Improved KDS Root Key selection algorithm

MichaelGrafnetter · Oct 2, 2023 · f6deab9 · f6deab9
1 parent e01c342
commit f6deab9
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/Src/DSInternals.DataStore/DirectoryAgent.cs b/Src/DSInternals.DataStore/DirectoryAgent.cs
@@ -140,6 +140,7 @@ public IEnumerable<GroupManagedServiceAccount> GetGroupManagedServiceAccounts(Da
         {
             // Fetch all KDS root keys first.
             var rootKeys = new Dictionary<Guid, KdsRootKey>();
+            KdsRootKey latestRootKey = null;
 
             foreach (var rootKey in this.GetKdsRootKeys())
             {
@@ -148,6 +149,12 @@ public IEnumerable<GroupManagedServiceAccount> GetGroupManagedServiceAccounts(Da
                 {
                     // Allow the key to be found by ID
                     rootKeys.Add(rootKey.KeyId, rootKey);
+
+                    // Check if this key is the newest found yet
+                    if(rootKey.EffectiveTime <= effectiveTime && (latestRootKey == null || latestRootKey.CreationTime < rootKey.CreationTime))
+                    {
+                        latestRootKey = rootKey;
+                    }
                 }
             }
 
@@ -159,13 +166,23 @@ public IEnumerable<GroupManagedServiceAccount> GetGroupManagedServiceAccounts(Da
 
                 if (gmsa.ManagedPasswordId != null)
                 {
-                    // Find the proper key by Guid
-                    Guid associateRootKeyId = gmsa.ManagedPasswordId.RootKeyId;
-                    bool keyFound = rootKeys.TryGetValue(associateRootKeyId, out var associatedRootKey);
+                    DateTime nextPasswordChange = gmsa.PasswordLastSet.Value.AddDays(gmsa.ManagedPasswordInterval.Value);
+                    KdsRootKey rootKeyToUse;
+                    if (nextPasswordChange <= effectiveTime)
+                    {
+                        // The existing password has already expired, so generate the managed password based on the latest Root Key
+                        rootKeyToUse = latestRootKey;
+                    }
+                    else
+                    {
+                        // Generate the managed password based on the Root Key currently associated with it
+                        Guid associateRootKeyId = gmsa.ManagedPasswordId.RootKeyId;
+                        rootKeys.TryGetValue(associateRootKeyId, out rootKeyToUse);
+                    }
 
-                    if (keyFound)
+                    if (rootKeyToUse != null)
                     {
-                        gmsa.CalculatePassword(associatedRootKey, effectiveTime);
+                        gmsa.CalculatePassword(rootKeyToUse, effectiveTime);
                     }
                 }