Which scope lets a TFS extension manipulate ACLs?


Question


TFS 2015 u2. Trying to write a TFS extension that would use JavaScript API to manipulate the security on a release definition. Security related APIs fail on me with error 401. The code goes:

VSS.require(["VSS/Service", "VSS/Security/RestClient"],
    function (Srv, SecAPI)
    {
        // Collection-scoped client for the Security REST API
        var SecClient = Srv.getCollectionClient(SecAPI.SecurityHttpClient);
        // Query the ACLs of a security namespace (the GUID is a placeholder); this is the call that returns 401
        SecClient.queryAccessControlLists("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").then(function(a)
        {
            //...
        });
    });


That errors out with 401 Unauthorized. As far as I understand, the list of REST API that an extension may use is driven by the scopes parameter in the manifest. What do I place there for this to work? The scopes list lists none of the sort.


Meanwhile, calling the same endpoint from a regular REST client with Windows auth works as expected.

Answer


In TFS 2017 u2, finally, there's vso.security_manage.


In TFS 2017 u1, there is a scope vso.base that covers this API endpoint, but only with GET. POST, which is required to change the descriptor, is still not covered by the scope.


In TFS 2015 u2, and presumably below, there's no scope that covers the ACL related endpoints.


I've found a very hackish way to enable those endpoints for OAuth in older versions of TFS. It's only applicable to on-premises TFS. The relationship between OAuth scopes and service endpoint URLs/methods is stored in a global, public, mutable singleton data structure that a piece of user code might just be able to alter. You can see it in your favorite MSIL disassembler (ILDASM, ILSpy, Reflector) if you poke around method CreateDefault in class Microsoft.VisualStudio.Services.DelegatedAuthorization.AuthorizationScopeDefinitions within Microsoft.TeamFoundation.Framework.Server.dll.


The following Global.asax does the trick. You have to copy it to C:\Program Files\Microsoft Team Foundation Server 14.0\Application Tier\Web Services (for TFS 2015).

<%@ Application Inherits="Microsoft.TeamFoundation.Server.Core.TeamFoundationApplication" %>
<%@ Import namespace="Microsoft.VisualStudio.Services.DelegatedAuthorization" %>
<%@ Import namespace="System.Collections.Generic" %>
<%@ Import namespace="System.Linq" %>
<script runat="server">
// Runs at the start of every session; the IndexOf check below keeps the patch idempotent.
void Session_Start(object o, EventArgs a)
{
    // Look up the existing vso.identity scope in the global, mutable scope table.
    AuthorizationScopeDefinition Def = AuthorizationScopeDefinitions.Default.scopes
        .FirstOrDefault(d => d.scope == "vso.identity");
    if (Def == null)
    {
        return; // scope table not built yet or scope missing: nothing to patch
    }
    // Only append the ACL-related endpoint patterns once.
    if (Array.IndexOf(Def.patterns, "/_apis/SecurityNamespaces#GET") < 0)
    {
        List<string> l = Def.patterns.ToList();
        l.Add("/_apis/SecurityNamespaces#GET");
        l.Add("/_apis/AccessControlLists#GET+POST");
        l.Add("/DefaultCollection/_apis/SecurityNamespaces#GET");
        l.Add("/DefaultCollection/_apis/AccessControlLists#GET+POST");
        Def.patterns = l.ToArray();
    }
}
</script>


Hooking Application_Start would've made more sense, but the code-behind DLL already hooks it. Another handler in Global.asax doesn't override. I monkey-patch the vso.identity scope, because my extension already claims that, but feel free to use any other one.


Introducing your own, brand new scope probably won't work.
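An added example, not part of the original answer: a small offline checker that models the scope -> "path#METHOD+METHOD" pattern lists the answer describes, so you can test which of a manifest's declared scopes cover a given REST call before deploying and getting a 401. The pattern table is constructed for illustration, and the matching rule (case-insensitive match on whole path segments, method taken from the list after '#') is an assumption, not TFS's own matcher.

```javascript
// Constructed table: scope name -> endpoint patterns in the format shown in the answer.
// Only vso.security_manage is given the ACL endpoints here; vso.identity is illustrative.
const SCOPE_PATTERNS = {
  "vso.identity": [
    "/_apis/Identities#GET",
    "/DefaultCollection/_apis/Identities#GET",
  ],
  "vso.security_manage": [
    "/_apis/SecurityNamespaces#GET",
    "/_apis/AccessControlLists#GET+POST",
    "/DefaultCollection/_apis/SecurityNamespaces#GET",
    "/DefaultCollection/_apis/AccessControlLists#GET+POST",
  ],
};

// Parse "path#GET+POST" into { path, methods }. Throws on a malformed pattern.
function parsePattern(pattern) {
  const hash = pattern.indexOf("#");
  if (hash < 0) throw new Error(`pattern without '#': ${pattern}`);
  const path = pattern.slice(0, hash).replace(/\/+$/, "").toLowerCase();
  const methods = new Set(
    pattern.slice(hash + 1).split("+").map((m) => m.trim().toUpperCase()).filter(Boolean));
  return { path, methods };
}

// Assumed rule: the request path (query string stripped) must equal the pattern path
// or continue it at a segment boundary, and the method must be listed.
function patternAllows(pattern, method, path) {
  const p = parsePattern(pattern);
  const reqPath = path.split("?")[0].replace(/\/+$/, "").toLowerCase();
  const pathMatches = reqPath === p.path || reqPath.startsWith(p.path + "/");
  return pathMatches && p.methods.has(method.toUpperCase());
}

// Return the declared scopes that cover the call; [] means the call would be rejected.
function scopesCovering(declaredScopes, method, path, table = SCOPE_PATTERNS) {
  return declaredScopes.filter((scope) =>
    (table[scope] || []).some((pat) => patternAllows(pat, method, path)));
}

// Sample check mirroring the question: only vso.identity declared, POST to ACLs.
const aclUrl = "/DefaultCollection/_apis/AccessControlLists/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";
console.log(scopesCovering(["vso.identity"], "POST", aclUrl));                        // []
console.log(scopesCovering(["vso.identity", "vso.security_manage"], "POST", aclUrl)); // ["vso.security_manage"]
```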
