Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Only Administrators can log in

    Scheduled Pinned Locked Moved Support
    proget
    16 Posts 1 Posters 34 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      Did a bit more investigation so I get add an additional info:

      Seems users with LegacyPassword_Indicator set to "Y" in the ProGet DB Users table can login, the Users with LegacyPassword_Indicator = "N" cannot. What is a legacy password? What can be the problem?

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        I had exactly the same issue, but after assigning privileges to a user group I was able to login.

        So the things I did to get it working:

        • create a group, i.e. "developers"
        • create a user belonging to the group developers
        • assign "developer" privileges to the group developers

        Of course, the next time I would assign privileges before creating users ;)

        Best,
        Yvette

        1 Reply Last reply Reply Quote 0
        • ? This user is from outside of this forum
          Guest
          last edited by

          Hi Yvette,

          thanks foy your feedback. I've tried exactly the procedure you've described but unfortunately, the problem remains the same.

          So we're still a bit lost and think about replacing ProGet with a file share since it's currently just unusable :-(

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            Seems users with LegacyPassword_Indicator set to "Y" in the ProGet DB Users table can login, the Users with LegacyPassword_Indicator = "N" cannot. What is a legacy password? What can be the problem?

            We changed the way hashing was performed in 3.5, so a Legacy Password is one that's hashed in a pre-3.5 manner. When a user logs-in with a Legacy Password, the existing password is re-hashed, saved, and the LegacyPassword_Indicator is set to N.

            It's possible there's a bug with this behavior, but this would have impacted a lot of other users too, and this is the first report.

            I suspect it's related to privileges, so I would diagnose by giving everyone admin, or a specific user all privileges, then working down from there. You can also try to create a new user, and then see if that user can log-in with admin privileges.

            1 Reply Last reply Reply Quote 0
            • ? This user is from outside of this forum
              Guest
              last edited by

              May it be a problem that I've jumped over some releases and updated from 3.4.7 to 3.8.6 directly. I did that end of last week so it could be possible that the update is related to the issue.

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                Maybe there is a problem in BuildInDirectory.TryGetAndValidateUser? What happens to users with a non-legacy password (= with an Indicator "N") there?

                1 Reply Last reply Reply Quote 0
                • ? This user is from outside of this forum
                  Guest
                  last edited by

                  I'm not sure, that method hasn't changed since 3.5; unfortunately we can't test/validate this quickly or easily, but here is the code if anything comes to mind:

                      public override IUserDirectoryUser TryGetAndValidateUser(string userName, string password)
                      {
                          if (string.IsNullOrEmpty(userName))
                              throw new ArgumentNullException("userName");
                  
                          try
                          {
                              var userInfo = StoredProcs.Users_GetUser(userName).Execute();
                              var user = userInfo.Users.FirstOrDefault();
                              if (user == null)
                                  return null;
                  
                              if ((YNIndicator)user.LegacyPassword_Indicator)
                              {
                                  if (StoredProcs.Users_ValidateLogin(userName, password, null).Execute() == YNIndicator.No)
                                      return null;
                  
                                  SetPassword(userName, password);
                              }
                              else
                              {
                                  using (var rfc2898 = new Rfc2898DeriveBytes(password, user.Salt_Bytes, 10000))
                                  {
                                      var bytes = rfc2898.GetBytes(20);
                                      if (!StructuralComparisons.StructuralEqualityComparer.Equals(bytes, user.Password_Bytes))
                                          return null;
                                  }
                              }
                  
                              return new BuiltInUser(user, userInfo.UserGroups);
                          }
                          catch (Exception ex)
                          {
                              Log("TryGetAndValidateUser: " + ex.ToString());
                              return null;
                          }
                      }
                  

                  This is the set method...

                      public static void SetPassword(string userName, string password)
                      {
                          using (var rfc2898 = new Rfc2898DeriveBytes(password, 10, 10000))
                          {
                              var bytes = rfc2898.GetBytes(20);
                              StoredProcs.Users_SetPassword(userName, bytes, rfc2898.Salt).Execute();
                          }
                      }
                  
                  1 Reply Last reply Reply Quote 0
                  • ? This user is from outside of this forum
                    Guest
                    last edited by

                    First thing to mention is that this is different from what was delivered with 3.8.6. Not sure if that makes a difference but it is.

                    My guesses:

                    1. if ((YNIndicator)user.LegacyPassword_Indicator) checks if the LegacyIndicator exists at all (so checks if it's a 3.5 or later version). In my installed 3.8.6, this part is if (user.LegacyPassword_Indicator != null).

                    2. if user has a legacy password, password is upgraded (SetPassword...)

                    3. If user has no legacy password (Indicator "N"), null is returned:

                    if (StoredProcs.Users_ValidateLogin(userName, password, null).Execute() == YNIndicator.No)
                    return null;

                    As I see, null is also returned if user is null (if (user == null) return null;) or the password is wrong (if (!StructuralComparisons.StructuralEqualityComparer.Equals(bytes, user.Password_Bytes)) return null;). So returning null seems to mean "No valid login". And it seems that users with an Indicator "N" (these users have the problem in my installation) always get a return null in versions 3.5 and later?! So that may be the problem. What do you think?

                    1 Reply Last reply Reply Quote 0
                    • ? This user is from outside of this forum
                      Guest
                      last edited by

                      That logic seems correct... we can repro this issue only if the users are not granted the "General_ViewHomePage" task.

                      Once a user has a failed login, can they browse directly to a particular feed if it's typed into the URL, e.g. http://{proget-server}/feeds/{feed-name} ?

                      1 Reply Last reply Reply Quote 0
                      • ? This user is from outside of this forum
                        Guest
                        last edited by

                        Yes, navigating to the feed directly works after the failed login.

                        1 Reply Last reply Reply Quote 0
                        • ? This user is from outside of this forum
                          Guest
                          last edited by

                          The users who cannot log in are mapped to the roles "Package Consumer and Adder" and "Package Consumer".

                          From the ProGet DB:

                          Roles Table:

                          Role_Id Role_Name


                          ...

                          9 Package Consumer and Adder

                          8 Package Consumer

                          Tasks Table:

                          Task_Id Task_Name Feed_Scopeable_Indicator


                          ...

                          28 General_ViewHomePage N

                          RoleTask Table

                          Role_Id Task_Id


                          ...

                          8 1

                          8 2

                          8 5

                          8 28

                          9 1

                          9 2

                          9 4

                          9 5

                          9 28

                          1 Reply Last reply Reply Quote 0
                          • ? This user is from outside of this forum
                            Guest
                            last edited by

                            Are those privileges assigned to a feed? If so, the General_ViewHomePage task will be ignored.

                            Make sure to grant General_ViewHomePage at the SYSTEM level and not scoped to a particular feed, that should resolve the issue.

                            1 Reply Last reply Reply Quote 0
                            • ? This user is from outside of this forum
                              Guest
                              last edited by

                              Yes, the privileges are scoped to a certain feed. You're right, As soon as i scope to "All Feeds", login works. That's great!

                              I'm still abit confued about how to limit some people to only one feed. They should be able to Add, View, Download packages of one feed only (including uploading packages using the web ui). Other feeds should not be visible to them. How to achieve that without scoping my privilege to a certain feed.

                              What I didis to create a new Role "HomePageViewer" Role with only the General_ViewHomePage Task. Then, I've created two assignments for my ProductDevelopers group:

                              1. Principal:ProductDevelopers, Role:Package Consumer and Adder, Scope: MyFeed
                              2. Principal:ProductDevelopers, Role:HomePageViewer, Scope: (System)

                              Would that be a recommended way or did I think too complicated?

                              1 Reply Last reply Reply Quote 0

                              Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                              Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                              With your input, this post could be even better 💗

                              Register Login
                              • 1 / 1
                              • First post
                                Last post
                              Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation