storage account role assignment merge w/o filter
crimike committed Sep 13, 2022
1 parent 425b0e9 commit 4da9e60
Showing 13 changed files with 17 additions and 361 deletions.
2 changes: 1 addition & 1 deletion cmd/list-automation-account-role-assignments.go
Expand Up @@ -127,7 +127,7 @@ func listAutomationAccountRoleAssignments(ctx context.Context, client client.Azu
go func() {
wg.Wait()
close(out)
log.Info("finished listing all automation account owners")
log.Info("finished listing all automation account role assignments")
}()

return out
Expand Down
4 changes: 2 additions & 2 deletions cmd/list-function-app-role-assignments.go
Expand Up @@ -119,15 +119,15 @@ func listFunctionAppRoleAssignments(ctx context.Context, client client.AzureClie
Data: functionAppRoleAssignments,
},
}
log.V(1).Info("finished listing function app owners", "functionAppId", id, "count", count)
log.V(1).Info("finished listing function app role assignments", "functionAppId", id, "count", count)
}
}()
}

go func() {
wg.Wait()
close(out)
log.Info("finished listing all function app owners")
log.Info("finished listing all function app role assignments")
}()

return out
Expand Down
96 changes: 13 additions & 83 deletions cmd/list-storage-account-role-assignments.go
Expand Up @@ -27,7 +27,6 @@ import (
"time"

"github.com/bloodhoundad/azurehound/client"
"github.com/bloodhoundad/azurehound/constants"
"github.com/bloodhoundad/azurehound/enums"
"github.com/bloodhoundad/azurehound/models"
"github.com/bloodhoundad/azurehound/pipeline"
Expand Down Expand Up @@ -93,20 +92,8 @@ func listStorageAccountRoleAssignments(ctx context.Context, client client.AzureC
defer wg.Done()
for id := range stream {
var (
storageAccountOwners = models.StorageAccountOwners{
StorageAccountId: id.(string),
}
storageAccountContributors = models.StorageAccountContributors{
StorageAccountId: id.(string),
}
storageAccountDataReaders = models.StorageAccountDataReaders{
StorageAccountId: id.(string),
}
storageAccountKeyOperators = models.StorageAccountKeyOperators{
StorageAccountId: id.(string),
}
storageAccountUserAccessAdmins = models.StorageAccountUserAccessAdmins{
StorageAccountId: id.(string),
storageAccountRoleAssignments = models.AzureRoleAssignments{
ObjectId: id.(string),
}
count = 0
)
Expand All @@ -116,88 +103,31 @@ func listStorageAccountRoleAssignments(ctx context.Context, client client.AzureC
} else {
roleDefinitionId := path.Base(item.Ok.Properties.RoleDefinitionId)

if roleDefinitionId == constants.OwnerRoleID {
storageAccountOwner := models.StorageAccountOwner{
Owner: item.Ok,
StorageAccountId: item.ParentId,
}
log.V(2).Info("found storage account owner", "storageAccountOwner", storageAccountOwner)
count++
storageAccountOwners.Owners = append(storageAccountOwners.Owners, storageAccountOwner)
} else if (roleDefinitionId == constants.ContributorRoleID) ||
(roleDefinitionId == constants.StorageAccountContributorRoleID) ||
(roleDefinitionId == constants.StorageBlobDataContributorRoleID) ||
(roleDefinitionId == constants.StorageQueueDataContributorRoleID) ||
(roleDefinitionId == constants.StorageBlobDataOwnerRoleID) {
storageAccountContributor := models.StorageAccountContributor{
Contributor: item.Ok,
StorageAccountId: item.ParentId,
}
log.V(2).Info("found storage account contributor", "storageAccountContributor", storageAccountContributor)
count++
storageAccountContributors.Contributors = append(storageAccountContributors.Contributors, storageAccountContributor)
} else if (roleDefinitionId == constants.ReaderandDataAccessRoleID) ||
(roleDefinitionId == constants.StorageBlobDataReaderRoleID) ||
(roleDefinitionId == constants.StorageQueueDataMessageProcessorRoleID) ||
(roleDefinitionId == constants.StorageQueueDataReaderRoleID) ||
(roleDefinitionId == constants.StorageTableDataReaderRoleID) {
storageAccountDataReader := models.StorageAccountDataReader{
DataReader: item.Ok,
StorageAccountId: item.ParentId,
}
log.V(2).Info("found storage account data-reader", "storageAccountDataReader", storageAccountDataReader)
count++
storageAccountDataReaders.DataReaders = append(storageAccountDataReaders.DataReaders, storageAccountDataReader)
} else if roleDefinitionId == constants.StorageAccountKeyOperatorServiceRoleID {
storageAccountKeyOperator := models.StorageAccountKeyOperator{
KeyOperator: item.Ok,
StorageAccountId: item.ParentId,
}
log.V(2).Info("found storage account data-reader", "storageAccountKeyOperator", storageAccountKeyOperator)
count++
storageAccountKeyOperators.KeyOperators = append(storageAccountKeyOperators.KeyOperators, storageAccountKeyOperator)
} else if roleDefinitionId == constants.UserAccessAdminRoleID {
storageAccountUserAccessAdmin := models.StorageAccountUserAccessAdmin{
UserAccessAdmin: item.Ok,
StorageAccountId: item.ParentId,
}
log.V(2).Info("found storage account user access admin", "storageAccountUserAccessAdmin", storageAccountUserAccessAdmin)
count++
storageAccountUserAccessAdmins.UserAccessAdmins = append(storageAccountUserAccessAdmins.UserAccessAdmins, storageAccountUserAccessAdmin)
storageAccountRoleAssignment := models.AzureRoleAssignment{
Assignee: item.Ok,
ObjectId: item.ParentId,
RoleDefinitionId: roleDefinitionId,
}
log.V(2).Info("found storage account role assignment", "storageAccountRoleAssignment", storageAccountRoleAssignment)
count++
storageAccountRoleAssignments.RoleAssignments = append(storageAccountRoleAssignments.RoleAssignments, storageAccountRoleAssignment)
}
}
out <- []AzureWrapper{
{
Kind: enums.KindAZStorageAccountOwner,
Data: storageAccountOwners,
},
{
Kind: enums.KindAZStorageAccountContributor,
Data: storageAccountContributors,
},
{
Kind: enums.KindAZStorageAccountDataReader,
Data: storageAccountDataReaders,
},
{
Kind: enums.KindAZStorageAccountKeyOperator,
Data: storageAccountKeyOperators,
},
{
Kind: enums.KindAZStorageAccountUserAccessAdmin,
Data: storageAccountUserAccessAdmins,
Kind: enums.KindAZStorageAccountRoleAssignment,
Data: storageAccountRoleAssignments,
},
}
log.V(1).Info("finished listing storage account owners", "storageAccountId", id, "count", count)
log.V(1).Info("finished listing storage account role assignments", "storageAccountId", id, "count", count)
}
}()
}

go func() {
wg.Wait()
close(out)
log.Info("finished listing all storage account owners")
log.Info("finished listing all storage account role assignments")
}()

return out
Expand Down
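Review bot: The new `ObjectId: id.(string)` in the `var (...)` block keeps an unchecked type assertion, so any non-string value arriving on `stream` panics the worker goroutine and takes the whole process down rather than being logged and skipped; since the block is being rewritten anyway, a guarded form such as `objectId, ok := id.(string)` followed by `if !ok { log.Error(nil, "unexpected id type", "id", id); continue }` (logr-style, matching the `log.V(1).Info` calls already used here) would be safer, with `ObjectId: objectId` below it. A second point worth a comment: `roleDefinitionId` is `path.Base(item.Ok.Properties.RoleDefinitionId)`, so the stored `RoleDefinitionId` is only the trailing GUID and the scope portion of the full resource ID is dropped; with the role filter removed this now applies to custom roles too, and consumers can no longer distinguish them by name from the GUID alone — `// RoleDefinitionId keeps only the trailing GUID of the full role definition resource ID` above that line would make this explicit. The enclosing `listStorageAccountRoleAssignments` starts before this hunk and its closing brace lies after it.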
6 changes: 1 addition & 5 deletions enums/kind.go
Expand Up @@ -59,11 +59,7 @@ const (
KindAZVMVMContributor Kind = "AZVMVMContributor"
KindAZAppRoleAssignment Kind = "AZAppRoleAssignment"
KindAZStorageAccount Kind = "AZStorageAccount"
KindAZStorageAccountContributor Kind = "AZSAContributor"
KindAZStorageAccountOwner Kind = "AZSAOwner"
KindAZStorageAccountDataReader Kind = "AZSADataReader"
KindAZStorageAccountKeyOperator Kind = "AZSAKeyOperator"
KindAZStorageAccountUserAccessAdmin Kind = "AZSAUserAccessAdmin"
KindAZStorageAccountRoleAssignment Kind = "AZStorageAccountRoleAssignment"
KindAZStorageContainer Kind = "AZStorageContainer"
KindAZAutomationAccount Kind = "AZAutomationAccount"
KindAZAutomationAccountRoleAssignment Kind = "AZAutomationAccountRoleAssignment"
Expand Down
30 changes: 0 additions & 30 deletions models/storage-account-contributor.go

This file was deleted.

30 changes: 0 additions & 30 deletions models/storage-account-data-reader.go

This file was deleted.

30 changes: 0 additions & 30 deletions models/storage-account-key-operator.go

This file was deleted.

30 changes: 0 additions & 30 deletions models/storage-account-owner.go

This file was deleted.

30 changes: 0 additions & 30 deletions models/storage-account-user-access-admin.go

This file was deleted.

30 changes: 0 additions & 30 deletions models/storage-container-contributor.go

This file was deleted.

30 changes: 0 additions & 30 deletions models/storage-container-data-reader.go

This file was deleted.
