation Server, I have a collection containing a Team Project. This Team Project has several contributors. The following lines of code get all contributors of that project:
TfsTeamProjectCollection collection = new TfsTeamProjectCollection(new Uri("http://tfs:8080/tfs/CollectionName"));
IGroupSecurityService groupSecurityService = collection.GetService<IGroupSecurityService>();
Identity contributors = groupSecurityService.ReadIdentity(SearchFactor.AccountName, "[ProjectName]\\Contributors", QueryMembership.Expanded);
Identity[] members = groupSecurityService.ReadIdentities(SearchFactor.Sid, contributors.Members, QueryMembership.None);
Each Identity in members has a Property MailAddress, which in my case is equal to string.Empty.
Where do I administrate those mail addresses?
My first idea was to have a look at the users in Start->Administrative Tools->Computer Management->Users
I selected one of the users and opened his properties. I thought there might be an email property that the TFS would take. But I couldn't find one.
Then I opened the TFS Administration Console, looked for Group Membership and navigated to one of the users. There is also no way of editing properties.
Does anyone know where to set that email address?
Great question! There is a TFS job that is scheduled to run every hour to update information about security identities stored in TFS against the details in Active Directory. Some of this information includes the display name, security identifier (SID), AD distinguished name, and e-mail address, among other details. You can find out this cache of details by looking at the tbl_security_identity_cache table in the configuration database.
Warning: Querying against or changing the database puts you in a position where you will likely not be able to get support from Microsoft. It's advised that you don't do this unless instructed by a Microsoft support representative in the context of an active support case. You were actually doing it right by using the TFS SDK to get this information.
If your TFS environment is not in an Active Directory environment, then it will attempt to synchronize information from the local machine where TFS is running. It won't have details about the e-mail address to use so it will be left blank.
Starting in the next version of TFS after TFS 2010, each user will be able to update their notification e-mail address in their profile using Team Web Access.
The following is for TFS 2013 Update 5
** WARNING ** Getting caught editing the TFS database directly
** will void your Microsoft Support Agreement. **
What follows is not for the uninitiated. ** Proceed at your own risk. **
Locate the user or users with email addresses needing to be set. There can be duplicates in the Identities table. I found that the ones with the highest SequenceId were the active Identities.
Use Tfs_TFSConfiguration
SELECT i1.AccountName, i1.Id FROM tbl_Identity AS i1
LEFT OUTER JOIN tbl_Identity AS i2
ON (i1.AccountName=i2.AccountName AND i1.SequenceId<i2.SequenceId)
WHERE i2.AccountName IS NULL
AND i1.AccountName in ('<your first user>','<another user>','<and so on>')
This gives a list of the most recent the Id(s), in GUID form, for the accounts that you need to update. These GUIDs must be reformatted into ArtifactId(s), which is a transformed binary format. This is accomplished by reversing the byte order (low to high) or each of the first three parts of the GUID, but leaving the last two parts in order. E.g.:
Returned 'Id' GUID =01020304-0506-0708-090A-0B0C0D0E0F10
Byte Swapped GUID =04030201-0605-0807-090A-0B0C0D0E0F10
Reformatted 'ArtifacId'=0x0403020106050807090A0B0C0D0E0F10
Next, you have to find the PropertyId(s) used by TFS for email notifications. In TFS 2013 U5, this can be found with the following query:
USE Tfs_TFSConfiguration
SELECT Name, PropertyId FROM tbl_PropertyDefinition WHERE Name LIKE '%Address%'
This will give you the PropertyId(s) for ConfirmedNotificationAddress and CustomNotificationAddresses; which are the two property fields used by TFS 2013 U5 to send notification emails.
Next, you have to find the InternalKindId for the Identity Framework for the TFS DatabaseCategory
USE Tfs_TFSConfiguration
SELECT Description, InternalKindId FROM tbl_PropertyArtifactKind
WHERE Description='Identity'
Now to put it all together, ...
If the configuration records for your user(s) already exist, you can update the settings with:
USE Tfs_TFSConfiguration
UPDATE tbl_PropertyValue SET LeadingStringValue='<user's notification email address>'
WHERE ArtifactId=<ArtifactId, reformatted from tbl_Identity query>
AND PropertyId IN ('<first PropertyId from tbl_PropertyDefinition>', '<second id>')
Note: that ArtifactId is a binary value, based upon a semi-byte-swapped database GUID, and will not match a quoted value in the UPDATE query. I.e. this part of the query will look something like:
WHERE ArtifactId=0x90D490F6BF7B31491CB894323F38A91F AND
Below I assume that the PartitionId is '1'; this should be verified before you continue by a brief scan of the records in the tbl_PropertyValue table.
If you are loading configuration settings that have not yet been set:
USE Tfs_TFSConfiguration
INSERT INTO tbl_PropertyValue
(PartitionId, ArtifactId, InternalKindId, Version, PropertyId, LeadingStringValue)
VALUES ('1', <ArtifactId, reformatted from tbl_Identity query>,
'<InternalKindId from tbl_PropertyArtifactKind>',
'0',
'<first PropertyId from tbl_PropertyDefinition>',
'<user's notification email address>'),
('1', <ArtifactId, reformatted from tbl_Identity query>,
'<InternalKindId from tbl_PropertyArtifactKind>',
'0',
'<second PropertyId from tbl_PropertyDefinition>',
'<user's notification email address>')
Note: that ArtifactId must be an unquoted binary value, transformed from the GUID returned from the tbl_Identity as explained above.
Note: that two records are created for each ArtifactId, one for each PropertyId.
** WARNING ** Getting caught editing the TFS database directly
** will void your Microsoft Support Agreement. **
** Proceed at your own risk. **
(This works for me, ... but, I do not have a Microsoft Support Agreement to invalidate.)
If Active Directory does not get synched with TFS, and assuming your goal to keep email address is for sending notifications you can use the IEventService.GetEventSubscriptions() methods.
var eventService = (IEventService)collection.GetService(typeof(IEventService));
foreach (var member in members)
{
var subscription = eventService.GetEventSubscriptions(member.DisplayName).First();
{
if (subscription != null && string.IsNullOrEmpty(member.MailAddress))
member.MailAddress = subscription.DeliveryPreference.Address;
}
}
I believe this is kept in Active Directory.
For TFS2017+, each user can have a preferred email address, that they can setup in their profile, on the web interface.
It can override, or replace the email set in Active Directory. It also has the benefit to be an instant change, no synchronisation needed.
The field will be initialized with the value that has been set in Active Directory. The synchronization doesn't seem to happen anymore.
In my Team Foundation Server, I have a collection containing a Team Project. This Team Project has several contributors. The following lines of code get all contributors of that project:
TfsTeamProjectCollection collection = new TfsTeamProjectCollection(new Uri("http://tfs:8080/tfs/CollectionName"));
IGroupSecurityService groupSecurityService = collection.GetService<IGroupSecurityService>();
Identity contributors = groupSecurityService.ReadIdentity(SearchFactor.AccountName, "[ProjectName]\\Contributors", QueryMembership.Expanded);
Identity[] members = groupSecurityService.ReadIdentities(SearchFactor.Sid, contributors.Members, QueryMembership.None);
Each Identity in members has a Property MailAddress, which in my case is equal to string.Empty.
Where do I administrate those mail addresses?
My first idea was to have a look at the users in Start->Administrative Tools->Computer Management->Users
I selected one of the users and opened his properties. I thought there might be an email property that the TFS would take. But I couldn't find one.
Then I opened the TFS Administration Console, looked for Group Membership and navigated to one of the users. There is also no way of editing properties.
Does anyone know where to set that email address?
Great question! There is a TFS job that is scheduled to run every hour to update information about security identities stored in TFS against the details in Active Directory. Some of this information includes the display name, security identifier (SID), AD distinguished name, and e-mail address, among other details. You can find out this cache of details by looking at the tbl_security_identity_cache table in the configuration database.
Warning: Querying against or changing the database puts you in a position where you will likely not be able to get support from Microsoft. It's advised that you don't do this unless instructed by a Microsoft support representative in the context of an active support case. You were actually doing it right by using the TFS SDK to get this information.
If your TFS environment is not in an Active Directory environment, then it will attempt to synchronize information from the local machine where TFS is running. It won't have details about the e-mail address to use so it will be left blank.
Starting in the next version of TFS after TFS 2010, each user will be able to update their notification e-mail address in their profile using Team Web Access.
The following is for TFS 2013 Update 5
** WARNING ** Getting caught editing the TFS database directly
** will void your Microsoft Support Agreement. **
What follows is not for the uninitiated. ** Proceed at your own risk. **
Locate the user or users with email addresses needing to be set. There can be duplicates in the Identities table. I found that the ones with the highest SequenceId were the active Identities.
Use Tfs_TFSConfiguration
SELECT i1.AccountName, i1.Id FROM tbl_Identity AS i1
LEFT OUTER JOIN tbl_Identity AS i2
ON (i1.AccountName=i2.AccountName AND i1.SequenceId<i2.SequenceId)
WHERE i2.AccountName IS NULL
AND i1.AccountName in ('<your first user>','<another user>','<and so on>')
This gives a list of the most recent the Id(s), in GUID form, for the accounts that you need to update. These GUIDs must be reformatted into ArtifactId(s), which is a transformed binary format. This is accomplished by reversing the byte order (low to high) or each of the first three parts of the GUID, but leaving the last two parts in order. E.g.:
Returned 'Id' GUID =01020304-0506-0708-090A-0B0C0D0E0F10
Byte Swapped GUID =04030201-0605-0807-090A-0B0C0D0E0F10
Reformatted 'ArtifacId'=0x0403020106050807090A0B0C0D0E0F10
Next, you have to find the PropertyId(s) used by TFS for email notifications. In TFS 2013 U5, this can be found with the following query:
USE Tfs_TFSConfiguration
SELECT Name, PropertyId FROM tbl_PropertyDefinition WHERE Name LIKE '%Address%'
This will give you the PropertyId(s) for ConfirmedNotificationAddress and CustomNotificationAddresses; which are the two property fields used by TFS 2013 U5 to send notification emails.
Next, you have to find the InternalKindId for the Identity Framework for the TFS DatabaseCategory
USE Tfs_TFSConfiguration
SELECT Description, InternalKindId FROM tbl_PropertyArtifactKind
WHERE Description='Identity'
Now to put it all together, ...
If the configuration records for your user(s) already exist, you can update the settings with:
USE Tfs_TFSConfiguration
UPDATE tbl_PropertyValue SET LeadingStringValue='<user's notification email address>'
WHERE ArtifactId=<ArtifactId, reformatted from tbl_Identity query>
AND PropertyId IN ('<first PropertyId from tbl_PropertyDefinition>', '<second id>')
Note: that ArtifactId is a binary value, based upon a semi-byte-swapped database GUID, and will not match a quoted value in the UPDATE query. I.e. this part of the query will look something like:
WHERE ArtifactId=0x90D490F6BF7B31491CB894323F38A91F AND
Below I assume that the PartitionId is '1'; this should be verified before you continue by a brief scan of the records in the tbl_PropertyValue table.
If you are loading configuration settings that have not yet been set:
USE Tfs_TFSConfiguration
INSERT INTO tbl_PropertyValue
(PartitionId, ArtifactId, InternalKindId, Version, PropertyId, LeadingStringValue)
VALUES ('1', <ArtifactId, reformatted from tbl_Identity query>,
'<InternalKindId from tbl_PropertyArtifactKind>',
'0',
'<first PropertyId from tbl_PropertyDefinition>',
'<user's notification email address>'),
('1', <ArtifactId, reformatted from tbl_Identity query>,
'<InternalKindId from tbl_PropertyArtifactKind>',
'0',
'<second PropertyId from tbl_PropertyDefinition>',
'<user's notification email address>')
Note: that ArtifactId must be an unquoted binary value, transformed from the GUID returned from the tbl_Identity as explained above.
Note: that two records are created for each ArtifactId, one for each PropertyId.
** WARNING ** Getting caught editing the TFS database directly
** will void your Microsoft Support Agreement. **
** Proceed at your own risk. **
(This works for me, ... but, I do not have a Microsoft Support Agreement to invalidate.)
If Active Directory does not get synched with TFS, and assuming your goal to keep email address is for sending notifications you can use the IEventService.GetEventSubscriptions() methods.
var eventService = (IEventService)collection.GetService(typeof(IEventService));
foreach (var member in members)
{
var subscription = eventService.GetEventSubscriptions(member.DisplayName).First();
{
if (subscription != null && string.IsNullOrEmpty(member.MailAddress))
member.MailAddress = subscription.DeliveryPreference.Address;
}
}
I believe this is kept in Active Directory.
For TFS2017+, each user can have a preferred email address, that they can setup in their profile, on the web interface.
It can override, or replace the email set in Active Directory. It also has the benefit to be an instant change, no synchronisation needed.
The field will be initialized with the value that has been set in Active Directory. The synchronization doesn't seem to happen anymore.