using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityServer.Public.ThreatDetectionFramework;
using System.Net;
using System.Diagnostics;
namespace ThreatDetectionModule
{
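public class UpdatePasswordProtectionCustom : Microsoft.IdentityServer.Public.ThreatDetectionFramework.ThreatDetectionModule, IPreAuthenticationThreatDetectionModule, IPostAuthenticationThreatDetectionModule, IRequestReceivedThreatDetectionModule
{
    /// <summary>Vendor name reported to AD FS for this threat-detection module.</summary>
    public override string VendorName => "Ignastech";

    /// <summary>Module identifier reported to AD FS; also echoed in the load-time event log entry.</summary>
    public override string ModuleIdentifier => "UpdatePasswordProtectionCustom";

    // Active configuration. The request-path methods read it without locking and
    // OnConfigurationUpdate swaps in a replacement, so a new instance is only
    // published here after its InitConfig() has completed.
    internal Config _config = new Config();

    /// <summary>Build version string written to the Windows event log on load.</summary>
    public string InternalVersion => "0.0.2.14";

    // Portal path this module protects; requests to any other path are passed through unevaluated.
    private readonly string EndpointName = "/adfs/portal/updatepassword";

    /// <summary>
    /// Called by AD FS when the module is loaded: creates the Windows event log source,
    /// records the module version and loads the initial configuration.
    /// </summary>
    /// <param name="adfslogger">AD FS admin logger; receives the failure text if initialisation throws.</param>
    /// <param name="configData">Configuration handed over by AD FS. Not read here; settings come from <c>Config.InitConfig()</c>.</param>
    /// <exception cref="Exception">Any failure is written to the admin log and rethrown so AD FS does not run a half-initialised module.</exception>
    public override void OnAuthenticationPipelineLoad(ThreatDetectionLogger adfslogger, ThreatDetectionModuleConfiguration configData)
    {
        try
        {
            WindowsLogger.CreateWinLog();
            WindowsLogger.WriteWinLogEvent($"Initiating AD FS {ModuleIdentifier} plugin. Internal Version - {InternalVersion}", EventLogEntryType.Information);
            _config.InitConfig();
            WindowsLogger.WriteWinLogEvent($"Configured Plugin settings:{_config}",EventLogEntryType.Information);
        }
        catch (Exception ex)
        {
            adfslogger.WriteAdminLogErrorMessage(ex.ToString());
            throw;
        }
    }

    /// <summary>Called by AD FS when the module is unloaded; only writes an informational event.</summary>
    public override void OnAuthenticationPipelineUnload(ThreatDetectionLogger adfslogger)
    {
        WindowsLogger.WriteWinLogEvent($"OnAuthenticationPipelineUnload: Unloading plugin", EventLogEntryType.Information);
    }

    /// <summary>
    /// Called by AD FS when the module configuration changes: builds a fresh <c>Config</c>
    /// and publishes it only once it is fully initialised.
    /// </summary>
    /// <exception cref="Exception">Logged to the admin log and rethrown; the previously active configuration stays in effect.</exception>
    public override void OnConfigurationUpdate(ThreatDetectionLogger adfslogger, ThreatDetectionModuleConfiguration configData)
    {
        try
        {
            Config pluginConfig = new Config();
            // Initialise before publishing: a request evaluated concurrently must never
            // observe a Config whose InitConfig() has not run (or has failed part-way).
            pluginConfig.InitConfig();
            _config = pluginConfig;
        }
        catch (Exception ex)
        {
            adfslogger.WriteAdminLogErrorMessage(ex.ToString());
            throw;
        }
    }

    /// <summary>
    /// Request-received hook: when <c>CheckIfTorNode</c> is set, blocks requests whose client
    /// address is a known Tor exit node.
    /// </summary>
    /// <returns>
    /// <see cref="ThrottleStatus.Block"/> for a Tor exit node when audit mode is off; otherwise
    /// <see cref="ThrottleStatus.NotEvaluated"/>, including when the check is disabled or audit-only.
    /// </returns>
    public Task<ThrottleStatus> EvaluateRequest(ThreatDetectionLogger adfslogger, RequestContext requestContext)
    {
        if (_config.CheckIfTorNode)
        {
            foreach (IPAddress ipAddress in requestContext.ClientIpAddresses)
            {
                if (!TorModule.IsTorExitNode(ipAddress))
                {
                    continue;
                }

                WindowsLogger.WriteWinLogEvent(BuildTorDetailsMessage(ipAddress, requestContext), EventLogEntryType.Warning);
                if (_config.TorAuditOnly == true)
                {
                    // Audit-only: every matching address is logged, but the request is let through.
                    WindowsLogger.WriteWinLogEvent($"AUDIT MODE: Tor Audit is enabled.Request has been allowed", EventLogEntryType.Warning);
                }
                else
                {
                    return Task.FromResult(ThrottleStatus.Block);
                }
            }
        }
        return Task.FromResult(ThrottleStatus.NotEvaluated);
    }

    // Event-log text for a Tor hit, one request field per line. The original omitted the
    // line break between the User Agent and Incoming Request Type fields.
    private static string BuildTorDetailsMessage(IPAddress ipAddress, RequestContext requestContext)
    {
        return $"{ipAddress} has been found to be from Tor network. Request will be denied\n" +
               $"request details:\n" +
               $"Local endpoint: {requestContext.LocalEndPointAbsolutePath}\n" +
               $"Client Location: {requestContext.ClientLocation}\n" +
               $"User Agent: {requestContext.UserAgentString}\n" +
               $"Incoming Request Type: {requestContext.IncomingRequestType}";
    }

    /// <summary>
    /// Pre-authentication hook for the update-password endpoint: blocks the request once the
    /// user's failed-attempt counter has reached <c>RequestThreshold</c>.
    /// </summary>
    /// <returns>
    /// <see cref="ThrottleStatus.Block"/> when the counter is at or above a non-zero threshold and
    /// <c>BypassPasswordUpdateProtection</c> is off. <see cref="ThrottleStatus.Allow"/> otherwise:
    /// non-matching endpoint, enforcement disabled, unusable user identifier, threshold of 0,
    /// bypass enabled, or any exception while reading the counter.
    /// </returns>
    public Task<ThrottleStatus> EvaluatePreAuthentication(ThreatDetectionLogger adfslogger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, IList<Claim> additionalClams)
    {
        if (!IsProtectedEndpoint(requestContext) || _config.Enabled != true)
        {
            // Not the update-password endpoint, or enforcement disabled: pass through.
            return Task.FromResult<ThrottleStatus>(ThrottleStatus.Allow);
        }

        string userName;
        string userDomain;
        if (!TryParseUserIdentifier(securityContext.UserIdentifier, out userName, out userDomain))
        {
            // No usable user name, nothing to look up. The original also allowed an empty user
            // name, but let IndexOutOfRangeException/NullReferenceException escape the pipeline
            // for an identifier without a backslash or a null identifier.
            return Task.FromResult<ThrottleStatus>(ThrottleStatus.Allow);
        }

        try
        {
            WindowsLogger.WriteWinLogEvent($"Got Update Password request. Checking update password lockout status for user '{userName}'", EventLogEntryType.Information);
            var counterTest = SQLLiteHandlerClass.CheckCounter(userName);
            if (counterTest >= _config.RequestThreshold)
            {
                if (_config.RequestThreshold == 0)
                {
                    // A threshold of 0 turns the lockout off rather than blocking everyone.
                    WindowsLogger.WriteWinLogEvent($"Threshold set to 0. Will approve request", EventLogEntryType.Information);
                }
                else
                {
                    WindowsLogger.WriteWinLogEvent($"Detected user '{userName}'from '{userDomain}' hit the limit of '{_config.RequestThreshold}'. Request will be denied",EventLogEntryType.Error);
                    if (_config.BypassPasswordUpdateProtection == true)
                    {
                        WindowsLogger.WriteWinLogEvent($"WARNING: BYPASS is enabled, request will be allowed. Normally this request would be rejected",EventLogEntryType.Warning);
                        return Task.FromResult<ThrottleStatus>(ThrottleStatus.Allow);
                    }
                    return Task.FromResult<ThrottleStatus>(ThrottleStatus.Block);
                }
            }
            else
            {
                WindowsLogger.WriteWinLogEvent($"User '{userName}' has not been detected as locked out. Will Allow request", EventLogEntryType.Information);
            }
        }
        catch (Exception e)
        {
            // Fail-open, as in the original: a counter-store error must not lock every user out of
            // password updates. NOTE(review): the same path means a broken store silently disables
            // the protection, so this Error entry is the one to alert on.
            WindowsLogger.WriteWinLogEvent($"Exception occured\n\r{e}", EventLogEntryType.Error);
            return Task.FromResult<ThrottleStatus>(ThrottleStatus.Allow);
        }
        return Task.FromResult<ThrottleStatus>(ThrottleStatus.Allow);
    }

    /// <summary>
    /// Post-authentication hook for the update-password endpoint: increments the user's
    /// failed-attempt counter after a failed authentication. Never throttles.
    /// </summary>
    /// <returns>Always <see cref="RiskScore.NotEvaluated"/>.</returns>
    public Task<RiskScore> EvaluatePostAuthentication(ThreatDetectionLogger adfslogger, RequestContext requestContext, SecurityContext securityContext, ProtocolContext protocolContext, AuthenticationResult authenticationResult, IList<Claim> additionalClams)
    {
        if (IsProtectedEndpoint(requestContext) && _config.Enabled == true)
        {
            string userName;
            string userDomain;
            bool hasUser = TryParseUserIdentifier(securityContext.UserIdentifier, out userName, out userDomain);
            if (hasUser && authenticationResult == AuthenticationResult.Failure)
            {
                WindowsLogger.WriteWinLogEvent($"User '{userName}' from '{userDomain}' Failed Authentication. Will Increase counter", EventLogEntryType.Warning);
                try
                {
                    SQLLiteHandlerClass.IncreaseCounter(userName);
                }
                catch (Exception ex)
                {
                    // Best-effort: a failed increment is logged but must not fail the request.
                    WindowsLogger.WriteWinLogEvent($"Exception cought during Increasing Counter phase.\n\rDetails:\n\r{ex}", EventLogEntryType.Error);
                }
            }
            // Successful authentication, or no usable user name: the counter is left untouched.
            // No reset of the counter is visible in this class.
        }
        return Task.FromResult<RiskScore>(RiskScore.NotEvaluated);
    }

    // True when the request targets the protected portal path. Compared case-insensitively so a
    // casing variant of the path does not slip past the check (the original used an ordinal ==).
    private bool IsProtectedEndpoint(RequestContext requestContext)
    {
        return string.Equals(requestContext.LocalEndPointAbsolutePath, EndpointName, StringComparison.OrdinalIgnoreCase);
    }

    // Splits an AD FS user identifier into domain and user name.
    // "DOMAIN\user" -> ("DOMAIN", "user"), matching the original Split('\\')[0]/[1] behaviour.
    // An identifier without a backslash is used whole as the user name with an empty domain, so it
    // is still counted instead of throwing IndexOutOfRangeException.
    // Returns false for a null/empty identifier or an empty user-name part.
    // NOTE(review): CheckCounter/IncreaseCounter are keyed on userName alone, so "DOMAIN\user" and a
    // backslash-free form of the same account keep separate counters, as do same-named users in
    // different domains.
    private static bool TryParseUserIdentifier(string userIdentifier, out string userName, out string userDomain)
    {
        userName = null;
        userDomain = null;
        if (string.IsNullOrEmpty(userIdentifier))
        {
            return false;
        }

        string[] userProps = userIdentifier.Split('\\');
        if (userProps.Length >= 2)
        {
            userDomain = userProps[0];
            userName = userProps[1];
        }
        else
        {
            userDomain = string.Empty;
            userName = userIdentifier;
        }
        return !string.IsNullOrEmpty(userName);
    }
}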
}