private Dictionary <string, string> BuildTokenDictionary(AuditableAction action)
{
LapsAuthorizationResponse lapsAuthZResponse = action.AuthzResponse as LapsAuthorizationResponse;
JitAuthorizationResponse jitAuthZResponse = action.AuthzResponse as JitAuthorizationResponse;
Dictionary <string, string> pairs = new Dictionary <string, string>(StringComparer.OrdinalIgnoreCase)
{
{ "{user.SamAccountName}", action.User?.SamAccountName },
{ "{user.MsDsPrincipalName}", action.User?.MsDsPrincipalName },
{ "{user.DisplayName}", action.User?.DisplayName },
{ "{user.UserPrincipalName}", action.User?.UserPrincipalName },
{ "{user.Sid}", action.User?.Sid?.ToString() },
{ "{user.DistinguishedName}", action.User?.DistinguishedName },
{ "{user.Description}", action.User?.Description },
{ "{user.EmailAddress}", action.User?.EmailAddress },
{ "{user.Guid}", action.User?.Guid?.ToString() },
{ "{user.GivenName}", action.User?.GivenName },
{ "{user.Surname}", action.User?.Surname },
{ "{computer.SamAccountName}", action.Computer?.SamAccountName },
{ "{computer.MsDsPrincipalName}", action.Computer?.MsDsPrincipalName },
{ "{computer.DistinguishedName}", action.Computer?.DistinguishedName },
{ "{computer.Description}", action.Computer?.Description },
{ "{computer.DisplayName}", action.Computer?.DisplayName },
{ "{computer.Guid}", action.Computer?.Guid?.ToString() },
{ "{computer.Sid}", action.Computer?.Sid?.ToString() },
{ "{request.ComputerName}", action.RequestedComputerName },
{ "{request.Reason}", action.RequestReason ?? "(not provided)" },
{ "{AuthzResult.NotificationChannels}", string.Join(",", action.AuthzResponse?.NotificationChannels ?? new List <string>()) },
{ "{AuthzResult.MatchedRuleDescription}", action.AuthzResponse?.MatchedRuleDescription },
{ "{AuthzResult.MatchedRule}", action.AuthzResponse?.MatchedRule },
{ "{AuthzResult.ExpireAfter}", (lapsAuthZResponse?.ExpireAfter ?? jitAuthZResponse?.ExpireAfter)?.ToString() },
{ "{AuthzResult.ResponseCode}", action.AuthzResponse?.Code.ToString() },
{ "{AuthzResult.AccessType}", action.AuthzResponse?.EvaluatedAccess.ToString() },
{ "{AuthzResult.AccessTypeDescription}", action.EvaluatedAccess ?? action.AuthzResponse?.EvaluatedAccess.ToDescription() },
{ "{AuthZResult.AccessExpiryDate}", action.AccessExpiryDate },
{ "{message}", action.Message },
{ "{request.IPAddress}", httpContextAccessor.HttpContext?.Connection?.RemoteIpAddress?.ToString() },
{ "{request.Hostname}", this.TryResolveHostName(httpContextAccessor.HttpContext?.Connection?.RemoteIpAddress) },
{ "{datetime}", DateTime.Now.ToString(CultureInfo.CurrentCulture) },
{ "{datetimeutc}", DateTime.UtcNow.ToString(CultureInfo.CurrentCulture) },
{ "{computer.LapsExpiryDate}", action.AccessExpiryDate }, //deprecated
};
return(pairs);
}
private IActionResult GetLapsPassword(AccessRequestModel model, IUser user, IComputer computer, LapsAuthorizationResponse authResponse)
{
try
{
DateTime?newExpiry = authResponse.ExpireAfter.Ticks > 0 ? DateTime.UtcNow.Add(authResponse.ExpireAfter) : (DateTime?)null;
PasswordEntry current = this.passwordProvider.GetCurrentPassword(computer, newExpiry, authResponse.RetrievalLocation);
if (current == null)
{
throw new NoPasswordException();
}
this.reporting.GenerateAuditEvent(new AuditableAction
{
AuthzResponse = authResponse,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
IsSuccess = true,
User = user,
Computer = computer,
EventID = EventIDs.ComputerPasswordActiveAccessGranted,
ComputerExpiryDate = current.ExpiryDate?.ToLocalTime().ToString(CultureInfo.CurrentUICulture)
});
return(this.View("Password", new CurrentPasswordModel()
{
ComputerName = computer.MsDsPrincipalName,
Password = current.Password,
ValidUntil = current.ExpiryDate?.ToLocalTime(),
}));
}
catch (NoPasswordException)
{
this.logger.LogEventError(EventIDs.LapsPasswordNotPresent, string.Format(LogMessages.NoLapsPassword, computer.MsDsPrincipalName, user.MsDsPrincipalName));
model.FailureReason = UIMessages.NoLapsPassword;
return(this.View("Error", new ErrorModel
{
Heading = UIMessages.HeadingPasswordDetails,
Message = UIMessages.NoLapsPassword
}));
}
catch (Exception ex)
{
this.logger.LogEventError(EventIDs.LapsPasswordError, string.Format(LogMessages.LapsPasswordError, computer.MsDsPrincipalName, user.MsDsPrincipalName), ex);
return(this.View("Error", new ErrorModel
{
Heading = UIMessages.UnableToProcessRequest,
Message = UIMessages.LapsPasswordError
}));
}
}
