[UPD] Logic to check groups

StyleCop.Analyzers.ruleset

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<RuleSet Name="Rules for StyleCop.Analyzers" Description="Code analysis rules for StyleCop.Analyzers.csproj." ToolsVersion="15.0">
+<RuleSet Name="Rules for StyleCop.Analyzers" Description="Code analysis rules for StyleCop.Analyzers.csproj." ToolsVersion="16.0">
   <Rules AnalyzerId="AsyncUsageAnalyzers" RuleNamespace="AsyncUsageAnalyzers">
     <Rule Id="UseConfigureAwait" Action="Warning" />
   </Rules>
@@ -70,6 +70,9 @@
   <Rules AnalyzerId="Microsoft.CodeAnalysis.CSharp.Features" RuleNamespace="Microsoft.CodeAnalysis.CSharp.Features">
     <Rule Id="IDE0003" Action="None" />
   </Rules>
+  <Rules AnalyzerId="Microsoft.NetCore.Analyzers" RuleNamespace="Microsoft.NetCore.Analyzers">
+    <Rule Id="CA1303" Action="None" />
+  </Rules>
   <Rules AnalyzerId="StyleCop.Analyzers" RuleNamespace="StyleCop.Analyzers">
     <Rule Id="SA1001" Action="None" />
     <Rule Id="SA1003" Action="None" />

appveyor.yml

@@ -1,6 +1,6 @@
 version: '3.6.{build}'
 image: 
-- Visual Studio 2017
+- Visual Studio 2019
 - Ubuntu
 platform: Any CPU
 stack: node 9
@@ -19,7 +19,7 @@ install:
 - ps: |
         if($isWindows)
         {
-            Install-Product node 8
+            Install-Product node 9
         }
 before_build:
 - ps: |

src/Unosquare.PassCore.PasswordProvider/PasswordChangeProvider.cs

@@ -17,8 +17,8 @@ public partial class PasswordChangeProvider : IPasswordChangeProvider
     {
         private readonly PasswordChangeOptions _options;
         private readonly ILogger _logger;
-        private IdentityType _idType = IdentityType.UserPrincipalName;
         private readonly DomainPasswordInformation? _domainPasswordInfo;
+        private IdentityType _idType = IdentityType.UserPrincipalName;
 
         /// <summary>
         /// Initializes a new instance of the <see cref="PasswordChangeProvider"/> class.
@@ -50,7 +50,6 @@ public ApiErrorItem PerformPasswordChange(string username, string currentPasswor
 
             try
             {
-
                 using (var principalContext = AcquirePrincipalContext())
                 {
                     var userPrincipal = UserPrincipal.FindByIdentity(principalContext, _idType, fixedUsername);
@@ -63,7 +62,10 @@ public ApiErrorItem PerformPasswordChange(string username, string currentPasswor
                         return new ApiErrorItem(ApiErrorCode.UserNotFound);
                     }
 
-                    ValidateGroups(userPrincipal);
+                    var item = ValidateGroups(userPrincipal);
+
+                    if (item != null)
+                        return item;
 
                     // Check if password change is allowed
                     if (userPrincipal.UserCannotChangePassword)
@@ -97,7 +99,7 @@ public ApiErrorItem PerformPasswordChange(string username, string currentPasswor
             catch (PasswordException passwordEx)
             {
                 var item = new ApiErrorItem(ApiErrorCode.ComplexPassword, passwordEx.Message);
-                
+
                 _logger.LogWarning(item.Message, passwordEx);
 
                 return item;
@@ -146,46 +148,35 @@ private string FixUsernameWithDomain(string username)
             return string.IsNullOrWhiteSpace(domain) || parts.Length > 1 ? username : $"{username}@{domain}";
         }
 
-        private void ValidateGroups(UserPrincipal userPrincipal)
+        private ApiErrorItem ValidateGroups(UserPrincipal userPrincipal)
         {
             try
             {
-                if (!userPrincipal.GetGroups().ToList().Any()) return;
+                if (!userPrincipal.GetGroups().Any()) return null;
 
                 if (_options.RestrictedADGroups?.Any() == true)
                 {
-                    foreach (var userPrincipalAuthGroup in userPrincipal.GetAuthorizationGroups())
+                    if (userPrincipal.GetAuthorizationGroups().Any(x => _options.RestrictedADGroups.Contains(x.Name)))
                     {
-                        if (_options.RestrictedADGroups.Contains(userPrincipalAuthGroup.Name))
-                        {
-                            throw new ApiErrorException("The User principal is listed as restricted",
-                                ApiErrorCode.ChangeNotPermitted);
-                        }
+                        return new ApiErrorItem(ApiErrorCode.ChangeNotPermitted,
+                            "The User principal is listed as restricted");
                     }
                 }
 
-                if (_options.AllowedADGroups?.Any() != true) return;
+                if (_options.AllowedADGroups?.Any() != true) return null;
 
-                foreach (var userPrincipalAuthGroup in userPrincipal.GetAuthorizationGroups())
-                {
-                    if (_options.AllowedADGroups.Contains(userPrincipalAuthGroup.Name))
-                    {
-                        return;
-                    }
-                }
+                return userPrincipal.GetAuthorizationGroups().Any(x => _options.AllowedADGroups.Contains(x.Name))
+                    ? null
+                    : new ApiErrorItem(ApiErrorCode.ChangeNotPermitted, "The User principal is not listed as allowed");
 
                 // If after iterate the user groups the user cannot change password.
-                throw new ApiErrorException("The User principal is not listed as allowed",
-                    ApiErrorCode.ChangeNotPermitted);
-            }
-            catch (ApiErrorException)
-            {
-                throw;
             }
             catch (Exception exception)
             {
                 _logger.LogError(new EventId(888), exception, nameof(ValidateGroups));
             }
+
+            return null;
         }
 
         private DomainPasswordInformation? GetDomainPasswordInformation()