- Code refactor

- fix Dockerfile
- enrich logging with audit messages

Author: Seji64

src/Dockerfile

@@ -27,6 +27,7 @@ RUN apt update && \
     ln -s /usr/lib/x86_64-linux-gnu/liblber-2.5.so.0 /usr/lib/liblber.so.2 && \
     pip3 install dpapi-ng[kerberos] --break-system-packages
 COPY --from=publish /app/publish .
+RUN chown app -R /app/
 HEALTHCHECK CMD curl --fail http://localhost:8080/healthz || exit
 USER app
 ENTRYPOINT ["dotnet", "LAPS-WebUI.dll"]

src/Interfaces/ISessionManagerService.cs

@@ -8,5 +8,7 @@ public interface ISessionManagerService
         public Task<LdapForNet.LdapCredential> GetLdapCredentialsAsync();
         public Task<List<string>> GetDomainsAsync();
         public Task<string> GetDomainAsync();
+        public Task<string> GetUsernameAsync();
+
     }
 }

src/LogEnrichers/AuditPrefixEnricher.cs

@@ -0,0 +1,24 @@
+namespace LAPS_WebUI.LogEnrichers;
+
+using Serilog.Core;
+using Serilog.Events;
+
+public class AuditPrefixEnricher : ILogEventEnricher
+{
+    private const string PropertyName = "AuditPrefix";
+
+    public void Enrich(LogEvent logEvent, ILogEventPropertyFactory propertyFactory)
+    {
+        if (logEvent.Properties.TryGetValue("Audit", out LogEventPropertyValue? auditProp) &&
+            auditProp is ScalarValue { Value: bool and true })
+        {
+            LogEventProperty auditPrefix = propertyFactory.CreateProperty(PropertyName, "[AUDIT] ");
+            logEvent.AddPropertyIfAbsent(auditPrefix);
+        }
+        else
+        {
+            LogEventProperty empty = propertyFactory.CreateProperty(PropertyName, "");
+            logEvent.AddPropertyIfAbsent(empty);
+        }
+    }
+}

src/Pages/LAPS.razor.cs

@@ -59,7 +59,7 @@ private async Task ClearLapsPassword(AdComputer computer)
                         _ => LAPSVersion.v1
                     };
 
-                    DialogParameters parameters = new DialogParameters { ["ContentText"] = $"Clear LAPS {version} Password on Computer '{computer.Name}' ?{Environment.NewLine}You have to invoke gpupdate /force on computer '{computer.Name}' in order so set a new LAPS password", ["CancelButtonText"] = "Cancel", ["ConfirmButtonText"] = "Clear", ["ConfirmButtonColor"] = Color.Error };
+                    DialogParameters parameters = new() { ["ContentText"] = $"Clear LAPS {version} Password on Computer '{computer.Name}' ?{Environment.NewLine}You have to invoke gpupdate /force on computer '{computer.Name}' in order so set a new LAPS password", ["CancelButtonText"] = "Cancel", ["ConfirmButtonText"] = "Clear", ["ConfirmButtonColor"] = Color.Error };
                     IDialogReference dialog = await Dialog.ShowAsync<Confirmation>("Clear LAPS Password", parameters,new DialogOptions() { NoHeader = true });
                     DialogResult? result = await dialog.Result;
 
@@ -68,7 +68,10 @@ private async Task ClearLapsPassword(AdComputer computer)
                         computer.LapsInformations.Clear();
                         await InvokeAsync(StateHasChanged);
                         await LdapService.ClearLapsPassword(DomainName ?? await SessionManager.GetDomainAsync(), LdapCredential ?? await SessionManager.GetLdapCredentialsAsync(), computer.DistinguishedName, version);
-                        Snackbar.Add($"LAPS {version} Password for computer '{computer.Name}' successfully cleared! - Please invoke gpupdate on {computer.Name} to set a new LAPS Password", Severity.Success);
+                        Snackbar.Add($"LAPS {version} Password for computer '{computer.Name}' successfully cleared! - Please invoke 'gpupdate' on {computer.Name} to set a new LAPS Password", Severity.Success);
+                        string currentUsername = await SessionManager.GetUsernameAsync();
+                        Log.ForContext("Audit", true)
+                            .Information("LAPS password cleared for computer '{ComputerName}' (LAPS version: {LAPSVersion}) by user '{UserName}'", computer.Name, version, currentUsername);
                     }
                 }
             }
@@ -118,10 +121,7 @@ private async Task RefreshComputerDetailsAsync(AdComputer computer, bool supress
             {
                 Log.Error("{ErrorMessage}", ex.Message);
 
-                if (placeHolder != null)
-                {
-                    placeHolder.LapsInformations = backup;
-                }
+                placeHolder?.LapsInformations = backup;
 
                 if (!supressNotify)
                 {
@@ -157,7 +157,7 @@ private async Task FetchComputerDetailsAsync(string distinguishedName, string co
                     if (!selectedComputer.FailedToRetrieveLapsDetails && tab != null)
                     {
                         await InvokeAsync(StateHasChanged);
-                        tab.ActivatePanel(tab.Panels.First(x => !x.Disabled));
+                        await tab.ActivatePanelAsync(tab.Panels.First(x => !x.Disabled));
                     }
 
                 }

src/Pages/Login.razor.cs

@@ -1,5 +1,6 @@
 using LAPS_WebUI.Models;
 using Microsoft.AspNetCore.Components.Forms;
+using Serilog;
 
 namespace LAPS_WebUI.Pages
 {
@@ -28,10 +29,12 @@ private async Task OnValidSubmitAsync(EditContext context)
             {
                 if (await SessionManager.LoginAsync(_loginRequest.DomainName ?? string.Empty, _loginRequest.Username ?? string.Empty, _loginRequest.Password ?? string.Empty))
                 {
+                    Log.ForContext("Audit",true).Information("User '{Username}'  successfully logged in.", _loginRequest.Username);
                     NavigationManager.NavigateTo("/laps");
                 }
                 else
                 {
+                    Log.ForContext("Audit",true).Warning("User '{Username}' failed logged in.", _loginRequest.Username);
                     throw new Exception("Login failed!");
                 }
             }

src/Pages/Logout.razor.cs

@@ -6,6 +6,8 @@ protected override async Task OnAfterRenderAsync(bool firstRender)
         {
             if (await SessionManager.IsUserLoggedInAsync())
             {
+                string username = await SessionManager.GetUsernameAsync();
+                Serilog.Log.Information("User logged out: {Username}", username);
                 await SessionManager.LogoutAsync();
             }
 

src/Program.cs

@@ -1,6 +1,7 @@
 using Blazored.SessionStorage;
 using CurrieTechnologies.Razor.Clipboard;
 using LAPS_WebUI.Interfaces;
+using LAPS_WebUI.LogEnrichers;
 using LAPS_WebUI.Models;
 using LAPS_WebUI.Services;
 using MudBlazor;
@@ -17,6 +18,8 @@
 // Add services to the container.
 builder.Services.AddSerilog((services, lc) => lc
     .ReadFrom.Configuration(builder.Configuration)
+    .Enrich.With<AuditPrefixEnricher>()
+    .Enrich.FromLogContext()
     .ReadFrom.Services(services));
 
 builder.Services.AddRazorPages();

src/Services/LDAPService.cs

@@ -139,6 +139,9 @@ private static string EscapeLdapSearchFilter(string searchFilter)
             AdComputer? adComputer;
             Domain domain = _domains.Value.SingleOrDefault(x => x.Name == domainName) ?? throw new Exception($"No configured domain found with name {domainName}");
 
+            Log.ForContext("Audit", true)
+               .Information("Retrieving Active Directory computer details for DN '{DistinguishedName}' using user '{Username}'", distinguishedName, ldapCredential.UserName);
+            
             if (ldapCredential is null)
             {
                 throw new Exception("Failed to get LDAP Credentials");
@@ -178,6 +181,9 @@ private static string EscapeLdapSearchFilter(string searchFilter)
                         PasswordSetDate = null
                     };
 
+                    Log.ForContext("Audit", true)
+                        .Information("Successfully retrieved LAPS v1 password for computer '{ComputerName}' (DN: '{DistinguishedName}') by user '{Username}'", adComputer.Name, distinguishedName, ldapCredential.UserName);
+                    
                     adComputer.LapsInformations.Add(lapsInformationEntry);
                 }
 
@@ -217,6 +223,8 @@ private static string EscapeLdapSearchFilter(string searchFilter)
                     };
 
                     adComputer.LapsInformations.Add(lapsInformationEntry);
+                    Log.ForContext("Audit", true)
+                        .Information("Successfully retrieved LAPS v2 password for computer '{ComputerName}' (DN: '{DistinguishedName}') by user '{Username}'", adComputer.Name, distinguishedName, ldapCredential.UserName);
 
                     if (ldapSearchResult.DirectoryAttributes.Any(x => x.Name == "msLAPS-EncryptedPasswordHistory"))
                     {
@@ -240,10 +248,13 @@ private static string EscapeLdapSearchFilter(string searchFilter)
                                 };
 
                                 adComputer.LapsInformations.Add(historicLapsInformationEntry);
+                                Log.ForContext("Audit", true)
+                                    .Information("Successfully retrieved LAPS v2 password history for computer '{ComputerName}' (DN: '{DistinguishedName}') by user '{Username}'", adComputer.Name, distinguishedName, ldapCredential.UserName);
                             }
                             else
                             {
-                                Log.Warning("Failed to decrypt LAPS History entry");
+                                Log.ForContext("Audit", true)
+                                    .Warning("Failed decrypt LAPS v2 password history for computer '{ComputerName}' (DN: '{DistinguishedName}') by user '{Username}'", adComputer.Name, distinguishedName, ldapCredential.UserName);
                             }
                         }
                     }
@@ -300,9 +311,10 @@ private static async Task<string> DecryptLapsPayload(byte[] value, LdapCredentia
             }
             catch (Exception ex)
             {
-                Log.Error("Decrypt LAPS Password failed. Please check if Domain Controllers are reachable and your python environment is setup correctly");
+                Log.ForContext("Audit", true)
+                    .Error("Failed to decrypt LAPS password on behalf for user '{Username}'", ldapCredential.UserName);
                 Log.Debug("Error Stacktrace => {ErrorMessage}", ex.Message);
-                throw new ArgumentException("Failed to decrypt LAPSv2 Password");
+                throw new ArgumentException("Decrypt LAPS Password failed. Please check if Domain Controllers are reachable and your python environment is setup correctly");
             }
 
         }

src/Services/SessionManagerService.cs

@@ -10,6 +10,12 @@ public class SessionManagerService(
         ICryptService cryptService)
         : ISessionManagerService
     {
+
+        public async Task<string> GetUsernameAsync()
+        {
+            return await sessionStorageService.GetItemAsync<string>("username");
+        }
+        
         public async Task<List<string>> GetDomainsAsync()
         {
             return (await ldapService.GetDomainsAsync()).Select(x => x.Name).ToList();
@@ -43,14 +49,13 @@ public async Task<bool> LoginAsync(string domainName, string username, string pa
             {
                 return false;
             }
-            else
-            {
-                await sessionStorageService.SetItemAsync("loggedIn", bindResult);
-                await sessionStorageService.SetItemAsync("domainName", domainName);
-                await sessionStorageService.SetItemAsync("ldapCredentials", new LdapCredential() { UserName = cryptService.EncryptString(username), Password = cryptService.EncryptString(password) });
 
-                return true;
-            }
+            await sessionStorageService.SetItemAsync("loggedIn", bindResult);
+            await sessionStorageService.SetItemAsync("username", username);
+            await sessionStorageService.SetItemAsync("domainName", domainName);
+            await sessionStorageService.SetItemAsync("ldapCredentials", new LdapCredential() { UserName = cryptService.EncryptString(username), Password = cryptService.EncryptString(password) });
+
+            return true;
         }
         public async Task<bool> LogoutAsync()
         {

src/appsettings.json

@@ -7,9 +7,13 @@
       }
     },
     "WriteTo": [
-      { "Name": "Console" }
+      { "Name": "Console",
+        "Args": {
+          "outputTemplate": "{Timestamp:yyyy-MM-dd HH:mm:ss} [{Level:u3}] {AuditPrefix}{Message:lj}{NewLine}{Exception}"
+        }
+      }
     ],
-    "Enrich": [ "FromLogContext"]
+    "Enrich": [ "FromLogContext", "WithAuditPrefix"]
   },
   "AllowedHosts": "*"
 }