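        /// <summary>
        /// Grants dynamic-group JIT access and verifies that a TTL group with the generated
        /// name is created, and that the resulting group relationships are reflected in the
        /// directory's principal-token checks.
        /// </summary>
        /// <param name="groupou">Value stored as <c>GroupOU</c> of the dynamic-group mapping added for this test.</param>
        /// <param name="jitGroupName">Name of the JIT group; the text before the first backslash is reused as the TTL group's prefix.</param>
        /// <param name="userName">Name of the user that is granted access.</param>
        public void CreateDynamicGroup(string groupou, string jitGroupName, string userName)
        {
            // A fresh GUID keeps this run's TTL group from colliding with earlier runs.
            string groupname   = Guid.NewGuid().ToString();
            // Same prefix as the JIT group (everything before the first backslash).
            string fqGroupName = $"{jitGroupName.Split('\\')[0]}\\{groupname}";

            IGroup jitGroup = directory.GetGroup(jitGroupName);

            // Start from an empty JIT group so a stale membership cannot mask a failed grant.
            jitGroup.RemoveMembers();
            IUser user = directory.GetUser(userName);

            options.DynamicGroupMappings.Add(new JitDynamicGroupMapping()
            {
                Domain            = jitGroup.Sid.AccountDomainSid.ToString(),
                GroupOU           = groupou,
                GroupNameTemplate = groupname
            });

            this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

            provider.GrantJitAccessDynamicGroup(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);
            // Fixed wait before reading the new group back; presumably directory propagation time — confirm.
            Thread.Sleep(TimeSpan.FromSeconds(20));

            IGroup ttlGroup = directory.GetGroup(fqGroupName);

            Assert.IsNotNull(ttlGroup);
            Assert.AreEqual(groupname, ttlGroup.SamAccountName);

            // The token checks must be asserted: the bare calls discarded their result, so the
            // test could pass even when the user never actually received access.
            // NOTE(review): treats IsSidInPrincipalToken as returning bool — confirm against IDirectory.
            Assert.IsTrue(directory.IsSidInPrincipalToken(ttlGroup.Sid, jitGroup.Sid));
            Assert.IsTrue(directory.IsSidInPrincipalToken(user.Sid, ttlGroup.Sid));
            Assert.IsTrue(directory.IsSidInPrincipalToken(user.Sid, jitGroup.Sid));
        }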
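        /// <summary>
        /// Grants dynamic-group JIT access twice and checks that the second grant does not
        /// extend the access window: the returned duration must be no more than what is
        /// left of the first grant.
        /// </summary>
        /// <param name="groupou">Value stored as <c>GroupOU</c> of the dynamic-group mapping added for this test.</param>
        /// <param name="jitGroupName">Name of the JIT group to grant access through.</param>
        /// <param name="userName">Name of the user that is granted access.</param>
        public void TestDynamicGroupAccessExtensionNotAllowed(string groupou, string jitGroupName, string userName)
        {
            // A fresh GUID keeps this run's TTL group from colliding with earlier runs.
            // (The fully qualified TTL group name was computed here before but never read; dropped.)
            string groupname = Guid.NewGuid().ToString();

            IGroup jitGroup = directory.GetGroup(jitGroupName);

            // Start from an empty JIT group so a stale membership cannot mask a failed grant.
            jitGroup.RemoveMembers();
            IUser user = directory.GetUser(userName);

            options.DynamicGroupMappings.Add(new JitDynamicGroupMapping()
            {
                Domain            = jitGroup.Sid.AccountDomainSid.ToString(),
                GroupOU           = groupou,
                GroupNameTemplate = groupname
            });

            this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

            TimeSpan allowedAccess = provider.GrantJitAccessDynamicGroup(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);

            Assert.AreEqual(1, allowedAccess.TotalMinutes);

            // Let part of the first window elapse before asking again.
            Thread.Sleep(TimeSpan.FromSeconds(20));

            TimeSpan allowedAccess2 = provider.GrantJitAccessDynamicGroup(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);

            // After ~20 s of a 60 s grant, a non-extended window is ~40 s; 50 s leaves slack for timing.
            Assert.LessOrEqual(allowedAccess2.TotalSeconds, 50);
        }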
        /// <summary>
        /// Grants PAM-based JIT access twice and checks that the second grant — even when it
        /// asks for a longer window — cannot stretch the member TTL beyond the first one.
        /// </summary>
        /// <param name="jitGroupName">Name of the JIT group to grant access through.</param>
        /// <param name="userName">Name of the user that is granted access.</param>
        public void TestPamGroupAccessExtensionNotAllowed(string jitGroupName, string userName)
        {
            var jitGroup = directory.GetGroup(jitGroupName);

            // Clear any leftover membership so the TTL read below belongs to this grant.
            jitGroup.RemoveMembers();
            var principal = directory.GetUser(userName);

            this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

            var firstGrant = provider.GrantJitAccessPam(jitGroup, principal, false, TimeSpan.FromMinutes(1), out _);
            var memberTtl  = jitGroup.GetMemberTtl(principal);

            Assert.AreEqual(1, firstGrant.TotalMinutes);
            Assert.IsNotNull(memberTtl);
            Assert.LessOrEqual(memberTtl.Value.TotalSeconds, 60);

            Thread.Sleep(TimeSpan.FromSeconds(10));

            // Request a longer window the second time; the TTL must stay within the first one.
            var secondGrant = provider.GrantJitAccessPam(jitGroup, principal, false, TimeSpan.FromMinutes(2), out _);
            memberTtl = jitGroup.GetMemberTtl(principal);

            Assert.IsNotNull(memberTtl);
            Assert.LessOrEqual(memberTtl.Value.TotalSeconds, 60);
            Assert.LessOrEqual(secondGrant.TotalSeconds, 60);
        }
        /// <summary>
        /// Grants dynamic-group JIT access, confirms the TTL group exists, then runs the
        /// returned undo action and confirms the TTL group is gone afterwards.
        /// </summary>
        /// <param name="groupou">Value stored as <c>GroupOU</c> of the dynamic-group mapping added for this test.</param>
        /// <param name="jitGroupName">Name of the JIT group; the text before the first backslash is reused as the TTL group's prefix.</param>
        /// <param name="userName">Name of the user that is granted access.</param>
        public void TestDynamicGroupAccessUndo(string groupou, string jitGroupName, string userName)
        {
            // Unique per run so the lookup below cannot hit a group left by an earlier test.
            var ttlGroupName = Guid.NewGuid().ToString();
            var domainPrefix = jitGroupName.Split('\\')[0];
            var fqGroupName  = $"{domainPrefix}\\{ttlGroupName}";

            var jitGroup = directory.GetGroup(jitGroupName);

            jitGroup.RemoveMembers();
            var principal = directory.GetUser(userName);

            var mapping = new JitDynamicGroupMapping()
            {
                Domain            = jitGroup.Sid.AccountDomainSid.ToString(),
                GroupOU           = groupou,
                GroupNameTemplate = ttlGroupName
            };
            options.DynamicGroupMappings.Add(mapping);

            this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

            // Third argument is true here, unlike the other dynamic-group tests — its meaning is not visible in this file; confirm.
            provider.GrantJitAccessDynamicGroup(jitGroup, principal, true, TimeSpan.FromMinutes(1), out Action undo);

            var settleTime = TimeSpan.FromSeconds(20);
            Thread.Sleep(settleTime);

            Assert.IsNotNull(this.directory.GetGroup(fqGroupName));

            // Undo must remove the TTL group; a lingering group would keep the access path alive.
            undo();

            Thread.Sleep(settleTime);
            Assert.IsFalse(this.directory.TryGetGroup(fqGroupName, out _));
        }
        /// <summary>
        /// Verifies that a dynamic-group grant fails closed: with no dynamic-group mapping
        /// configured for the JIT group's domain, the provider must throw rather than grant.
        /// </summary>
        /// <param name="jitGroupName">Name of the JIT group whose domain has no mapping.</param>
        /// <param name="userName">Name of the user the grant is attempted for.</param>
        public void ThrowOnNoMappingForDomain(string jitGroupName, string userName)
        {
            var jitGroup = directory.GetGroup(jitGroupName);

            jitGroup.RemoveMembers();
            var principal = directory.GetUser(userName);

            // Note: no DynamicGroupMappings entry is added before the provider is built.
            this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

            var requested = TimeSpan.FromMinutes(1);

            Assert.Throws<NoDynamicGroupMappingForDomainException>(
                () => provider.GrantJitAccessDynamicGroup(jitGroup, principal, false, requested, out _));
        }
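        /// <summary>
        /// Grants PAM-based JIT access and verifies that the user now resolves through the
        /// JIT group in the directory's principal-token check.
        /// </summary>
        /// <param name="jitGroupName">Name of the JIT group to grant access through.</param>
        /// <param name="userName">Name of the user that is granted access.</param>
        public void AddUserToGroupPam(string jitGroupName, string userName)
        {
            IGroup jitGroup = directory.GetGroup(jitGroupName);

            // Start from an empty JIT group so a stale membership cannot mask a failed grant.
            jitGroup.RemoveMembers();
            IUser user = directory.GetUser(userName);

            this.provider = new JitAccessProvider(directory, logger, this.GetOptions());

            provider.GrantJitAccessPam(jitGroup, user, false, TimeSpan.FromMinutes(1), out _);

            // Assert the token check: the bare call discarded its result, so this test could
            // never fail even if the grant had no effect.
            // NOTE(review): treats IsSidInPrincipalToken as returning bool — confirm against IDirectory.
            Assert.IsTrue(directory.IsSidInPrincipalToken(user.Sid, jitGroup.Sid));
        }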
        /// <summary>
        /// Grants PAM-based JIT access, checks the granted window and member TTL, then runs
        /// the returned undo action and confirms no TTL (and so no membership) remains.
        /// </summary>
        /// <param name="jitGroupName">Name of the JIT group to grant access through.</param>
        /// <param name="computerName">Name of a computer that is looked up in the directory before the grant.</param>
        /// <param name="userName">Name of the user that is granted access.</param>
        public void TestPamGroupAccessUndo(string jitGroupName, string computerName, string userName)
        {
            var jitGroup = directory.GetGroup(jitGroupName);

            jitGroup.RemoveMembers();
            var principal = directory.GetUser(userName);
            // NOTE(review): the computer is looked up but the grant below passes null in its place,
            // so this call only checks that the computer resolves — confirm whether that is intended.
            var computer = directory.GetComputer(computerName);

            this.provider = new JitAccessProvider(directory, logger, this.GetOptions(), discoveryServices);

            var granted   = provider.GrantJitAccessPam(jitGroup, principal, null, false, TimeSpan.FromMinutes(1), out Action undo);
            var memberTtl = jitGroup.GetMemberTtl(principal);

            Assert.AreEqual(1, granted.TotalMinutes);
            Assert.IsNotNull(memberTtl);
            Assert.LessOrEqual(memberTtl.Value.TotalSeconds, 60);

            // Undo must revoke immediately: a null TTL means no time-bound membership is left behind.
            undo();
            Assert.IsNull(jitGroup.GetMemberTtl(principal));
        }