/// <summary> /// OnAuthenticationPipelineLoad method override /// </summary> public override void OnAuthenticationPipelineLoad(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData) { try { ReadConfigFile(logger, configData); } catch (Exception ex) { logger?.WriteAdminLogErrorMessage(ex.ToString()); throw; } }
/// <summary> /// EvaluateRequest method implentation for interface IRequestReceivedThreatDetectionModule /// </summary> public Task <ThrottleStatus> EvaluateRequest(ThreatDetectionLogger logger, RequestContext requestContext) { try { if (requestContext.LocalEndPointAbsolutePath.ToLower().StartsWith("/adfs/proxy")) { return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow)); } #if extranetonly if (requestContext.ClientLocation.HasValue && requestContext.ClientLocation.Value == NetworkLocation.Extranet) #endif { foreach (IPAddress clientIpAddress in requestContext.ClientIpAddresses) { logger?.WriteDebugMessage($"Block saw IP {clientIpAddress}"); string ss = clientIpAddress.ToString(); string ff = string.Empty; int i = IndexOfNth(ss, '.', 2); if (i != -1) { ff = ss.Substring(0, i); } else { ff = ss; } List <string> filtered = _blockedIPs.Where(x => x.StartsWith(ff)).ToList(); foreach (string s in filtered) { try { if (this.IsInSubnet(clientIpAddress, s)) { logger?.WriteDebugMessage($"Blocked request from IP {clientIpAddress}"); return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block)); } } catch (Exception ex) { logger?.WriteDebugMessage($"Error {ex.Message} for IP {clientIpAddress}"); } } } } return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow)); } catch { return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block)); } }
/// <summary> /// ReadConfigFile method implementation /// </summary> private void ReadConfigFile(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData) { List <string> ipAddressSet = new List <string>(); _blockedIPs.Clear(); using (var sr = new StreamReader(configData.ReadData())) { while (sr.Peek() >= 0) { string line = string.Empty; try { line = sr.ReadLine(); if (string.IsNullOrEmpty(line)) { continue; } if (line.StartsWith("#")) { continue; } string[] values = line.Split(';'); foreach (string s in values) { string ipAddress = s; if (string.IsNullOrEmpty(ipAddress.Trim())) { continue; } if (!ipAddress.Contains('/')) { ipAddress += "/32"; } logger?.WriteDebugMessage($"Loaded IP {ipAddress}"); ipAddressSet.Add(ipAddress); } } catch (Exception ex) { logger?.WriteAdminLogErrorMessage($"Failed reading IP {line} exception {ex}"); } } } _blockedIPs = ipAddressSet; }
/// <summary> /// Implements the interface method. /// This method compares the IP (if from extranet) from the authentication request with all the banned IPs. If a match is found, method returns Throttelstatus as 2 (Block), else it returns 1 (Allow). /// </summary> /// <param name="logger"></param> /// <param name="requestContext"></param> /// <returns></returns> public Task <ThrottleStatus> EvaluateRequest(ThreatDetectionLogger logger, RequestContext requestContext) { if (requestContext.ClientLocation.HasValue && requestContext.ClientLocation.Value == NetworkLocation.Extranet) { foreach (IPAddress clientIpAddress in requestContext.ClientIpAddresses) { logger?.WriteDebugMessage($"Block saw IP {clientIpAddress}"); if (this._blockedIPs.Contains(clientIpAddress)) { logger?.WriteDebugMessage($"Blocked request from IP {clientIpAddress}"); return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block)); } } } return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow)); }
/// <summary> /// Parses the config file and store it in HashSet /// </summary> /// <param name="logger"></param> /// <param name="configData"></param> private void ReadConfigFile(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData) { HashSet <IPAddress> ipAddressSet = new HashSet <IPAddress>(); TextFieldParser textFieldParser = new TextFieldParser(configData.ReadData()) { TextFieldType = FieldType.Delimited }; textFieldParser.SetDelimiters(";", ","); while (!textFieldParser.EndOfData) { string[] ipValueList = textFieldParser.ReadFields(); if (null == ipValueList) { continue; } foreach (var ipValue in ipValueList) { try { if (string.IsNullOrEmpty(ipValue)) { continue; } IPAddress ipAddress = IPAddress.Parse(ipValue); ipAddressSet.Add(ipAddress); logger?.WriteDebugMessage($"Loaded IP {ipAddress}"); } catch (Exception ex) { // Continue to load additional IPs from the configuration file. logger?.WriteAdminLogErrorMessage($"Failed reading IP {ipValue} exception {ex}"); } } } _blockedIPs = ipAddressSet; }
public Task <ThrottleStatus> EvaluatePreAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, IList <Claim> additionalClams) { try { RiskScore isRisky = RiskyUserHelper.GetRiskScore(securityContext.UserIdentifier); if (isRisky == RiskScore.High) { logger?.WriteAdminLogErrorMessage($"EvaluatePreAuthentication: Blocked request for user {securityContext.UserIdentifier}"); return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block)); } logger?.WriteDebugMessage($"EvaluatePreAuthentication: Allowed request for user {securityContext.UserIdentifier}"); return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow)); } catch (Exception ex) { logger.WriteAdminLogErrorMessage(ex.ToString()); throw; } throw new NotImplementedException(); }
/// <summary> /// OnConfigurationUpdate method override /// </summary> public override void OnConfigurationUpdate(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData) { ReadConfigFile(logger, configData); }
/// <summary> /// OnAuthenticationPipelineUnload method override /// </summary> public override void OnAuthenticationPipelineUnload(ThreatDetectionLogger logger) { _blockedIPs.Clear(); }
/// <summary> /// EvaluatePostAuthentication method implentation for interface IPostAuthenticationThreatDetectionModule /// </summary> public Task <RiskScore> EvaluatePostAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, AuthenticationResult authenticationResult, IList <Claim> additionalClaims) { return(Task.FromResult <RiskScore>(RiskScore.NotEvaluated)); }
/// <summary> /// EvaluatePreAuthentication method implentation for interface IPreAuthenticationThreatDetectionModule /// </summary> public Task <ThrottleStatus> EvaluatePreAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, IList <Claim> additionalClaims) { return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow)); }
public override void OnAuthenticationPipelineUnload(ThreatDetectionLogger logger) { }
Task <RiskScore> IPostAuthenticationThreatDetectionModule.EvaluatePostAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, AuthenticationResult authenticationResult, IList <Claim> additionalClams) { try { RiskScore isRisky = RiskyUserHelper.GetRiskScore(securityContext.UserIdentifier); if (isRisky == RiskScore.High || isRisky == RiskScore.Medium) { logger?.WriteAdminLogErrorMessage($"EvaluatePostAuthentication: Risk Score {isRisky} returned for user {securityContext.UserIdentifier}"); } else { logger?.WriteDebugMessage($"EvaluatePostAuthentication: Risk Score {isRisky} returned for user {securityContext.UserIdentifier}"); } return(Task.FromResult <RiskScore>(isRisky)); } catch (Exception ex) { logger.WriteAdminLogErrorMessage(ex.ToString()); throw; } throw new NotImplementedException(); }
/// <summary> /// ADFS calls this method while loading the module /// </summary> /// <param name="logger"></param> /// <param name="configData"></param> public override void OnAuthenticationPipelineLoad(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData) { }