Merge pull request #391 from PowerShell/AddCredentialAttributeCheck

Add an extra check for CredentialAttribute for the credential rules

Author: Quoc Truong

Rules/AvoidUserNameAndPasswordParams.cs

@@ -11,6 +11,7 @@
 //
 
 using System;
+using System.Linq;
 using System.Collections.Generic;
 using System.Management.Automation;
 using System.Management.Automation.Language;
@@ -55,7 +56,9 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                     TypeInfo paramType = (TypeInfo)paramAst.StaticType;
                     String paramName = paramAst.Name.VariablePath.ToString();
 
-                    if (paramType == typeof(PSCredential) || (paramType.IsArray && paramType.GetElementType() == typeof (PSCredential)))
+                    // if this is pscredential type with credential attribute, skip
+                    if ((paramType == typeof(PSCredential) || (paramType.IsArray && paramType.GetElementType() == typeof (PSCredential)))
+                        && paramAst.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
                     {
                         continue;
                     }

Rules/Strings.Designer.cs

@@ -217,13 +217,13 @@
     <value>One Char</value>
   </data>
   <data name="UsePSCredentialTypeDescription" xml:space="preserve">
-    <value>Checks that cmdlets that have a Credential parameter accept PSCredential. This comes from the PowerShell teams best practices.</value>
+    <value>Checks that cmdlets that have a Credential parameter accept PSCredential with CredentialAttribute. This comes from the PowerShell teams best practices.</value>
   </data>
   <data name="UsePSCredentialTypeError" xml:space="preserve">
-    <value>The Credential parameter in '{0}' must be of the type PSCredential.</value>
+    <value>The Credential parameter in '{0}' must be of the type PSCredential with CredentialAttribute.</value>
   </data>
   <data name="UsePSCredentialTypeErrorSB" xml:space="preserve">
-    <value>The Credential parameter in a found script block must be of the type PSCredential.</value>
+    <value>The Credential parameter in a found script block must be of the type PSCredential with CredentialAttribute.</value>
   </data>
   <data name="UsePSCredentialTypeCommonName" xml:space="preserve">
     <value>PSCredential</value>
@@ -511,10 +511,10 @@
     <value>Avoid Using Username and Password Parameters</value>
   </data>
   <data name="AvoidUsernameAndPasswordParamsDescription" xml:space="preserve">
-    <value>Functions should only take in a credential parameter of type PSCredential instead of username and password parameters.</value>
+    <value>Functions should only take in a credential parameter of type PSCredential with CredentialAttribute instead of username and password parameters.</value>
   </data>
   <data name="AvoidUsernameAndPasswordParamsError" xml:space="preserve">
-    <value>Function '{0}' has both username and password parameters. A credential parameter of type PSCredential should be used.</value>
+    <value>Function '{0}' has both username and password parameters. A credential parameter of type PSCredential with a CredentialAttribute should be used.</value>
   </data>
   <data name="AvoidUsernameAndPasswordParamsName" xml:space="preserve">
     <value>AvoidUsingUserNameAndPassWordParams</value>

Rules/Strings.resx

@@ -11,6 +11,8 @@
 //
 
 using System;
+using System.Reflection;
+using System.Linq;
 using System.Collections.Generic;
 using System.Management.Automation;
 using System.Management.Automation.Language;
@@ -50,7 +52,7 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                 {
                     foreach (ParameterAst parameter in funcDefAst.Parameters)
                     {
-                        if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase) && parameter.StaticType != typeof(PSCredential))
+                        if (WrongCredentialUsage(parameter))
                         {
                             yield return new DiagnosticRecord(string.Format(CultureInfo.CurrentCulture, Strings.UsePSCredentialTypeError, funcName), funcDefAst.Extent, GetName(), DiagnosticSeverity.Warning, fileName);
                         }
@@ -61,7 +63,7 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                 {
                     foreach (ParameterAst parameter in funcDefAst.Body.ParamBlock.Parameters)
                     {
-                        if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase) && parameter.StaticType != typeof(PSCredential))
+                        if (WrongCredentialUsage(parameter))
                         {
                             yield return new DiagnosticRecord(string.Format(CultureInfo.CurrentCulture, Strings.UsePSCredentialTypeError, funcName), funcDefAst.Extent, GetName(), DiagnosticSeverity.Warning, fileName);
                         }
@@ -75,7 +77,7 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
                 {
                     foreach (ParameterAst parameter in scriptBlockAst.ParamBlock.Parameters)
                     {
-                        if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase) && parameter.StaticType != typeof(PSCredential))
+                        if (WrongCredentialUsage(parameter))
                         {
                             yield return new DiagnosticRecord(string.Format(CultureInfo.CurrentCulture, Strings.UsePSCredentialTypeErrorSB), scriptBlockAst.Extent, GetName(), DiagnosticSeverity.Warning, fileName);
                         }
@@ -84,6 +86,24 @@ public IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string fileName)
             }
         }
 
+        private bool WrongCredentialUsage(ParameterAst parameter)
+        {
+            if (parameter.Name.VariablePath.UserPath.Equals("Credential", StringComparison.OrdinalIgnoreCase))
+            {
+                TypeInfo paramType = (TypeInfo)parameter.StaticType;
+
+                if ((paramType == typeof(PSCredential) || (paramType.IsArray && paramType.GetElementType() == typeof(PSCredential)))
+                    && parameter.Attributes.Any(paramAttribute => paramAttribute.TypeName.GetReflectionType() == typeof(CredentialAttribute)))
+                {
+                    return false;
+                }
+
+                return true;
+            }
+
+            return false;
+        }
+
         /// <summary>
         /// GetName: Retrieves the name of this rule.
         /// </summary>

Rules/UsePSCredentialType.cs

@@ -1,6 +1,6 @@
 Import-Module PSScriptAnalyzer
 
-$violationMessage = "Function 'Verb-Noun' has both username and password parameters. A credential parameter of type PSCredential should be used."
+$violationMessage = "Function 'Verb-Noun' has both username and password parameters. A credential parameter of type PSCredential with a CredentialAttribute should be used."
 $violationName = "PSAvoidUsingUserNameAndPasswordParams"
 $directory = Split-Path -Parent $MyInvocation.MyCommand.Path
 $violations = Invoke-ScriptAnalyzer $directory\AvoidUserNameAndPasswordParams.ps1 | Where-Object {$_.RuleName -eq $violationName}

Tests/Rules/AvoidUserNameAndPasswordParams.tests.ps1

@@ -8,6 +8,24 @@ function MyFunction2 ($param1, $passwords)
 
 }
 
-function MyFunction3 ([PSCredential]$username, $passwords)
+function MyFunction3
 {
+    [CmdletBinding()]
+    [Alias()]
+    [OutputType([int])]
+    Param
+    (
+        # Param1 help description
+        [Parameter(Mandatory=$true,
+                   ValueFromPipelineByPropertyName=$true,
+                   Position=0)]
+        [System.Management.Automation.CredentialAttribute()]
+        [pscredential]
+        $UserName,
+
+        # Param2 help description
+        [pscredential]
+        [System.Management.Automation.CredentialAttribute()]
+        $Password
+    )
 }

Tests/Rules/AvoidUserNameAndPasswordParamsNoViolations.ps1

@@ -1,5 +1,5 @@
 Import-Module PSScriptAnalyzer 
-$violationMessage = "The Credential parameter in 'Credential' must be of the type PSCredential."
+$violationMessage = "The Credential parameter in 'Credential' must be of the type PSCredential with CredentialAttribute."
 $violationName = "PSUsePSCredentialType"
 $directory = Split-Path -Parent $MyInvocation.MyCommand.Path
 $violations = Invoke-ScriptAnalyzer $directory\PSCredentialType.ps1 | Where-Object {$_.RuleName -eq $violationName}

Tests/Rules/PSCredentialType.tests.ps1

@@ -1,3 +1,16 @@
-function Credential([pscredential]$credential) {
-
+function Credential
+{
+    [CmdletBinding()]
+    [Alias()]
+    [OutputType([int])]
+    Param
+    (
+        # Param1 help description
+        [Parameter(Mandatory=$true,
+                   ValueFromPipelineByPropertyName=$true,
+                   Position=0)]
+        [System.Management.Automation.CredentialAttribute()]
+        [pscredential]
+        $Credential
+    )
 }