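/// <summary>
/// Grants JIT access via a dynamic (TTL) group and verifies the resulting group chain:
/// a TTL group named from the mapping template is created, it is nested in the JIT group,
/// and the user ends up a member of both.
/// </summary>
/// <param name="groupou">OU in which the dynamic (TTL) group is expected to be created.</param>
/// <param name="jitGroupName">Domain-qualified JIT group name (DOMAIN\name); its domain prefix is reused for the TTL group.</param>
/// <param name="userName">User who is granted access.</param>
public void CreateDynamicGroup(string groupou, string jitGroupName, string userName)
{
    // Random name so repeated runs never collide with a leftover group.
    string groupname = Guid.NewGuid().ToString();
    // Build the qualified TTL group name from the JIT group's domain prefix.
    string fqGroupName = $"{jitGroupName.Split('\\')[0]}\\{groupname}";

    IGroup jitGroup = directory.GetGroup(jitGroupName);
    jitGroup.RemoveMembers(); // start from a known-empty JIT group
    IUser user = directory.GetUser(userName);

    options.DynamicGroupMappings.Add(new JitDynamicGroupMapping()
    {
        Domain = jitGroup.Sid.AccountDomainSid.ToString(),
        GroupOU = groupou,
        GroupNameTemplate = groupname
    });

    this.provider = new JitAccessProvider(directory, logger, this.GetOptions());
    provider.GrantJitAccessDynamicGroup(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);

    // Presumably gives the directory time to replicate / materialize the new group — confirm.
    Thread.Sleep(TimeSpan.FromSeconds(20));

    IGroup ttlGroup = directory.GetGroup(fqGroupName);
    Assert.IsNotNull(ttlGroup);
    Assert.AreEqual(groupname, ttlGroup.SamAccountName);

    // Previously these membership checks were called but their results discarded, so a
    // broken grant would still have passed; assert each relationship explicitly.
    Assert.IsTrue(directory.IsSidInPrincipalToken(ttlGroup.Sid, jitGroup.Sid), "TTL group should be nested in the JIT group");
    Assert.IsTrue(directory.IsSidInPrincipalToken(user.Sid, ttlGroup.Sid), "User should be a member of the TTL group");
    Assert.IsTrue(directory.IsSidInPrincipalToken(user.Sid, jitGroup.Sid), "User should be an effective member of the JIT group");
}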
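/// <summary>
/// Verifies that a second dynamic-group grant for the same user does not extend the
/// original window: the first grant returns the full 1 minute, and a re-grant issued
/// 20 seconds later returns only the remaining time (bounded at 50 s for timing slack).
/// </summary>
/// <param name="groupou">OU in which the dynamic (TTL) group is created.</param>
/// <param name="jitGroupName">Domain-qualified JIT group name (DOMAIN\name).</param>
/// <param name="userName">User who is granted access.</param>
public void TestDynamicGroupAccessExtensionNotAllowed(string groupou, string jitGroupName, string userName)
{
    // Random template name so repeated runs never collide with a leftover group.
    // (The original also built a qualified group name here that was never used; removed.)
    string groupname = Guid.NewGuid().ToString();

    IGroup jitGroup = directory.GetGroup(jitGroupName);
    jitGroup.RemoveMembers(); // start from a known-empty JIT group
    IUser user = directory.GetUser(userName);

    options.DynamicGroupMappings.Add(new JitDynamicGroupMapping()
    {
        Domain = jitGroup.Sid.AccountDomainSid.ToString(),
        GroupOU = groupou,
        GroupNameTemplate = groupname
    });

    this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

    TimeSpan allowedAccess = provider.GrantJitAccessDynamicGroup(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);
    Assert.AreEqual(1, allowedAccess.TotalMinutes);

    Thread.Sleep(TimeSpan.FromSeconds(20));

    // A re-grant must not reset the clock: the returned window should be what is left, not a fresh minute.
    TimeSpan allowedAccess2 = provider.GrantJitAccessDynamicGroup(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);
    Assert.LessOrEqual(allowedAccess2.TotalSeconds, 50);
}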
/// <summary>
/// Verifies that a second PAM grant cannot extend an existing membership TTL: a 1-minute
/// grant is issued, then a 2-minute re-grant 10 seconds later must still leave both the
/// reported window and the directory-side TTL at or below 60 seconds.
/// </summary>
/// <param name="jitGroupName">Domain-qualified JIT group name.</param>
/// <param name="userName">User who is granted access.</param>
public void TestPamGroupAccessExtensionNotAllowed(string jitGroupName, string userName)
{
    IGroup targetGroup = directory.GetGroup(jitGroupName);
    targetGroup.RemoveMembers(); // known-empty starting state
    IUser principal = directory.GetUser(userName);

    this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

    // First grant: full 1-minute window expected.
    TimeSpan firstWindow = provider.GrantJitAccessPam(targetGroup, principal, false, TimeSpan.FromMinutes(1), out _);
    TimeSpan? ttlAfterFirst = targetGroup.GetMemberTtl(principal);

    Assert.AreEqual(1, firstWindow.TotalMinutes);
    Assert.IsNotNull(ttlAfterFirst);
    Assert.LessOrEqual(ttlAfterFirst.Value.TotalSeconds, 60);

    Thread.Sleep(TimeSpan.FromSeconds(10));

    // Second grant asks for more (2 minutes) but must not be allowed to extend the existing TTL.
    TimeSpan secondWindow = provider.GrantJitAccessPam(targetGroup, principal, false, TimeSpan.FromMinutes(2), out _);
    TimeSpan? ttlAfterSecond = targetGroup.GetMemberTtl(principal);

    Assert.IsNotNull(ttlAfterSecond);
    Assert.LessOrEqual(ttlAfterSecond.Value.TotalSeconds, 60);
    Assert.LessOrEqual(secondWindow.TotalSeconds, 60);
}
/// <summary>
/// Verifies that the undo action returned by a dynamic-group grant removes the TTL group
/// it created: the group exists after the grant and is gone after undo.
/// </summary>
/// <param name="groupou">OU in which the dynamic (TTL) group is created.</param>
/// <param name="jitGroupName">Domain-qualified JIT group name (DOMAIN\name); its domain prefix is reused for the TTL group.</param>
/// <param name="userName">User who is granted access.</param>
public void TestDynamicGroupAccessUndo(string groupou, string jitGroupName, string userName)
{
    string templateName = Guid.NewGuid().ToString();
    string domainPrefix = jitGroupName.Split('\\')[0];
    string qualifiedTtlGroup = $"{domainPrefix}\\{templateName}";

    IGroup targetGroup = directory.GetGroup(jitGroupName);
    targetGroup.RemoveMembers(); // known-empty starting state
    IUser principal = directory.GetUser(userName);

    var mapping = new JitDynamicGroupMapping()
    {
        Domain = targetGroup.Sid.AccountDomainSid.ToString(),
        GroupOU = groupou,
        GroupNameTemplate = templateName
    };
    options.DynamicGroupMappings.Add(mapping);

    this.provider = new JitAccessProvider(directory, logger, this.GetOptions());
    provider.GrantJitAccessDynamicGroup(targetGroup, principal, true, TimeSpan.FromMinutes(1), out Action undo);

    // Presumably waits for the directory to materialize the new group — confirm.
    Thread.Sleep(TimeSpan.FromSeconds(20));
    Assert.IsNotNull(this.directory.GetGroup(qualifiedTtlGroup));

    undo();

    // Same settle time for the deletion to become visible.
    Thread.Sleep(TimeSpan.FromSeconds(20));
    Assert.IsFalse(this.directory.TryGetGroup(qualifiedTtlGroup, out _));
}
/// <summary>
/// Verifies that a dynamic-group grant fails closed when no dynamic group mapping exists
/// for the JIT group's domain, raising <see cref="NoDynamicGroupMappingForDomainException"/>.
/// </summary>
/// <param name="jitGroupName">Domain-qualified JIT group name.</param>
/// <param name="userName">User who would be granted access.</param>
public void ThrowOnNoMappingForDomain(string jitGroupName, string userName)
{
    IGroup targetGroup = directory.GetGroup(jitGroupName);
    targetGroup.RemoveMembers(); // known-empty starting state
    IUser principal = directory.GetUser(userName);

    // No mapping is added to options here — that absence is the condition under test.
    this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

    TestDelegate grant = () => provider.GrantJitAccessDynamicGroup(targetGroup, principal, false, TimeSpan.FromMinutes(1), out _);
    Assert.Throws<NoDynamicGroupMappingForDomainException>(grant);
}
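/// <summary>
/// Grants PAM-style JIT access and verifies the user actually appears in the JIT group's
/// principal token.
/// </summary>
/// <param name="jitGroupName">Domain-qualified JIT group name.</param>
/// <param name="userName">User who is granted access.</param>
public void AddUserToGroupPam(string jitGroupName, string userName)
{
    IGroup jitGroup = directory.GetGroup(jitGroupName);
    jitGroup.RemoveMembers(); // start from a known-empty JIT group
    IUser user = directory.GetUser(userName);

    this.provider = new JitAccessProvider(directory, logger, this.GetOptions());
    provider.GrantJitAccessPam(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);

    // Previously the membership check result was discarded, so the test could never fail
    // on a missing membership; assert it.
    Assert.IsTrue(directory.IsSidInPrincipalToken(user.Sid, jitGroup.Sid), "User should be a member of the JIT group after the PAM grant");
}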
/// <summary>
/// Verifies that the undo action returned by a PAM grant removes the user's TTL membership:
/// the grant yields a 1-minute window with a TTL at or below 60 s, and after undo the
/// user has no TTL in the group at all.
/// </summary>
/// <param name="jitGroupName">Domain-qualified JIT group name.</param>
/// <param name="computerName">Computer resolved from the directory before the grant.</param>
/// <param name="userName">User who is granted access.</param>
public void TestPamGroupAccessUndo(string jitGroupName, string computerName, string userName)
{
    IGroup targetGroup = directory.GetGroup(jitGroupName);
    targetGroup.RemoveMembers(); // known-empty starting state
    IUser principal = directory.GetUser(userName);

    // NOTE(review): the computer is resolved but not passed to the grant (null is passed in
    // that position) — presumably this only validates the fixture; confirm intent.
    IComputer computer = directory.GetComputer(computerName);

    this.provider = new JitAccessProvider(directory, logger, this.GetOptions(), discoveryServices);

    TimeSpan grantedWindow = provider.GrantJitAccessPam(targetGroup, principal, null, false, TimeSpan.FromMinutes(1), out Action undo);
    TimeSpan? ttlAfterGrant = targetGroup.GetMemberTtl(principal);

    Assert.AreEqual(1, grantedWindow.TotalMinutes);
    Assert.IsNotNull(ttlAfterGrant);
    Assert.LessOrEqual(ttlAfterGrant.Value.TotalSeconds, 60);

    undo();

    // No TTL means the membership was removed.
    Assert.IsNull(targetGroup.GetMemberTtl(principal));
}