private Dictionary <string, string> BuildTokenDictionary(AuditableAction action)
{
LapsAuthorizationResponse lapsAuthZResponse = action.AuthzResponse as LapsAuthorizationResponse;
JitAuthorizationResponse jitAuthZResponse = action.AuthzResponse as JitAuthorizationResponse;
Dictionary <string, string> pairs = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase)
{
{ "{user.SamAccountName}", action.User?.SamAccountName },
{ "{user.MsDsPrincipalName}", action.User?.MsDsPrincipalName },
{ "{user.DisplayName}", action.User?.DisplayName },
{ "{user.UserPrincipalName}", action.User?.UserPrincipalName },
{ "{user.Sid}", action.User?.Sid?.ToString() },
{ "{user.DistinguishedName}", action.User?.DistinguishedName },
{ "{user.Description}", action.User?.Description },
{ "{user.EmailAddress}", action.User?.EmailAddress },
{ "{user.Guid}", action.User?.Guid?.ToString() },
{ "{user.GivenName}", action.User?.GivenName },
{ "{user.Surname}", action.User?.Surname },
{ "{computer.SamAccountName}", action.Computer?.SamAccountName },
{ "{computer.MsDsPrincipalName}", action.Computer?.MsDsPrincipalName },
{ "{computer.DistinguishedName}", action.Computer?.DistinguishedName },
{ "{computer.Description}", action.Computer?.Description },
{ "{computer.DisplayName}", action.Computer?.DisplayName },
{ "{computer.Guid}", action.Computer?.Guid?.ToString() },
{ "{computer.Sid}", action.Computer?.Sid?.ToString() },
{ "{request.ComputerName}", action.RequestedComputerName },
{ "{request.Reason}", action.RequestReason ?? "(not provided)" },
{ "{AuthzResult.NotificationChannels}", string.Join(",", action.AuthzResponse?.NotificationChannels ?? new List <string>()) },
{ "{AuthzResult.MatchedRuleDescription}", action.AuthzResponse?.MatchedRuleDescription },
{ "{AuthzResult.MatchedRule}", action.AuthzResponse?.MatchedRule },
{ "{AuthzResult.ExpireAfter}", (lapsAuthZResponse?.ExpireAfter ?? jitAuthZResponse?.ExpireAfter)?.ToString() },
{ "{AuthzResult.ResponseCode}", action.AuthzResponse?.Code.ToString() },
{ "{AuthzResult.AccessType}", action.AuthzResponse?.EvaluatedAccess.ToString() },
{ "{AuthzResult.AccessTypeDescription}", action.EvaluatedAccess ?? action.AuthzResponse?.EvaluatedAccess.ToDescription() },
{ "{AuthZResult.AccessExpiryDate}", action.AccessExpiryDate },
{ "{message}", action.Message },
{ "{request.IPAddress}", httpContextAccessor.HttpContext?.Connection?.RemoteIpAddress?.ToString() },
{ "{request.Hostname}", this.TryResolveHostName(httpContextAccessor.HttpContext?.Connection?.RemoteIpAddress) },
{ "{datetime}", DateTime.Now.ToString(CultureInfo.CurrentCulture) },
{ "{datetimeutc}", DateTime.UtcNow.ToString(CultureInfo.CurrentCulture) },
{ "{computer.LapsExpiryDate}", action.AccessExpiryDate }, //deprecated
};
return(pairs);
}
private IActionResult GrantJitAccess(AccessRequestModel model, IUser user, IComputer computer, JitAuthorizationResponse authResponse)
{
Action undo = null;
try
{
TimeSpan grantedAccessLength = this.jitAccessProvider.GrantJitAccess(this.directory.GetGroup(authResponse.AuthorizingGroup), user, authResponse.AllowExtension, authResponse.ExpireAfter, out undo);
DateTime expiryDate = DateTime.Now.Add(grantedAccessLength);
this.reporting.GenerateAuditEvent(new AuditableAction
{
AuthzResponse = authResponse,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
IsSuccess = true,
User = user,
Computer = computer,
EventID = EventIDs.ComputerJitAccessGranted,
ComputerExpiryDate = expiryDate.ToString(CultureInfo.CurrentCulture)
});
var jitDetails = new JitDetailsModel(computer.MsDsPrincipalName, user.MsDsPrincipalName, expiryDate);
return(this.View("Jit", jitDetails));
}
catch (Exception ex)
{
if (undo != null)
{
this.logger.LogEventWarning(EventIDs.JitRollbackInProgress, LogMessages.JitRollbackInProgress, ex);
try
{
undo();
}
catch (Exception ex2)
{
this.logger.LogEventError(EventIDs.JitRollbackFailed, LogMessages.JitRollbackFailed, ex2);
}
}
this.logger.LogEventError(EventIDs.JitError, string.Format(LogMessages.JitError, computer.MsDsPrincipalName, user.MsDsPrincipalName), ex);
ErrorModel errorModel = new ErrorModel
{
Heading = UIMessages.UnableToGrantAccess,
Message = UIMessages.JitError
};
return(this.View("Error", errorModel));
}
}
