[UPD] Logic to check groups
geoperez committed Oct 8, 2019
1 parent 301bbe5 commit 5e56858
Showing 3 changed files with 23 additions and 29 deletions.
5 changes: 4 additions & 1 deletion StyleCop.Analyzers.ruleset
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Rules for StyleCop.Analyzers" Description="Code analysis rules for StyleCop.Analyzers.csproj." ToolsVersion="15.0">
<RuleSet Name="Rules for StyleCop.Analyzers" Description="Code analysis rules for StyleCop.Analyzers.csproj." ToolsVersion="16.0">
<Rules AnalyzerId="AsyncUsageAnalyzers" RuleNamespace="AsyncUsageAnalyzers">
<Rule Id="UseConfigureAwait" Action="Warning" />
</Rules>
Expand Down Expand Up @@ -70,6 +70,9 @@
<Rules AnalyzerId="Microsoft.CodeAnalysis.CSharp.Features" RuleNamespace="Microsoft.CodeAnalysis.CSharp.Features">
<Rule Id="IDE0003" Action="None" />
</Rules>
<Rules AnalyzerId="Microsoft.NetCore.Analyzers" RuleNamespace="Microsoft.NetCore.Analyzers">
<Rule Id="CA1303" Action="None" />
</Rules>
<Rules AnalyzerId="StyleCop.Analyzers" RuleNamespace="StyleCop.Analyzers">
<Rule Id="SA1001" Action="None" />
<Rule Id="SA1003" Action="None" />
4 changes: 2 additions & 2 deletions appveyor.yml
@@ -1,6 +1,6 @@
version: '3.6.{build}'
image:
- Visual Studio 2017
- Visual Studio 2019
- Ubuntu
platform: Any CPU
stack: node 9
Expand All @@ -19,7 +19,7 @@ install:
- ps: |
if($isWindows)
{
Install-Product node 8
Install-Product node 9
}
before_build:
- ps: |
43 changes: 17 additions & 26 deletions src/Unosquare.PassCore.PasswordProvider/PasswordChangeProvider.cs
Expand Up @@ -17,8 +17,8 @@ public partial class PasswordChangeProvider : IPasswordChangeProvider
{
private readonly PasswordChangeOptions _options;
private readonly ILogger _logger;
private IdentityType _idType = IdentityType.UserPrincipalName;
private readonly DomainPasswordInformation? _domainPasswordInfo;
private IdentityType _idType = IdentityType.UserPrincipalName;

/// <summary>
/// Initializes a new instance of the <see cref="PasswordChangeProvider"/> class.
Expand Down Expand Up @@ -50,7 +50,6 @@ public ApiErrorItem PerformPasswordChange(string username, string currentPasswor

try
{

using (var principalContext = AcquirePrincipalContext())
{
var userPrincipal = UserPrincipal.FindByIdentity(principalContext, _idType, fixedUsername);
Expand All @@ -63,7 +62,10 @@ public ApiErrorItem PerformPasswordChange(string username, string currentPasswor
return new ApiErrorItem(ApiErrorCode.UserNotFound);
}

ValidateGroups(userPrincipal);
var item = ValidateGroups(userPrincipal);

if (item != null)
return item;

// Check if password change is allowed
if (userPrincipal.UserCannotChangePassword)
Expand Down Expand Up @@ -97,7 +99,7 @@ public ApiErrorItem PerformPasswordChange(string username, string currentPasswor
catch (PasswordException passwordEx)
{
var item = new ApiErrorItem(ApiErrorCode.ComplexPassword, passwordEx.Message);

_logger.LogWarning(item.Message, passwordEx);

return item;
Expand Down Expand Up @@ -146,46 +148,35 @@ private string FixUsernameWithDomain(string username)
return string.IsNullOrWhiteSpace(domain) || parts.Length > 1 ? username : $"{username}@{domain}";
}

private void ValidateGroups(UserPrincipal userPrincipal)
private ApiErrorItem ValidateGroups(UserPrincipal userPrincipal)
{
try
{
if (!userPrincipal.GetGroups().ToList().Any()) return;
if (!userPrincipal.GetGroups().Any()) return null;

if (_options.RestrictedADGroups?.Any() == true)
{
foreach (var userPrincipalAuthGroup in userPrincipal.GetAuthorizationGroups())
if (userPrincipal.GetAuthorizationGroups().Any(x => _options.RestrictedADGroups.Contains(x.Name)))
{
if (_options.RestrictedADGroups.Contains(userPrincipalAuthGroup.Name))
{
throw new ApiErrorException("The User principal is listed as restricted",
ApiErrorCode.ChangeNotPermitted);
}
return new ApiErrorItem(ApiErrorCode.ChangeNotPermitted,
"The User principal is listed as restricted");
}
}

if (_options.AllowedADGroups?.Any() != true) return;
if (_options.AllowedADGroups?.Any() != true) return null;

foreach (var userPrincipalAuthGroup in userPrincipal.GetAuthorizationGroups())
{
if (_options.AllowedADGroups.Contains(userPrincipalAuthGroup.Name))
{
return;
}
}
return userPrincipal.GetAuthorizationGroups().Any(x => _options.AllowedADGroups.Contains(x.Name))
? null
: new ApiErrorItem(ApiErrorCode.ChangeNotPermitted, "The User principal is not listed as allowed");

// If after iterate the user groups the user cannot change password.
throw new ApiErrorException("The User principal is not listed as allowed",
ApiErrorCode.ChangeNotPermitted);
}
catch (ApiErrorException)
{
throw;
}
catch (Exception exception)
{
_logger.LogError(new EventId(888), exception, nameof(ValidateGroups));
}

return null;
}

private DomainPasswordInformation? GetDomainPasswordInformation()
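Review bot: The trailing `catch (Exception exception)` in ValidateGroups logs and then falls through to `return null`, so a failure inside `GetGroups()` or `GetAuthorizationGroups()` (a directory lookup error, for instance) is reported to PerformPasswordChange as "no restriction applies" and the password change proceeds; with RestrictedADGroups or AllowedADGroups configured this fails open. Returning a denial from the catch keeps the failure closed, e.g. `return new ApiErrorItem(ApiErrorCode.ChangeNotPermitted, "Unable to verify group membership");` — ChangeNotPermitted is the only code visible in this hunk, so substitute whichever code the project uses for internal errors if one exists. The early `if (!userPrincipal.GetGroups().Any()) return null;` likewise skips the AllowedADGroups check, so a principal with no group memberships is accepted even when an allow-list is configured; this predates the commit, but now that the method returns an item it could return the "not listed as allowed" item there instead when `_options.AllowedADGroups?.Any() == true`. Whether `Contains(x.Name)` matches group names case-insensitively depends on the type of the options collections, which is not visible here; it is worth confirming, since directory group names are not case-sensitive.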
