Merge pull request #25 from Kentico/MVCHF10-6-external-user-verification

MVCHF10-6 UserManager not to verify external and domain users' password
Kentico · Nov 27, 2017 · 2a6e48b · 2a6e48b
2 parents 034383e + 67a8b38
commit 2a6e48b
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -195,6 +195,12 @@
 
 ## Kentico.Membership
 
+### 1.0.1 (2017-11-23)
+
+#### Fixed, Security
+
+* `UserManager` no longer successfully verifies passwords for external and domain users.
+
 ### 1.0.0 (2016-12-02)
 
 #### Release notes

diff --git a/src/Kentico.Membership/Properties/AssemblyInfo.cs b/src/Kentico.Membership/Properties/AssemblyInfo.cs
@@ -13,4 +13,4 @@
 [assembly: Guid("fbdaad92-2e23-4c73-bde9-f6fa7a21b293")]
 [assembly: AssemblyVersion("1.0.0.0")]
 [assembly: AssemblyFileVersion("1.0.0.0")]
-[assembly: AssemblyInformationalVersion("1.0.0")]
+[assembly: AssemblyInformationalVersion("1.0.1")]
diff --git a/src/Kentico.Membership/UserManager.cs b/src/Kentico.Membership/UserManager.cs
@@ -99,8 +99,9 @@ protected override Task<bool> VerifyPasswordAsync(IUserPasswordStore<User, int>
             }
 
             var userInfo = UserInfoProvider.GetUserInfo(user.UserName);
+            var result = !userInfo.IsExternal && !userInfo.UserIsDomain && !UserInfoProvider.IsUserPasswordDifferent(userInfo, password);
 
-            return Task.FromResult(!UserInfoProvider.IsUserPasswordDifferent(userInfo, password));
+            return Task.FromResult(result);
         }
 
 

diff --git a/test/Kentico.Membership.Tests/Fakes/MembershipFakeFactory.cs b/test/Kentico.Membership.Tests/Fakes/MembershipFakeFactory.cs
@@ -38,6 +38,7 @@ internal class MembershipFakeFactory
                             USERNAME_NONEXISTENT = "NonExistentUser",
                             USERNAME_EXTERNAL = "ExternalUser",
                             USERNAME_EXTERNAL_WITH_SECURITY_STAMP = "ExternalUserWithSecurityStamp",
+                            USERNAME_DOMAIN = "DomainUser",
                             ROLE_ADMIN = "TestRoleAdmin",
                             ROLE_MEMBER = "TestRoleMember",
                             EXTERNAL_IDENTITY_KEY = "externalLogin",
@@ -52,6 +53,7 @@ internal class MembershipFakeFactory
                         UserDuplicateEmail2,
                         UserExternal,
                         UserExternalWithSecurityStamp,
+                        UserDomain,
                         UserWithoutPassword,
                         UserWithPassword,
                         UserWithSecurityStamp,
@@ -90,7 +92,7 @@ private UserInfo[] InitUsers()
         {
             UserWithPassword = new UserInfo
             {
-                UserID = 10,
+                UserID = 11,
                 UserName = USERNAME_WITH_PASSWORD,
                 Enabled = true,
             };
@@ -106,9 +108,10 @@ private UserInfo[] InitUsers()
                 UserWithoutPassword = new UserInfo { UserID = 7, UserName = USERNAME_NO_PASSWORD, Enabled = true },
                 UserExternal = new UserInfo { UserID = 8, UserName = USERNAME_EXTERNAL, Enabled = true, IsExternal = true },
                 UserExternalWithSecurityStamp = new UserInfo { UserID = 9, UserName = USERNAME_EXTERNAL_WITH_SECURITY_STAMP, Enabled = true, IsExternal = true, UserSecurityStamp = SECURITY_STAMP },
+                UserDomain = new UserInfo { UserID = 10, UserName = USERNAME_DOMAIN, Enabled = true, UserIsDomain = true },
                 UserWithPassword,
-                UserWithSecurityStamp = new UserInfo { UserID = 11, UserName = USERNAME_WITH_SECURITY_STAMP, Enabled = true, UserSecurityStamp = SECURITY_STAMP },
-                UserWithoutSecurityStamp = new UserInfo { UserID = 12, UserName = USERNAME_WITHOUT_SECURITY_STAMP, Enabled = true }           
+                UserWithSecurityStamp = new UserInfo { UserID = 12, UserName = USERNAME_WITH_SECURITY_STAMP, Enabled = true, UserSecurityStamp = SECURITY_STAMP },
+                UserWithoutSecurityStamp = new UserInfo { UserID = 13, UserName = USERNAME_WITHOUT_SECURITY_STAMP, Enabled = true }           
             };
         }
 

diff --git a/test/Kentico.Membership.Tests/Properties/AssemblyInfo.cs b/test/Kentico.Membership.Tests/Properties/AssemblyInfo.cs
@@ -11,6 +11,6 @@
 [assembly: AssemblyCulture("")]
 [assembly: ComVisible(false)]
 [assembly: Guid("5e1a8ef6-b600-4dd1-9dc8-a91ad888d539")]
-[assembly: AssemblyVersion("2.0.0.0")]
-[assembly: AssemblyFileVersion("2.0.0.0")]
-[assembly: AssemblyInformationalVersion("2.0.0")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyInformationalVersion("1.0.1")]
diff --git a/test/Kentico.Membership.Tests/UserManagerTests.cs b/test/Kentico.Membership.Tests/UserManagerTests.cs
@@ -81,6 +81,24 @@ public void VerifyPassword_UserNull_False()
         }
 
 
+        [Test]
+        public void VerifyPassword_UserIsExternal_False()
+        {
+            var user = new User(mMembershipFakeFactory.UserExternal);
+
+            Assert.IsFalse(manager.CallProtectedVerifyPassword(user, ""));
+        }
+
+
+        [Test]
+        public void VerifyPassword_UserIsDomain_False()
+        {
+            var user = new User(mMembershipFakeFactory.UserDomain);
+
+            Assert.IsFalse(manager.CallProtectedVerifyPassword(user, ""));
+        }
+
+
         [Test]
         public void VerifyPassword_PasswordFormatChanged_UserCanLogInWithOldPasswordHash()
         {