public ActionResult _RequestAccess(AccessRequestModel model)
{
if (!ModelState.IsValid)
{
return(Json(new { success = false, message = ModelState.GetErrors() }));
}
const string subject = "CED Access Request";
var recipient = WebConfigHelper.AdminEmails; // WebConfigHelper.HelpDeskUserName;
var body = "Message: " + model.AdditionalNotes;
body += "<br><br>Events: " + model.EventNames;
body += "<br>Office: " + model.OfficeName;
body += "<br>Sender: " + model.FirstName + " " + model.LastName;
try
{
new EmailHelper().SendEmail(subject, body, recipient);
// EMAIL LOGGING
LogEmail(null, recipient, body, null, "_RequestAccess");
return(Json(new { success = true }));
}
catch (Exception exc)
{
var log = CreateInternalLog(exc);
ExternalLogHelper.Log(log, LoggingEventType.Error);
return(Json(new { success = false, message = exc.Message }));
}
}
public AccessRequestModel CreateRequest([FromBody] CreationAccessRequestModel model)
{
AccessRequestModel result = default(AccessRequestModel);
Execute(() =>
{
var resources =
Mapper.Map <IEnumerable <AccessibleResourceModel>, IEnumerable <AccessibleResource> >(
model.RequestedResources);
var requester = GetCurrentUser();
var request = _accessRequestService.MakeRequest(
model.RequestSubject, model.RequestMessage, resources, requester);
var mappedRequest = Mapper.Map <AccessRequest, AccessRequestModel>(request);
return(mappedRequest);
}, onSuccess: m =>
{
result = m;
}, onFail: e =>
{
ThrowInternalServerError(e.Message);
});
return(result);
}
private bool TryGetComputer(AccessRequestModel model, IUser user, out IComputer computer, out IActionResult failure)
{
computer = null;
failure = null;
try
{
computer = this.directory.GetComputer(model.ComputerName) ?? throw new ObjectNotFoundException();
return(true);
}
catch (AmbiguousNameException ex)
{
this.logger.LogEventError(EventIDs.ComputerNameAmbiguous, string.Format(LogMessages.ComputerNameAmbiguous, user.MsDsPrincipalName, model.ComputerName), ex);
model.FailureReason = UIMessages.ComputerNameAmbiguous;
failure = this.View("AccessRequest", model);
}
catch (ObjectNotFoundException ex)
{
this.logger.LogEventError(EventIDs.ComputerNotFoundInDirectory, string.Format(LogMessages.ComputerNotFoundInDirectory, user.MsDsPrincipalName, model.ComputerName), ex);
model.FailureReason = UIMessages.ComputerNotFoundInDirectory;
failure = this.View("AccessRequest", model);
}
catch (Exception ex)
{
this.logger.LogEventError(EventIDs.ComputerDiscoveryError, string.Format(LogMessages.ComputerDiscoveryError, user.MsDsPrincipalName, model.ComputerName), ex);
model.FailureReason = UIMessages.ComputerDiscoveryError;
failure = this.View("AccessRequest", model);
}
return(false);
}
private IActionResult GetLapsPassword(AccessRequestModel model, IUser user, IComputer computer, LapsAuthorizationResponse authResponse)
{
try
{
DateTime?newExpiry = authResponse.ExpireAfter.Ticks > 0 ? DateTime.UtcNow.Add(authResponse.ExpireAfter) : (DateTime?)null;
PasswordEntry current = this.passwordProvider.GetCurrentPassword(computer, newExpiry, authResponse.RetrievalLocation);
if (current == null)
{
throw new NoPasswordException();
}
this.reporting.GenerateAuditEvent(new AuditableAction
{
AuthzResponse = authResponse,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
IsSuccess = true,
User = user,
Computer = computer,
EventID = EventIDs.ComputerPasswordActiveAccessGranted,
ComputerExpiryDate = current.ExpiryDate?.ToLocalTime().ToString(CultureInfo.CurrentUICulture)
});
return(this.View("AccessResponseCurrentPassword", new CurrentPasswordModel()
{
ComputerName = computer.MsDsPrincipalName,
Password = current.Password,
ValidUntil = current.ExpiryDate?.ToLocalTime(),
}));
}
catch (NoPasswordException)
{
this.logger.LogEventError(EventIDs.LapsPasswordNotPresent, string.Format(LogMessages.NoLapsPassword, computer.MsDsPrincipalName, user.MsDsPrincipalName));
model.FailureReason = UIMessages.NoLapsPassword;
return(this.View("AccessResponseNoPasswords", new NoPasswordModel
{
Heading = UIMessages.HeadingPasswordDetails,
Message = UIMessages.NoLapsPassword,
ComputerName = computer.MsDsPrincipalName
}));
}
catch (Exception ex)
{
this.logger.LogEventError(EventIDs.LapsPasswordError, string.Format(LogMessages.LapsPasswordError, computer.MsDsPrincipalName, user.MsDsPrincipalName), ex);
return(this.View("AccessRequestError", new ErrorModel
{
Heading = UIMessages.UnableToProcessRequest,
Message = UIMessages.LapsPasswordError
}));
}
}
private IActionResult GetLapsPasswordHistory(AccessRequestModel model, IUser user, IComputer computer, LapsHistoryAuthorizationResponse authResponse)
{
try
{
IList <PasswordEntry> history;
try
{
history = this.passwordProvider.GetPasswordHistory(computer);
if (history == null)
{
throw new NoPasswordException();
}
}
catch (NoPasswordException)
{
this.logger.LogEventError(EventIDs.NoLapsPasswordHistory, string.Format(LogMessages.NoLapsPasswordHistory, computer.MsDsPrincipalName, user.MsDsPrincipalName));
return(this.View("AccessResponseNoPasswords", new NoPasswordModel
{
Heading = UIMessages.HeadingPasswordDetails,
Message = UIMessages.NoLapsPasswordHistory,
ComputerName = computer.MsDsPrincipalName
}));
}
this.reporting.GenerateAuditEvent(new AuditableAction
{
AuthzResponse = authResponse,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
IsSuccess = true,
User = user,
Computer = computer,
EventID = EventIDs.ComputerPasswordHistoryAccessGranted
});
return(this.View("AccessResponsePasswordHistory", new PasswordHistoryModel
{
ComputerName = computer.MsDsPrincipalName,
PasswordHistory = history
}));
}
catch (Exception ex)
{
this.logger.LogEventError(EventIDs.LapsPasswordHistoryError, string.Format(LogMessages.LapsPasswordHistoryError, computer.MsDsPrincipalName, user.MsDsPrincipalName), ex);
return(this.View("AccessRequestError", new ErrorModel
{
Heading = UIMessages.UnableToProcessRequest,
Message = UIMessages.LapsPasswordHistoryError
}));
}
}
private IActionResult GetAuthorizationResponse(AccessRequestModel model, IUser user, IComputer computer)
{
try
{
// Do authorization check first.
AuthorizationResponse authResponse = this.authorizationService.GetAuthorizationResponse(user, computer, model.RequestType);
if (!authResponse.IsAuthorized())
{
this.AuditAuthZFailure(model, authResponse, user, computer);
model.FailureReason = UIMessages.NotAuthorized;
return(this.View("AccessRequest", model));
}
// Do actual work only if authorized.
if (authResponse.EvaluatedAccess == AccessMask.Laps)
{
return(this.GetLapsPassword(model, user, computer, (LapsAuthorizationResponse)authResponse));
}
else if (authResponse.EvaluatedAccess == AccessMask.LapsHistory)
{
return(this.GetLapsPasswordHistory(model, user, computer, (LapsHistoryAuthorizationResponse)authResponse));
}
else if (authResponse.EvaluatedAccess == AccessMask.Jit)
{
return(this.GrantJitAccess(model, user, computer, (JitAuthorizationResponse)authResponse));
}
else
{
throw new AccessManagerException(@"The evaluated access response mask was not supported");
}
}
catch (AuditLogFailureException ex)
{
this.logger.LogEventError(EventIDs.AuthZFailedAuditError, string.Format(LogMessages.AuthZFailedAuditError, user.MsDsPrincipalName, model.ComputerName), ex);
return(this.View("Error", new ErrorModel
{
Heading = UIMessages.AccessDenied,
Message = UIMessages.AuthZFailedAuditError
}));
}
catch (Exception ex)
{
this.logger.LogEventError(EventIDs.AuthZError, string.Format(LogMessages.AuthZError, user.MsDsPrincipalName, computer.MsDsPrincipalName), ex);
return(this.View("Error", new ErrorModel
{
Heading = UIMessages.UnableToProcessRequest,
Message = UIMessages.AuthZError
}));
}
}
private IActionResult GrantJitAccess(AccessRequestModel model, IUser user, IComputer computer, JitAuthorizationResponse authResponse)
{
Action undo = null;
try
{
TimeSpan grantedAccessLength = this.jitAccessProvider.GrantJitAccess(this.directory.GetGroup(authResponse.AuthorizingGroup), user, authResponse.AllowExtension, authResponse.ExpireAfter, out undo);
DateTime expiryDate = DateTime.Now.Add(grantedAccessLength);
this.reporting.GenerateAuditEvent(new AuditableAction
{
AuthzResponse = authResponse,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
IsSuccess = true,
User = user,
Computer = computer,
EventID = EventIDs.ComputerJitAccessGranted,
ComputerExpiryDate = expiryDate.ToString(CultureInfo.CurrentCulture)
});
var jitDetails = new JitDetailsModel(computer.MsDsPrincipalName, user.MsDsPrincipalName, expiryDate);
return(this.View("Jit", jitDetails));
}
catch (Exception ex)
{
if (undo != null)
{
this.logger.LogEventWarning(EventIDs.JitRollbackInProgress, LogMessages.JitRollbackInProgress, ex);
try
{
undo();
}
catch (Exception ex2)
{
this.logger.LogEventError(EventIDs.JitRollbackFailed, LogMessages.JitRollbackFailed, ex2);
}
}
this.logger.LogEventError(EventIDs.JitError, string.Format(LogMessages.JitError, computer.MsDsPrincipalName, user.MsDsPrincipalName), ex);
ErrorModel errorModel = new ErrorModel
{
Heading = UIMessages.UnableToGrantAccess,
Message = UIMessages.JitError
};
return(this.View("Error", errorModel));
}
}
public IActionResult AccessResponse(AccessRequestModel model)
{
model.ShowReason = this.userInterfaceSettings.UserSuppliedReason != AuditReasonFieldState.Hidden;
model.ReasonRequired = this.userInterfaceSettings.UserSuppliedReason == AuditReasonFieldState.Required;
model.RequestType = model.RequestType == 0 ? AccessMask.Laps : model.RequestType;
if (!this.ModelState.IsValid)
{
return(this.View("AccessRequest", model));
}
IUser user = null;
IComputer computer = null;
model.FailureReason = null;
try
{
if (!TryGetUser(out user, out IActionResult actionResult))
{
return(actionResult);
}
this.logger.LogEventSuccess(EventIDs.UserRequestedAccessToComputer, string.Format(LogMessages.UserHasRequestedAccessToComputer, user.MsDsPrincipalName, model.ComputerName));
if (!ValidateRateLimit(model, user, out actionResult))
{
return(actionResult);
}
if (!ValidateRequestReason(model, user, out actionResult))
{
return(actionResult);
}
if (!TryGetComputer(model, user, out computer, out actionResult))
{
return(actionResult);
}
return(GetAuthorizationResponse(model, user, computer));
}
catch (Exception ex)
{
this.logger.LogEventError(EventIDs.UnexpectedError, string.Format(LogMessages.UnhandledError, computer?.MsDsPrincipalName, user?.MsDsPrincipalName), ex);
return(this.View("Error", new ErrorModel
{
Heading = UIMessages.UnableToProcessRequest,
Message = UIMessages.UnexpectedError
}));
}
}
private bool ValidateRequestReason(AccessRequestModel model, IUser user, out IActionResult actionResult)
{
actionResult = null;
if (string.IsNullOrWhiteSpace(model.UserRequestReason) && this.userInterfaceSettings.UserSuppliedReason == AuditReasonFieldState.Required)
{
logger.LogEventError(EventIDs.ReasonRequired, string.Format(LogMessages.ReasonRequired, user.MsDsPrincipalName));
model.FailureReason = UIMessages.ReasonRequired;
actionResult = this.View("AccessRequest", model);
return(false);
}
return(true);
}
private bool ValidateRateLimit(AccessRequestModel model, IUser user, out IActionResult view)
{
view = null;
var rateLimitResult = this.rateLimiter.GetRateLimitResult(user.Sid.ToString(), this.Request);
if (rateLimitResult.IsRateLimitExceeded)
{
this.LogRateLimitEvent(model, user, rateLimitResult);
view = this.View("RateLimitExceeded");
return(false);
}
return(true);
}
private IActionResult GetPreAuthorizationResponse(AccessRequestModel model, IUser user, IComputer computer)
{
try
{
AuthorizationResponse authResponse = this.authorizationService.GetPreAuthorization(user, computer);
if (!authResponse.IsAuthorized())
{
this.AuditAuthZFailure(model, authResponse, user, computer);
return(this.View("AccessRequestError", new ErrorModel
{
Heading = UIMessages.AccessDenied,
Message = UIMessages.NotAuthorized
}));
}
model.AllowedRequestTypes = authResponse.EvaluatedAccess;
if (model.AllowedRequestTypes.HasFlag(AccessMask.LocalAdminPassword))
{
model.RequestType = AccessMask.LocalAdminPassword;
}
else if (model.AllowedRequestTypes.HasFlag(AccessMask.LocalAdminPasswordHistory))
{
model.RequestType = AccessMask.LocalAdminPasswordHistory;
}
else
{
model.RequestType = AccessMask.Jit;
}
model.ComputerName = computer.MsDsPrincipalName;
return(this.View("AccessRequestType", model));
}
catch (Exception ex)
{
this.logger.LogEventError(EventIDs.PreAuthZError, string.Format(LogMessages.PreAuthZError, user.MsDsPrincipalName, computer.MsDsPrincipalName), ex);
return(this.View("AccessRequestError", new ErrorModel
{
Heading = UIMessages.UnableToProcessRequest,
Message = UIMessages.PreAuthZError
}));
}
}
public ServiceResponse RequestAccess(AccessRequestModel model)
{
DateTime startTime = DateTime.Now;
var userFacade = this.Container.GetInstance <UserFacade>();
try
{
var url = ConfigurationManager.AppSettings[Constants.ConfigurationConstants.Url];
userFacade.RequestAccess(url, model.Record, base.Email);
base.LogMessage("RequestAccess", DateTime.Now - startTime);
return(new ServiceResponse());
}
catch (Exception ex)
{
return(base.HandleException(ex));
}
}
private void AuditAuthZFailure(AccessRequestModel model, AuthorizationResponse authorizationResponse, IUser user, IComputer computer)
{
AuditableAction action = new AuditableAction
{
AuthzResponse = authorizationResponse,
User = user,
Computer = computer,
IsSuccess = false,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
EvaluatedAccess = GetEvaluatedAccessDescription(authorizationResponse.EvaluatedAccess),
Message = authorizationResponse.Code switch
{
AuthorizationResponseCode.IpRateLimitExceeded => LogMessages.AuthZResponseIpRateLimitExceeded,
AuthorizationResponseCode.UserRateLimitExceeded => LogMessages.AuthZResponseUserRateLimitExceeded,
AuthorizationResponseCode.ExplicitlyDenied => LogMessages.AuthZResponseExplicitlyDenied,
AuthorizationResponseCode.NoMatchingRuleForComputer => LogMessages.AuthZResponseNoMatchingRuleForComputer,
AuthorizationResponseCode.NoMatchingRuleForUser => LogMessages.AuthZResponseNoMatchingRuleForUser,
_ => LogMessages.AuthZResponseFallback,
},
private bool ValidateRateLimit(AccessRequestModel model, IUser user, out IActionResult view)
{
view = null;
var rateLimitResult = this.rateLimiter.GetRateLimitResult(user.Sid.ToString(), this.Request);
if (rateLimitResult.IsRateLimitExceeded)
{
this.LogRateLimitEvent(model, user, rateLimitResult);
var errorModel = new ErrorModel
{
Message = UIMessages.RateLimitError,
Heading = "Too many requests"
};
view = this.View("AccessRequestError", errorModel);
return(false);
}
return(true);
}
private void AuditAuthZFailure(AccessRequestModel model, AuthorizationResponse authorizationResponse, IUser user, IComputer computer)
{
AuditableAction action = new AuditableAction
{
AuthzResponse = authorizationResponse,
User = user,
Computer = computer,
IsSuccess = false,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
Message = string.Format(LogMessages.AuthorizationFailed, user.MsDsPrincipalName, model.ComputerName),
EventID = authorizationResponse.Code switch
{
AuthorizationResponseCode.NoMatchingRuleForComputer => EventIDs.AuthZFailedNoTargetMatch,
AuthorizationResponseCode.NoMatchingRuleForUser => EventIDs.AuthZFailedNoReaderPrincipalMatch,
AuthorizationResponseCode.ExplicitlyDenied => EventIDs.AuthZExplicitlyDenied,
_ => EventIDs.AuthZFailed,
}
};
this.reporting.GenerateAuditEvent(action);
}
private void LogRateLimitEvent(AccessRequestModel model, IUser user, RateLimitResult rateLimitResult)
{
AuditableAction action = new AuditableAction
{
User = user,
IsSuccess = false,
RequestedComputerName = model.ComputerName,
RequestReason = model.UserRequestReason,
};
if (rateLimitResult.IsUserRateLimit)
{
action.EventID = EventIDs.RateLimitExceededUser;
action.Message = string.Format(LogMessages.RateLimitExceededUser, user.MsDsPrincipalName, rateLimitResult.IPAddress, rateLimitResult.Threshold, rateLimitResult.Duration);
}
else
{
action.EventID = EventIDs.RateLimitExceededIP;
action.Message = string.Format(LogMessages.RateLimitExceededIP, user.MsDsPrincipalName, rateLimitResult.IPAddress, rateLimitResult.Threshold, rateLimitResult.Duration);
}
this.reporting.GenerateAuditEvent(action);
}
public HttpResponseMessage GetStudents(AccessRequestModel model)
{
return(Request.CreateResponse(HttpStatusCode.OK, this.userManager.GetStudents(model.TestID, model.Group)));
}
