/// <summary>
/// NOTE: call for TFS 2010 only.
/// Adds a user to a TFS security group
/// </summary>
/// <param name="teamProjName">The name of the team project</param>
/// <param name="searchableGroupName">The name of the group in [TeamProject]\GroupName format</param>
/// <param name="userName">The name of the user to add</param>
/// <returns>True, if successful</returns>
private bool AddMemberToGroup_TFS10(string teamProjName, string searchableGroupName, string userName)
{
try
{
Identity userIdentity =
groupSecuritySvc.ReadIdentityFromSource(SearchFactor.AccountName, userName);
Identity groupIdentity =
groupSecuritySvc.ReadIdentity(SearchFactor.AccountName, searchableGroupName, QueryMembership.Direct);
if (groupSecuritySvc.IsMember(groupIdentity.Sid, userIdentity.Sid))
{
FileHelper.Log("User {0} already part of group {1}", userName, searchableGroupName);
}
else
{
groupSecuritySvc.AddMemberToApplicationGroup(groupIdentity.Sid, userIdentity.Sid);
FileHelper.Log("User {0} added to group {1}", userName, searchableGroupName);
}
}
catch (Exception ex)
{
FileHelper.Log(ex.Message);
FileHelper.Log(ex.StackTrace);
return(false);
}
return(true);
}
internal virtual void CheckBypassRulePermission()
{
// Verify whether the user is in the service account group. Throw an exception if it is not.
IGroupSecurityService gss = (IGroupSecurityService)m_srv.GetService(typeof(IGroupSecurityService));
Identity serviceAccountIdentity = gss.ReadIdentity(SearchFactor.ServiceApplicationGroup, null, QueryMembership.None);
if (!gss.IsMember(serviceAccountIdentity.Sid, m_srv.AuthenticatedUserIdentity.Sid))
{
throw new PermissionException(
string.Format(TfsWITAdapterResources.UserNotInServiceAccountGroup, m_srv.AuthenticatedUserIdentity.Domain + "\\" + m_srv.AuthenticatedUserIdentity.AccountName, m_srv.Uri.ToString()),
m_srv.AuthenticatedUserIdentity.AccountName, m_srv.AuthenticatedUserIdentity.Domain,
serviceAccountIdentity.DisplayName);
}
}
internal static void CheckBypassRulePermission(TfsTeamProjectCollection tfs)
{
// Verify whether the user is in the service account group. Throw an exception if it is not.
IGroupSecurityService gss = (IGroupSecurityService)tfs.GetService(typeof(IGroupSecurityService));
Identity serviceAccountIdentity = gss.ReadIdentity(SearchFactor.ServiceApplicationGroup, null, QueryMembership.None);
TeamFoundationIdentity authenticatedUser;
tfs.GetAuthenticatedIdentity(out authenticatedUser);
if (null == authenticatedUser)
{
return;
}
Identity authenticatedUserId = gss.Convert(authenticatedUser);
if (!gss.IsMember(serviceAccountIdentity.Sid, authenticatedUserId.Sid))
{
throw new PermissionException(
string.Format(TfsWITAdapterResources.UserNotInServiceAccountGroup, authenticatedUser.DisplayName, tfs.Uri.ToString()),
authenticatedUserId.AccountName, authenticatedUserId.Domain, serviceAccountIdentity.DisplayName);
}
TraceManager.TraceInformation("BypassRulePermission verified for user '{0}'", authenticatedUser.DisplayName);
}
/// <summary>
/// Check if the the current user is part of Service Accounts
/// </summary>
/// <param name="bisUri">Application Tier URI</param>
/// throws ConverterException if the user is not part of 'Service Accounts' security group
internal static void IsCurrentUserInServiceAccount(string bisUri)
{
try
{
// initialize gss
TeamFoundationServer tfs = TeamFoundationServerFactory.GetServer(bisUri);
IGroupSecurityService gss = (IGroupSecurityService)tfs.GetService(typeof(IGroupSecurityService));
// Get the Service Account group identity
Identity serviceGroup = gss.ReadIdentity(SearchFactor.ServiceApplicationGroup, string.Empty, QueryMembership.None);
Debug.Assert(serviceGroup != null, "serviceGroup != null");
// check if this is Windows AD user or workgroup user
int res = 0;
IntPtr ptrDomain = IntPtr.Zero;
bool isDomain = true;
int status = 0;
try
{
res = NetGetJoinInformation(null, out ptrDomain, out status);
if (0 == res && 2 == status) // workgroup name
{
isDomain = false;
}
}
finally
{
if (IntPtr.Zero != ptrDomain)
{
NetApiBufferFree(ptrDomain);
}
}
string currentUser = String.Empty;
if (!isDomain)
{
// workgroup user..
currentUser = Environment.UserName;
}
else
{
// windows AD user
currentUser = String.Concat(Environment.UserDomainName, Path.DirectorySeparatorChar, Environment.UserName);
}
Identity user = gss.ReadIdentity(SearchFactor.AccountName, currentUser, QueryMembership.None);
if (user == null || gss.IsMember(serviceGroup.Sid, user.Sid) == false)
{
// not part of service accounts group
string errMsg = UtilityMethods.Format(
VSTSResource.VstsUserNotInServiceAccounts, currentUser);
throw new ConverterException(errMsg);
}
}
catch (Exception e)
{
if (e is ConverterException)
{
throw;
}
throw new ConverterException(e.Message, e);
}
}