-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update SPWebApplication with Claims Authentication #513
Conversation
Hi @mrpullen, I'm your friendly neighborhood Microsoft Pull Request Bot (You can call me MSBOT). Thanks for your contribution! The agreement was validated by Microsoft and real humans are currently evaluating your PR. TTYL, MSBOT; |
Need to figure out how to support unit testing this.. Cause I would need ADFS or some other STS to issue the claims... And how is that going to work with appveyor. Also need to pull down the SPExtendedWebApplication resource and add changes to that. |
I'll have a look through this code when I get a minute, but we should be able to mock out the claims stuff to the point of validating our logic at least. I'll update here when I get a minute to look through it with some ideas for you. |
OK so a few little things (mostly style guidelines). The unit testing though you won't need ADFS or anything at all to test this. You can simply mock the output from the Get-SPAuthenticationProvider method (in much the same way as we already do in the tests for this resource. That will let you fake it to look like it has claims configured without need any infrastructure at all to actually make it work. The other thing I would like on this one is an extra example file (under "modules\SharePointDsc\Examples\resources\SPWebApplication") that shows a claims based example added in here as well (this gets used by our documentation generator, so would love to get that included there) Let me know if you need more help getting the tests sorted out and I'll do what I can, it shouldn't be too difficult though. Reviewed 3 of 3 files at r2, 1 of 1 files at r3. Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 91 at r3 (raw file):
Need to drop the open brace to a new line here (style guidelines, not my call :P ) Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 100 at r3 (raw file):
Lower case "a" at the start of this one as it's a local variable, not a parameter Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 102 at r3 (raw file):
Drop the brace to a new line Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 104 at r3 (raw file):
No need to wrap this as a string, DisplayName is a string property already so just $authProvider.DisplayName should do it Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 255 at r3 (raw file):
Rather than elseif'ing this, can we switch it out for a "switch" statement? Makes more sense now it's a three choice thing Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 255 at r3 (raw file):
Can we put a test at the start of the set method that checks to make sure that if you specify "claims" that you have to provide an AuthenticationProvider name? Something like this
And put this near the start of the set method to make sure we catch it early in the piece (outside of the Invoke-SPDscCommand bit) Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 256 at r3 (raw file):
Again we don't need to write the Identity value in a string here, just $params.AuthenticationProvider will work as it's a string to begin with Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.schema.mof, line 10 at r3 (raw file):
Can I get a full stop after "used for the app" before you list what the options are? Modules/SharePointDsc/Examples/Single Server/SharePoint.ps1, line 132 at r3 ([raw file](https://github.com/powershell/sharepointdsc/blob/cb0ff669e79d7a273e8d69ddecf576ea435d6d18/Modules/SharePointDsc/Examples/Single Server/SharePoint.ps1#L132)):
We shouldn't need to put this here by default if I'm looking at this right? So can we take this out from this example Modules/SharePointDsc/Examples/Small Farm/SharePoint.ps1, line 132 at r3 ([raw file](https://github.com/powershell/sharepointdsc/blob/cb0ff669e79d7a273e8d69ddecf576ea435d6d18/Modules/SharePointDsc/Examples/Small Farm/SharePoint.ps1#L132)):
We shouldn't need to put this here by default if I'm looking at this right? So can we take this out from this example Comments from Reviewable |
Also can I get you to put this in the changelog.md file as well :) Review status: all files reviewed at latest revision, 10 unresolved discussions. Comments from Reviewable |
I should have these updates back to you today or tomorrow. Thanks for taking making the time to review. |
Codecov Report
@@ Coverage Diff @@
## dev #513 +/- ##
======================================
Coverage ? 88.19%
======================================
Files ? 79
Lines ? 7409
Branches ? 3
======================================
Hits ? 6534
Misses ? 872
Partials ? 3
Continue to review full report at Codecov.
|
I think I got everything.. Let me know how it looks. |
…, even if they don't provide the claimsProvider name
Ok.. I have some more work to do on the unit tests. I will get back to this tonight. |
Reviewed 4 of 7 files at r4, 2 of 3 files at r5, 1 of 1 files at r6. Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 101 at r6 (raw file):
We don't need to do this sort of thing here - if it's NTLM or Kerberos we should be returning the authentication provider regardless of what the input parameters were. Remember the "get" methods are there to tell us about the current state, so the parameters we pass to it shouldn't have an impact on the get methods ability to describe the current state to us. Does that make sense? So we should just be able to say $authenticationProvider = "Windows Authentication" here and remove the comment. Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 113 at r6 (raw file):
We can remove the comment here - I think the discussion is whether or not "claims" is the right terminology here and I think that we might wanna change it since technically speaking both NTLM and Kerberos are still using claims authentication, just against the internal STS. So perhaps the better thing here is to call it "ExternalClaim" or something like that? @ykuijs can I get your two cents worth on this? Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 213 at r6 (raw file):
Why is this Server role stuff here? A copy/paste mistake I think? Modules/SharePointDsc/DSCResources/MSFT_SPWebApplication/MSFT_SPWebApplication.psm1, line 280 at r6 (raw file):
There's an extra space at the start of this line so it looks out of alignment with the code above it (again, style guidelines :P ) Modules/SharePointDsc/Examples/Resources/SPWebApplication/2-ClaimsExample.ps1, line 3 at r6 (raw file):
Can we update the comment here to explain the example a bit more - we use the comment in the documentation Modules/SharePointDsc/Examples/Resources/SPWebApplication/2-ClaimsExample.ps1, line 18 at r6 (raw file):
Do we really need the WSP in this example? I want to keep things nice and generic in these examples to focus on a specific resource. I'm inclined to want to keep this one as just the SPTrustedIdentityTokenIssuer and SPWebApplication. Modules/SharePointDsc/Examples/Resources/SPWebApplication/2-ClaimsExample.ps1, line 26 at r6 (raw file):
We can take the comments out of these as well Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 38 at r6 (raw file):
Can we remove this empty line that got added? Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 63 at r6 (raw file):
These parameters are all extra ones that shouldn't be needed so we can take them back out Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 139 at r6 (raw file):
These parameters are all extra ones that shouldn't be needed so we can take them back out Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 297 at r6 (raw file):
Can we remove the region comments Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 431 at r6 (raw file):
Can I get you to have a look at the logic here - the code coverage report is showing that line 275 ($ap = Get-SPTrustedIdentityTokenIsser -Identity $params.AuthenticationProvider) isn't getting hit and from the looks of it this scenario should have that covered. There should also be a mock for Get-SPTrustedIdentityTokenIsser somewhere in here as well for this scenario as it should be getting called from the set method here. Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 473 at r6 (raw file):
Remove the comment Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 487 at r6 (raw file):
This return value needs to include a "DisplayName" property to make sure that this will check the logic in the get method at line 91 Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 518 at r6 (raw file):
This return value needs to include a "DisplayName" property to make sure that this will check the logic in the get method at line 91 Comments from Reviewable |
Reviewed 3 of 3 files at r7. Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 638 at r7 (raw file):
This shouldn't be piping out to anything, it's causing an error in the tests. It should also have the Assert-MockCalled cmdlets for the key set commands in there as well Comments from Reviewable |
I did some looking at your test fails - the fixes are all commented below. Hope that helps Reviewed 1 of 1 files at r8. Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 397 at r8 (raw file):
There is a typo here causing the test to fail. "Issuer" instead of "Isser" Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 595 at r8 (raw file):
The call to the set function here needs to be inside curly braces {} not normal brackets () - this is causing one of your test failures Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 628 at r8 (raw file):
The context here says the web application DOES exist, but the mock is returning nothing. I suspect this is why your test method is returning false and causing you a fail. Also the get method here shouldn't be looking for absent, it should be looking for present. So this covers another test failure. Comments from Reviewable |
Found the same mistake Get-SPTrustedTokenIsser in the Resource file as well. Hoping everything passes muster. I have a lot of other resources I want to build. :) |
1 new discussion and 1 existing one left to look at here, almost done :) Reviewed 1 of 2 files at r9, 1 of 1 files at r10. Tests/Unit/SharePointDsc/SharePointDsc.SPWebApplication.Tests.ps1, line 53 at r10 (raw file):
Your comments on these tests talk about managed accounts - can you update these so i can look at this context again? Comments from Reviewable |
So I was trying to 100% code coverage.. in SPWebApplication resource there is the following code in set-TargetResource
so just throwing an "alternate" error from the mock to get to the else statement above. The other test case for Managed account exception here was throwing an Exception.Message that matched the if conditional.. |
@mrpullen That bit of code you have there is to make sure we showed a "friendlier" message to a user in the event of the managed account exception. So it's something I want to see left there, even if we don't test for it specifically. Realistically we are targeting 80% code coverage right now (which is 10% higher than the minimum requirement of the PowerShell team to hit at least 70%) and looking at the latest codecov report on this PR you've got 100% coverage of the changes you made to SPWebApplication so I think that's enough. I'll get through the review in full from here and we can merge in what you've done so far! :) |
Never mind, total mind blank on my behalf (this is why I shouldn't code review tired!) This one Review status: all files reviewed at latest revision, all discussions resolved, some commit checks broke. Comments from Reviewable |
#512
Add support for Claims providers to SharePointDSC. I haven't gotten to the SPWebAppExtension and there is a lot more to do to get this to meet submission guidelines. I am trying to find a good claims provider that I can install easily without a lot of additional work for testing.. if you have any ideas on that, greatly appreciated.
This change is