Merge pull request #643 from bridgecrewio/feature/edge_case_handling
Edge case handling + extending of SAML providers
0xdabbad00 committed Jan 12, 2020
2 parents 01ca451 + ca42bba commit c2058ae
Showing 9 changed files with 137 additions and 43 deletions.
4 changes: 2 additions & 2 deletions commands/prepare.py
Expand Up @@ -74,7 +74,7 @@ def get_vpcs(region, outputfilter):
outputfilter["vpc-names"]
)
vpcs = query_aws(region.account, "ec2-describe-vpcs", region)
return pyjq.all(".Vpcs[]{}".format(vpc_filter), vpcs)
return pyjq.all(".Vpcs[]?{}".format(vpc_filter), vpcs)


def get_azs(vpc):
Expand All @@ -87,7 +87,7 @@ def get_vpc_peerings(region):
vpc_peerings = query_aws(
region.account, "ec2-describe-vpc-peering-connections", region
)
resource_filter = ".VpcPeeringConnections[]"
resource_filter = ".VpcPeeringConnections[]?"
return pyjq.all(resource_filter, vpc_peerings)


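Review bot: The `?` added on the `.Vpcs[]` path suppresses every jq error on that expression, not only the case where `.Vpcs` is absent or null, so a cached response of an unexpected shape now yields an empty VPC list instead of failing loudly; the same applies to the `.VpcPeeringConnections[]?` change in the second hunk and to the first hunk of commands/weboftrust.py. If the intent is specifically to tolerate a query result with no `Vpcs` key, a short comment would keep the next reader from mistaking it for general error handling, e.g. `# "[]?" yields nothing instead of raising when .Vpcs is absent or null`. Both get_vpcs and get_vpc_peerings start outside their hunks.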
120 changes: 81 additions & 39 deletions commands/weboftrust.py
Expand Up @@ -21,15 +21,15 @@ def get_regional_vpc_peerings(region):
vpc_peerings = query_aws(
region.account, "ec2-describe-vpc-peering-connections", region
)
resource_filter = ".VpcPeeringConnections[]"
resource_filter = ".VpcPeeringConnections[]?"
return pyjq.all(resource_filter, vpc_peerings)


def get_regional_direct_connects(region):
direct_connects = query_aws(
region.account, "/directconnect-describe-connections", region
)
resource_filter = ".connections[]"
resource_filter = ".connections[]?"
return pyjq.all(resource_filter, direct_connects)


Expand Down Expand Up @@ -173,47 +173,89 @@ def get_iam_trusts(account, nodes, connections, connections_to_get):
Region(account, {"RegionName": "us-east-1"}),
)

saml_providers = query_aws(
account,
"iam-list-saml-providers",
Region(account, {"RegionName": "us-east-1"})
)["SAMLProviderList"]

for role in pyjq.all(".RoleDetailList[]", iam):
principals = pyjq.all(".AssumeRolePolicyDocument.Statement[].Principal", role)
for principal in principals:
assume_role_nodes = set()
if principal.get("Federated", None):
# TODO I should be using get-saml-provider to confirm this is really okta
if "saml-provider/okta" in principal["Federated"].lower():
node = Account(
json_blob={"id": "okta", "name": "okta", "type": "Okta"}
)
assume_role_nodes.add(node)
elif "saml-provider/onelogin" in principal["Federated"].lower():
node = Account(
json_blob={
"id": "onelogin",
"name": "onelogin",
"type": "Onelogin",
}
)
assume_role_nodes.add(node)
elif "saml-provider/adfs" in principal["Federated"].lower():
node = Account(
json_blob={"id": "adfs", "name": "adfs", "type": "ADFS"}
)
assume_role_nodes.add(node)
elif principal["Federated"] == "cognito-identity.amazonaws.com":
# TODO: Should show this somehow
continue
elif principal["Federated"] == "www.amazon.com":
node = Account(
json_blob={
"id": "Amazon.com",
"name": "Amazon.com",
"type": "Amazon",
}
)
continue
else:
raise Exception(
"Unknown federation provider: {}".format(principal["Federated"])
)
federated_principals = principal.get("Federated", None)

if federated_principals:
if not isinstance(federated_principals, list):
federated_principals = [federated_principals]

for federated_principal in federated_principals:
try:
saml_provider_arn = next(saml for saml in saml_providers if saml['Arn'] == federated_principal)['Arn']

if 'saml-provider/okta' in saml_provider_arn.lower():
node = Account(
json_blob={"id": "okta", "name": "okta", "type": "Okta"}
)
assume_role_nodes.add(node)
elif "saml-provider/onelogin" in saml_provider_arn.lower():
node = Account(
json_blob={
"id": "onelogin",
"name": "onelogin",
"type": "Onelogin",
}
)
assume_role_nodes.add(node)
elif "saml-provider/waad" in saml_provider_arn.lower():
node = Account(
json_blob={
"id": "WAAD",
"name": "WAAD",
"type": "waad",
}
)
assume_role_nodes.add(node)
elif "saml-provider/allcloud-sso" in saml_provider_arn.lower():
node = Account(
json_blob={
"id": "AllCloud-SSO",
"name": "AllCloud-SSO",
"type": "AllCloud-SSO",
}
)
assume_role_nodes.add(node)
elif "saml-provider/adfs" in saml_provider_arn.lower():
node = Account(
json_blob={"id": "adfs", "name": "adfs", "type": "ADFS"}
)
assume_role_nodes.add(node)
elif "saml-provider/auth0" in saml_provider_arn.lower():
node = Account(
json_blob={"id": "auth0", "name": "auth0", "type": "auth0"}
)
assume_role_nodes.add(node)
elif "cognito-identity.amazonaws.com" in saml_provider_arn.lower():
continue
elif "www.amazon.com" in saml_provider_arn.lower():
node = Account(
json_blob={
"id": "Amazon.com",
"name": "Amazon.com",
"type": "Amazon",
}
)
continue
else:
raise Exception(
"Unknown federation provider: {}".format(saml_provider_arn.lower())
)

except StopIteration:
if "cognito-identity.amazonaws.com" in federated_principal.lower():
# TODO: Should show this somehow
continue
raise Exception('Principal {} is not a configured SAML provider'.format(federated_principal))
if principal.get("AWS", None):
principal = principal["AWS"]
if not isinstance(principal, list):
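Review bot: A role whose Federated principal is `www.amazon.com` now raises from the except branch at the end of the loop, whereas the old code skipped it: the `www.amazon.com` and `cognito-identity.amazonaws.com` branches inside the try only run for an ARN that was found in `saml_providers`, so a bare `www.amazon.com` principal always reaches StopIteration, and only cognito is tolerated there. Handling both in the except branch restores the previous behaviour and lets the two unreachable branches inside the try be dropped: `if federated_principal.lower() in ("cognito-identity.amazonaws.com", "www.amazon.com"):` followed by `continue`. Separately, the provider type is still inferred from a substring of the provider's own name, so a provider that merely happens to contain `okta` in its ARN is drawn as Okta; a comment stating that the list lookup only confirms the ARN exists in the account, not which IdP is behind it, would preserve what the removed TODO recorded. get_iam_trusts starts before and continues after this hunk.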
2 changes: 1 addition & 1 deletion shared/find_unused.py
Expand Up @@ -67,7 +67,7 @@ def find_unused_elastic_ips(region):
unused_ips = []
ips = query_aws(region.account, "ec2-describe-addresses", region)
for ip in pyjq.all(".Addresses[] | select(.AssociationId == null)", ips):
unused_ips.append({"id": ip["AllocationId"], "ip": ip["PublicIp"]})
unused_ips.append({"id": ip.get("AllocationId", "Un-allocated IP"), "ip": ip["PublicIp"]})

return unused_ips

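Review bot: The fallback on the changed line puts the literal string `Un-allocated IP` into the `id` field, so every address without an AllocationId gets the same non-unique id and a consumer that keys results by id will merge them. The public IP is already in hand and is unique per address, so it makes a better fallback identifier: `unused_ips.append({"id": ip.get("AllocationId", ip["PublicIp"]), "ip": ip["PublicIp"]})`. find_unused_elastic_ips starts before this hunk.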
2 changes: 1 addition & 1 deletion shared/iam_audit.py
Expand Up @@ -455,7 +455,7 @@ def find_admins_in_account(
Finding(
region,
"IAM_LINTER",
policy["Arn"],
policy["PolicyName"],
resource_details={"issue": str(f.issue), "severity": str(f.severity), "location": str(f.location), "policy": policy_doc},
)
)
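Review bot: Switching the Finding's resource from `policy["Arn"]` to `policy["PolicyName"]` drops the account id and path that only the ARN carries, so a finding on a policy named, say, `Admin` in two audited accounts is no longer attributable to either, and same-named policies on different paths collide. If the motivation is that some policy records have no `Arn` key (inline policies, presumably), keep the ARN when present and fall back only otherwise: `policy.get("Arn", policy["PolicyName"]),`. find_admins_in_account starts before and continues after this hunk.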
Binary file added web/icons/logos/ADFS.png
Binary file added web/icons/logos/allcloud.png
Binary file added web/icons/logos/auth0.png
Binary file added web/icons/logos/waad.png
52 changes: 52 additions & 0 deletions web/style.json
Expand Up @@ -469,6 +469,58 @@
"height": 100
}
},
{
"selector": "[type = \"auth0\"]",

"css": {
"label": "",
"background-opacity": 0,
"background-image": "./icons/logos/auth0.png",
"background-fit": "contain",
"background-clip": "none",
"width": 150,
"height": 100
}
},
{
"selector": "[type = \"ADFS\"]",

"css": {
"label": "",
"background-opacity": 0,
"background-image": "./icons/logos/ADFS.png",
"background-fit": "contain",
"background-clip": "none",
"width": 150,
"height": 100
}
},
{
"selector": "[type = \"WAAD\"]",

"css": {
"label": "",
"background-opacity": 0,
"background-image": "./icons/logos/waad.png",
"background-fit": "contain",
"background-clip": "none",
"width": 150,
"height": 100
}
},
{
"selector": "[type = \"AllCloud-SSO\"]",

"css": {
"label": "",
"background-opacity": 0,
"background-image": "./icons/logos/allcloud.png",
"background-fit": "contain",
"background-clip": "none",
"width": 150,
"height": 100
}
},
{
"selector": "[type = \"Cloudhealth\"]",

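Review bot: The new `[type = "WAAD"]` selector will not match the node that commands/weboftrust.py creates for that provider, because the code sets `"type": "waad"` in lower case, while the other three new entries (`auth0`, `ADFS`, `AllCloud-SSO`) use exactly the case their code counterparts set; unless the selector match is case-insensitive, the WAAD icon is never applied. Align one side, e.g. change the selector to `"selector": "[type = \"waad\"]",` or set the node type to `WAAD` in the code.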
