private static void UpdateTargetPasswordExpiry(TargetElement target, ComputerPrincipal computer)
{
TimeSpan t = TimeSpan.Parse(target.ExpireAfter);
LapController.logger.Trace($"Target rule requires password to change after {t}");
DateTime newDateTime = DateTime.UtcNow.Add(t);
LapController.SetExpiryTime(new DirectoryEntry($"LDAP://{computer.DistinguishedName}"), newDateTime);
LapController.logger.Trace($"Set expiry time for {computer.SamAccountName} to {newDateTime.ToLocalTime()}");
}
public ActionResult Get(LapRequestModel model)
{
if (!this.ModelState.IsValid)
{
return(this.View());
}
UserPrincipal user = null;
try
{
model.FailureReason = null;
try
{
user = this.GetCurrentUser();
if (user == null)
{
throw new NoMatchingPrincipalException();
}
}
catch (NoMatchingPrincipalException ex)
{
return(this.LogAndReturnErrorResponse(model, UIMessages.SsoIdentityNotFound, EventIDs.SsoIdentityNotFound, null, ex));
}
if (RateLimiter.IsRateLimitExceeded(model, user, this.Request))
{
return(this.View("RateLimitExceeded"));
}
Reporting.LogSuccessEvent(EventIDs.UserRequestedPassword, string.Format(LogMessages.UserHasRequestedPassword, user.SamAccountName, model.ComputerName));
ComputerPrincipal computer = Directory.GetComputerPrincipal(model.ComputerName);
if (computer == null)
{
return(this.LogAndReturnErrorResponse(model, UIMessages.ComputerNotFoundInDirectory, EventIDs.ComputerNotFound, string.Format(LogMessages.ComputerNotFoundInDirectory, user.SamAccountName, model.ComputerName)));
}
TargetElement target = this.GetMatchingTargetOrNull(computer);
if (target == null)
{
return(this.AuditAndReturnErrorResponse(
model: model,
userMessage: UIMessages.NotAuthorized,
eventID: EventIDs.AuthZFailedNoTargetMatch,
logMessage: string.Format(LogMessages.NoTargetsExist, user.SamAccountName, computer.SamAccountName),
user: user,
computer: computer));
}
foreach (ReaderElement reader in target.Readers.OfType <ReaderElement>())
{
if (this.IsReaderAuthorized(reader, user))
{
logger.Trace($"User {user.SamAccountName} matches reader principal {reader.Principal} is authorized to read passwords from target {target.Name}");
SearchResult searchResult = Directory.GetDirectoryEntry(computer, Directory.AttrSamAccountName, Directory.AttrMsMcsAdmPwd, Directory.AttrMsMcsAdmPwdExpirationTime);
if (!searchResult.Properties.Contains(Directory.AttrMsMcsAdmPwd))
{
return(this.LogAndReturnErrorResponse(model, UIMessages.NoLapsPassword, EventIDs.LapsPasswordNotPresent, string.Format(LogMessages.NoLapsPassword, computer.SamAccountName, user.SamAccountName)));
}
if (target.ExpireAfter != null)
{
LapController.UpdateTargetPasswordExpiry(target, computer);
searchResult = Directory.GetDirectoryEntry(computer, Directory.AttrSamAccountName, Directory.AttrMsMcsAdmPwd, Directory.AttrMsMcsAdmPwdExpirationTime);
}
Reporting.PerformAuditSuccessActions(model, target, reader, user, computer, searchResult);
return(this.View("Show", LapController.CreateLapEntryModel(searchResult)));
}
}
return(this.AuditAndReturnErrorResponse(
model: model,
userMessage: UIMessages.NotAuthorized,
eventID: EventIDs.AuthZFailedNoReaderPrincipalMatch,
logMessage: string.Format(LogMessages.AuthZFailedNoReaderPrincipalMatch, user.SamAccountName, computer.SamAccountName),
target: target,
user: user,
computer: computer));
}
catch (Exception ex)
{
return(this.LogAndReturnErrorResponse(model, UIMessages.UnexpectedError, EventIDs.UnexpectedError, string.Format(LogMessages.UnhandledError, model.ComputerName, user?.SamAccountName ?? LogMessages.UnknownComputerPlaceholder), ex));
}
}
