-
Notifications
You must be signed in to change notification settings - Fork 70
/
list-key-vault-user-access-admins.go
86 lines (76 loc) · 2.93 KB
/
list-key-vault-user-access-admins.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
// Copyright (C) 2022 Specter Ops, Inc.
//
// This file is part of AzureHound.
//
// AzureHound is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// AzureHound is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package cmd
import (
"context"
"os"
"os/signal"
"time"
"github.com/bloodhoundad/azurehound/constants"
"github.com/bloodhoundad/azurehound/enums"
"github.com/bloodhoundad/azurehound/internal"
"github.com/bloodhoundad/azurehound/models"
"github.com/bloodhoundad/azurehound/pipeline"
"github.com/spf13/cobra"
)
func init() {
listRootCmd.AddCommand(listKeyVaultUserAccessAdminsCmd)
}
var listKeyVaultUserAccessAdminsCmd = &cobra.Command{
Use: "key-vault-user-access-admins",
Long: "Lists Azure Key Vault User Access Admins",
Run: listKeyVaultUserAccessAdminsCmdImpl,
SilenceUsage: true,
}
func listKeyVaultUserAccessAdminsCmdImpl(cmd *cobra.Command, args []string) {
ctx, stop := signal.NotifyContext(cmd.Context(), os.Interrupt, os.Kill)
defer gracefulShutdown(stop)
log.V(1).Info("testing connections")
if err := testConnections(); err != nil {
exit(err)
} else if azClient, err := newAzureClient(); err != nil {
exit(err)
} else {
log.Info("collecting azure key vault user access admins...")
start := time.Now()
subscriptions := listSubscriptions(ctx, azClient)
keyVaults := listKeyVaults(ctx, azClient, subscriptions)
kvRoleAssignments := listKeyVaultRoleAssignments(ctx, azClient, keyVaults)
stream := listKeyVaultUserAccessAdmins(ctx, kvRoleAssignments)
outputStream(ctx, stream)
duration := time.Since(start)
log.Info("collection completed", "duration", duration.String())
}
}
func listKeyVaultUserAccessAdmins(
ctx context.Context,
kvRoleAssignments <-chan azureWrapper[models.KeyVaultRoleAssignments],
) <-chan any {
return pipeline.Map(ctx.Done(), kvRoleAssignments, func(ra azureWrapper[models.KeyVaultRoleAssignments]) any {
filteredAssignments := internal.Filter(ra.Data.RoleAssignments, kvRoleAssignmentFilter(constants.UserAccessAdminRoleID))
kvContributors := internal.Map(filteredAssignments, func(ra models.KeyVaultRoleAssignment) models.KeyVaultUserAccessAdmin {
return models.KeyVaultUserAccessAdmin{
UserAccessAdmin: ra.RoleAssignment,
KeyVaultId: ra.KeyVaultId,
}
})
return NewAzureWrapper(enums.KindAZKeyVaultUserAccessAdmin, models.KeyVaultUserAccessAdmins{
KeyVaultId: ra.Data.KeyVaultId,
UserAccessAdmins: kvContributors,
})
})
}