public bool InitActiveRolesClient()
{
Log.Info("Initializing Active Roles Client");
if (Config.ARSGJitAccessAttribute == null)
{
Log.Error("Bad configuration. ARSGJitProvisioningAttribute must be set");
return(false);
}
Log.Info("Using ARSGJitProvisioningAttribute: " + Config.ARSGJitAccessAttribute);
if (Config.ActiveRolesUsername == null)
{
Log.Info("Authenticating to Active Roles using current windows identity: " + WindowsIdentity.GetCurrent().Name);
ActiveRolesClient = new ActiveRolesDirectoryServicesClient();
}
else
{
Log.Info("Authenticating to Active Roles using username/password for: " + Config.ActiveRolesUsername);
ActiveRolesClient = new ActiveRolesDirectoryServicesClient(Config.ActiveRolesUsername, Config.ActiveRolesPassword);
}
try
{
ActiveRolesClient.GetAttributeSchemaOmSyntax(Config.ARSGJitAccessAttribute);
}
catch (ActiveRolesClientException e)
{
Log.Error(e.Message);
return(false);
}
return(true);
}
void HandleAccessRequestEvent(string eventName, string eventBody)
{
var accessRequestEvent = JsonConvert.DeserializeObject <AccessRequestEvent>(eventBody);
Log.Debug($"Recieved event: {eventName}, AssetId: {accessRequestEvent.AssetId}, AccountId: {accessRequestEvent.AccountId}");
var assetAccount = SafeguardClient.GetAssetAccount(accessRequestEvent.AccountId);
if (assetAccount.PlatformType == "MicrosoftAD")
{
if (eventName == "AccessRequestAvailable")
{
ActiveRolesClient.SetObjectAttribute(assetAccount.DistinguishedName, Config.ARSGJitAccessAttribute, "true");
Log.Info($"Grant access for: {assetAccount.DistinguishedName}. Set {Config.ARSGJitAccessAttribute} = true.");
}
else
{
ActiveRolesClient.SetObjectAttribute(assetAccount.DistinguishedName, Config.ARSGJitAccessAttribute, "false");
Log.Info($"Revoke access for: {assetAccount.DistinguishedName}. Set {Config.ARSGJitAccessAttribute} = false.");
}
}
else
{
Log.Debug($"Ignored event for {assetAccount.Name}, because PlatformType is: {assetAccount.PlatformType}");
}
}
