/// <summary>
/// OnAuthenticationPipelineLoad method override
/// </summary>
public override void OnAuthenticationPipelineLoad(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
{
try
{
ReadConfigFile(logger, configData);
}
catch (Exception ex)
{
logger?.WriteAdminLogErrorMessage(ex.ToString());
throw;
}
}
/// <summary>
/// EvaluateRequest method implentation for interface IRequestReceivedThreatDetectionModule
/// </summary>
public Task <ThrottleStatus> EvaluateRequest(ThreatDetectionLogger logger, RequestContext requestContext)
{
try
{
if (requestContext.LocalEndPointAbsolutePath.ToLower().StartsWith("/adfs/proxy"))
{
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow));
}
#if extranetonly
if (requestContext.ClientLocation.HasValue && requestContext.ClientLocation.Value == NetworkLocation.Extranet)
#endif
{
foreach (IPAddress clientIpAddress in requestContext.ClientIpAddresses)
{
logger?.WriteDebugMessage($"Block saw IP {clientIpAddress}");
string ss = clientIpAddress.ToString();
string ff = string.Empty;
int i = IndexOfNth(ss, '.', 2);
if (i != -1)
{
ff = ss.Substring(0, i);
}
else
{
ff = ss;
}
List <string> filtered = _blockedIPs.Where(x => x.StartsWith(ff)).ToList();
foreach (string s in filtered)
{
try
{
if (this.IsInSubnet(clientIpAddress, s))
{
logger?.WriteDebugMessage($"Blocked request from IP {clientIpAddress}");
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block));
}
}
catch (Exception ex)
{
logger?.WriteDebugMessage($"Error {ex.Message} for IP {clientIpAddress}");
}
}
}
}
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow));
}
catch
{
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block));
}
}
/// <summary>
/// ReadConfigFile method implementation
/// </summary>
private void ReadConfigFile(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
{
List <string> ipAddressSet = new List <string>();
_blockedIPs.Clear();
using (var sr = new StreamReader(configData.ReadData()))
{
while (sr.Peek() >= 0)
{
string line = string.Empty;
try
{
line = sr.ReadLine();
if (string.IsNullOrEmpty(line))
{
continue;
}
if (line.StartsWith("#"))
{
continue;
}
string[] values = line.Split(';');
foreach (string s in values)
{
string ipAddress = s;
if (string.IsNullOrEmpty(ipAddress.Trim()))
{
continue;
}
if (!ipAddress.Contains('/'))
{
ipAddress += "/32";
}
logger?.WriteDebugMessage($"Loaded IP {ipAddress}");
ipAddressSet.Add(ipAddress);
}
}
catch (Exception ex)
{
logger?.WriteAdminLogErrorMessage($"Failed reading IP {line} exception {ex}");
}
}
}
_blockedIPs = ipAddressSet;
}
/// <summary>
/// Implements the interface method.
/// This method compares the IP (if from extranet) from the authentication request with all the banned IPs. If a match is found, method returns Throttelstatus as 2 (Block), else it returns 1 (Allow).
/// </summary>
/// <param name="logger"></param>
/// <param name="requestContext"></param>
/// <returns></returns>
public Task <ThrottleStatus> EvaluateRequest(ThreatDetectionLogger logger, RequestContext requestContext)
{
if (requestContext.ClientLocation.HasValue && requestContext.ClientLocation.Value == NetworkLocation.Extranet)
{
foreach (IPAddress clientIpAddress in requestContext.ClientIpAddresses)
{
logger?.WriteDebugMessage($"Block saw IP {clientIpAddress}");
if (this._blockedIPs.Contains(clientIpAddress))
{
logger?.WriteDebugMessage($"Blocked request from IP {clientIpAddress}");
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block));
}
}
}
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow));
}
/// <summary>
/// Parses the config file and store it in HashSet
/// </summary>
/// <param name="logger"></param>
/// <param name="configData"></param>
private void ReadConfigFile(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
{
HashSet <IPAddress> ipAddressSet = new HashSet <IPAddress>();
TextFieldParser textFieldParser = new TextFieldParser(configData.ReadData())
{
TextFieldType = FieldType.Delimited
};
textFieldParser.SetDelimiters(";", ",");
while (!textFieldParser.EndOfData)
{
string[] ipValueList = textFieldParser.ReadFields();
if (null == ipValueList)
{
continue;
}
foreach (var ipValue in ipValueList)
{
try
{
if (string.IsNullOrEmpty(ipValue))
{
continue;
}
IPAddress ipAddress = IPAddress.Parse(ipValue);
ipAddressSet.Add(ipAddress);
logger?.WriteDebugMessage($"Loaded IP {ipAddress}");
}
catch (Exception ex)
{
// Continue to load additional IPs from the configuration file.
logger?.WriteAdminLogErrorMessage($"Failed reading IP {ipValue} exception {ex}");
}
}
}
_blockedIPs = ipAddressSet;
}
public Task <ThrottleStatus> EvaluatePreAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, IList <Claim> additionalClams)
{
try
{
RiskScore isRisky = RiskyUserHelper.GetRiskScore(securityContext.UserIdentifier);
if (isRisky == RiskScore.High)
{
logger?.WriteAdminLogErrorMessage($"EvaluatePreAuthentication: Blocked request for user {securityContext.UserIdentifier}");
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Block));
}
logger?.WriteDebugMessage($"EvaluatePreAuthentication: Allowed request for user {securityContext.UserIdentifier}");
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow));
}
catch (Exception ex)
{
logger.WriteAdminLogErrorMessage(ex.ToString());
throw;
}
throw new NotImplementedException();
}
/// <summary>
/// OnConfigurationUpdate method override
/// </summary>
public override void OnConfigurationUpdate(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
{
ReadConfigFile(logger, configData);
}
/// <summary>
/// OnAuthenticationPipelineUnload method override
/// </summary>
public override void OnAuthenticationPipelineUnload(ThreatDetectionLogger logger)
{
_blockedIPs.Clear();
}
/// <summary>
/// EvaluatePostAuthentication method implentation for interface IPostAuthenticationThreatDetectionModule
/// </summary>
public Task <RiskScore> EvaluatePostAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, AuthenticationResult authenticationResult, IList <Claim> additionalClaims)
{
return(Task.FromResult <RiskScore>(RiskScore.NotEvaluated));
}
/// <summary>
/// EvaluatePreAuthentication method implentation for interface IPreAuthenticationThreatDetectionModule
/// </summary>
public Task <ThrottleStatus> EvaluatePreAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, IList <Claim> additionalClaims)
{
return(Task.FromResult <ThrottleStatus>(ThrottleStatus.Allow));
}
public override void OnAuthenticationPipelineUnload(ThreatDetectionLogger logger)
{
}
Task <RiskScore> IPostAuthenticationThreatDetectionModule.EvaluatePostAuthentication(ThreatDetectionLogger logger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, AuthenticationResult authenticationResult, IList <Claim> additionalClams)
{
try
{
RiskScore isRisky = RiskyUserHelper.GetRiskScore(securityContext.UserIdentifier);
if (isRisky == RiskScore.High || isRisky == RiskScore.Medium)
{
logger?.WriteAdminLogErrorMessage($"EvaluatePostAuthentication: Risk Score {isRisky} returned for user {securityContext.UserIdentifier}");
}
else
{
logger?.WriteDebugMessage($"EvaluatePostAuthentication: Risk Score {isRisky} returned for user {securityContext.UserIdentifier}");
}
return(Task.FromResult <RiskScore>(isRisky));
}
catch (Exception ex)
{
logger.WriteAdminLogErrorMessage(ex.ToString());
throw;
}
throw new NotImplementedException();
}
/// <summary>
/// ADFS calls this method while loading the module
/// </summary>
/// <param name="logger"></param>
/// <param name="configData"></param>
public override void OnAuthenticationPipelineLoad(ThreatDetectionLogger logger, ThreatDetectionModuleConfiguration configData)
{
}
