/// <summary>
/// Grants a user time-limited (PAM) membership of a JIT group. If the user already holds a
/// membership and is not allowed to extend it, nothing is changed and the remaining TTL is returned.
/// </summary>
/// <param name="group">The JIT group to add the user to.</param>
/// <param name="user">The user requesting access.</param>
/// <param name="canExtend">Whether an existing membership may be re-issued with <paramref name="requestedExpiry"/>.</param>
/// <param name="requestedExpiry">The membership TTL to request.</param>
/// <param name="undo">Set to an action that removes the membership again; a no-op when nothing was changed.</param>
/// <returns>The TTL now in effect for the membership.</returns>
public TimeSpan GrantJitAccessPam(IGroup group, IUser user, bool canExtend, TimeSpan requestedExpiry, out Action undo)
{
    TimeSpan? currentTtl = group.GetMemberTtl(user);

    if (currentTtl is TimeSpan remaining)
    {
        this.logger.LogTrace("User {user} is already a member of {group} with {ttl} left remaining on their membership", user.MsDsPrincipalName, group.MsDsPrincipalName, remaining);

        if (!canExtend)
        {
            // Nothing was written to the directory, so there is nothing to roll back.
            this.logger.LogTrace("User {user} is not allowed to extend their access window in group {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
            undo = () => { };
            return remaining;
        }
    }

    group.AddMember(user, requestedExpiry);
    this.logger.LogInformation(EventIDs.JitPamAccessGranted, "User {user} was added to group {group} with a membership expiry of {ttl}", user.MsDsPrincipalName, group.MsDsPrincipalName, requestedExpiry);

    undo = () =>
    {
        this.logger.LogTrace("Rolling back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
        group.RemoveMember(user);
        this.logger.LogInformation(EventIDs.JitPamAccessRevoked, "Rolled back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
    };

    return requestedExpiry;
}
/// <summary>
/// Verifies that a time-limited cross-forest membership is visible (by SID DN) while its
/// TTL is running and is gone once the TTL has expired.
/// </summary>
/// <param name="groupName">Name of the group to add the member to.</param>
/// <param name="memberName">Name of the user to add.</param>
public void TestTimeBasedMembershipCrossForest(string groupName, string memberName)
{
    var membershipTtl = TimeSpan.FromSeconds(10);
    IGroup targetGroup = this.directory.GetGroup(groupName);
    ISecurityPrincipal member = this.directory.GetUser(memberName);

    targetGroup.AddMember(member, membershipTtl);

    // Well inside the TTL window the membership must be present...
    Thread.Sleep(TimeSpan.FromSeconds(5));
    Assert.IsTrue(IsSidDnInGroup(targetGroup, member), "The user was not found in the group");

    // ...and well past it (20 s after adding) it must have been removed.
    Thread.Sleep(TimeSpan.FromSeconds(15));
    Assert.IsFalse(IsSidDnInGroup(targetGroup, member), "The user was still in the group");
}
/// <summary>
/// Verifies that a time-limited intra-forest membership appears in the group's member DNs
/// while its TTL is running and disappears once the TTL has expired.
/// </summary>
/// <param name="groupName">Name of the group to add the member to.</param>
/// <param name="memberName">Name of the user to add.</param>
public void TestTimeBasedMembershipIntraForest(string groupName, string memberName)
{
    var membershipTtl = TimeSpan.FromSeconds(10);
    IGroup targetGroup = this.directory.GetGroup(groupName);
    ISecurityPrincipal member = this.directory.GetUser(memberName);

    targetGroup.AddMember(member, membershipTtl);

    // Well inside the TTL window the DN must be listed...
    Thread.Sleep(TimeSpan.FromSeconds(5));
    CollectionAssert.Contains(targetGroup.GetMemberDNs(), member.DistinguishedName);

    // ...and well past it (20 s after adding) it must no longer be listed.
    Thread.Sleep(TimeSpan.FromSeconds(15));
    CollectionAssert.DoesNotContain(targetGroup.GetMemberDNs(), member.DistinguishedName);
}
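/// <summary>
/// Grants JIT access by placing the user in a per-request dynamic (TTL) group that is in
/// turn made a member of the JIT group. The dynamic group is created when it does not exist
/// yet; an existing one has its TTL extended only when <paramref name="canExtend"/> is set.
/// </summary>
/// <param name="group">The JIT group the user wants to become a member of.</param>
/// <param name="user">The user requesting access.</param>
/// <param name="canExtend">Whether an existing dynamic group's TTL may be extended to <paramref name="requestedExpiry"/>.</param>
/// <param name="requestedExpiry">The requested TTL.</param>
/// <param name="undo">Set to an action that deletes the dynamic group by its computed name.</param>
/// <returns>
/// <paramref name="requestedExpiry"/>, or the existing dynamic group's remaining TTL (zero when
/// it has none) if the group already existed and could not be extended.
/// </returns>
public TimeSpan GrantJitAccessDynamicGroup(IGroup group, IUser user, bool canExtend, TimeSpan requestedExpiry, out Action undo)
{
    JitDynamicGroupMapping mapping = this.FindDomainMapping(group);
    string groupName = this.BuildGroupSamAccountName(mapping, user, group);
    string description = this.BuildGroupDescription(mapping);
    string fqGroupName = $"{this.BuildGroupDomain(group)}\\{groupName}";
    TimeSpan grantedExpiry = requestedExpiry;

    this.logger.LogTrace("Processing request to have {user} added to the JIT group {group} via dynamicObject {dynamicGroup}", user.MsDsPrincipalName, group.MsDsPrincipalName, fqGroupName);

    if (this.directory.TryGetGroup(fqGroupName, out IGroup dynamicGroup))
    {
        this.logger.LogTrace("Dynamic group {dynamicGroup} already exists in the directory with a remaining ttl of {ttl}", dynamicGroup.MsDsPrincipalName, dynamicGroup.EntryTtl);

        if (!canExtend)
        {
            this.logger.LogTrace("User {user} is not permitted to extend the access, so the ttl will remain unchanged", user.MsDsPrincipalName);
            // The caller is told the TTL that is actually in effect, not the one requested.
            grantedExpiry = dynamicGroup.EntryTtl ?? new TimeSpan();
        }
        else
        {
            dynamicGroup.ExtendTtl(requestedExpiry);
            // Log message fixed: previously read "the ttl will was updated".
            this.logger.LogTrace("User {user} is permitted to extend the access, so the ttl was updated to {ttl}", user.MsDsPrincipalName, requestedExpiry);
        }
    }
    else
    {
        this.logger.LogTrace("Creating a new dynamic group {groupName} in {ou} with ttl of {ttl}", groupName, mapping.GroupOU, grantedExpiry);
        dynamicGroup = this.directory.CreateTtlGroup(groupName, groupName, description, mapping.GroupOU, grantedExpiry);
        this.logger.LogInformation(EventIDs.JitDynamicGroupCreated, "Created a new dynamic group {groupName} in {ou} with ttl of {ttl}", groupName, mapping.GroupOU, grantedExpiry);
    }

    // Both memberships are (re)applied regardless of whether the dynamic group pre-existed.
    this.logger.LogTrace("Adding user {user} to dynamic group {dynamicGroup}", user.MsDsPrincipalName, dynamicGroup.MsDsPrincipalName);
    dynamicGroup.AddMember(user);

    this.logger.LogTrace("Adding dynamic group {dynamicGroup} to the JIT group {jitGroup}", dynamicGroup.MsDsPrincipalName, group.MsDsPrincipalName);
    group.AddMember(dynamicGroup);

    // NOTE(review): the rollback deletes the dynamic group by name even when it existed before
    // this call (i.e. it revokes any earlier grant as well) — confirm that fail-closed behaviour is intended.
    undo = () =>
    {
        this.logger.LogTrace("Rolling back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
        this.directory.DeleteGroup(fqGroupName);
        this.logger.LogInformation(EventIDs.JitDynamicGroupDeleted, "Rolled back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
    };

    return grantedExpiry;
}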
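/// <summary>
/// Creates a short-lived TTL group, adds a user to it and verifies the membership is listed.
/// The group is removed in a finally block so that a failing assertion (or a failing
/// GetGroup/GetUser call) does not leave the test object behind in the directory.
/// </summary>
public void AddGroupMemberToTtlGroup()
{
    string groupName = TestContext.CurrentContext.Random.GetString(10, "abcdefghijklmnop");
    string fqGroupName = $"IDMDEV1\\{groupName}";

    this.directory.CreateTtlGroup(groupName, groupName, "TTL test group 2", "OU=Laps Testing,DC=idmdev1,DC=local", TimeSpan.FromMinutes(1));

    try
    {
        // Presumably gives the new object time to become visible before it is read back — TODO confirm.
        Thread.Sleep(20000);

        IGroup group = this.directory.GetGroup(fqGroupName);
        ISecurityPrincipal user = this.directory.GetUser("IDMDEV1\\user1");

        group.AddMember(user);

        CollectionAssert.Contains(group.GetMemberDNs(), user.DistinguishedName);
    }
    finally
    {
        // Clean up even when the assertion fails; the 1-minute TTL would otherwise be the only safety net.
        this.directory.DeleteGroup(fqGroupName);
    }
}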
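/// <summary>
/// Creates a short-lived domain-local TTL group on a located DC, adds a user to it and
/// verifies the membership is listed. The group is removed in a finally block so that a
/// failing assertion (or a failing GetGroup/GetUser call) does not leave the test object behind.
/// </summary>
public void AddGroupMemberToTtlGroup()
{
    string groupName = TestContext.CurrentContext.Random.GetString(10, "abcdefghijklmnop");
    string fqGroupName = $"{C.Dev}\\{groupName}";
    string dc = discoveryServices.GetDomainController(C.DevLocal);

    this.directory.CreateTtlGroup(groupName, groupName, "TTL test group 2", C.AmsTesting_DevDN, dc, TimeSpan.FromMinutes(1), GroupType.DomainLocal, true);

    try
    {
        // Presumably gives the new object time to become visible before it is read back — TODO confirm.
        Thread.Sleep(20000);

        IGroup group = this.directory.GetGroup(fqGroupName);
        ISecurityPrincipal user = this.directory.GetUser(C.DEV_User1);

        group.AddMember(user);

        CollectionAssert.Contains(group.GetMemberDNs(), user.DistinguishedName);
    }
    finally
    {
        // Clean up even when the assertion fails; the 1-minute TTL would otherwise be the only safety net.
        this.directory.DeleteGroup(fqGroupName);
    }
}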
/// <summary>
/// Grants a user time-limited (PAM) membership of a JIT group, performing the write against a
/// writable DC located for the group's domain (with retry). If the user already holds a
/// membership and is not allowed to extend it, nothing is changed and the remaining TTL is returned.
/// </summary>
/// <param name="group">The JIT group to add the user to.</param>
/// <param name="user">The user requesting access.</param>
/// <param name="dcLocatorTarget">Locator target handed to <c>FindDcAndExecuteWithRetry</c>.</param>
/// <param name="canExtend">Whether an existing membership may be re-issued with <paramref name="requestedExpiry"/>.</param>
/// <param name="requestedExpiry">The membership TTL to request.</param>
/// <param name="undo">Set to an action that removes the membership again; a no-op when nothing was changed.</param>
/// <returns>The TTL now in effect for the membership.</returns>
public TimeSpan GrantJitAccessPam(IGroup group, IUser user, string dcLocatorTarget, bool canExtend, TimeSpan requestedExpiry, out Action undo)
{
    // NOTE(review): this read happens before RetargetToDc below, so it may be answered by a
    // different DC than the one that performs the write — confirm that is intended.
    TimeSpan? currentTtl = group.GetMemberTtl(user);

    if (currentTtl is TimeSpan remaining)
    {
        this.logger.LogTrace("User {user} is already a member of {group} with {ttl} left remaining on their membership", user.MsDsPrincipalName, group.MsDsPrincipalName, remaining);

        if (!canExtend)
        {
            // Nothing was written to the directory, so there is nothing to roll back.
            this.logger.LogTrace("User {user} is not allowed to extend their access window in group {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
            undo = () => { };
            return remaining;
        }
    }

    string domainDns = this.discoveryServices.GetDomainNameDns(group.Sid);
    var locatorFlags = DsGetDcNameFlags.DS_DIRECTORY_SERVICE_REQUIRED | DsGetDcNameFlags.DS_WRITABLE_REQUIRED;

    this.discoveryServices.FindDcAndExecuteWithRetry(dcLocatorTarget, domainDns, locatorFlags, this.GetDcLocatorMode(), dc =>
    {
        this.logger.LogTrace("Attempting to perform pam group operation against DC {dc}", dc);

        // Pin the group object to the located writable DC before modifying it.
        group.RetargetToDc(dc);

        this.logger.LogTrace("Adding user {user} to group {group}", user.MsDsPrincipalName, group.Path);
        group.AddMember(user, requestedExpiry);
        this.logger.LogInformation(EventIDs.JitPamAccessGranted, "User {user} was added to group {group} with a membership expiry of {ttl}", user.MsDsPrincipalName, group.MsDsPrincipalName, requestedExpiry);

        return true;
    });

    // The captured group object keeps the DC it was retargeted to above.
    undo = () =>
    {
        this.logger.LogTrace("Rolling back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
        group.RemoveMember(user);
        this.logger.LogInformation(EventIDs.JitPamAccessRevoked, "Rolled back JIT access by removing {user} from {group}", user.MsDsPrincipalName, group.MsDsPrincipalName);
    };

    return requestedExpiry;
}
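/// <summary>
/// Grants JIT access by placing the user in a per-request dynamic (TTL) group that is in
/// turn made a member of the JIT group. All directory writes run against a writable DC
/// located for the dynamic group's OU (with retry). The dynamic group is created when it
/// does not exist yet; an existing one has its TTL extended only when <paramref name="canExtend"/> is set.
/// </summary>
/// <param name="group">The JIT group the user wants to become a member of.</param>
/// <param name="user">The user requesting access.</param>
/// <param name="dcLocatorTarget">Locator target handed to <c>FindDcAndExecuteWithRetry</c>.</param>
/// <param name="canExtend">Whether an existing dynamic group's TTL may be extended to <paramref name="requestedExpiry"/>.</param>
/// <param name="requestedExpiry">The requested TTL.</param>
/// <param name="undo">
/// Set to an action that deletes the dynamic group by its computed name; a no-op if no
/// dynamic group was resolved or created before the DC operation failed.
/// </param>
/// <returns>
/// <paramref name="requestedExpiry"/>, or the existing dynamic group's remaining TTL (zero when
/// it has none) if the group already existed and could not be extended.
/// </returns>
public TimeSpan GrantJitAccessDynamicGroup(IGroup group, IUser user, string dcLocatorTarget, bool canExtend, TimeSpan requestedExpiry, out Action undo)
{
    JitDynamicGroupMapping mapping = this.FindDomainMapping(group);
    string groupName = this.BuildGroupSamAccountName(mapping, user, group);
    string description = this.BuildGroupDescription(mapping);
    string fqGroupName = $"{this.BuildGroupDomain(group)}\\{groupName}";
    TimeSpan grantedExpiry = requestedExpiry;

    this.logger.LogTrace("Processing request to have {user} added to the JIT group {group} via dynamicObject {dynamicGroup}", user.MsDsPrincipalName, group.Path, fqGroupName);

    // Assigned inside the retry callback; stays null if the callback never got that far.
    IGroup dynamicGroup = null;

    this.discoveryServices.FindDcAndExecuteWithRetry(dcLocatorTarget, this.discoveryServices.GetDomainNameDns(mapping.GroupOU), DsGetDcNameFlags.DS_DIRECTORY_SERVICE_REQUIRED | DsGetDcNameFlags.DS_WRITABLE_REQUIRED, this.GetDcLocatorMode(), dc =>
    {
        this.logger.LogTrace("Attempting to perform dynamic group operation against DC {dc}", dc);

        // Pin both group objects to the located writable DC before modifying them.
        group.RetargetToDc(dc);

        if (this.directory.TryGetGroup(fqGroupName, out dynamicGroup))
        {
            dynamicGroup.RetargetToDc(dc);
            this.logger.LogTrace("Dynamic group {dynamicGroup} already exists in the directory with a remaining TTL of {ttl}", dynamicGroup.Path, dynamicGroup.EntryTtl);

            if (!canExtend)
            {
                this.logger.LogTrace("User {user} is not permitted to extend the access, so the TTL will remain unchanged", user.MsDsPrincipalName);
                // The caller is told the TTL that is actually in effect, not the one requested.
                grantedExpiry = dynamicGroup.EntryTtl ?? new TimeSpan();
            }
            else
            {
                dynamicGroup.ExtendTtl(requestedExpiry);
                // Log message fixed: previously read "the TTL will was updated".
                this.logger.LogTrace("User {user} is permitted to extend the access, so the TTL was updated to {ttl}", user.MsDsPrincipalName, requestedExpiry);
            }
        }
        else
        {
            // NOTE(review): on a retry against a different DC, a group created by an earlier
            // attempt may not have replicated yet and would not be found here — confirm how
            // CreateTtlGroup behaves when the name already exists elsewhere.
            this.logger.LogTrace("Creating a new dynamic group {groupName} in {ou} with TTL of {ttl}", groupName, mapping.GroupOU, grantedExpiry);
            dynamicGroup = this.directory.CreateTtlGroup(groupName, groupName, description, mapping.GroupOU, dc, grantedExpiry, mapping.GroupType, true);
            // Template fixed: it previously declared one placeholder but was passed two values,
            // so the TTL was silently dropped from the structured log event.
            this.logger.LogInformation(EventIDs.JitDynamicGroupCreated, "Created a new dynamic group {group} with TTL of {ttl}", dynamicGroup.Path, grantedExpiry);
        }

        // Both memberships are (re)applied regardless of whether the dynamic group pre-existed.
        this.logger.LogTrace("Adding user {user} to dynamic group {dynamicGroup}", user.MsDsPrincipalName, dynamicGroup.Path);
        dynamicGroup.AddMember(user);

        this.logger.LogTrace("Adding dynamic group {dynamicGroup} to the JIT group {jitGroup}", dynamicGroup.Path, group.Path);
        group.AddMember(dynamicGroup);

        return true;
    });

    // NOTE(review): the rollback deletes the dynamic group by name even when it existed before
    // this call (i.e. it revokes any earlier grant as well) — confirm that fail-closed behaviour is intended.
    undo = () =>
    {
        if (dynamicGroup != null)
        {
            this.logger.LogTrace("Rolling back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
            this.directory.DeleteGroup(fqGroupName);
            this.logger.LogInformation(EventIDs.JitDynamicGroupDeleted, "Rolled back JIT access by deleting dynamic group {dynamicGroup} created for {user} to become a member of {group}", dynamicGroup.MsDsPrincipalName, user.MsDsPrincipalName, group.MsDsPrincipalName);
        }
    };

    return grantedExpiry;
}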