Describe the bug
If pmapper loads the org data, and the org includes SCPs, I get the same output with the query preset privesc * regardless of whether I use the --scps flag or not.
To Reproduce
1. There is 1 SCP, in playground account, attached to dev account. Let's say for example the SCP denies iam:passrole.
2. Using playground creds, run pmapper orgs create
3. Using dev creds, run pmapper graph create --include-region us-east-1
4. Using dev creds, run pmapper orgs update --org ID
5. Using dev creds, run pmapper query --scps 'preset privesc *'
6. All looks good
7. Using dev creds, run pmapper query 'preset privesc *'
8. Same exact output as step 5, which was unexpected.
Expected behavior
I would expect step 7 to ignore the SCPs applied to the dev account. Not that I can think of a reason I would ever need that output, but based on the existence of the --scps flag, that's what I would expect.
The --scps flag has no effect on this preset query. Instead of authorization checks, it's doing breadth-first searches of the Graph starting at each Node. However, that is a good reminder that another preset query called endgame should allow users to include SCPs and I'll need to fix that.
I think #94 is the root cause of the unexpected behavior here. The edges and admins are defined when the Graph is created, so any mistakes there will be reflected in the privesc query, which is why you're getting the unexpected output.
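The distinction drawn in the reply above, as an added example that is not part of the thread and not PMapper's code: a toy model in which a query-time authorization check can take SCPs into account, while the privilege-escalation search only walks the edges and admin flags stored when the graph was built. The names allowed, build_graph and privesc_path, the edge rule and the sample data are all constructed for illustration; whether SCPs are considered while building edges is a parameter of this model, not a statement about PMapper.

```python
from collections import deque
from fnmatch import fnmatchcase

# Constructed sample data: principal -> allowed action patterns (lower-case).
PRINCIPALS = {
    "user/dev": ["iam:passrole", "ec2:runinstances"],
    "role/admin": ["*"],
}
SCP_DENY = ["iam:passrole"]  # constructed SCP, matching the report's scenario

def allowed(actions, action, scps=()):
    """Authorization check: an identity allow and no matching SCP deny."""
    if not any(fnmatchcase(action, p) for p in actions):
        return False
    return not any(fnmatchcase(action, p) for p in scps)

def build_graph(principals, scps=()):
    """Decide admins and edges once; later searches only read the result."""
    admins = {n for n, a in principals.items()
              if allowed(a, "iam:putrolepolicy", scps)}
    edges = {n: [] for n in principals}
    for src, acts in principals.items():
        for dst in principals:
            # Toy edge rule (assumption): src reaches a role if it may pass roles.
            if (dst != src and dst.startswith("role/")
                    and allowed(acts, "iam:passrole", scps)):
                edges[src].append(dst)
    return {"admins": admins, "edges": edges}

def privesc_path(graph, start):
    """Breadth-first search over stored edges; there is no SCP argument."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in graph["admins"]:
            return path
        for nxt in graph["edges"][path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

In this model the only way an SCP changes the search result is by changing what build_graph stored, which is why an error made at graph creation shows up unchanged in every later search.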