public static AuthorizationResponse CreateAuthorizationResponse(AccessMask mask)
{
mask.ValidateAccessMask();
if (mask == AccessMask.LocalAdminPassword)
{
return(new LapsAuthorizationResponse());
}
if (mask == AccessMask.Jit)
{
return(new JitAuthorizationResponse());
}
if (mask == AccessMask.LocalAdminPasswordHistory)
{
return(new LapsHistoryAuthorizationResponse());
}
if (mask == AccessMask.BitLocker)
{
return(new BitLockerAuthorizationResponse());
}
throw new ArgumentException($"Invalid value for mask: {mask}");
}
public AuthorizationResponse GetAuthorizationResponse(IUser user, IComputer computer, AccessMask requestedAccess)
{
try
{
requestedAccess.ValidateAccessMask();
var info = this.authzBuilder.GetAuthorizationInformation(user, computer);
if (info.MatchedComputerTargets.Count == 0)
{
this.logger.LogTrace($"User {user.MsDsPrincipalName} is denied access to the password for computer {computer.MsDsPrincipalName} because the computer did not match any of the configured targets");
return(BuildAuthZResponseFailed(requestedAccess, AuthorizationResponseCode.NoMatchingRuleForComputer));
}
IList <SecurityDescriptorTarget> successTargets;
if (requestedAccess.HasFlag(AccessMask.LocalAdminPassword))
{
successTargets = info.SuccessfulLapsTargets;
}
else if (requestedAccess.HasFlag(AccessMask.LocalAdminPasswordHistory))
{
successTargets = info.SuccessfulLapsHistoryTargets;
}
else if (requestedAccess.HasFlag(AccessMask.Jit))
{
successTargets = info.SuccessfulJitTargets;
}
else
{
throw new AccessManagerException($"An invalid access mask combination was requested: {requestedAccess}");
}
if (successTargets.Count == 0 || !(info.EffectiveAccess.HasFlag(requestedAccess)))
{
this.logger.LogTrace($"User {user.MsDsPrincipalName} is denied {requestedAccess} access for computer {computer.MsDsPrincipalName}");
return(BuildAuthZResponseFailed(
requestedAccess,
AuthorizationResponseCode.NoMatchingRuleForUser,
GetNotificationRecipients(info.FailedTargets, false)));
}
else
{
var matchedTarget = successTargets[0];
this.logger.LogTrace($"User {user.MsDsPrincipalName} is authorized for {requestedAccess} access to computer {computer.MsDsPrincipalName} from target {matchedTarget.Id}");
return(BuildAuthZResponseSuccess(requestedAccess, matchedTarget, computer));
}
}
finally
{
this.authzBuilder.ClearCache(user, computer);
}
}
public async Task <AuthorizationResponse> GetAuthorizationResponse(IUser user, IComputer computer, AccessMask requestedAccess, IPAddress ip)
{
try
{
requestedAccess.ValidateAccessMask();
var info = this.authzBuilder.GetAuthorizationInformation(user, computer);
if (info.MatchedComputerTargets.Count == 0)
{
this.logger.LogTrace($"User {user.MsDsPrincipalName} is denied {requestedAccess} access to the computer {computer.MsDsPrincipalName} because the computer did not match any of the configured targets");
return(BuildAuthZResponseFailed(requestedAccess, AuthorizationResponseCode.NoMatchingRuleForComputer));
}
IList <SecurityDescriptorTarget> successTargets;
if (requestedAccess.HasFlag(AccessMask.LocalAdminPassword))
{
successTargets = info.SuccessfulLapsTargets;
}
else if (requestedAccess.HasFlag(AccessMask.LocalAdminPasswordHistory))
{
successTargets = info.SuccessfulLapsHistoryTargets;
}
else if (requestedAccess.HasFlag(AccessMask.Jit))
{
successTargets = info.SuccessfulJitTargets;
}
else if (requestedAccess.HasFlag(AccessMask.BitLocker))
{
successTargets = info.SuccessfulBitLockerTargets;
}
else
{
throw new AccessManagerException($"An invalid access mask combination was requested: {requestedAccess}");
}
var matchedTarget = successTargets?.FirstOrDefault(t => t.IsActive());
if (!info.EffectiveAccess.HasFlag(requestedAccess) || matchedTarget == null)
{
this.logger.LogTrace($"User {user.MsDsPrincipalName} is denied {requestedAccess} access for computer {computer.MsDsPrincipalName}");
return(BuildAuthZResponseFailed(
requestedAccess,
AuthorizationResponseCode.NoMatchingRuleForUser,
GetNotificationRecipients(info.FailedTargets, false)));
}
else
{
var rateLimitResult = await this.rateLimiter.GetRateLimitResult(user.Sid, ip, requestedAccess);
if (rateLimitResult.IsRateLimitExceeded)
{
return(BuildAuthZResponseRateLimitExceeded(user, computer, requestedAccess, rateLimitResult, ip, matchedTarget));
}
this.logger.LogTrace($"User {user.MsDsPrincipalName} is authorized for {requestedAccess} access to computer {computer.MsDsPrincipalName} from target {matchedTarget.Id}");
return(BuildAuthZResponseSuccess(requestedAccess, matchedTarget, computer));
}
}
finally
{
this.authzBuilder.ClearCache(user, computer);
}
}
