#152 Using OidcClient it works on PS51/NET48 and PS73/NET70!!... Next…
… some Test/New-IshSession Pester tests....Later deep dive into folder cmdlets based on OpenApi
ddemeyer committed Feb 7, 2023
1 parent 9a791e2 commit 80ab00e
Showing 6 changed files with 36 additions and 7 deletions.
4 changes: 4 additions & 0 deletions Doc/TheExecution-ISHRemote-7.1.md
Expand Up @@ -42,6 +42,9 @@ Add `-Timeout` parameter to this parameter group.


# Protocol and Parameter Group Scenarios

On Tridion Docs 14SPx/14.0.x and earlier, it is always `WcfSoapWithOpenIdConnect`. Starting from Tridion Docs 15/15.0.0 most customers will still use `WcfSoapWithOpenIdConnect` authenticated over `UserNameMixed` provided by `ISHSTS`-only. Experimenting on Tridion Docs 15/15.0.0 is possible for cmdlets having a side-by-side implementation when using `Protocol` `OpenApiWithOpenIdConnect`; when the OpenAPI implementation is not there, a fall back to `WcfSoapWithOpenIdConnect` will happen.

1. Explicit parameter group `Protocol`
1. Use `WcfSoapWithWsTrust`, so SOAP 1.2 end points protected by WS-Federation/WS-Trust
2. Use `WcfSoapWithOpenIdConnect`, so SOAP 1.2 end points protected by Access Management
Expand Down Expand Up @@ -163,6 +166,7 @@ Add (nested binary module) AMRemote that could offer cmdlets like
at IdentityModel.Client.HttpClientDiscoveryExtensions.<GetDiscoveryDocumentAsync>d__1.MoveNext()
```
For whoever stumbles on this transitive package dependency of `System.Runtime.CompilerServices.Unsafe` (and/or `System.Text.Json `), solved it through a forced Assembly load of the v6 version (while v5 was expected and .NET Framework 4.8 loads v4.0.4). Solution is in the pragma-protected `SessionCmdlet::BeginProcessing` section in `SessionCmdlet.cs` and `AppDomainAssemblyResolveHelper.cs`. For completeness there is an OidClient logging-not-initialized seralization bug which I bypassed through `LogSerializer.Enabled = false;`. Inspired by https://stackoverflow.com/questions/1460271/how-to-use-assembly-binding-redirection-to-ignore-revision-and-build-numbers/2344624#2344624 in Preprocessing step of the cmdlet that needs it.
* Verify Token Validation is there, happens for WCF/OpenApi at the same time... refresh token is used when expiration allows. Otherwise build new connection.

# Next
* Extend and document InfoShareOpenApiConnectionParameters (redirectUri, Open up hardcoded client to Tridion_Docs_Content_Importer , clean up code, check debug/verbose logging
Expand Up @@ -84,19 +84,23 @@ public InfoShareOpenApiConnection(ILogger logger, HttpClient httpClient, InfoSha
_logger.WriteDebug($"InfoShareOpenApiConnection InfoShareWSUrl[{_connectionParameters.InfoShareWSUrl}] IssuerUrl[{_connectionParameters.IssuerUrl}] AuthenticationType[{_connectionParameters.AuthenticationType}]");
if (_connectionParameters.Tokens == null)
{
if ((string.IsNullOrEmpty(_connectionParameters.ClientId)) || (string.IsNullOrEmpty(_connectionParameters.ClientSecret)))
if ((string.IsNullOrEmpty(_connectionParameters.ClientId)) && (string.IsNullOrEmpty(_connectionParameters.ClientSecret)))
{
// attempt System Browser retrieval of Access/Bearer Token
_logger.WriteDebug($"InfoShareOpenApiConnection System Browser");
_connectionParameters.Tokens = GetTokensOverSystemBrowserAsync().GetAwaiter().GetResult();
}
else
else if ((!string.IsNullOrEmpty(_connectionParameters.ClientId)) && (!string.IsNullOrEmpty(_connectionParameters.ClientSecret)))
{
// Raw method without OidcClient works
//_connectionParameters.BearerToken = GetTokensOverClientCredentialsRaw();
_logger.WriteDebug($"InfoShareOpenApiConnection ClientId[{_connectionParameters.ClientId}] ClientSecret[{new string('*', _connectionParameters.ClientSecret.Length)}]");
_connectionParameters.Tokens = GetTokensOverClientCredentialsAsync().GetAwaiter().GetResult();
}
else
{
throw new ArgumentException("Expected ClientId and ClientSecret to be not null or empty.");
}
}
else
{
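Review bot: The new `else` branch throws `ArgumentException("Expected ClientId and ClientSecret to be not null or empty.")`, but that message contradicts the branch immediately above it, where both values being empty is a valid, supported configuration (system-browser flow); the real rule is that the two must be supplied together, so `throw new ArgumentException("ClientId and ClientSecret must either both be provided (client-credentials flow) or both be omitted (system-browser flow).", nameof(InfoShareOpenApiConnectionParameters.ClientSecret));` states the contract an operator can act on. The new conditions also use `string.IsNullOrEmpty`, so a whitespace-only ClientSecret passed from a script still reaches the client-credentials path; `string.IsNullOrWhiteSpace` would catch that earlier than the token endpoint does. As a side note on the context the new branch sits next to, the existing debug line masks the secret with `new string('*', ClientSecret.Length)`, which still discloses the secret's exact length in debug output; a fixed placeholder avoids that. The constructor this hunk patches begins before the hunk, so what happens to the plaintext `ClientSecret` after the tokens are obtained is not visible here.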
Expand Up @@ -50,7 +50,7 @@ public Uri InfoShareWSUrl {
/// <summary>
/// Client Application Id as configured on Access Management which allows a http://127.0.0.1:SomePort redirect url
/// </summary>
public string ClientAppId { get; set; } = "Tridion_Docs_Content_Importer"; // TODO[Must] InfoShareOpenApiConnection ClientId is hardcoded to Tridion_Docs_Content_Importer, introduce dedidcated ISHRemote one
public string ClientAppId { get; set; }

/// <summary>
/// Existing scopes as configured on Access Management
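Review bot: Dropping the default leaves `ClientAppId` null for any caller that does not set it, and nothing in this class checks it before the value is presumably sent as the OIDC `client_id` for the loopback redirect; a missing value would then surface as an opaque error from Access Management rather than at session creation. Either validate it where it is consumed, or make the dependency explicit in the XML doc, e.g. `/// Must be supplied by the caller (IshSession passes its own value); a null or empty value is not valid for the system-browser flow.`. The TODO that was removed with the old default appears to have moved to IshSession in this same commit, so the hardcoding concern itself is tracked, just no longer on this property.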
2 changes: 2 additions & 0 deletions Source/ISHRemote/Trisoft.ISHRemote/ISHRemote.PesterSetup.ps1
Expand Up @@ -98,6 +98,8 @@ if (Test-Path -Path $debugPesterSetupFilePath -PathType Leaf)
# $wsTrustIssuerMexUrl = "$baseUrl/ISHSTS/issue/wstrust/mex"
# $ishUserName = 'myusername'
# $ishPassword = 'mypassword'
# $amClientId = 'myserviceaccountclientid'
# $amClientSecret = 'myserviceaccountclientsecret'
}
#endregion

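Review bot: The new `$amClientSecret` example documents storing a service-account client secret as a plaintext literal in the debug setup file alongside `$ishPassword`; that file must stay out of version control, which I cannot confirm from this commit. Since the values are only templates here, a one-line reminder next to them avoids the secret landing in a repo by accident, e.g. `# NOTE: keep the real debug setup file git-ignored; prefer $env:ISHREMOTE_AM_CLIENT_SECRET or SecretManagement over a literal`. If the real file is already ignored, saying so in this comment block is enough.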
Expand Up @@ -70,6 +70,11 @@ public class IshSession : IDisposable

// one HttpClient per IshSession with potential certificate overwrites which can be reused across requests
private readonly HttpClient _httpClient;
/// <summary>
/// OpenIdConnect Client Application Id that is typically configured in Access Management (ISHID) to allow a local redirect (http://127.0.0.1:SomePort/)
/// This option is not typically used but allows validating other applications like Tridion_Docs_Content_Importer
/// </summary>
private string _clientAppId = "Tridion_Docs_Content_Importer"; // TODO[Must] InfoShareOpenApiConnection ClientId is hardcoded to Tridion_Docs_Content_Importer, introduce dedidcated ISHRemote one
private InfoShareOpenApiConnectionParameters _infoShareOpenApiConnectionParameters;
private InfoShareOpenApiConnection _infoshareOpenApiConnection;

Expand Down Expand Up @@ -154,12 +159,13 @@ public IshSession(ILogger logger, string webServicesBaseUrl, string ishUserName,
{
var wcfConnectionConfigurationUri = new Uri(_webServicesBaseUri, "owcf/connectionconfiguration.xml");
owcfConnectionConfiguration = LoadConnectionConfiguration(wcfConnectionConfigurationUri);
_logger.WriteVerbose($"LoadConnectionConfiguration found InfoShareWSUrl[{ishwsConnectionConfiguration.InfoShareWSUrl}] ApplicationName[{ishwsConnectionConfiguration.ApplicationName}] SoftwareVersion[{ishwsConnectionConfiguration.SoftwareVersion}]");
_logger.WriteVerbose($"LoadConnectionConfiguration found InfoShareWSUrl[{owcfConnectionConfiguration.InfoShareWSUrl}] ApplicationName[{owcfConnectionConfiguration.ApplicationName}] SoftwareVersion[{owcfConnectionConfiguration.SoftwareVersion}]");
}
if (string.IsNullOrEmpty(_clientId))
else
{
_protocol = Enumerations.Protocol.WcfSoapWithWsTrust;
}

switch (_protocol)
{
case Enumerations.Protocol.Autodetect:
Expand All @@ -184,6 +190,7 @@ public IshSession(ILogger logger, string webServicesBaseUrl, string ishUserName,
InfoShareWSUrl = owcfConnectionConfiguration.InfoShareWSUrl,
IssuerUrl = owcfConnectionConfiguration.IssuerUrl,
Timeout = _timeout,
ClientAppId = _clientAppId,
ClientId = _clientId,
ClientSecret = SecureStringConversions.SecureStringToString(_clientSecureSecret)
};
Expand Down Expand Up @@ -469,6 +476,18 @@ public string AccessToken
}
}

/// <summary>
/// OpenIdConnect Client Application Id that is typically configured in Access Management (ISHID) to allow a local redirect (http://127.0.0.1:SomePort/)
/// This option is not typically used but allows validating other applications like Tridion_Docs_Content_Importer
/// </summary>
public string ClientAppId
{
get { return _clientAppId; }
// Setter is a bit silly as New-IShSession doesn't set it in time, we'll see...
set { _clientAppId = value; }
}


public string Separator
{
get { return _separator; }
Expand Down
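Review bot: The new `_clientAppId` field defaults to `"Tridion_Docs_Content_Importer"`, so by default every ISHRemote browser-flow login presents itself to Access Management as a different registered application, inheriting that app's redirect-URI allow-list, scope configuration and audit identity; the TODO acknowledges the hardcoding, but the security consequence is worth stating in the field comment, e.g. `// SECURITY: until a dedicated ISHRemote client is registered, sessions are attributed to Tridion_Docs_Content_Importer in Access Management logs and are bound by that client's redirect/scope policy.`. The public `ClientAppId` setter added in the last hunk has no effect once the connection exists, because the value is copied into `InfoShareOpenApiConnectionParameters` only during construction (`ClientAppId = _clientAppId`), and the inline comment already admits as much; either drop the setter or have it throw `InvalidOperationException` when `_infoshareOpenApiConnection` is already set, so a script author is not silently ignored. The replacement of `if (string.IsNullOrEmpty(_clientId))` with a bare `else` attaches the WS-Trust fallback to a preceding `if` whose condition lies before the hunk, so I cannot verify that the ClientId-absent case still reaches the fallback. The constructor this section patches starts and ends outside the visible hunks.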
Expand Up @@ -3,7 +3,7 @@
"PS5 New-IshSession OpenApi SystemBrowser": {
"commandName": "Executable",
"executablePath": "%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe",
"commandLineArgs": "-NoExit -Command \"& Import-Module \"..\\ISHRemote\\ISHRemote.psm1 -Verbose; New-IshSession -WsBaseUrl https://mecdev12qa01.global.sdl.corp/ISHWSORA19/ -IshUserName admin -IshPassword admin -Protocol OpenApiWithOpenIdConnect -ClientId \"c826e7e1-c35c-43fe-9756-e1b61f44bb40\" -IgnoreSslPolicyErrors -debug\"",
"commandLineArgs": "-NoExit -Command \"& Import-Module \"..\\ISHRemote\\ISHRemote.psm1 -Verbose; New-IshSession -WsBaseUrl https://mecdev12qa01.global.sdl.corp/ISHWSORA19/ -IshUserName admin -IshPassword admin -Protocol OpenApiWithOpenIdConnect -IgnoreSslPolicyErrors -debug\"",
"nativeDebugging": true
},
"PS5 New-IshSession OpenApi CredentialFlow": {
Expand All @@ -27,7 +27,7 @@
"PS7 New-IshSession OpenApi SystemBrowser": {
"commandName": "Executable",
"executablePath": "%ProgramFiles%\\PowerShell\\7\\pwsh.exe",
"commandLineArgs": "-NoExit -Command \"& Import-Module \"..\\ISHRemote\\ISHRemote.psm1 -Verbose; New-IshSession -WsBaseUrl https://mecdev12qa01.global.sdl.corp/ISHWSORA19/ -IshUserName admin -IshPassword admin -Protocol OpenApiWithOpenIdConnect -ClientId \"c826e7e1-c35c-43fe-9756-e1b61f44bb40\" -IgnoreSslPolicyErrors -debug\"",
"commandLineArgs": "-NoExit -Command \"& Import-Module \"..\\ISHRemote\\ISHRemote.psm1 -Verbose; New-IshSession -WsBaseUrl https://mecdev12qa01.global.sdl.corp/ISHWSORA19/ -IshUserName admin -IshPassword admin -Protocol OpenApiWithOpenIdConnect -IgnoreSslPolicyErrors -debug\"",
"nativeDebugging": true
}
}
