New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor/127 cli refactoring #151
Conversation
Codecov Report
@@ Coverage Diff @@
## develop #151 +/- ##
==========================================
- Coverage 30.28% 30.1% -0.18%
==========================================
Files 66 66
Lines 4316 4298 -18
==========================================
- Hits 1307 1294 -13
+ Misses 3009 3004 -5
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great job, I was indeed able to use the parameters I used previously to create a report! I've tried with these arguments : aws --force --no-browser --thread-config 1 --services iam --ruleset default.json. And they all worked as intended! 💯
A small word of notice though, it seems like the provider used must now be the first argument (which wasn't the case when --provider was used). I don't think that's an issue, simply noting that we should write it down somewhere...
...speaking of which, should I clone Scout2's wiki? 🤔
@zer0x64 I'm guessing this is because you're now validating the parameters per-provider, instead of the soup of params we had before? I mean it would make sense to have the
Yes I think it would be a good thing to start. Maybe leave of the bits that currently don't apply/work (looking at you ListAll/RulesGenerator!!!). |
They actually now uses completely independant subparsers! It's works a little bit like git now: You cannot use git -am "commit message" commit, as the -am switch relates to the "commit" parser. The same thing happens here |
Co-Authored-By: zer0x64 <17575242+zer0x64@users.noreply.github.com>
Co-Authored-By: zer0x64 <17575242+zer0x64@users.noreply.github.com>
GeneralI've tried this for AWS, GCP and Azure with basic parameters. I really like this PR, makes the CLI much more clean. A couple comments below. parameters vs valuesWould it be possible to have
I'd hate to break backwards compatibility over a detail. Generaly parameters are preceded by --help conformityI really like the new For azure it's great:
For GCP shouldn't this be split between
Same for AWS, I'd put these under
And these under
GCPFor service accounts, the parameter is now Trying to run for a user account seems to fail (I assume something isn't being passed down the code):
|
Also note that the command line will try to infer the argument name if possible when receiving partial switch. For | ||
example, this will work and use the selected profile: | ||
|
||
$python Scout.py aws --pro PROFILE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--profile
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can remove that part, but that was exactly what I was trying to show: The default behavior of argparse is to infer the switch if it cannot find it. So in that case, --pro, --prof, --profi, and so on would all work in place of --profile. But if this is confusing, we can remove it and let people figure it out by themselves!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Damn, didn't know that! And hadn't read the paragraph above 😅 . So yeah, keep it!
There was a bug in |
The way the subparsers works(so we can only show the useful help options), we cannot strictly do this. However, a simple fix would be to add a dummy --provider argument before that's useless, but wouldn't break compatibility. However, I don't see how I could do it using argparse so it can be put anywhere(it would still have to be the first parameters.
I "could" do the --ruleset and --listall part in a working way, but I'm not sure if we still keep them. Also, t would break compatibility for python 2.6-3.6 as they added the "required" parameter on subparsers in 3.7 and before that it was simply always required.
Will do!
The "KEY_FILE" is a really easy fix. If I do that, will I have to restore the --key-file argument? Just thought it would be cleaner to only need one switch in that case.
Is this the fix that has been pushed to develop? Also, for single letters(like -p for --provider), I can make a bunch of them, as long as they don't conflict(if, let say, I have a -u for --username in azure, it won't conflict with another -u aws-specifc switch). Do you want me to implement a few of them? |
Co-Authored-By: zer0x64 <17575242+zer0x64@users.noreply.github.com>
As we've decided to deprecate listall/rulesgenerator at least for now I think that simplifies the issue. I'm ok with removing the
No, you won't have to.
I agree, as you will always have to specify the path of the key file when using an SA. So yeah just make it clear that what has to be provided is the path of the key file 😃
No, I think something might be wrong with how the parameters are passed when using the
I think it can be useful where it makes sense. The great think with how you've implemented this is that indeed there's less possibility for conflict 👍 |
Everything fixed, some arguments also have single-letter switches(I did what I could without causing conflict) and to --provider switch still works withough polluting the help message. Are we ready to merge? |
Please do, I'll try to test as many use cases as I can this week 😃 |
As per #127
If I did my job right, you should be able to use your old commands by simply removing the --provider switch. This is all documented in the README.md. So, to run an AWS scan with a profile, the command would be:
./Scout.py aws --profile PROFILE_NAME
This code is really error-prone and not tested that much. Especially, I haven't tested GCP at all and with a bunch of AWS switches. It would be useful to have someone on each to test out a bit seeing if something broke.