Wednesday, 6 May 2015
Sunday, 26 April 2015
Code Reviews for SharePoint
Overview: Customisation in SharePoint takes different forms, and having suitable environments to test code in before setting it free in production is essential. This post looks at various types of customisation and how to code review them. As a solutions architect, and when I was running the Application Development CoE for a large multinational, having standards and a code review checklist helped immensely. Improving code quality and finding issues early reduces the cost of building applications, so code reviews are a good idea.
There are several automated tools for performing code reviews that target different application platforms (think FTC in SP2010 vs App Model in SP2013). When automating the tools, select the templates/rules that match your organisation and maturity. Ensure you customise the rules so they are not reporting issues when in fact these are your standards (an example is that naming in FxCop differs from the SharePoint code naming conventions used by different businesses).
Note: The code review required depends on whether the code is CSOM, FTC or JavaScript. What is being created/built determines the code review needed.
There are several automation tools that can help identify poor quality code early within the development process. Like peer reviews, these tools can help developers implement their code in the correct manner.
Note: Define your coding standards, have up to date architecture diagrams for architects and have rules for when and what features your developers can use. It's fairly common for outsourcing companies to build a solution only to find out you don't allow the technology they have built with. I remember an InfoPath based solution coming into my app development center a few years ago and they could not understand that the organisation would not merely turn on InfoPath.
Note: A lot of the tools we previously used in SP 2010 for FTC solutions are not relevant to SP 2013, namely SPDisposeCheck.
Code Review Tooling Options:
- Visual Studio
- FxCop (Config in VS so it runs with the same rule set as SPCAF)
- StyleCop (Config in VS so it runs with the same rule set as SPCAF - forces enforcement of code style at design time)
- SPDisposeCheck (SP 2010 only, don't use in SP2013 even for FTC solutions)
- MSOCAF
- SPCAF (SharePoint Code Analysis Framework)
- Black Duck - Built into the CI/CD pipeline; checks for open source software, identifies potential security issues and highlights licensing concerns.
The 3 areas where code reviews can be performed are:
- Developer at run time (think Visual Studio)
- Continuous delivery (think gated check-ins)
- Formal Code reviews (think solutions architect and quality manager)
Summary:
Code reviews improve maintainability, pick up bugs, ensure efficient code that will run in production, improve security and performance, and reduce the total cost of ownership. Automated tools are worth considering and the top tool for me is SPCAF. Do code reviews early and often, and automate.
JavaScript Code Review Checklist:
1. Project Structure - js into script folder in the solution file (group images, css, js and file types so the projects are easy to understand and consistent in layout)
3. Always use JavaScript namespaces - avoid conflicts
4. Move hard coding to constants at the top of the file, not single use meaningful info like undefined in. Move declarations to the top.
5. Only use approved frameworks like jQuery; notify if any other frameworks are used.
6. Commenting. Ensure method names tell coders what the method is performing. Add comments that explain the method. Don't be afraid to add value by adding inline comments.
7. Display friendly messages to the users if something goes wrong and add error handling with tracking/logging such as console.log(), or log to ULS from an app using the provided JS API, or log to a common logging mechanism.
8. Single spacing (no flower potting)
9. Remove commented out code/unused commented out calls etc.
10. Always end your switch statements with a default statement.
11. Ensure coding standards are consistent; consider using http://www.jslint.com/
12. Code adheres to your agreed coding standards; an example is http://google-styleguide.googlecode.com/svn/trunk/javascriptguide.xml
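Checklist items 3, 4, 7 and 10 (namespaces, constants, friendly errors with logging, switch defaults) combined in one small module. This is an added example, not code from the original post; `Contoso.ListStatus`, its function names and the assumed REST response shape (a JSON body with a `value` array) are hypothetical.

```javascript
// Added example with hypothetical names: Contoso.ListStatus is not a SharePoint API.
var Contoso = Contoso || {};            // item 3: one root namespace shared across files

Contoso.ListStatus = (function () {
  'use strict';

  // item 4: hard-coded values live in constants at the top of the file
  var HTTP_OK = 200;
  var HTTP_UNAUTHORIZED = 401;
  var HTTP_FORBIDDEN = 403;
  var HTTP_NOT_FOUND = 404;
  var HTTP_THROTTLED = 429;
  var MSG_GENERIC = 'Something went wrong. Please try again or contact support.';

  var logger = console;                 // item 7: replace with your common logging mechanism

  function setLogger(customLogger) { logger = customLogger; }

  // Map an HTTP status to text that is safe to show a user (no technical detail).
  function friendlyMessage(status) {
    switch (status) {
      case HTTP_UNAUTHORIZED: return 'Your session has expired. Please sign in again.';
      case HTTP_FORBIDDEN: return 'You do not have permission to view this list.';
      case HTTP_NOT_FOUND: return 'The list could not be found.';
      case HTTP_THROTTLED: return 'The server is busy. Please try again shortly.';
      default: return MSG_GENERIC;      // item 10: always end with a default
    }
  }

  // Parse a REST response: technical detail goes to the log, the user sees friendly text.
  function parseItems(responseText, status) {
    if (status !== HTTP_OK) {
      logger.log('ListStatus: request failed with HTTP ' + status);
      return { ok: false, message: friendlyMessage(status), items: [] };
    }
    try {
      var body = JSON.parse(responseText);
      return { ok: true, message: '', items: body.value || [] };
    } catch (e) {
      logger.log('ListStatus: invalid response body: ' + e.message);
      return { ok: false, message: MSG_GENERIC, items: [] };
    }
  }

  return { setLogger: setLogger, friendlyMessage: friendlyMessage, parseItems: parseItems };
}());
```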
C# Coding Standards for SharePoint
This is a checklist; the recommendations need to be matched to your business, and some scenarios, such as compiled C# for a PowerShell plugin, won’t use all the items in this checklist.
- Have you followed the Enterprise design guidelines, branding guidelines and coding standards.
- Have you used the Commenting standards e.g. http://msdn.microsoft.com/en-us/library/b2s063f7.aspx
- Avoid declaring inline literal strings
- Check for an empty string using length e.g. if (email.Length == 0); don't use if (email == String.Empty || email == "")
- Use StringBuilder for concatenation don’t keep appending strings
- Return Empty array rather than null
- Methods must be short and focused. Method names must be meaningful
- Use method overloading, not different names for the same method. Try to keep classes small i.e. under 500 lines. If larger, use #Regions to split up the code. Pass objects into methods rather than multiple variables if there are more than 6 parameters.
- Enumerators should be used where possible; code is more understandable and options are easy to reuse.
- Only import the namespaces and DLLs you need. Split code into separate assemblies and use company standard naming with appropriate namespace naming.
- Make helper functions i.e. don't rewrite code several times - refactor
- Open connections (SQL and SharePoint) as late as possible and ensure you wrap them in error handling and dispose of connections in the finally statement
- Reuse core code libraries (ensure commonly re-used functionality is added into core libraries: cross-cutting concerns/logging/email)
- Use exception management/try catch. Try catch must catch specific errors first and lastly catch all errors. No business logic must rely on using catch statements. Don't throw exceptions within exceptions. Catch errors as specifically as possible, die gracefully and appropriately, and log the errors using the CoE core code block that puts exceptions in the farm's ULS and event viewer, and potentially the enterprise logging platform.
- Dispose of SPSite and SPWeb Server site objects where appropriate. Run http://code.msdn.microsoft.com/SPDisposeCheck before deployment
- Run stylecop and code analysis on code regularly and before deployment
- Your code is compiled for x64.
Have a common code/core code library that deals with cross cutting concerns, logging, caching etc.
using System;
using Microsoft.Practices.ServiceLocation;
using Microsoft.Practices.SharePoint.Common.ServiceLocation;
using Microsoft.Practices.SharePoint.Common.Logging;

// Resolve the shared logger from the SharePoint service locator
ILogger _logger = SharePointServiceLocator.GetCurrent().GetInstance<ILogger>();
// Create a test exception and log it for operations staff
Exception ex = new ApplicationException("This is my test exception");
_logger.LogToOperations(ex);
Security in C# and SP
- Plain text passwords are not stored in Web.config, Machine.config, or any files that contain configuration settings.
- Input surfaces such as application pages, site pages, web parts and other customizations perform client and server side validation to protect against cross-site scripting (XSS) and SQL injection.
- Minimal use of elevated privileges to interact with SharePoint objects.
- Sensitive data is not stored in URLs, unencrypted cookies, hidden form fields, query strings or within code.
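One way to automate the first check in this list during a gated check-in: scan a Web.config for passwords left in plain text. This is an added example written in JavaScript for Node.js, not part of the original post or of SPCAF; the sample config, the secret-like key name pattern and the function names are constructed assumptions.

```javascript
'use strict';
// Added example: a heuristic review check, not SPCAF or a full secrets scanner.

// ADO.NET connection-string keywords that carry a credential.
const CONN_SECRET = /(?:^|;)\s*(?:password|pwd)\s*=\s*[^;\s]/i;
// appSettings key names that usually hold a secret (assumed naming; tune to your standards).
const SECRET_KEY = /password|pwd|secret|apikey/i;

// Read one attribute from a tag string, accepting single or double quotes.
function attr(tag, name) {
  const m = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')', 'i').exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Return the <add .../> tags inside a section. A section protected with
// configProtectionProvider is encrypted, so it is skipped. Commented-out
// entries are still returned: a password in a comment is still in the file.
function addTags(xml, section) {
  const re = new RegExp('<' + section + '\\b([^>]*)>([\\s\\S]*?)</' + section + '>', 'i');
  const m = re.exec(xml);
  if (!m || /configProtectionProvider\s*=/i.test(m[1])) return [];
  return m[2].match(/<add\b[^>]*>/gi) || [];
}

function findPlaintextSecrets(xml) {
  const findings = [];
  for (const tag of addTags(xml, 'connectionStrings')) {
    const cs = attr(tag, 'connectionString') || '';
    if (CONN_SECRET.test(cs)) {
      findings.push({ section: 'connectionStrings', name: attr(tag, 'name'),
                      reason: 'password in connection string' });
    }
  }
  for (const tag of addTags(xml, 'appSettings')) {
    const key = attr(tag, 'key') || '';
    const value = attr(tag, 'value') || '';
    if (SECRET_KEY.test(key) && value.trim() !== '') {
      findings.push({ section: 'appSettings', name: key,
                      reason: 'secret-like key with a plain value' });
    }
  }
  return findings;
}

// Constructed sample input; server, database and account names are made up.
const SAMPLE_WEB_CONFIG = `
<configuration>
  <connectionStrings>
    <add name="PatientDb" connectionString="Data Source=sql01;Initial Catalog=Patient;User Id=svc_app;Password=EXAMPLE-ONLY" />
    <add name="ReportDb" connectionString="Data Source=sql01;Initial Catalog=Report;Integrated Security=SSPI" />
  </connectionStrings>
  <appSettings>
    <add key="SmtpPassword" value="EXAMPLE-ONLY" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>`;

for (const f of findPlaintextSecrets(SAMPLE_WEB_CONFIG)) {
  console.log(f.section + ' / ' + f.name + ': ' + f.reason);
}
```

The integrated-security connection string and the non-secret setting are not reported; only the findings list should be logged by a build step, never the matched values themselves.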
HTML/CSS
Section 508 US Standard to ensure federal agencies
WCAG 2.1 compliant standard should be adhered to and will cover: JAWS/browser testing, screen zooms and braille readers. WCAG 2.2 is due out in 2021.
RWD testing e.g. Mobile/Phone testing
SEO
SQL Standards (Establish SQL standards), a small example is:
- No spacing in naming objects
- Do not use reserved words in SQL
- Name tables in singular e.g. "Patient" not "Patients"
- No underscore in table naming and use Camel case e.g. "PatientResult"; underscores are fine in column and stored proc naming.
- Do not prefix tables e.g. "tbl_Patient" or "tblPatient"
- Prefix views with "vw" e.g. vwPatientHistory
- Boolean columns prefixed with "Is" e.g. IsActive
- Stored procs prefixed with "usp" not "sp" e.g. uspDeletePatient; use the format usp_Verb_Noun
- Prefix functions with ufn
- Label foreign keys using the prefix fk and follow the format fkTableColumn e.g. fkPatientId
- Make your T-SQL readable, not on 1 line. Use line-breaks, no empty lines and indent spacing to make the code readable.
- How to comment must be standardised
This list goes on but as a starting point... Pls post if you feel anything else is relevant.
Saturday, 25 April 2015
DevOps Tooling
DevOps Tooling Notes
DevOps Tooling is broken down into the following areas, note the tools often overlap in function. The list is not exhaustive but these are the more common tools I have come across.
- Version Control: TFS, Git, SVN, ...
- Bug Tracking: ServiceNow, Jira, ZenDesk
- Continuous Testing: Selenium, Jasmine or Mocha or Unit.js (JavaScript testing), NUnit, Web Tests (Visual Studio), SpecFlow
- Continuous Integration (CI): TeamCity, Jenkins, Azure DevOps (bigger)
- Configuration Management and Deployment: Puppet, Chef, ANSIBLE, SALT (all installed on Linux, obviously work on Windows environments)
- Containers: Docker, Kubernetes, Microsoft Containers. I think the Azure AKS is pretty much containers for Azure now.
- Other: PowerShell, VMWare, HyperV
- Swagger - awesome. Swagger is a set of tools that help document, build and test your API (Your API conforms to the OpenAPI specification or Swagger specification). Great way to get a contract for users of the API early on. Updated 2019/11/25: Link to Swagger post
- Swagger UI, Swagger Integrator,...
- Apiary - UI to create an API and publish with mocks. I prefer Swagger or on simple projects APIM.
- API Management (APIM) - flexible Azure service for bringing together multiple APIs securely. Same as MuleSoft. Can import OpenAPI v2 or v3 to create a hosted API. Can mock and has a built-in test tool.
- RAML is an alternative to Swagger and Apiary (never used)
- Blueprint - API documentation tool. Pretty simple and nice results.
- Postman - send http requests to the API. Postman is a REST client useful to check your API. This is my main tool for testing, exploring REST based API's.
- SoapUI - if working with SOAP/XML.
- Slate - API documentation - I always use OAS/OpenAPI/Swagger.
- Fiddler - I'm old school and still love Fiddler and its capabilities. Fiddler is a great HTTP debugger.
- BURP - an HTTP debugger to review traffic. I've used BURP for security testing and it is great for API debugging.
- Charles is another HTTP debugger (never used).
- cURL - Cmd line to test API's using HTTP, separate exe to run on Windows, Windows 10 has cURL built in.
- Visual Studio
- Wireshark - Over the years I have needed packet sniffing to fix issues and always go to Wireshark, I used the tool in the 90's but it had a different name. Extremely useful for issues relating to firewalls, especially when an environment reacts differently to another working DTAP environment.
- Tcpdump is another packet sniffer
http://www.incyclesoftware.com/2014/02/executing-selenium-ui-tests-release-management/
More Info:
http://blog.sharepointsite.co.uk/2014/02/devops-and-sharepoint.html
http://www.networkworld.com/article/2172097/virtualization/puppet-vs--chef-vs--ansible-vs--salt.html
http://blog.sharepointsite.co.uk/2013/11/iac-presentation-for-sharepoint.html
Sunday, 19 April 2015
PhoneGap and SharePoint
For Mobile
Start with an HTML5 mobile web app, then PhoneGap (a wrapper to interact with devices), then Xamarin, which recompiles to each platform, and lastly write for each native platform (think iOS/Objective-C for Apple). PhoneGap and Xamarin are comparable with respect to performance and have trade-offs based on code reuse, developer skill set, and integration into standard developer tool sets.
Idea: Start by building HTML5 sites with a responsive design then leverage these HTML5, CSS and JS assets hooking into SharePoint and extend with device capabilities using Hybrid framework (PhoneGap)
Feature | HTML5 | PhoneGap |
Web view | Yes | Yes |
Audio/Video files | Yes | Yes |
Location | Yes | Yes |
Local storage | Yes | Yes |
Camera | No | Yes |
Accelerometer | No | Yes |
Yes | ||
Notifications (local, alert, push) | No | Yes |
Compass | No | Yes |
Native UI | No | No |
Access to full API/SDK | No | No |
Also see:
https://xamarin.com/
Saturday, 11 April 2015
Empty Developer Dashboard in SP2013
Problem: No data is showing up on the developer dashboard in SharePoint 2013.
Initial Hypothesis: My initial thoughts were around the SSL cert issue on the VM or potentially Fiddler causing the dev dashboard to be empty. After looking at the ULS, a good developer could see the Usage and Health Data Collection Service Application was not working.
http://www.wictorwilen.se/sharepoint-2013-developer-dashboard-shows-no-data-issue
Resolution: Once the Usage SSA was configured, the dashboard started working.
Thursday, 19 March 2015
Identity Providers for SharePoint
Overview: I have worked with and evaluated a couple of Services and Federation Server products. Here is an old post on setting up claims; at the bottom I have some thoughts on different services/server products.
Background: SAML and WS-Federation protocols are standard Single Sign-On protocols; the following versions exist:
- SAML 1.0, SAML 1.1, SAML 2.0
- WS-Federation
SAML enables web-based authentication scenarios including cross-domain single sign-on (SSO). A SAML token represents a principal, which is normally a user but can be an app.
Other terms to understand:
- Identity provider (IdP): think ADFS/Azure ACS
- Service provider (SP): the SAML consumer; in our context this is SharePoint but it can be an MVC app
- Realm
Identity Provider (IdP) Products:
- Microsoft ADFS
- Ping Federate
- Thinktecture Identity Server
- CA-SiteMinder
- IBM Tivoli (CAM)
- Oracle Access Manager
- ComponentSpace
- Shibboleth
- RSA Federated Identity Manager
- Entrust GetAccess
IdP Services:
- Azure Active Directory
- LiveId
- Yahoo
Friday, 13 March 2015
Capturing NFRs for SharePoint
Problem: Gathering Non Functional Requirements (NFRs) is always tricky in IT projects. This is because it is always difficult to estimate how the system will be used before you build it. I often get business users stating extreme NFRs in an attempt to negotiate or show how world class they are (I generally think the opposite when hearing unreasonable NFRs).
An example is a CIO at a fairly small NGO telling me the on-prem. SP 2010 infrastructure needs to be up all the time, so an SLA of 99.99999. This equates to 3.2 seconds downtime a year. In reality, higher SLAs start to cost a lot of money. SP2013 and SQL 2012 introduce Always On Availability Groups (AOAG), which help improve SLA uptime, but this costs in licensing, infrastructure and management. I need redundancy and the ability to deal with performance issues, so the smallest possible farm consists of 6 servers, 2 for each layer in SP, namely: WFE, App and SQL.
Here is an old post on SP2010 SLAs but still relevant today.
The key is to gather your NFRs and ensure all your usage/applications on the production farm meet expected behaviours. I have a checklist below. Going through Microsoft's SP Boundaries, Limits and Thresholds document shall help highlight any issues.
The high level items I cover include the following topics:
- Availability
- Capacity
- Compatibility (Browser, device, mobile)
- Concurrency
- Performance
- Disaster Recovery (RTO, RPO)
- Scalability
- Search
- Security
- SLA
Capacity Example
Item | Day 1 | Year 1 | Year 3 | Year 5 |
Site Collections | 10 | 100 | 250 | 400 |
Database Size in GB | > than 1GB | 490 GB | 1220 GB | 1960 GB |
Search Index Size in GB | > than 1GB | 120 GB | 310 GB | 490 GB |
No of Content Databases | 1 | 1 | 4 | 8 |
No of Search Items | 10,000 | 10 Million | 25 Million | 40 Million |
No of Index Partitions | 1 | 1 | 3 | 4 |

Item | Day 1 | Year 1 | Year 2 | Year 3 |
Number of Users | 1,000 | 50,000 | 80,000 | 130,000 |
*Also calculate peak and average concurrency numbers
Average concurrency: for 20,000 users, the assumption is that 10% (2,000) of users will be actively using the solution at the same time, and that 1% of the total user base (200 users) will be actively making requests. For performance testing you are looking to handle 200 users without delays and a page response time of under 5 seconds. This is based on the simple guideline I've always used from Microsoft.
Peak concurrency depends on your situation; for example, the NFL playoffs game schedule when announced is not the simple 4 times the average concurrency that would be suitable for most internal business applications, although this example may be considered a load spike rather than a peak concurrency.
It is also worth doing a usage distribution pattern for your users' experience, so 80% may be light users who log in, read 10 pages in your site and perform a single search with 1 minute gaps between interactions (wait times). The remaining 20% perform a login, upload a 100kb document, view 10 pages and perform 2 searches.
RPO & RTO:
RPO - Max amount of lost data (in time)
RTO - Max time lost (rebuild farm and get the latest backups restored) to make the system operational again.
SQL Server Sizing:
Option 1: work out the rows and bytes for storage, multiply by the number of rows and then add the tables together to get the size.
Option 2: Assume 100 bytes for each row, count the number of rows and get the storage requirements.
More Info:
https://technet.microsoft.com/en-us/library/ff758647.aspx