WebDAV System Module

[SHBBusinessSolutions]

@JesperSchulz
Would you be interested in getting a System Application module for connecting to WebDAV like the Azure Blob Storage or Sharepoint API apps?

We already connected a PTE and do have a bit of experience in that regard. But we would need a bit of structure on how to create the app "in the Microsoft way" and on how to create the test automation.

[pri-kise]

@SHBBusinessSolutions you already mention good examples.
You should make use of the facade pattern and if you want to provide the possiblity to set optional parameters it's also useful to make to the "Parameter Codeunit"-Pattern.

Additionally you should focus on secure authentication patterns and avoid Support for Basic Authentication.

[JulianTillmann]

@pri-kise
thanks for the input

regarding authentication, there's not a lot of options with WebDAV available. We'll take a look a digest authentication and Microsoft should decide if we should support NTLM / kerberos.

But basic auth should be available in my opinion. The usage scenarios that we see include simple 3rd party OnPrem solutions where Basic Auth would be the lowest common denominator.

[JulianTillmann]

@JesperSchulz
is there any interest here or shoud we scrap this idea?

[JesperSchulz]

Generally, it sounds like a very useful module to have! But I worry a little about the request for Microsoft's involvement in this case, as I can't really free up any resources at the moment to provide special support for this pull request.
Do you think you could get through this project with usual support from us and the community?

[JulianTillmann]

Generally, it sounds like a very useful module to have! But I worry a little about the request for Microsoft's involvement in this case, as I can't really free up any resources at the moment to provide special support for this pull request. Do you think you could get through this project with usual support from us and the community?

I'm not sure what the "usual support" would be ;-)

I at least would need the app-manifest(s) prepared from you guys.

And some guidance on what to do with test automation, since it's an external API we're connecting to: Should there be a fixed test-webdav instance somewhere or a powershell script to setup Webdav on a Docker IIS or do we need a complete mock interface?

And maybe an input on what authentication types to support

[pri-kise]

@JulianTillmann "usual support" normally involves review of code and after some draft of your pull request, suggestions for refactoring / restructuring.

There are at least a few major principles.
Make use of the FacaPattern (https://alguidelines.dev/docs/patterns/facade-pattern/).
Add Documentation to your public codeunits.

I'm no expert in testing, but I received some feedback for my PR from @adrogin .
You can have a look at the following open PR (#21246), that also adds a new Module:
Simple Copy the app.json to you folder and change the name, the guid and provide some short description.

[JesperSchulz]

We've also got some documentation on how to get started with a new module here: http://aka.ms/newalmodule.
As pri-kise mentions, the usual support is communicating back and forth here on GitHub. We can give tips and tricks and do code reviews, but we cannot "take over" certain parts, such as writing the tests for you (or the likes of it). How about you just give it a shot, create a draft PR, and we'll guide you through it? And if you grant me access to your branch, I can even assist you with small commits if need be 😊 Let's do this!

[JulianTillmann]

@microsoft-github-policy-service agree [company="SHB Business Solutions GmbH"]

[JulianTillmann]

okay, so I made a prototype and tested it manually against IIS Webdav and Nextcloud WebDAV with BasicAuth and leaning heavily on the Sharepoint API system app.

There are basically two parts on which I need your input:

1. I would provide automated testing if I knew where and how to build the third party components. Would it be acceptable to use the docker IIS and configure a WebDAV instance against which can be tested? Or are the other WebDAV providers that need to be considered?

2. I only implemented BasicAuth right now. DigestAuth is a bit tricky and there's not much information I can implement easily for BC. What about NTLM authentication? HttpClient supports it OnPrem, does it make sense to implement it in the system application?

Looking forward to your answers

[PeterConijn]

This is an exciting idea and it certainly looks like a good start. I did notice a few generic things (I haven't flagged all of them individually):

• The MIT heading was missing in some of the objects
• Exit should not be capitalized
• A lot of superfluous whitespace in several places
• Missing xml documentation tags for public codeunits

[PeterConijn]

This pattern kind of defeats the NonDebuggable in the implementation codeunit, since you are passing the credentials as plaintext in the argument. One option to make this more secure is to consider storing the password in the isolated storage and retrieving it from there in the implementation. Would that be a viable option?

[JulianTillmann]

Same thing is happening at the SharePoint Auth., the client secret is added in plain text.

This is a Basic Auth interface. If I add an isolated storage implementation I force everybody to use this isolated storage implemenation.

Maybe I could force a Base64 encoding of the password? Would that be okay?

[PeterConijn]

Base64 is not a good security measure. Perhaps making the procedure in the public facade non-debuggable would be enough, since at that point, the process as far as this implementation goes should be reasonable secure.

[darjoo]

Base64 isn't a good security measure but that's how Authentication header Basic works, https://www.rfc-editor.org/rfc/rfc7235#section-1.1.

I don't think anyone likes credentials that can be easily seen/retrieved. There is a new datatype that may come in wave 2 release (v23) which securely prevents the values from being seen. But until then, adding NonDebuggable is the way to go. If the username/passwords are being stored in application, I'd recommend to also provide a IsolatedStorage way to set and then auth with them without retrieving it from DB which can lead to insecurely storing them.

[PeterConijn]

Since this is the public facade, I would add xml comments to the codeunit and the procedure here.

[JulianTillmann]

done

[PeterConijn]

No capitalization is needed for "exit"

[JulianTillmann]

corrected

[PeterConijn]

Codeunit access modifier is already Internal. You can remove the access modifier here.

[JulianTillmann]

removed

[darjoo]

I still see the internal modifier

[PeterConijn]

I believe the general pattern is to prefix try procedures with the word Try, so TryGetResultAsText.

Also, since the codeunit access modifier is Internal, the access modifiers for the procedures are superfluous.

[JulianTillmann]

prefix added and NonDEbuggable removed

[PeterConijn]

exit

[JulianTillmann]

corrected

[PeterConijn]

exit

[JulianTillmann]

corrected

[PeterConijn]

This is the facade, so xml documentation would need to be added here. (Also MIT stuff)

[JulianTillmann]

XML documentation and MIT headers added

[PeterConijn]

Should all these be here or not?

[JulianTillmann]

removed NonDebuggable

[darjoo]

I see that the NonDebuggable are commented out, remove them entirely if not needed.

[PeterConijn]

Remove whitespace

[JulianTillmann]

done

[JulianTillmann]

@PeterConijn
thanks for your feedback, I will clean up the code and go over the documentation once there is a clear idea of what to implement.

but I'm still not getting answers to my two fundemental questions:

1. what kind of authentication do we need to implement?
2. how would automated testing work with an external webdav component

[PeterConijn]

To start with your second question: you cannot test an actual web call, since it requires external connection. What I often do when testing such functionality is two things:

1. Test the creation of the http call
   Basically, create GET, POST, PUT, etc calls and see if the HttpClient is structured correctly. This also entails expected error handling (e.g. what should happen if a url is blank, or credentials are missing and the authentication is not set to Anonymous)

2. Create some mock responses and feed them into your response handler. This would also entail successful responses (200), but also what is expected to happen when common errors occur, such as 401, 403, 404, 500.

As far as authentication goes: that might bear a bit more thought. Basic is still being used a lot, but OAuth 2.0 is gaining traction quickly. Perhaps - and this is just an idea - we can redesign the authentication to use an interface structure, so that we can provide some methods, but it is extensible if someone needs a more exotic method.

I will be away for a couple of weeks and not be able to re-review until after, so I hope you'll forgive my lack of response after this one :)

I missed it in the CR, but given the nature of the funtionality, your test app will likely need access to your module's internals, so you may need to add the internalsVisibleTo flag in your app.json.

[JulianTillmann]

@PeterConijn
regarding tests:
so no real WebDAV endpoint is required for this testing? For Azure Blob Storage there is a Azurite instance being created as far as I understood.

mocking up a xml response seems time consuming and I would there's a big chance I would accidentaly create this mock up so that the test works. A real scenario would be better, but if that's okay with you than I'll do the mock testing

regarding authentication
Oauth2 is not supported with webdav as far as I know. I only found "Basic" and "Digest" authentication in the WebDAV specs:
http://www.webdav.org/specs/rfc2617.html
IIS is also giving us NTLM / kerberos which is still supported in the HttpClient but only "OnPrem", so I don't know if we should implement this.

But I'll put this in the backlog until you're back and concentrate on the testing for now

[Peter-Conijn]

From my personal account, but in addition to my comment on testing APIs, you might find this video by @lvanvugt handy: https://www.youtube.com/watch?v=P-8MOfNppVQ

[pri-kise]

@JulianTillmann you can have a look at the sharepoint test codeunit.
https://github.com/microsoft/ALAppExtensions/blob/main/Modules/System%20Tests/SharePoint/src/SharePointClientTest.Codeunit.al

It makes use of manual event subscribers to mock the requests.

[pri-kise]

@JesperSchulz can maybe someone of microsoft have a look at the pull request, too.
The basic requirements were met, by adding test and providing documentation for public procedures..

@JulianTillmann could maybe provide some example could how to call the public procedure and how to initialize the authentication?
You can check out the following example of the sharepoint authorization Module
https://github.com/microsoft/ALAppExtensions/tree/main/Modules/System/SharePoint%20Authorization

[PeterConijn]

Teeny thing, but Successful is with one l

[PeterConijn]

Fair point.

[PeterConijn]

I agree that it happens with older NAV objects, but not sure that is a reason to continue the practice. I will defer to Microsoft's opinion on the matter though.

[PeterConijn]

Understood.

[JesperSchulz]

Indeed looks like this PR now is in a shape, which requires us to look into it. We've implemented a new guideline to not start reviewing, before two partners have approved a PR. Hopefully that will allow things to scale better :-)

[JulianTillmann]

@JesperSchulz
so how will we proceed? Are there any chances of getting this with the next m,ajor update?

I still have the questions about authentication ...

[JesperSchulz]

The next major is more or less locked down (for new features). This would be a candidate for a minor, following the next major. I'll see if we can find someone to drive this forward, when the 2023 Wave 1 is done and dusted. Should be soon. Then we'll take care of all open questions too.

[darjoo]

Add [NonDebuggable]

[darjoo]

Base64 isn't a good security measure but that's how Authentication header Basic works, https://www.rfc-editor.org/rfc/rfc7235#section-1.1.

I don't think anyone likes credentials that can be easily seen/retrieved. There is a new datatype that may come in wave 2 release (v23) which securely prevents the values from being seen. But until then, adding NonDebuggable is the way to go. If the username/passwords are being stored in application, I'd recommend to also provide a IsolatedStorage way to set and then auth with them without retrieving it from DB which can lead to insecurely storing them.

[darjoo]

I still see the internal modifier

[darjoo]

Is this something the developers/admin etc should be able to set?

[darjoo]

Add () to the end of function calls.
All the calls to GetContentType etc

[darjoo]

I don't have a strong opinion on this as long as it makes sense. Internally, unless it's a localized (US, DK etc) field, we've been going sequentially for new tables in general.
I do notice it jumps from 20 to 22. Any reason 21 is missing?

[darjoo]

I see that the NonDebuggable are commented out, remove them entirely if not needed.

[JulianTillmann]

@darjoo
thanks for your input, I'll take a look as soon as I get around to it.

But there is still the big question open if we need to provide more than BasicAuth for WebDAV? There is NTLM available, but that's an OnPrem thing and there is a rather complicated "DigestAuth" that's possible with WebDAV.

[darjoo]

@JulianTillmann Do we know how widely used WebDAV would be used with onprem customers? I'm not sure if that'd be worth the effort at the beginning unless we know there's demand for that with the OnPrem customers.

I did take a brief look at DigestAuth, and initially I was going to recommend to implement it as well. Maybe you could take a look to see if you could estimate how much effort that would take? It did look complicated as you mentioned. I'm sure all customers will always prefer secure authentication methods, if we could add it.

[JulianTillmann]

@darjoo
We looked at WebDAV as a way to be "Universal Code"-compliant and still get a connection to the OnPrem file servers. You can easily install WebDAV components on the IIS and create fileshares. But BasicAuth is still using the AD or local Windows users, so native NTLM support is not that important in my opinion.

I'll take another look at DigestAuthentication when I get to it. Maybe we could ship this WebDAV module with BasicAuth and deliver Digest later?

[darjoo]

@JulianTillmann Yeah, that's also fine to deliver DigestAuth later.

[AndreasMoth]

Minor: This doesn't seem to be related to Authorization? Could either be moved to a different function or Rename existing function to explain what happens. I believe splitting would be best.

[JulianTillmann]

I don't understand what you mean?

[dannoe]

I think he is talking about the "Translate" header that is added with the value "F".
Why is this done? Is it related to authorization?

[AndreasMoth]

Minor, double newline

[AndreasMoth]

Docs should explain what the function does, what the parameters and return value mean, not the type that can be seen from the procedure. Ex. (I did not spend a lot of time on this so feel free to improve) Summary: "Creates WebDAV Authorization initialized with the given username and password.", Username: "The name of the user that is authenticating the call", same for password, return: "A WebDAV Authorization interface initialized with the credentials".

[AndreasMoth]

Same summary all along, also please make return value more human readable.

[AndreasMoth]

I don't see any use of RequestDigest... is this needed?

[AndreasMoth]

empty line

[AndreasMoth]

I think it makes sense to return whether the single was parsed or not. In this case exit(false)

[AndreasMoth]

This assumes all entries are created within the context of the same codeunit. Would be better if we in the caller just had a FindLast() initially, then init() and then increase the entry number by 1 if it doesn't already auto-increment.

[AndreasMoth]

All the "WebDAV Content Parser" functions are NonDebuggable, such as the Initialize, if that shouldn't be debuggable, then these functions shouldn't be debuggable either.
Personally I don't see any reason why the Initialize function is NonDebuggable though, so maybe that one should have the tag removed.

[AndreasMoth]

Again these two functions should just return the response directly instead of using a by-var variable.

[JesperSchulz]

Hi @JulianTillmann,

I'm trying to push all of the open pull requests into the product - and this one has been around for a while 😊 I can see there are quite a few unaddressed code review comments; some which must be looked at before we can proceed with this PR.

When do you think you'll find the time wrap this module up? We're not in a hurry as such, but ideally I'd love to get this one merged before its 1 year anniversary 😋

Let me know how I can help get this wrapped up! Looking forward to hear back from you!

[JulianTillmann]

@JesperSchulz
I don't see this happening soon. Since the support on other parts of the product is de facto non existant, we have to put our resources elsewhere right now.

also this has not been the best experience contributing, lot's of "style" feedback but questions about content not beeing answered. And it doesn't seem like anybody really test it in a real scenario, only mock tests are expected.

[JesperSchulz]

Sorry to hear that, Julian. All of it.
The one thing I can do something about, is the experience. I understand your feedback and will take it with me, when we plan for the next iteration of our open source story. The "process" in this first attempt to allow for contributions has indeed had its flaws - for one, it was hardly existing. We were "trying things out", so to speak. That has already changed in the BaseApp contribution pilot, and will be enforced to a whole new level when the System Application soon goes fully open source. I fully agree, that the level of collaboration must improve. And it will.
I will leave this PR open for now, as I still do have hope, that we will find the time to finish it up at some point. We're dealing with the same problems as you though - it's not always easy to find the time to do all the things we would love to do.
Anyway, thanks for giving this a shot and I hope we'll be in touch!

[microsoft-github-policy-service]

@SHBBusinessSolutions please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

• (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.

@microsoft-github-policy-service agree

• (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.

@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

Contribution License Agreement

This Contribution License Agreement (“Agreement”) is agreed to by the party signing below (“You”),
and conveys certain license rights to Microsoft Corporation and its affiliates (“Microsoft”) for Your
contributions to Microsoft open source projects. This Agreement is effective as of the latest signature
date below.

1. Definitions.
   “Code” means the computer software code, whether in human-readable or machine-executable form,
   that is delivered by You to Microsoft under this Agreement.
   “Project” means any of the projects owned or managed by Microsoft and offered under a license
   approved by the Open Source Initiative (www.opensource.org).
   “Submit” is the act of uploading, submitting, transmitting, or distributing code or other content to any
   Project, including but not limited to communication on electronic mailing lists, source code control
   systems, and issue tracking systems that are managed by, or on behalf of, the Project for the purpose of
   discussing and improving that Project, but excluding communication that is conspicuously marked or
   otherwise designated in writing by You as “Not a Submission.”
   “Submission” means the Code and any other copyrightable material Submitted by You, including any
   associated comments and documentation.
2. Your Submission. You must agree to the terms of this Agreement before making a Submission to any
   Project. This Agreement covers any and all Submissions that You, now or in the future (except as
   described in Section 4 below), Submit to any Project.
3. Originality of Work. You represent that each of Your Submissions is entirely Your original work.
   Should You wish to Submit materials that are not Your original work, You may Submit them separately
   to the Project if You (a) retain all copyright and license information that was in the materials as You
   received them, (b) in the description accompanying Your Submission, include the phrase “Submission
   containing materials of a third party:” followed by the names of the third party and any licenses or other
   restrictions of which You are aware, and (c) follow any other instructions in the Project’s written
   guidelines concerning Submissions.
4. Your Employer. References to “employer” in this Agreement include Your employer or anyone else
   for whom You are acting in making Your Submission, e.g. as a contractor, vendor, or agent. If Your
   Submission is made in the course of Your work for an employer or Your employer has intellectual
   property rights in Your Submission by contract or applicable law, You must secure permission from Your
   employer to make the Submission before signing this Agreement. In that case, the term “You” in this
   Agreement will refer to You and the employer collectively. If You change employers in the future and
   desire to Submit additional Submissions for the new employer, then You agree to sign a new Agreement
   and secure permission from the new employer before Submitting those Submissions.
5. Licenses.

• Copyright License. You grant Microsoft, and those who receive the Submission directly or
  indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license in the
  Submission to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute
  the Submission and such derivative works, and to sublicense any or all of the foregoing rights to third
  parties.
• Patent License. You grant Microsoft, and those who receive the Submission directly or
  indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license under
  Your patent claims that are necessarily infringed by the Submission or the combination of the
  Submission with the Project to which it was Submitted to make, have made, use, offer to sell, sell and
  import or otherwise dispose of the Submission alone or with the Project.
• Other Rights Reserved. Each party reserves all rights not expressly granted in this Agreement.
  No additional licenses or rights whatsoever (including, without limitation, any implied licenses) are
  granted by implication, exhaustion, estoppel or otherwise.

6. Representations and Warranties. You represent that You are legally entitled to grant the above
   licenses. You represent that each of Your Submissions is entirely Your original work (except as You may
   have disclosed under Section 3). You represent that You have secured permission from Your employer to
   make the Submission in cases where Your Submission is made in the course of Your work for Your
   employer or Your employer has intellectual property rights in Your Submission by contract or applicable
   law. If You are signing this Agreement on behalf of Your employer, You represent and warrant that You
   have the necessary authority to bind the listed employer to the obligations contained in this Agreement.
   You are not expected to provide support for Your Submission, unless You choose to do so. UNLESS
   REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING, AND EXCEPT FOR THE WARRANTIES
   EXPRESSLY STATED IN SECTIONS 3, 4, AND 6, THE SUBMISSION PROVIDED UNDER THIS AGREEMENT IS
   PROVIDED WITHOUT WARRANTY OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF
   NONINFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
7. Notice to Microsoft. You agree to notify Microsoft in writing of any facts or circumstances of which
   You later become aware that would make Your representations in this Agreement inaccurate in any
   respect.
8. Information about Submissions. You agree that contributions to Projects and information about
   contributions may be maintained indefinitely and disclosed publicly, including Your name and other
   information that You submit with Your Submission.
9. Governing Law/Jurisdiction. This Agreement is governed by the laws of the State of Washington, and
   the parties consent to exclusive jurisdiction and venue in the federal courts sitting in King County,
   Washington, unless no federal subject matter jurisdiction exists, in which case the parties consent to
   exclusive jurisdiction and venue in the Superior Court of King County, Washington. The parties waive all
   defenses of lack of personal jurisdiction and forum non-conveniens.
10. Entire Agreement/Assignment. This Agreement is the entire agreement between the parties, and
    supersedes any and all prior agreements, understandings or communications, written or oral, between
    the parties relating to the subject matter hereof. This Agreement may be assigned by Microsoft.