forked from nccgroup/PMapper
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgraph_from_cf_template.py
152 lines (123 loc) · 5.46 KB
/
graph_from_cf_template.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# Copyright (c) NCC Group and Erik Steringer 2021. This file is part of Principal Mapper.
#
# Principal Mapper is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Principal Mapper is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with Principal Mapper. If not, see <https://www.gnu.org/licenses/>.
"""This is an example Python 3 script that creates a Graph object based on the contents of an
AWS CloudFormation Template
The goal of this script is to help enable 'push-left' and get value out of PMapper earlier
in the infrastructure lifecycle.
Future improvements:
* Support all resource types that PMapper supports along with potential edges
* Support other infra-as-code options (Terraform)
"""
import argparse
import json
import yaml
import principalmapper
from principalmapper.common import Graph, Node
from principalmapper.graphing import gathering, graph_actions, iam_edges, sts_edges
def _resolve_string(resources, element) -> str:
"""Given a thing that can be an object or string, turn it into a string. Handles stuff like
{ "Fn::GetAtt": "..." } and turns it into a string."""
raise NotImplementedError('TODO: implement string handling/resolution')
def _generate_iam_id(node_type: str, counter: int) -> str:
"""Internal method to generate fake IDs for IAM resources. Format is derived from
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
"""
if node_type == 'user':
return 'AIDA{0:016d}'.format(counter)
elif node_type == 'role':
return 'AROA{0:016d}'.format(counter)
elif node_type == 'group':
return 'AGPA{0:016d}'.format(counter)
elif node_type == 'policy':
return 'ANPA{0:016d}'.format(counter)
else:
raise ValueError('Unexpected value {} for node_type param'.format(node_type))
def main():
"""Body of the script."""
# handle arguments
parser = argparse.ArgumentParser()
parser.add_argument('--account', default='000000000000', help='The account ID to assign the simulated Graph')
file_arg_group = parser.add_mutually_exclusive_group(required=True)
file_arg_group.add_argument('--json', help='The CloudFormation JSON template file to read from')
file_arg_group.add_argument('--yaml', help='The CloudFormation YAML template file to read from')
parsed_args = parser.parse_args()
# Parse file
if parsed_args.json:
print('[+] Loading file {}'.format(parsed_args.json))
fd = open(parsed_args.json)
data = json.load(fd)
else:
print('[+] Loading file {}'.format(parsed_args.yaml))
fd = open(parsed_args.yaml)
data = yaml.safe_load(fd)
fd.close()
# Create metadata
metadata = {
'account_id': parsed_args.account,
'pmapper_version': principalmapper.__version__
}
print('[+] Building a Graph object for an account with ID {}'.format(metadata['account_id']))
if 'Resources' not in data:
print('[!] Missing required template element "Resources"')
return -1
# Create space to stash all the data we generate
groups = []
policies = []
nodes = []
# Handle data from IAM
iam_id_counter = 0
template_resources = data['Resources']
# TODO: Handle policies to start
# TODO: Handle groups
for logical_id, contents in template_resources.items():
# Get data on IAM Users and Roles
if contents['Type'] == 'AWS::IAM::User':
properties = contents['Properties']
node_path = '/' if 'Path' not in properties else properties['Path']
node_arn = 'arn:aws:iam::{}:user{}'.format(
metadata['account_id'],
'{}{}'.format(node_path, properties['UserName'])
)
print('[+] Adding user {}'.format(node_arn))
nodes.append(
Node(
node_arn,
_generate_iam_id('user', iam_id_counter),
[], # TODO: add policy handling
[], # TODO: add group handling
None,
None,
0, # TODO: fix access keys stuff
False, # TODO: fix password handling
False, # TODO: implement admin checks
None, # TODO: handle permission boundaries
False, # TODO: handle MFA stuff in CF template reading
{} # TODO: add tag handling
)
)
iam_id_counter += 1
elif contents['Type'] == 'AWS::IAM::Role':
properties = contents['Properties']
# TODO: finish out roles
# TODO: update access keys for users
# Sort out administrative principals
gathering.update_admin_status(nodes)
# Create Edges
edges = iam_edges.generate_edges_locally(nodes) + sts_edges.generate_edges_locally(nodes)
# Create our graph and finish
graph = Graph(nodes, edges, policies, groups, metadata)
graph_actions.print_graph_data(graph)
if __name__ == '__main__':
main()