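/// <summary>
/// NOTE: call for TFS 2010 only.
/// Adds a user to a TFS security group. The add is skipped (and still reported as success)
/// when the user is already a direct member of the group.
/// </summary>
/// <param name="teamProjName">The name of the team project. Not used by this method; the
/// project is carried by <paramref name="searchableGroupName"/>.</param>
/// <param name="searchableGroupName">The name of the group in [TeamProject]\GroupName format</param>
/// <param name="userName">The account name of the user to add</param>
/// <returns>True if the user is (or already was) a member of the group; false on any failure,
/// which is written to the log rather than propagated.</returns>
private bool AddMemberToGroup_TFS10(string teamProjName, string searchableGroupName, string userName)
{
    try
    {
        Identity userIdentity = groupSecuritySvc.ReadIdentityFromSource(SearchFactor.AccountName, userName);
        if (userIdentity == null)
        {
            // Fail explicitly: dereferencing .Sid on a null identity below would surface only as a
            // NullReferenceException in the log, without naming the account that did not resolve.
            FileHelper.Log("User {0} could not be resolved; not added to group {1}", userName, searchableGroupName);
            return false;
        }

        Identity groupIdentity = groupSecuritySvc.ReadIdentity(SearchFactor.AccountName, searchableGroupName, QueryMembership.Direct);
        if (groupIdentity == null)
        {
            FileHelper.Log("Group {0} could not be resolved; user {1} not added", searchableGroupName, userName);
            return false;
        }

        if (groupSecuritySvc.IsMember(groupIdentity.Sid, userIdentity.Sid))
        {
            FileHelper.Log("User {0} already part of group {1}", userName, searchableGroupName);
        }
        else
        {
            groupSecuritySvc.AddMemberToApplicationGroup(groupIdentity.Sid, userIdentity.Sid);
            FileHelper.Log("User {0} added to group {1}", userName, searchableGroupName);
        }
    }
    catch (Exception ex)
    {
        // Any failure (lookup, permission, connectivity) is reported to the caller as false; the
        // exception is logged here so the cause is not lost.
        FileHelper.Log(ex.Message);
        FileHelper.Log(ex.StackTrace);
        return false;
    }

    return true;
}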
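/// <summary>
/// Verifies that the user authenticated on <c>m_srv</c> belongs to the server's service account
/// application group, which is the prerequisite for bypassing work item rules.
/// </summary>
/// <exception cref="PermissionException">The authenticated user is not a member of the service account group.</exception>
/// <exception cref="InvalidOperationException">The service account group or the authenticated identity could not be resolved.</exception>
internal virtual void CheckBypassRulePermission()
{
    IGroupSecurityService gss = (IGroupSecurityService)m_srv.GetService(typeof(IGroupSecurityService));
    Identity serviceAccountIdentity = gss.ReadIdentity(SearchFactor.ServiceApplicationGroup, null, QueryMembership.None);
    Identity currentUser = m_srv.AuthenticatedUserIdentity;

    // Fail closed. An unresolved group or identity must not be mistaken for "permission granted",
    // and a bare NullReferenceException from the .Sid accesses below would hide which lookup failed.
    if (serviceAccountIdentity == null)
    {
        throw new InvalidOperationException("Unable to resolve the service account group on " + m_srv.Uri);
    }

    if (currentUser == null)
    {
        throw new InvalidOperationException("Unable to resolve the authenticated user identity on " + m_srv.Uri);
    }

    if (!gss.IsMember(serviceAccountIdentity.Sid, currentUser.Sid))
    {
        throw new PermissionException(
            string.Format(
                TfsWITAdapterResources.UserNotInServiceAccountGroup,
                currentUser.Domain + "\\" + currentUser.AccountName,
                m_srv.Uri.ToString()),
            currentUser.AccountName,
            currentUser.Domain,
            serviceAccountIdentity.DisplayName);
    }
}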
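/// <summary>
/// Verifies that the identity authenticated against <paramref name="tfs"/> belongs to the
/// collection's service account application group, which is the prerequisite for bypassing
/// work item rules.
/// </summary>
/// <param name="tfs">The team project collection whose authenticated identity is checked.</param>
/// <exception cref="PermissionException">The authenticated user is not a member of the service
/// account group, or no authenticated identity is available on the connection.</exception>
/// <exception cref="InvalidOperationException">The service account group or the converted user
/// identity could not be resolved.</exception>
internal static void CheckBypassRulePermission(TfsTeamProjectCollection tfs)
{
    IGroupSecurityService gss = (IGroupSecurityService)tfs.GetService(typeof(IGroupSecurityService));
    Identity serviceAccountIdentity = gss.ReadIdentity(SearchFactor.ServiceApplicationGroup, null, QueryMembership.None);
    if (serviceAccountIdentity == null)
    {
        throw new InvalidOperationException("Unable to resolve the service account group on " + tfs.Uri);
    }

    TeamFoundationIdentity authenticatedUser;
    tfs.GetAuthenticatedIdentity(out authenticatedUser);
    if (null == authenticatedUser)
    {
        // Fail closed. Previously this returned silently when no identity was available, which let
        // a caller with no resolvable identity pass the permission gate. An unknown user is treated
        // as not a member. NOTE(review): any caller that invoked this before the connection had
        // authenticated must now authenticate first.
        throw new PermissionException(
            string.Format(TfsWITAdapterResources.UserNotInServiceAccountGroup, "<unknown>", tfs.Uri.ToString()),
            string.Empty,
            string.Empty,
            serviceAccountIdentity.DisplayName);
    }

    Identity authenticatedUserId = gss.Convert(authenticatedUser);
    if (authenticatedUserId == null)
    {
        throw new InvalidOperationException(
            "Unable to convert the authenticated identity '" + authenticatedUser.DisplayName + "' on " + tfs.Uri);
    }

    if (!gss.IsMember(serviceAccountIdentity.Sid, authenticatedUserId.Sid))
    {
        throw new PermissionException(
            string.Format(TfsWITAdapterResources.UserNotInServiceAccountGroup, authenticatedUser.DisplayName, tfs.Uri.ToString()),
            authenticatedUserId.AccountName,
            authenticatedUserId.Domain,
            serviceAccountIdentity.DisplayName);
    }

    TraceManager.TraceInformation("BypassRulePermission verified for user '{0}'", authenticatedUser.DisplayName);
}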
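/// <summary>
/// Checks that the current Windows user (the account this process runs as, taken from
/// <see cref="Environment.UserDomainName"/> / <see cref="Environment.UserName"/>) is a member of
/// the server's 'Service Accounts' security group.
/// NOTE(review): the account checked is the process user, not necessarily the credentials the
/// server connection was made with; this is only equivalent if the factory connects with the
/// default (current user) credentials — confirm.
/// </summary>
/// <param name="bisUri">Application Tier URI</param>
/// <exception cref="ConverterException">
/// The user is not part of the 'Service Accounts' group, the group or the user could not be
/// resolved, or the server could not be contacted (the underlying exception is wrapped as the
/// inner exception).
/// </exception>
internal static void IsCurrentUserInServiceAccount(string bisUri)
{
    try
    {
        // initialize gss
        TeamFoundationServer tfs = TeamFoundationServerFactory.GetServer(bisUri);
        IGroupSecurityService gss = (IGroupSecurityService)tfs.GetService(typeof(IGroupSecurityService));

        // Get the Service Account group identity
        Identity serviceGroup = gss.ReadIdentity(SearchFactor.ServiceApplicationGroup, string.Empty, QueryMembership.None);
        if (serviceGroup == null)
        {
            // This used to be a Debug.Assert only; in release builds a null here became a
            // NullReferenceException wrapped in a ConverterException with no useful message.
            // Fail closed with a message that names the actual problem.
            throw new ConverterException("Unable to resolve the 'Service Accounts' group on " + bisUri);
        }

        // Workgroup users are looked up by bare user name, domain users as DOMAIN\user.
        string currentUser;
        if (IsWorkgroupMachine())
        {
            currentUser = Environment.UserName;
        }
        else
        {
            currentUser = String.Concat(Environment.UserDomainName, "\\", Environment.UserName);
        }

        Identity user = gss.ReadIdentity(SearchFactor.AccountName, currentUser, QueryMembership.None);
        if (user == null || gss.IsMember(serviceGroup.Sid, user.Sid) == false)
        {
            // Not part of the service accounts group (an unresolvable user fails closed as well).
            string errMsg = UtilityMethods.Format(VSTSResource.VstsUserNotInServiceAccounts, currentUser);
            throw new ConverterException(errMsg);
        }
    }
    catch (Exception e)
    {
        if (e is ConverterException)
        {
            throw;
        }

        throw new ConverterException(e.Message, e);
    }
}

/// <summary>
/// Returns true when the local machine is in a workgroup, i.e. NetGetJoinInformation succeeds
/// and reports join status 2 (NetSetupWorkgroupName). A failed call or any other status is
/// treated as domain-joined, matching the previous inline logic.
/// </summary>
private static bool IsWorkgroupMachine()
{
    IntPtr ptrDomain = IntPtr.Zero;
    try
    {
        int status;
        int res = NetGetJoinInformation(null, out ptrDomain, out status);
        return 0 == res && 2 == status;
    }
    finally
    {
        // The NetApi buffer is allocated by the callee and must be released by the caller.
        if (IntPtr.Zero != ptrDomain)
        {
            NetApiBufferFree(ptrDomain);
        }
    }
}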