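/// <summary>
/// Grants <paramref name="user"/> a time-bound (PAM-style) membership of <paramref name="group"/>
/// and returns an <paramref name="undo"/> delegate that revokes it again.
/// </summary>
/// <param name="group">Target JIT group.</param>
/// <param name="user">Principal being granted access.</param>
/// <param name="canExtend">Whether an existing membership may be re-written with <paramref name="requestedExpiry"/>.</param>
/// <param name="requestedExpiry">Requested access window; must be a positive duration.</param>
/// <param name="undo">Rollback action. A no-op when nothing was written; otherwise removes the user from the group.</param>
/// <returns>
/// The TTL the caller ends up with: <paramref name="requestedExpiry"/> when a membership was written, or the
/// remaining TTL of the pre-existing membership when the user already holds one and may not extend it.
/// </returns>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="requestedExpiry"/> is zero or negative.</exception>
public TimeSpan GrantJitAccessPam(IGroup group, IUser user, bool canExtend, TimeSpan requestedExpiry, out Action undo)
        {
            // A zero or negative window is never a valid JIT grant; refuse it before the
            // directory is touched rather than writing a meaningless TTL.
            if (requestedExpiry <= TimeSpan.Zero)
            {
                throw new ArgumentOutOfRangeException(nameof(requestedExpiry), requestedExpiry, "The requested access window must be a positive duration.");
            }

            TimeSpan? existingTtl = group.GetMemberTtl(user);

            if (existingTtl != null)
            {
                this.logger.LogTrace("User {user} is already a member of {group} with {ttl} left remaining on their membership", user.MsDsPrincipalName, group.MsDsPrincipalName, existingTtl.Value);

                if (!canExtend)
                {
                    // The existing window stands. Nothing was changed, so there is nothing to roll back.
                    this.logger.LogTrace("User {user} is not allowed to extend their access window in group {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
                    undo = () => { };
                    return existingTtl.Value;
                }
            }

            // NOTE(review): when existingTtl is set, this call is relied on to replace the TTL of the
            // existing membership rather than fail on a duplicate member — confirm against IGroup.AddMember.
            group.AddMember(user, requestedExpiry);
            this.logger.LogInformation(EventIDs.JitPamAccessGranted, "User {user} was added to group {group} with a membership expiry of {ttl}", user.MsDsPrincipalName, group.MsDsPrincipalName, requestedExpiry);

            undo = () =>
            {
                // Fail-closed rollback: the membership is removed outright, including any window
                // the user already held before this call extended it.
                this.logger.LogTrace("Rolling back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
                group.RemoveMember(user);
                this.logger.LogInformation(EventIDs.JitPamAccessRevoked, "Rolled back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
            };

            return requestedExpiry;
        }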
        public void TestTimeBasedMembershipCrossForest(string groupName, string memberName)
        {
            // Adds a principal with a 10 second membership TTL, then checks that the
            // membership is visible before the window lapses and gone well after it.
            // Membership is checked via IsSidDnInGroup — presumably because a principal
            // from another forest appears in the group as a SID DN rather than by its
            // own distinguished name. Timing is wall-clock based (Thread.Sleep), so the
            // test relies on the directory honouring the TTL promptly.
            TimeSpan membershipTtl = TimeSpan.FromSeconds(10);

            IGroup target = this.directory.GetGroup(groupName);
            ISecurityPrincipal member = this.directory.GetUser(memberName);

            target.AddMember(member, membershipTtl);

            // Half-way through the window the membership must still be present.
            Thread.Sleep(TimeSpan.FromSeconds(5));
            Assert.IsTrue(IsSidDnInGroup(target, member), "The user was not found in the group");

            // 20 seconds after the add (10 s past expiry) it must have been removed.
            Thread.Sleep(TimeSpan.FromSeconds(15));
            Assert.IsFalse(IsSidDnInGroup(target, member), "The user was still in the group");
        }
        public void TestTimeBasedMembershipIntraForest(string groupName, string memberName)
        {
            // Same-forest counterpart of the cross-forest TTL test: the member is added
            // with a 10 second TTL and its DN is expected in GetMemberDNs() half-way
            // through the window and absent once the window has lapsed. Wall-clock
            // sleeps mean the test depends on the directory expiring the link promptly.
            TimeSpan membershipTtl = TimeSpan.FromSeconds(10);

            IGroup target = this.directory.GetGroup(groupName);
            ISecurityPrincipal member = this.directory.GetUser(memberName);

            target.AddMember(member, membershipTtl);

            // Still inside the window: the DN must be listed.
            Thread.Sleep(TimeSpan.FromSeconds(5));
            CollectionAssert.Contains(target.GetMemberDNs(), member.DistinguishedName);

            // 20 seconds after the add the link must be gone.
            Thread.Sleep(TimeSpan.FromSeconds(15));
            CollectionAssert.DoesNotContain(target.GetMemberDNs(), member.DistinguishedName);
        }
        public TimeSpan GrantJitAccessDynamicGroup(IGroup group, IUser user, bool canExtend, TimeSpan requestedExpiry, out Action undo)
        {
            JitDynamicGroupMapping mapping = this.FindDomainMapping(group);
            string groupName   = this.BuildGroupSamAccountName(mapping, user, group);
            string description = this.BuildGroupDescription(mapping);
            string fqGroupName = $"{this.BuildGroupDomain(group)}\\{groupName}";

            TimeSpan grantedExpiry = requestedExpiry;

            this.logger.LogTrace("Processing request to have {user} added to the JIT group {group} via dynamicObject {dynamicGroup}", user.MsDsPrincipalName, group.MsDsPrincipalName, fqGroupName);

            if (directory.TryGetGroup(fqGroupName, out IGroup dynamicGroup))
            {
                this.logger.LogTrace("Dynamic group {dynamicGroup} already exists in the directory with a remaining ttl of {ttl}", dynamicGroup.MsDsPrincipalName, dynamicGroup.EntryTtl);

                if (!canExtend)
                {
                    this.logger.LogTrace("User {user} is not permitted to extend the access, so the ttl will remain unchanged", user.MsDsPrincipalName);
                    grantedExpiry = dynamicGroup.EntryTtl ?? new TimeSpan();
                }
                else
                {
                    dynamicGroup.ExtendTtl(requestedExpiry);
                    this.logger.LogTrace("User {user} is permitted to extend the access, so the ttl will was updated to {ttl}", user.MsDsPrincipalName, requestedExpiry);
                }
            }
            else
            {
                this.logger.LogTrace("Creating a new dynamic group {groupName} in {ou} with ttl of {ttl}", groupName, mapping.GroupOU, grantedExpiry);
                dynamicGroup = this.directory.CreateTtlGroup(groupName, groupName, description, mapping.GroupOU, grantedExpiry);
                this.logger.LogInformation(EventIDs.JitDynamicGroupCreated, "Created a new dynamic group {groupName} in {ou} with ttl of {ttl}", groupName, mapping.GroupOU, grantedExpiry);
            }

            this.logger.LogTrace("Adding user {user} to dynamic group {dynamicGroup}", user.MsDsPrincipalName, dynamicGroup.MsDsPrincipalName);
            dynamicGroup.AddMember(user);

            this.logger.LogTrace("Adding dynamic group {dynamicGroup} to the JIT group {jitGroup}", dynamicGroup.MsDsPrincipalName, group.MsDsPrincipalName);
            group.AddMember(dynamicGroup);

            undo = () =>
            {
                this.logger.LogTrace("Rolling back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
                this.directory.DeleteGroup(fqGroupName);
                this.logger.LogInformation(EventIDs.JitDynamicGroupDeleted, "Rolled back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
            };

            return(grantedExpiry);
        }
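        public void AddGroupMemberToTtlGroup()
        {
            // Creates a short-lived (1 minute entry TTL) dynamic group under a randomly
            // chosen name, adds a member to it and checks the membership reads back.
            // The group is deleted in a finally block so a failed assertion or a failed
            // lookup does not leave it behind for the remainder of its TTL.
            // The domain, OU and user names below are lab fixtures hard-coded in this
            // variant of the test; the sibling variant reads them from constants.
            string groupName   = TestContext.CurrentContext.Random.GetString(10, "abcdefghijklmnop");
            string fqGroupName = $"IDMDEV1\\{groupName}";

            this.directory.CreateTtlGroup(groupName, groupName, "TTL test group 2", "OU=Laps Testing,DC=idmdev1,DC=local", TimeSpan.FromMinutes(1));

            try
            {
                // Presumably gives the new object time to become visible before it is
                // read back by name — TODO confirm what the 20 s wait is actually for.
                Thread.Sleep(20000);
                IGroup             group = this.directory.GetGroup(fqGroupName);
                ISecurityPrincipal user  = this.directory.GetUser("IDMDEV1\\user1");

                group.AddMember(user);

                CollectionAssert.Contains(group.GetMemberDNs(), user.DistinguishedName);
            }
            finally
            {
                this.directory.DeleteGroup(fqGroupName);
            }
        }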
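        public void AddGroupMemberToTtlGroup()
        {
            // Creates a short-lived (1 minute entry TTL) domain-local dynamic group on an
            // explicitly located DC, adds a member to it and checks the membership reads
            // back. The group is deleted in a finally block so a failed assertion or a
            // failed lookup does not leave it behind for the remainder of its TTL.
            string groupName   = TestContext.CurrentContext.Random.GetString(10, "abcdefghijklmnop");
            string fqGroupName = $"{C.Dev}\\{groupName}";
            string dc          = discoveryServices.GetDomainController(C.DevLocal);

            this.directory.CreateTtlGroup(groupName, groupName, "TTL test group 2", C.AmsTesting_DevDN, dc, TimeSpan.FromMinutes(1), GroupType.DomainLocal, true);

            try
            {
                // Presumably gives the new object time to become visible before it is
                // read back by name (the read-back is not pinned to `dc`) — TODO confirm.
                Thread.Sleep(20000);
                IGroup             group = this.directory.GetGroup(fqGroupName);
                ISecurityPrincipal user  = this.directory.GetUser(C.DEV_User1);

                group.AddMember(user);

                CollectionAssert.Contains(group.GetMemberDNs(), user.DistinguishedName);
            }
            finally
            {
                this.directory.DeleteGroup(fqGroupName);
            }
        }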
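        /// <summary>
        /// Grants <paramref name="user"/> a time-bound (PAM-style) membership of <paramref name="group"/>,
        /// performing the write against a writable DC located for the group's domain, and returns an
        /// <paramref name="undo"/> delegate that revokes the membership again.
        /// </summary>
        /// <param name="group">Target JIT group.</param>
        /// <param name="user">Principal being granted access.</param>
        /// <param name="dcLocatorTarget">Locator target handed to the discovery service when choosing a DC.</param>
        /// <param name="canExtend">Whether an existing membership may be re-written with <paramref name="requestedExpiry"/>.</param>
        /// <param name="requestedExpiry">Requested access window; must be a positive duration.</param>
        /// <param name="undo">Rollback action. A no-op when nothing was written; otherwise removes the user from the group.</param>
        /// <returns>
        /// <paramref name="requestedExpiry"/> when a membership was written, or the remaining TTL of the
        /// pre-existing membership when the user already holds one and may not extend it.
        /// </returns>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="requestedExpiry"/> is zero or negative.</exception>
        public TimeSpan GrantJitAccessPam(IGroup group, IUser user, string dcLocatorTarget, bool canExtend, TimeSpan requestedExpiry, out Action undo)
        {
            // A zero or negative window is never a valid JIT grant; refuse it before any
            // DC is located or written to.
            if (requestedExpiry <= TimeSpan.Zero)
            {
                throw new ArgumentOutOfRangeException(nameof(requestedExpiry), requestedExpiry, "The requested access window must be a positive duration.");
            }

            TimeSpan? existingTtl = group.GetMemberTtl(user);

            if (existingTtl != null)
            {
                this.logger.LogTrace("User {user} is already a member of {group} with {ttl} left remaining on their membership", user.MsDsPrincipalName, group.MsDsPrincipalName, existingTtl.Value);

                if (!canExtend)
                {
                    // The existing window stands. Nothing was changed, so there is nothing to roll back.
                    this.logger.LogTrace("User {user} is not allowed to extend their access window in group {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
                    undo = () => { };
                    return existingTtl.Value;
                }
            }

            // The write is retried across candidate DCs by the discovery service; the group handle
            // is re-pointed at whichever DC is being tried so the add goes to a writable DC in the
            // group's own domain.
            this.discoveryServices.FindDcAndExecuteWithRetry(dcLocatorTarget, this.discoveryServices.GetDomainNameDns(group.Sid), DsGetDcNameFlags.DS_DIRECTORY_SERVICE_REQUIRED | DsGetDcNameFlags.DS_WRITABLE_REQUIRED, this.GetDcLocatorMode(), dc =>
            {
                this.logger.LogTrace("Attempting to perform pam group operation against DC {dc}", dc);
                group.RetargetToDc(dc);

                this.logger.LogTrace("Adding user {user} to group {group}", user.MsDsPrincipalName, group.Path);

                // NOTE(review): when existingTtl is set, this call is relied on to replace the TTL of the
                // existing membership rather than fail on a duplicate member — confirm against IGroup.AddMember.
                group.AddMember(user, requestedExpiry);
                this.logger.LogInformation(EventIDs.JitPamAccessGranted, "User {user} was added to group {group} with a membership expiry of {ttl}", user.MsDsPrincipalName, group.MsDsPrincipalName, requestedExpiry);

                return true;
            });

            undo = () =>
            {
                // Fail-closed rollback: the membership is removed outright, including any window
                // the user already held before this call extended it. The group handle is presumably
                // still targeted at the DC the add was written to — confirm RetargetToDc is sticky.
                this.logger.LogTrace("Rolling back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
                group.RemoveMember(user);
                this.logger.LogInformation(EventIDs.JitPamAccessRevoked, "Rolled back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
            };

            return requestedExpiry;
        }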
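        /// <summary>
        /// Grants <paramref name="user"/> JIT access to <paramref name="group"/> indirectly: a per-user dynamic
        /// (entry-TTL) group is created or extended on a located writable DC, the user is added to it and the
        /// dynamic group is nested into the JIT group. The returned <paramref name="undo"/> delegate deletes the
        /// dynamic group again.
        /// </summary>
        /// <param name="group">Target JIT group.</param>
        /// <param name="user">Principal being granted access.</param>
        /// <param name="dcLocatorTarget">Locator target handed to the discovery service when choosing a DC.</param>
        /// <param name="canExtend">Whether an already existing dynamic group may have its TTL extended to <paramref name="requestedExpiry"/>.</param>
        /// <param name="requestedExpiry">Requested access window; must be a positive duration.</param>
        /// <param name="undo">Rollback action: deletes the dynamic group by its fully qualified name, if one was resolved or created.</param>
        /// <returns>
        /// <paramref name="requestedExpiry"/> when the dynamic group was created or extended; otherwise the remaining
        /// entry TTL of the existing dynamic group, or zero if the directory reports none.
        /// </returns>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="requestedExpiry"/> is zero or negative.</exception>
        public TimeSpan GrantJitAccessDynamicGroup(IGroup group, IUser user, string dcLocatorTarget, bool canExtend, TimeSpan requestedExpiry, out Action undo)
        {
            // A zero or negative window is never a valid JIT grant; refuse it before any
            // DC is located or any directory object is created.
            if (requestedExpiry <= TimeSpan.Zero)
            {
                throw new ArgumentOutOfRangeException(nameof(requestedExpiry), requestedExpiry, "The requested access window must be a positive duration.");
            }

            JitDynamicGroupMapping mapping = this.FindDomainMapping(group);

            // NOTE(review): the dynamic group name is derived from (mapping, user, group) and the whole
            // scheme assumes it is unique per user and JIT group. If two users ever map to the same
            // sAMAccountName they would share and extend one another's access — confirm BuildGroupSamAccountName.
            string groupName   = this.BuildGroupSamAccountName(mapping, user, group);
            string description = this.BuildGroupDescription(mapping);
            string fqGroupName = $"{this.BuildGroupDomain(group)}\\{groupName}";

            TimeSpan grantedExpiry = requestedExpiry;

            this.logger.LogTrace("Processing request to have {user} added to the JIT group {group} via dynamicObject {dynamicGroup}", user.MsDsPrincipalName, group.Path, fqGroupName);

            // Assigned inside the retry callback; stays null if the callback never ran, which the
            // undo delegate checks for.
            IGroup dynamicGroup = null;

            // All writes are pinned to a single writable DC in the OU's domain so the create, the
            // membership adds and the nesting are not split across replicas.
            this.discoveryServices.FindDcAndExecuteWithRetry(dcLocatorTarget, this.discoveryServices.GetDomainNameDns(mapping.GroupOU), DsGetDcNameFlags.DS_DIRECTORY_SERVICE_REQUIRED | DsGetDcNameFlags.DS_WRITABLE_REQUIRED, this.GetDcLocatorMode(), dc =>
            {
                this.logger.LogTrace("Attempting to perform dynamic group operation against DC {dc}", dc);

                group.RetargetToDc(dc);

                // NOTE(review): this lookup and the CreateTtlGroup below are not atomic; two concurrent
                // requests for the same user could both attempt creation on the same DC — confirm how
                // CreateTtlGroup behaves when the name already exists.
                if (directory.TryGetGroup(fqGroupName, out dynamicGroup))
                {
                    dynamicGroup.RetargetToDc(dc);

                    this.logger.LogTrace("Dynamic group {dynamicGroup} already exists in the directory with a remaining TTL of {ttl}", dynamicGroup.Path, dynamicGroup.EntryTtl);

                    if (!canExtend)
                    {
                        // The existing window stands; report what is left of it. A missing EntryTtl
                        // is surfaced as zero rather than failing the request.
                        this.logger.LogTrace("User {user} is not permitted to extend the access, so the TTL will remain unchanged", user.MsDsPrincipalName);
                        grantedExpiry = dynamicGroup.EntryTtl ?? TimeSpan.Zero;
                    }
                    else
                    {
                        dynamicGroup.ExtendTtl(requestedExpiry);
                        this.logger.LogTrace("User {user} is permitted to extend the access, so the TTL will was updated to {ttl}", user.MsDsPrincipalName, requestedExpiry);
                    }
                }
                else
                {
                    this.logger.LogTrace("Creating a new dynamic group {groupName} in {ou} with TTL of {ttl}", groupName, mapping.GroupOU, grantedExpiry);
                    dynamicGroup = this.directory.CreateTtlGroup(groupName, groupName, description, mapping.GroupOU, dc, grantedExpiry, mapping.GroupType, true);
                    // The audit event previously had a second argument with no placeholder, so the
                    // granted TTL never reached the log; the template now carries it.
                    this.logger.LogInformation(EventIDs.JitDynamicGroupCreated, "Created a new dynamic group {group} with TTL of {ttl}", dynamicGroup.Path, grantedExpiry);
                }

                // Both membership writes are issued even when the dynamic group already existed;
                // presumably IGroup.AddMember tolerates an existing member — TODO confirm.
                this.logger.LogTrace("Adding user {user} to dynamic group {dynamicGroup}", user.MsDsPrincipalName, dynamicGroup.Path);
                dynamicGroup.AddMember(user);

                this.logger.LogTrace("Adding dynamic group {dynamicGroup} to the JIT group {jitGroup}", dynamicGroup.Path, group.Path);
                group.AddMember(dynamicGroup);

                return true;
            });

            undo = () =>
            {
                if (dynamicGroup != null)
                {
                    // Fail-closed rollback: the dynamic group is deleted whether this call created it
                    // or only extended it, so any window the user held before the call is revoked too.
                    // NOTE(review): the delete goes through `directory` by name rather than the `dc`
                    // the group was just created on; if that resolves to a different DC before the
                    // object has replicated, the rollback may not find the group — confirm DeleteGroup's targeting.
                    this.logger.LogTrace("Rolling back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
                    this.directory.DeleteGroup(fqGroupName);
                    this.logger.LogInformation(EventIDs.JitDynamicGroupDeleted, "Rolled back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
                }
            };

            return grantedExpiry;
        }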