Change logic to check for both CredentialAttribute and PSCredential type

Author: Quoc Truong

Rules/AvoidUserNameAndPasswordParams.cs

@@ -56,14 +56,9 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                     TypeInfo paramType = (TypeInfo)paramAst.StaticType;
                     String paramName = paramAst.Name.VariablePath.ToString();
 
-                    // if this is pscredential type, skip
-                    if (paramType == typeof(PSCredential) || (paramType.IsArray && paramType.GetElementType() == typeof (PSCredential)))
-                    {
-                        continue;
-                    }
-
-                    // if this has credential attribute, skip
-                    if (paramAst.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
+                    // if this is pscredential type with credential attribute, skip
+                    if ((paramType == typeof(PSCredential) || (paramType.IsArray && paramType.GetElementType() == typeof (PSCredential)))
+                        && paramAst.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
                     {
                         continue;
                     }

Rules/Strings.Designer.cs

@@ -217,13 +217,13 @@
     <value>One Char</value>
   </data>
   <data name="UsePSCredentialTypeDescription" xml:space="preserve">
-    <value>Checks that cmdlets that have a Credential parameter accept PSCredential or has a CredentialAttribute. This comes from the PowerShell teams best practices.</value>
+    <value>Checks that cmdlets that have a Credential parameter accept PSCredential with CredentialAttribute. This comes from the PowerShell teams best practices.</value>
   </data>
   <data name="UsePSCredentialTypeError" xml:space="preserve">
-    <value>The Credential parameter in '{0}' must be of the type PSCredential or has a CredentialAttribute.</value>
+    <value>The Credential parameter in '{0}' must be of the type PSCredential with CredentialAttribute.</value>
   </data>
   <data name="UsePSCredentialTypeErrorSB" xml:space="preserve">
-    <value>The Credential parameter in a found script block must be of the type PSCredential or has a CredentialAttribute.</value>
+    <value>The Credential parameter in a found script block must be of the type PSCredential with CredentialAttribute.</value>
   </data>
   <data name="UsePSCredentialTypeCommonName" xml:space="preserve">
     <value>PSCredential</value>
@@ -511,10 +511,10 @@
     <value>Avoid Using Username and Password Parameters</value>
   </data>
   <data name="AvoidUsernameAndPasswordParamsDescription" xml:space="preserve">
-    <value>Functions should only take in a credential parameter of type PSCredential or has a CredentialAttribute instead of username and password parameters.</value>
+    <value>Functions should only take in a credential parameter of type PSCredential with CredentialAttribute instead of username and password parameters.</value>
   </data>
   <data name="AvoidUsernameAndPasswordParamsError" xml:space="preserve">
-    <value>Function '{0}' has both username and password parameters. A credential parameter of type PSCredential or has a CredentialAttribute should be used.</value>
+    <value>Function '{0}' has both username and password parameters. A credential parameter of type PSCredential with a CredentialAttribute should be used.</value>
   </data>
   <data name="AvoidUsernameAndPasswordParamsName" xml:space="preserve">
     <value>AvoidUsingUserNameAndPassWordParams</value>

Rules/Strings.resx

@@ -11,6 +11,7 @@
 //
 
 using System;
+using System.Reflection;
 using System.Linq;
 using System.Collections.Generic;
 using System.Management.Automation;
@@ -51,9 +52,7 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                 {
                     foreach (ParameterAst parameter in funcDefAst.Parameters)
                     {
-                        if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase)
-                            && parameter.StaticType != typeof(PSCredential) 
-                            && !parameter.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
+                        if (WrongCredentialUsage(parameter))
                         {
                             yield return new DiagnosticRecord(string.Format(CultureInfo.CurrentCulture, Strings.UsePSCredentialTypeError, funcName), funcDefAst.Extent, GetName(), DiagnosticSeverity.Warning, fileName);
                         }
@@ -64,9 +63,7 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                 {
                     foreach (ParameterAst parameter in funcDefAst.Body.ParamBlock.Parameters)
                     {
-                        if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase)
-                            && parameter.StaticType != typeof(PSCredential)
-                            && !parameter.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
+                        if (WrongCredentialUsage(parameter))
                         {
                             yield return new DiagnosticRecord(string.Format(CultureInfo.CurrentCulture, Strings.UsePSCredentialTypeError, funcName), funcDefAst.Extent, GetName(), DiagnosticSeverity.Warning, fileName);
                         }
@@ -80,9 +77,7 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                 {
                     foreach (ParameterAst parameter in scriptBlockAst.ParamBlock.Parameters)
                     {
-                        if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase)
-                            && parameter.StaticType != typeof(PSCredential)
-                            && !parameter.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
+                        if (WrongCredentialUsage(parameter))
                         {
                             yield return new DiagnosticRecord(string.Format(CultureInfo.CurrentCulture, Strings.UsePSCredentialTypeErrorSB), scriptBlockAst.Extent, GetName(), DiagnosticSeverity.Warning, fileName);
                         }
@@ -91,6 +86,24 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
             }
         }
 
+        private bool WrongCredentialUsage(ParameterAst parameter)
+        {
+            if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase))
+            {
+                TypeInfo paramType = (TypeInfo)parameter.StaticType;
+
+                if ((paramType == typeof(PSCredential) || (paramType.IsArray && paramType.GetElementType() == typeof(PSCredential)))
+                    && parameter.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
+                {
+                    return false;
+                }
+
+                return true;
+            }
+
+            return false;
+        }
+
         /// <summary>
         /// GetName: Retrieves the name of this rule.
         /// </summary>

Rules/UsePSCredentialType.cs

@@ -1,6 +1,6 @@
 Import-Module PSScriptAnalyzer
 
-$violationMessage = "Function 'Verb-Noun' has both username and password parameters. A credential parameter of type PSCredential or has a CredentialAttribute should be used."
+$violationMessage = "Function 'Verb-Noun' has both username and password parameters. A credential parameter of type PSCredential with a CredentialAttribute should be used."
 $violationName = "PSAvoidUsingUserNameAndPasswordParams"
 $directory = Split-Path -Parent $MyInvocation.MyCommand.Path
 $violations = Invoke-ScriptAnalyzer $directory\AvoidUserNameAndPasswordParams.ps1 | Where-Object {$_.RuleName -eq $violationName}

Tests/Rules/AvoidUserNameAndPasswordParams.tests.ps1

@@ -8,11 +8,7 @@ function MyFunction2 ($param1, $passwords)
 
 }
 
-function MyFunction3 ([PSCredential]$username, $passwords)
-{
-}
-
-function MyFunction4
+function MyFunction3
 {
     [CmdletBinding()]
     [Alias()]
@@ -24,10 +20,11 @@ function MyFunction4
                    ValueFromPipelineByPropertyName=$true,
                    Position=0)]
         [System.Management.Automation.CredentialAttribute()]
+        [pscredential]
         $UserName,
 
         # Param2 help description
-        [int]
+        [pscredential]
         [System.Management.Automation.CredentialAttribute()]
         $Password
     )

Tests/Rules/AvoidUserNameAndPasswordParamsNoViolations.ps1

@@ -1,5 +1,5 @@
 Import-Module PSScriptAnalyzer 
-$violationMessage = "The Credential parameter in 'Credential' must be of the type PSCredential or has a CredentialAttribute."
+$violationMessage = "The Credential parameter in 'Credential' must be of the type PSCredential with CredentialAttribute."
 $violationName = "PSUsePSCredentialType"
 $directory = Split-Path -Parent $MyInvocation.MyCommand.Path
 $violations = Invoke-ScriptAnalyzer $directory\PSCredentialType.ps1 | Where-Object {$_.RuleName -eq $violationName}

Tests/Rules/PSCredentialType.tests.ps1

@@ -1,8 +1,4 @@
-function Credential([pscredential]$credential) {
-
-}
-
-function Credential2
+function Credential
 {
     [CmdletBinding()]
     [Alias()]
@@ -14,6 +10,7 @@ function Credential2
                    ValueFromPipelineByPropertyName=$true,
                    Position=0)]
         [System.Management.Automation.CredentialAttribute()]
+        [pscredential]
         $Credential
     )
-}
+}