Example #1
0
        private static void UpdateTargetPasswordExpiry(TargetElement target, ComputerPrincipal computer)
        {
            TimeSpan t = TimeSpan.Parse(target.ExpireAfter);

            LapController.logger.Trace($"Target rule requires password to change after {t}");
            DateTime newDateTime = DateTime.UtcNow.Add(t);

            LapController.SetExpiryTime(new DirectoryEntry($"LDAP://{computer.DistinguishedName}"), newDateTime);
            LapController.logger.Trace($"Set expiry time for {computer.SamAccountName} to {newDateTime.ToLocalTime()}");
        }
Example #2
0
        public ActionResult Get(LapRequestModel model)
        {
            if (!this.ModelState.IsValid)
            {
                return(this.View());
            }

            UserPrincipal user = null;

            try
            {
                model.FailureReason = null;

                try
                {
                    user = this.GetCurrentUser();

                    if (user == null)
                    {
                        throw new NoMatchingPrincipalException();
                    }
                }
                catch (NoMatchingPrincipalException ex)
                {
                    return(this.LogAndReturnErrorResponse(model, UIMessages.SsoIdentityNotFound, EventIDs.SsoIdentityNotFound, null, ex));
                }

                if (RateLimiter.IsRateLimitExceeded(model, user, this.Request))
                {
                    return(this.View("RateLimitExceeded"));
                }

                Reporting.LogSuccessEvent(EventIDs.UserRequestedPassword, string.Format(LogMessages.UserHasRequestedPassword, user.SamAccountName, model.ComputerName));

                ComputerPrincipal computer = Directory.GetComputerPrincipal(model.ComputerName);

                if (computer == null)
                {
                    return(this.LogAndReturnErrorResponse(model, UIMessages.ComputerNotFoundInDirectory, EventIDs.ComputerNotFound, string.Format(LogMessages.ComputerNotFoundInDirectory, user.SamAccountName, model.ComputerName)));
                }

                TargetElement target = this.GetMatchingTargetOrNull(computer);
                if (target == null)
                {
                    return(this.AuditAndReturnErrorResponse(
                               model: model,
                               userMessage: UIMessages.NotAuthorized,
                               eventID: EventIDs.AuthZFailedNoTargetMatch,
                               logMessage: string.Format(LogMessages.NoTargetsExist, user.SamAccountName, computer.SamAccountName),
                               user: user,
                               computer: computer));
                }

                foreach (ReaderElement reader in target.Readers.OfType <ReaderElement>())
                {
                    if (this.IsReaderAuthorized(reader, user))
                    {
                        logger.Trace($"User {user.SamAccountName} matches reader principal {reader.Principal} is authorized to read passwords from target {target.Name}");

                        SearchResult searchResult = Directory.GetDirectoryEntry(computer, Directory.AttrSamAccountName, Directory.AttrMsMcsAdmPwd, Directory.AttrMsMcsAdmPwdExpirationTime);

                        if (!searchResult.Properties.Contains(Directory.AttrMsMcsAdmPwd))
                        {
                            return(this.LogAndReturnErrorResponse(model, UIMessages.NoLapsPassword, EventIDs.LapsPasswordNotPresent, string.Format(LogMessages.NoLapsPassword, computer.SamAccountName, user.SamAccountName)));
                        }

                        if (target.ExpireAfter != null)
                        {
                            LapController.UpdateTargetPasswordExpiry(target, computer);
                            searchResult = Directory.GetDirectoryEntry(computer, Directory.AttrSamAccountName, Directory.AttrMsMcsAdmPwd, Directory.AttrMsMcsAdmPwdExpirationTime);
                        }

                        Reporting.PerformAuditSuccessActions(model, target, reader, user, computer, searchResult);

                        return(this.View("Show", LapController.CreateLapEntryModel(searchResult)));
                    }
                }

                return(this.AuditAndReturnErrorResponse(
                           model: model,
                           userMessage: UIMessages.NotAuthorized,
                           eventID: EventIDs.AuthZFailedNoReaderPrincipalMatch,
                           logMessage: string.Format(LogMessages.AuthZFailedNoReaderPrincipalMatch, user.SamAccountName, computer.SamAccountName),
                           target: target,
                           user: user,
                           computer: computer));
            }
            catch (Exception ex)
            {
                return(this.LogAndReturnErrorResponse(model, UIMessages.UnexpectedError, EventIDs.UnexpectedError, string.Format(LogMessages.UnhandledError, model.ComputerName, user?.SamAccountName ?? LogMessages.UnknownComputerPlaceholder), ex));
            }
        }