From 51b29a4f756835fd67db2d766971b38c22d39ec4 Mon Sep 17 00:00:00 2001 From: Ulises Rangel Date: Wed, 18 Dec 2024 12:48:23 -0600 Subject: [PATCH] chore: integration testing portability enhancement and schema cleanup (#1024) * chore: introduce harness initializer that uses the GraphTestHarness interface for harness setup * chore: fix typo and some cleanup * NewADContainer * add logic to add tierzero property for test ADUsers * add nil check * add tenantID property when creating new azure tenant * chore: remove unimplemented edges from schema for better testing alignment --------- Co-authored-by: Brandon Shearin --- cmd/api/src/analysis/azure/queries_test.go | 1 + cmd/api/src/queries/graph_integration_test.go | 4 + cmd/api/src/test/integration/graph.go | 45 +- packages/cue/bh/ad/ad.cue | 458 +++++++++--------- packages/go/analysis/ad/post.go | 2 - packages/go/graphschema/ad/ad.go | 6 +- .../bh-shared-ui/src/graphSchema.ts | 8 - 7 files changed, 263 insertions(+), 261 deletions(-)
diff --git a/cmd/api/src/analysis/azure/queries_test.go b/cmd/api/src/analysis/azure/queries_test.go
index 234f077c39..10f57150a5 100644
--- a/cmd/api/src/analysis/azure/queries_test.go
+++ b/cmd/api/src/analysis/azure/queries_test.go
@@ -33,6 +33,7 @@ import (
 func TestAnalysisAzure_GraphStats(t *testing.T) {
 testCtx := integration.NewGraphTestContext(t, schema.DefaultGraphSchema())
+ testCtx.SetupAzure()
 testCtx.DatabaseTest(func(harness integration.HarnessDetails, db graph.Database) {
 _, agg, err := azure2.GraphStats(context.TODO(), testCtx.Graph.Database)
diff --git a/cmd/api/src/queries/graph_integration_test.go b/cmd/api/src/queries/graph_integration_test.go
index f169f502d8..84001b834f 100644
--- a/cmd/api/src/queries/graph_integration_test.go
+++ b/cmd/api/src/queries/graph_integration_test.go
@@ -165,6 +165,7 @@ func TestGetEntityResults(t *testing.T) {
 queryCache, err := cache.NewCache(cache.Config{MaxSize: 1})
 require.Nil(t, err)
+ testContext.SetupActiveDirectory()
 testContext.DatabaseTest(func(harness integration.HarnessDetails, db graph.Database) {
 objectID, err := harness.InboundControl.ControlledUser.Properties.Get(common.ObjectID.String()).String()
 require.Nil(t, err)
@@ -197,6 +198,7 @@ func TestGetEntityResults_QueryShorterThanSlowQueryThreshold(t *testing.T) {
 queryCache, err := cache.NewCache(cache.Config{MaxSize: 1})
 require.Nil(t, err)
+ testContext.SetupActiveDirectory()
 testContext.DatabaseTest(func(harness integration.HarnessDetails, db graph.Database) {
 objectID, err := harness.InboundControl.ControlledUser.Properties.Get(common.ObjectID.String()).String()
 require.Nil(t, err)
@@ -230,6 +232,7 @@ func TestGetEntityResults_Cache(t *testing.T) {
 queryCache, err := cache.NewCache(cache.Config{MaxSize: 2})
 require.Nil(t, err)
+ testContext.SetupActiveDirectory()
 testContext.DatabaseTest(func(harness integration.HarnessDetails, db graph.Database) {
 objectID, err := harness.InboundControl.ControlledUser.Properties.Get(common.ObjectID.String()).String()
 require.Nil(t, err)
@@ -270,6 +273,7 @@ func TestGetEntityResults_Cache(t *testing.T) {
 func TestGetAssetGroupComboNode(t *testing.T) {
 testContext := integration.NewGraphTestContext(t, schema.DefaultGraphSchema())
+ testContext.SetupActiveDirectory()
 testContext.DatabaseTest(func(harness integration.HarnessDetails, db graph.Database) {
 graphQuery := queries.NewGraphQuery(db, cache.Cache{}, config.Configuration{})
 comboNode, err := graphQuery.GetAssetGroupComboNode(context.Background(), "", ad.AdminTierZero)
diff --git a/cmd/api/src/test/integration/graph.go b/cmd/api/src/test/integration/graph.go
index 0e4419e33b..9a788597b8 100644
--- a/cmd/api/src/test/integration/graph.go
+++ b/cmd/api/src/test/integration/graph.go
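Review bot: Each of the four tests touched here now has to seed the AD harness itself with `testContext.SetupActiveDirectory()` because `DatabaseTest` no longer performs any setup; any other test in this file that still calls `testContext.DatabaseTest` without a preceding `SetupActiveDirectory()` or `SetupAzure()` would run its delegate against an empty graph and either fail on a nil harness node or pass vacuously. The rest of the file is therefore worth checking for `DatabaseTest` callers that are not in this diff. The enclosing test functions start outside these hunks.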
@@ -82,10 +82,14 @@ func (s *GraphTestContext) UpdateNode(node *graph.Node) {
 })
 }
-func (s *GraphTestContext) DatabaseTest(dbDelegate func(harness HarnessDetails, db graph.Database)) {
- s.setupActiveDirectory()
- s.setupAzure()
+func (s *GraphTestContext) InitializeHarness(harness GraphTestHarness) {
+ s.Graph.WriteTransaction(s.testCtx, func(tx graph.Transaction) error {
+ harness.Setup(s)
+ return nil
+ })
+}
+func (s *GraphTestContext) DatabaseTest(dbDelegate func(harness HarnessDetails, db graph.Database)) {
 dbDelegate(s.Harness, s.Graph.Database)
 }
@@ -109,8 +113,7 @@ func (s *GraphTestContext) DatabaseTestWithSetup(setup func(harness *HarnessDeta
 }
 func (s *GraphTestContext) BatchTest(batchDelegate func(harness HarnessDetails, batch graph.Batch), assertionDelegate func(details HarnessDetails, tx graph.Transaction)) {
- s.setupActiveDirectory()
- s.setupAzure()
+ s.SetupAzureAndActiveDirectory()
 s.Graph.BatchOperation(s.testCtx, func(batch graph.Batch) error {
 batchDelegate(s.Harness, batch)
@@ -124,8 +127,7 @@ func (s *GraphTestContext) BatchTest(batchDelegate func(harness HarnessDetails,
 }
 func (s *GraphTestContext) TransactionalTest(txDelegate func(harness HarnessDetails, tx graph.Transaction)) {
- s.setupActiveDirectory()
- s.setupAzure()
+ s.SetupAzureAndActiveDirectory()
 s.Graph.WriteTransaction(s.testCtx, func(tx graph.Transaction) error {
 txDelegate(s.Harness, tx)
@@ -319,6 +321,7 @@ func (s *GraphTestContext) NewAzureTenant(tenantID string) *graph.Node {
 return s.NewNode(graph.AsProperties(graph.PropertyMap{
 common.Name: "New Tenant",
 common.ObjectID: tenantID,
+ azure.TenantID: tenantID,
 azure.License: "license",
 }), azure.Entity, azure.Tenant)
 }
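Review bot: `InitializeHarness` discards whatever `s.Graph.WriteTransaction` returns, so if a harness `Setup` fails inside the transaction the graph is left partially seeded and the failure only surfaces later as an unrelated assertion in the test delegate; if `WriteTransaction` reports an error (its `func(tx graph.Transaction) error` callback suggests it does), capture it with `if err := s.Graph.WriteTransaction(s.testCtx, func(tx graph.Transaction) error { harness.Setup(s); return nil }); err != nil {` and fail the test through whatever `*testing.T` the context holds. `DatabaseTest` now runs `dbDelegate` with no harness setup at all, unlike `BatchTest` and `TransactionalTest` in the next hunks which call `s.SetupAzureAndActiveDirectory()`, and nothing says so at the call site; a doc comment such as `// DatabaseTest runs dbDelegate against the shared graph database. Unlike BatchTest and TransactionalTest it performs no harness setup; callers must call SetupActiveDirectory, SetupAzure or InitializeHarness first.` would stop the next test author from relying on the old implicit seeding. The newly exported `InitializeHarness` also needs a doc comment, e.g. `// InitializeHarness runs harness.Setup inside a single write transaction against the test graph.`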
@@ -345,12 +348,27 @@ func (s *GraphTestContext) NewActiveDirectoryComputer(name, domainSID string) *g
 }), ad.Entity, ad.Computer)
 }
-func (s *GraphTestContext) NewActiveDirectoryUser(name, domainSID string, isTierZero ...bool) *graph.Node {
+func (s *GraphTestContext) NewActiveDirectoryContainer(name, domainSID string) *graph.Node {
 return s.NewNode(graph.AsProperties(graph.PropertyMap{
+ common.Name: name,
+ common.ObjectID: must.NewUUIDv4().String(),
+ ad.DomainSID: domainSID,
+ }), ad.Entity, ad.Container)
+}
+
+func (s *GraphTestContext) NewActiveDirectoryUser(name, domainSID string, isTierZero ...bool) *graph.Node {
+
+ propertyMap := graph.PropertyMap{
 common.Name: name,
 common.ObjectID: strings.ToUpper(must.NewUUIDv4().String()),
 ad.DomainSID: domainSID,
- }), ad.Entity, ad.User)
+ }
+
+ if isTierZero != nil && isTierZero[0] {
+ propertyMap[common.SystemTags] = ad.AdminTierZero
+ }
+
+ return s.NewNode(graph.AsProperties(propertyMap), ad.Entity, ad.User)
 }
 func (s *GraphTestContext) NewCustomActiveDirectoryUser(properties *graph.Properties) *graph.Node {
@@ -515,7 +533,12 @@ type CertTemplateData struct {
 CertificatePolicy []string
 }
-func (s *GraphTestContext) setupAzure() {
+func (s *GraphTestContext) SetupAzureAndActiveDirectory() {
+ s.SetupAzure()
+ s.SetupActiveDirectory()
+}
+
+func (s *GraphTestContext) SetupAzure() {
 s.Harness.AZBaseHarness.Setup(s)
 s.Harness.AZGroupMembership.Setup(s)
 s.Harness.AZEntityPanelHarness.Setup(s)
@@ -530,7 +553,7 @@ func (s *GraphTestContext) setupAzure() {
 s.Harness.AZManagementGroup.Setup(s)
 }
-func (s *GraphTestContext) setupActiveDirectory() {
+func (s *GraphTestContext) SetupActiveDirectory() {
 // startServer a host of Tier Zero tagged assets
 s.Harness.RootADHarness.Setup(s)
diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
index 4367d76551..248cac332a 100644
--- a/packages/cue/bh/ad/ad.cue
+++ b/packages/cue/bh/ad/ad.cue
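Review bot: The guard `if isTierZero != nil && isTierZero[0] {` in `NewActiveDirectoryUser` tests nil-ness rather than length, so a caller that forwards an empty but non-nil slice (`NewActiveDirectoryUser(name, sid, flags...)` with `len(flags) == 0`) still reaches `isTierZero[0]` and panics; `if len(isTierZero) > 0 && isTierZero[0] {` covers both cases and is the idiomatic form for a variadic flag. Only the first element is consulted, which deserves a doc comment, e.g. `// NewActiveDirectoryUser creates a test AD user; passing true as the optional isTierZero flag stores ad.AdminTierZero in common.SystemTags.` The new `NewActiveDirectoryContainer` stores `must.NewUUIDv4().String()` unchanged as the object ID while the user constructor upper-cases it with `strings.ToUpper`; if anything downstream compares object IDs case-sensitively the two fixtures would behave differently, so the difference is worth aligning or stating in a comment (the computer constructor above this hunk is not visible here). The stray blank line after the `NewActiveDirectoryUser` signature is gofmt-clean but adds nothing and could go.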
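Review bot: `SetupAzureAndActiveDirectory` seeds Azure before Active Directory, whereas the calls it replaces in `BatchTest` and `TransactionalTest` (earlier hunks of this file) ran `setupActiveDirectory()` first and `setupAzure()` second; if any harness `Setup` depends on nodes created by the other family — the `SyncedToEntraUser` kind in the AD schema hints that cross-directory fixtures may exist — the swap could change what those tests see, so either restore the old order (`s.SetupActiveDirectory()` then `s.SetupAzure()`) or add a comment stating that the two setups are independent. Both methods, and `SetupActiveDirectory` in the next hunk, are now exported without doc comments, e.g. `// SetupAzure seeds every Azure test harness into the graph.` In that next hunk the surviving comment `// startServer a host of Tier Zero tagged assets` looks like the residue of an earlier rename and would read better as `// set up a host of Tier Zero tagged assets`.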
@@ -29,113 +29,113 @@ EdgeCompositionRelationships: [...types.#Kind] // Property name enumerations CertChain: types.#StringEnum & { - symbol: "CertChain" - schema: "ad" + symbol: "CertChain" + schema: "ad" name: "Certificate Chain" representation: "certchain" } CertName: types.#StringEnum & { - symbol: "CertName" - schema: "ad" + symbol: "CertName" + schema: "ad" name: "Certificate Name" representation: "certname" } CertThumbprint: types.#StringEnum & { - symbol: "CertThumbprint" - schema: "ad" + symbol: "CertThumbprint" + schema: "ad" name: "Certificate Thumbprint" representation: "certthumbprint" } CertThumbprints: types.#StringEnum & { - symbol: "CertThumbprints" - schema: "ad" + symbol: "CertThumbprints" + schema: "ad" name: "Certificate Thumbprints" representation: "certthumbprints" } CAName: types.#StringEnum & { - symbol: "CAName" - schema: "ad" + symbol: "CAName" + schema: "ad" name: "CA Name" representation: "caname" } CASecurityCollected: types.#StringEnum & { - symbol: "CASecurityCollected" - schema: "ad" + symbol: "CASecurityCollected" + schema: "ad" name: "CA Security Collected" representation: "casecuritycollected" } HasEnrollmentAgentRestrictions: types.#StringEnum & { - symbol: "HasEnrollmentAgentRestrictions" - schema: "ad" + symbol: "HasEnrollmentAgentRestrictions" + schema: "ad" name: "Has Enrollment Agent Restrictions" representation: "hasenrollmentagentrestrictions" } EnrollmentAgentRestrictionsCollected: types.#StringEnum & { - symbol: "EnrollmentAgentRestrictionsCollected" - schema: "ad" + symbol: "EnrollmentAgentRestrictionsCollected" + schema: "ad" name: "Enrollment Agent Restrictions Collected" representation: "enrollmentagentrestrictionscollected" } IsUserSpecifiesSanEnabled: types.#StringEnum & { - symbol: "IsUserSpecifiesSanEnabled" - schema: "ad" + symbol: "IsUserSpecifiesSanEnabled" + schema: "ad" name: "Is User Specifies San Enabled" representation: "isuserspecifiessanenabled" } IsUserSpecifiesSanEnabledCollected: types.#StringEnum & 
{ - symbol: "IsUserSpecifiesSanEnabledCollected" - schema: "ad" + symbol: "IsUserSpecifiesSanEnabledCollected" + schema: "ad" name: "Is User Specifies San Enabled Collected" representation: "isuserspecifiessanenabledcollected" } RoleSeparationEnabled: types.#StringEnum & { - symbol: "RoleSeparationEnabled" - schema: "ad" + symbol: "RoleSeparationEnabled" + schema: "ad" name: "Role Separation Enabled" representation: "roleseparationenabled" } RoleSeparationEnabledCollected: types.#StringEnum & { - symbol: "RoleSeparationEnabledCollected" - schema: "ad" + symbol: "RoleSeparationEnabledCollected" + schema: "ad" name: "Role Separation Enabled Collected" representation: "roleseparationenabledcollected" } HasBasicConstraints: types.#StringEnum & { - symbol: "HasBasicConstraints" - schema: "ad" + symbol: "HasBasicConstraints" + schema: "ad" name: "Has Basic Constraints" representation: "hasbasicconstraints" } BasicConstraintPathLength: types.#StringEnum & { - symbol: "BasicConstraintPathLength" - schema: "ad" + symbol: "BasicConstraintPathLength" + schema: "ad" name: "Basic Constraint Path Length" representation: "basicconstraintpathlength" } UnresolvedPublishedTemplates: types.#StringEnum & { - symbol: "UnresolvedPublishedTemplates" - schema: "ad" + symbol: "UnresolvedPublishedTemplates" + schema: "ad" name: "Unresolved Published Certificate Templates" representation: "unresolvedpublishedtemplates" } DNSHostname: types.#StringEnum & { - symbol: "DNSHostname" - schema: "ad" + symbol: "DNSHostname" + schema: "ad" name: "DNS Hostname" representation: "dnshostname" } @@ -239,9 +239,9 @@ HasSPN: types.#StringEnum & { } HasLAPS: types.#StringEnum & { - symbol: "HasLAPS" - schema: "ad" - name: "LAPS Enabled" + symbol: "HasLAPS" + schema: "ad" + name: "LAPS Enabled" representation: "haslaps" } 
@@ -281,72 +281,72 @@ AdminCount: types.#StringEnum & { } DontRequirePreAuth: types.#StringEnum & { - symbol: "DontRequirePreAuth" - schema: "ad" - name: "Do Not Require Pre-Authentication" + symbol: "DontRequirePreAuth" + schema: "ad" + name: "Do Not Require Pre-Authentication" representation: "dontreqpreauth" } HasURA: types.#StringEnum & { - symbol: "HasURA" - schema: "ad" - name: "Has User Rights Assignment Collection" + symbol: "HasURA" + schema: "ad" + name: "Has User Rights Assignment Collection" representation: "hasura" } PasswordNeverExpires: types.#StringEnum & { - symbol: "PasswordNeverExpires" - schema: "ad" - name: "Password Never Expires" + symbol: "PasswordNeverExpires" + schema: "ad" + name: "Password Never Expires" representation: "pwdneverexpires" } PasswordNotRequired: types.#StringEnum & { - symbol: "PasswordNotRequired" - schema: "ad" - name: "Password Not Required" + symbol: "PasswordNotRequired" + schema: "ad" + name: "Password Not Required" representation: "passwordnotreqd" } FunctionalLevel: types.#StringEnum & { - symbol: "FunctionalLevel" - schema: "ad" - name: "Functional Level" + symbol: "FunctionalLevel" + schema: "ad" + name: "Functional Level" representation: "functionallevel" } TrustType: types.#StringEnum & { - symbol: "TrustType" - schema: "ad" - name: "Trust Type" + symbol: "TrustType" + schema: "ad" + name: "Trust Type" representation: "trusttype" } SidFiltering: types.#StringEnum & { - symbol: "SidFiltering" - schema: "ad" - name: "SID Filtering Enabled" + symbol: "SidFiltering" + schema: "ad" + name: "SID Filtering Enabled" representation: "sidfiltering" } TrustedToAuth: types.#StringEnum & { - symbol: "TrustedToAuth" - schema: "ad" - name: "Trusted For Constrained Delegation" + symbol: "TrustedToAuth" + schema: "ad" + name: "Trusted For Constrained Delegation" representation: "trustedtoauth" } SamAccountName: types.#StringEnum & { - symbol: "SamAccountName" - schema: "ad" - name: "SAM Account Name" + symbol: "SamAccountName" 
+ schema: "ad" + name: "SAM Account Name" representation: "samaccountname" } HomeDirectory: types.#StringEnum & { - symbol: "HomeDirectory" - schema: "ad" - name: "Home Directory" + symbol: "HomeDirectory" + schema: "ad" + name: "Home Directory" representation: "homedirectory" } 
@@ -379,359 +379,359 @@ StrongCertificateBindingEnforcement: types.#StringEnum & { } CrossCertificatePair: types.#StringEnum & { - symbol: "CrossCertificatePair" - schema: "ad" - name: "Cross Certificate Pair" + symbol: "CrossCertificatePair" + schema: "ad" + name: "Cross Certificate Pair" representation: "crosscertificatepair" } EKUs: types.#StringEnum & { - symbol: "EKUs" - schema: "ad" - name: "Enhanced Key Usage" + symbol: "EKUs" + schema: "ad" + name: "Enhanced Key Usage" representation: "ekus" } SubjectAltRequireUPN: types.#StringEnum & { - symbol: "SubjectAltRequireUPN" - schema: "ad" - name: "Subject Alternative Name Require UPN" + symbol: "SubjectAltRequireUPN" + schema: "ad" + name: "Subject Alternative Name Require UPN" representation: "subjectaltrequireupn" } SubjectAltRequireDNS: types.#StringEnum & { - symbol: "SubjectAltRequireDNS" - schema: "ad" - name: "Subject Alternative Name Require DNS" + symbol: "SubjectAltRequireDNS" + schema: "ad" + name: "Subject Alternative Name Require DNS" representation: "subjectaltrequiredns" } SubjectAltRequireDomainDNS: types.#StringEnum & { - symbol: "SubjectAltRequireDomainDNS" - schema: "ad" - name: "Subject Alternative Name Require Domain DNS" + symbol: "SubjectAltRequireDomainDNS" + schema: "ad" + name: "Subject Alternative Name Require Domain DNS" representation: "subjectaltrequiredomaindns" } SubjectAltRequireEmail: types.#StringEnum & { - symbol: "SubjectAltRequireEmail" - schema: "ad" - name: "Subject Alternative Name Require Email" + symbol: "SubjectAltRequireEmail" + schema: "ad" + name: "Subject Alternative Name Require Email" representation: "subjectaltrequireemail" } SubjectAltRequireSPN: types.#StringEnum & { - symbol: "SubjectAltRequireSPN" - schema: "ad" - name: "Subject Alternative Name Require SPN" + symbol: "SubjectAltRequireSPN" + schema: "ad" + name: "Subject Alternative Name Require SPN" representation: "subjectaltrequirespn" } SubjectRequireEmail: types.#StringEnum & { - symbol: 
"SubjectRequireEmail" - schema: "ad" - name: "Subject Require Email" + symbol: "SubjectRequireEmail" + schema: "ad" + name: "Subject Require Email" representation: "subjectrequireemail" } AuthorizedSignatures: types.#StringEnum & { - symbol: "AuthorizedSignatures" - schema: "ad" - name: "Authorized Signatures Required" + symbol: "AuthorizedSignatures" + schema: "ad" + name: "Authorized Signatures Required" representation: "authorizedsignatures" } ApplicationPolicies: types.#StringEnum & { - symbol: "ApplicationPolicies" - schema: "ad" - name: "Application Policies Required" + symbol: "ApplicationPolicies" + schema: "ad" + name: "Application Policies Required" representation: "applicationpolicies" } IssuancePolicies: types.#StringEnum & { - symbol: "IssuancePolicies" - schema: "ad" - name: "Issuance Policies Required" + symbol: "IssuancePolicies" + schema: "ad" + name: "Issuance Policies Required" representation: "issuancepolicies" } SchemaVersion: types.#StringEnum & { - symbol: "SchemaVersion" - schema: "ad" - name: "Schema Version" + symbol: "SchemaVersion" + schema: "ad" + name: "Schema Version" representation: "schemaversion" } RequiresManagerApproval: types.#StringEnum & { - symbol: "RequiresManagerApproval" - schema: "ad" - name: "Requires Manager Approval" + symbol: "RequiresManagerApproval" + schema: "ad" + name: "Requires Manager Approval" representation: "requiresmanagerapproval" } AuthenticationEnabled: types.#StringEnum & { - symbol: "AuthenticationEnabled" - schema: "ad" - name: "Authentication Enabled" + symbol: "AuthenticationEnabled" + schema: "ad" + name: "Authentication Enabled" representation: "authenticationenabled" } SchannelAuthenticationEnabled: types.#StringEnum & { - symbol: "SchannelAuthenticationEnabled" - schema: "ad" - name: "Schannel Authentication Enabled" + symbol: "SchannelAuthenticationEnabled" + schema: "ad" + name: "Schannel Authentication Enabled" representation: "schannelauthenticationenabled" } EnrolleeSuppliesSubject: 
types.#StringEnum & { - symbol: "EnrolleeSuppliesSubject" - schema: "ad" - name: "Enrollee Supplies Subject" + symbol: "EnrolleeSuppliesSubject" + schema: "ad" + name: "Enrollee Supplies Subject" representation: "enrolleesuppliessubject" } CertificateApplicationPolicy: types.#StringEnum & { - symbol: "CertificateApplicationPolicy" - schema: "ad" - name: "Application Policy Extensions" + symbol: "CertificateApplicationPolicy" + schema: "ad" + name: "Application Policy Extensions" representation: "certificateapplicationpolicy" } CertificateNameFlag: types.#StringEnum & { - symbol: "CertificateNameFlag" - schema: "ad" - name: "Certificate Name Flags" + symbol: "CertificateNameFlag" + schema: "ad" + name: "Certificate Name Flags" representation: "certificatenameflag" } EffectiveEKUs: types.#StringEnum & { - symbol: "EffectiveEKUs" - schema: "ad" - name: "Effective EKUs" + symbol: "EffectiveEKUs" + schema: "ad" + name: "Effective EKUs" representation: "effectiveekus" } EnrollmentFlag: types.#StringEnum & { - symbol: "EnrollmentFlag" - schema: "ad" - name: "Enrollment Flags" + symbol: "EnrollmentFlag" + schema: "ad" + name: "Enrollment Flags" representation: "enrollmentflag" } Flags: types.#StringEnum & { - symbol: "Flags" - schema: "ad" - name: "Flags" + symbol: "Flags" + schema: "ad" + name: "Flags" representation: "flags" } NoSecurityExtension: types.#StringEnum & { - symbol: "NoSecurityExtension" - schema: "ad" - name: "No Security Extension" + symbol: "NoSecurityExtension" + schema: "ad" + name: "No Security Extension" representation: "nosecurityextension" } RenewalPeriod: types.#StringEnum & { - symbol: "RenewalPeriod" - schema: "ad" - name: "Renewal Period" + symbol: "RenewalPeriod" + schema: "ad" + name: "Renewal Period" representation: "renewalperiod" } ValidityPeriod: types.#StringEnum & { - symbol: "ValidityPeriod" - schema: "ad" - name: "Validity Period" + symbol: "ValidityPeriod" + schema: "ad" + name: "Validity Period" representation: "validityperiod" } 
OID: types.#StringEnum & { - symbol: "OID" - schema: "ad" - name: "OID" + symbol: "OID" + schema: "ad" + name: "OID" representation: "oid" } CertificatePolicy: types.#StringEnum & { - symbol: "CertificatePolicy" - schema: "ad" - name: "Issuance Policy Extensions" + symbol: "CertificatePolicy" + schema: "ad" + name: "Issuance Policy Extensions" representation: "certificatepolicy" } CertTemplateOID: types.#StringEnum & { - symbol: "CertTemplateOID" - schema: "ad" - name: "Certificate Template OID" + symbol: "CertTemplateOID" + schema: "ad" + name: "Certificate Template OID" representation: "certtemplateoid" } GroupLinkID: types.#StringEnum & { - symbol: "GroupLinkID" - schema: "ad" - name: "Group Link ID" + symbol: "GroupLinkID" + schema: "ad" + name: "Group Link ID" representation: "grouplinkid" } ObjectGUID: types.#StringEnum & { - symbol: "ObjectGUID" - schema: "ad" - name: "Object GUID" + symbol: "ObjectGUID" + schema: "ad" + name: "Object GUID" representation: "objectguid" } ExpirePasswordsOnSmartCardOnlyAccounts: types.#StringEnum & { - symbol: "ExpirePasswordsOnSmartCardOnlyAccounts" - schema: "ad" - name: "Expire Passwords on Smart Card only Accounts" + symbol: "ExpirePasswordsOnSmartCardOnlyAccounts" + schema: "ad" + name: "Expire Passwords on Smart Card only Accounts" representation: "expirepasswordsonsmartcardonlyaccounts" } MachineAccountQuota: types.#StringEnum & { - symbol: "MachineAccountQuota" - schema: "ad" - name: "Machine Account Quota" + symbol: "MachineAccountQuota" + schema: "ad" + name: "Machine Account Quota" representation: "machineaccountquota" } SupportedKerberosEncryptionTypes: types.#StringEnum & { - symbol: "SupportedKerberosEncryptionTypes" - schema: "ad" - name: "Supported Kerberos Encryption Types" + symbol: "SupportedKerberosEncryptionTypes" + schema: "ad" + name: "Supported Kerberos Encryption Types" representation: "supportedencryptiontypes" } TGTDelegationEnabled: types.#StringEnum & { - symbol: "TGTDelegationEnabled" - schema: 
"ad" - name: "TGT Delegation Enabled" + symbol: "TGTDelegationEnabled" + schema: "ad" + name: "TGT Delegation Enabled" representation: "tgtdelegationenabled" } PasswordStoredUsingReversibleEncryption: types.#StringEnum & { - symbol: "PasswordStoredUsingReversibleEncryption" - schema: "ad" - name: "Password Stored Using Reversible Encryption" + symbol: "PasswordStoredUsingReversibleEncryption" + schema: "ad" + name: "Password Stored Using Reversible Encryption" representation: "encryptedtextpwdallowed" } SmartcardRequired: types.#StringEnum & { - symbol: "SmartcardRequired" - schema: "ad" - name: "Smartcard Required" + symbol: "SmartcardRequired" + schema: "ad" + name: "Smartcard Required" representation: "smartcardrequired" } UseDESKeyOnly: types.#StringEnum & { - symbol: "UseDESKeyOnly" - schema: "ad" - name: "Use DES Key Only" + symbol: "UseDESKeyOnly" + schema: "ad" + name: "Use DES Key Only" representation: "usedeskeyonly" } LogonScriptEnabled: types.#StringEnum & { - symbol: "LogonScriptEnabled" - schema: "ad" - name: "Logon Script Enabled" + symbol: "LogonScriptEnabled" + schema: "ad" + name: "Logon Script Enabled" representation: "logonscriptenabled" } LockedOut: types.#StringEnum & { - symbol: "LockedOut" - schema: "ad" - name: "Locked Out" + symbol: "LockedOut" + schema: "ad" + name: "Locked Out" representation: "lockedout" } UserCannotChangePassword: types.#StringEnum & { - symbol: "UserCannotChangePassword" - schema: "ad" - name: "User Cannot Change Password" + symbol: "UserCannotChangePassword" + schema: "ad" + name: "User Cannot Change Password" representation: "passwordcantchange" } PasswordExpired: types.#StringEnum & { - symbol: "PasswordExpired" - schema: "ad" - name: "Password Expired" + symbol: "PasswordExpired" + schema: "ad" + name: "Password Expired" representation: "passwordexpired" } DSHeuristics: types.#StringEnum & { - symbol: "DSHeuristics" - schema: "ad" - name: "DSHeuristics" + symbol: "DSHeuristics" + schema: "ad" + name: 
"DSHeuristics" representation: "dsheuristics" } UserAccountControl: types.#StringEnum & { - symbol: "UserAccountControl" - schema: "ad" - name: "User Account Control" + symbol: "UserAccountControl" + schema: "ad" + name: "User Account Control" representation: "useraccountcontrol" } TrustAttributes: types.#StringEnum & { - symbol: "TrustAttributes" - schema: "ad" - name: "Trust Attributes" + symbol: "TrustAttributes" + schema: "ad" + name: "Trust Attributes" representation: "trustattributes" } LockoutDuration: types.#StringEnum & { - symbol: "LockoutDuration" - schema: "ad" - name: "Lockout Duration" + symbol: "LockoutDuration" + schema: "ad" + name: "Lockout Duration" representation: "lockoutduration" } LockoutObservationWindow: types.#StringEnum & { - symbol: "LockoutObservationWindow" - schema: "ad" - name: "Lockout Observation Window" + symbol: "LockoutObservationWindow" + schema: "ad" + name: "Lockout Observation Window" representation: "lockoutobservationwindow" } MaxPwdAge: types.#StringEnum & { - symbol: "MaxPwdAge" - schema: "ad" - name: "Maximum Password Age" + symbol: "MaxPwdAge" + schema: "ad" + name: "Maximum Password Age" representation: "maxpwdage" } MinPwdAge: types.#StringEnum & { - symbol: "MinPwdAge" - schema: "ad" - name: "Minimum Password Age" + symbol: "MinPwdAge" + schema: "ad" + name: "Minimum Password Age" representation: "minpwdage" } LockoutThreshold: types.#StringEnum & { - symbol: "LockoutThreshold" - schema: "ad" - name: "Lockout Threshold" + symbol: "LockoutThreshold" + schema: "ad" + name: "Lockout Threshold" representation: "lockoutthreshold" } PwdHistoryLength: types.#StringEnum & { - symbol: "PwdHistoryLength" - schema: "ad" - name: "Password History Length" + symbol: "PwdHistoryLength" + schema: "ad" + name: "Password History Length" representation: "pwdhistorylength" } PwdProperties: types.#StringEnum & { - symbol: "PwdProperties" - schema: "ad" - name: "Password Properties" + symbol: "PwdProperties" + schema: "ad" + name: 
"Password Properties" representation: "pwdproperties" } MinPwdLength: types.#StringEnum & { - symbol: "MinPwdLength" - schema: "ad" - name: "Minimum password length" + symbol: "MinPwdLength" + schema: "ad" + name: "Minimum password length" representation: "minpwdlength" } @@ -836,7 +836,7 @@ Properties: [ MinPwdAge, MaxPwdAge, LockoutDuration, - LockoutObservationWindow + LockoutObservationWindow, ] // Kinds @@ -939,7 +939,7 @@ NodeKinds: [ EnterpriseCA, NTAuthStore, CertTemplate, - IssuancePolicy + IssuancePolicy, ] Owns: types.#Kind & { @@ -1248,11 +1248,6 @@ ADCSESC4: types.#Kind & { schema: "active_directory" } -ADCSESC5: types.#Kind & { - symbol: "ADCSESC5" - schema: "active_directory" -} - ADCSESC6a: types.#Kind & { symbol: "ADCSESC6a" schema: "active_directory" @@ -1263,11 +1258,6 @@ ADCSESC6b: types.#Kind & { schema: "active_directory" } -ADCSESC7: types.#Kind & { - symbol: "ADCSESC7" - schema: "active_directory" -} - ADCSESC9a: types.#Kind & { symbol: "ADCSESC9a" schema: "active_directory" @@ -1360,10 +1350,8 @@ RelationshipKinds: [ ADCSESC1, ADCSESC3, ADCSESC4, - ADCSESC5, ADCSESC6a, ADCSESC6b, - ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, @@ -1399,7 +1387,7 @@ ACLRelationships: [ ManageCA, Enroll, WritePKIEnrollmentFlag, - WritePKINameFlag + WritePKINameFlag, ] // Edges that are used in pathfinding @@ -1441,10 +1429,8 @@ PathfindingRelationships: [ ADCSESC1, ADCSESC3, ADCSESC4, - ADCSESC5, ADCSESC6a, ADCSESC6b, - ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, @@ -1465,5 +1451,5 @@ EdgeCompositionRelationships: [ ADCSESC9b, ADCSESC10a, ADCSESC10b, - ADCSESC13 + ADCSESC13, ] diff --git a/packages/go/analysis/ad/post.go b/packages/go/analysis/ad/post.go index 06e15820f0..23d4e50c72 100644 --- a/packages/go/analysis/ad/post.go +++ b/packages/go/analysis/ad/post.go 
@@ -49,10 +49,8 @@ func PostProcessedRelationships() []graph.Kind {
 ad.ADCSESC1,
 ad.ADCSESC3,
 ad.ADCSESC4,
- ad.ADCSESC5,
 ad.ADCSESC6a,
 ad.ADCSESC6b,
- ad.ADCSESC7,
 ad.ADCSESC10a,
 ad.ADCSESC10b,
 ad.ADCSESC9a,
diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go
index 5dad6bea8d..4acf12c18e 100644
--- a/packages/go/graphschema/ad/ad.go
+++ b/packages/go/graphschema/ad/ad.go
@@ -102,10 +102,8 @@ var (
 ADCSESC1 = graph.StringKind("ADCSESC1")
 ADCSESC3 = graph.StringKind("ADCSESC3")
 ADCSESC4 = graph.StringKind("ADCSESC4")
- ADCSESC5 = graph.StringKind("ADCSESC5")
 ADCSESC6a = graph.StringKind("ADCSESC6a")
 ADCSESC6b = graph.StringKind("ADCSESC6b")
- ADCSESC7 = graph.StringKind("ADCSESC7")
 ADCSESC9a = graph.StringKind("ADCSESC9a")
 ADCSESC9b = graph.StringKind("ADCSESC9b")
 ADCSESC10a = graph.StringKind("ADCSESC10a")
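Review bot: Dropping `ADCSESC5` and `ADCSESC7` from the kind table means any relationship already persisted under those string values by an earlier release would no longer resolve to a schema kind; the commit message calls these edges unimplemented, so that is presumably a no-op for real data, but it is worth confirming that no ingest, migration or saved-query path outside this diff still emits or matches the strings `"ADCSESC5"` / `"ADCSESC7"`. The same removal is made consistently in `PostProcessedRelationships` here, in the `RelationshipKinds` and `PathfindingRelationships` lists of `ad.cue`, and in the `graphSchema.ts` enum, display switch and pathfinding-edge list. If `ad.go` and `graphSchema.ts` are generated from the cue schema (their one-line list style suggests so), the cue file should be the only hand-edited source and the Go and TS hunks regenerated rather than edited by hand, so that the three stay in lockstep on the next change.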
@@ -859,13 +857,13 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate, IssuancePolicy} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonRight, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonRight, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, 
WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser} } func ACLRelationships() []graph.Kind { return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag} } func PathfindingRelationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, DCFor, SyncedToEntraUser} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC6a, ADCSESC6b, ADCSESC9a, ADCSESC9b, 
ADCSESC10a, ADCSESC10b, ADCSESC13, DCFor, SyncedToEntraUser}
 }
 func IsACLKind(s graph.Kind) bool {
 for _, acl := range ACLRelationships() {
diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts
index 9789f621a6..642cef13c0 100644
--- a/packages/javascript/bh-shared-ui/src/graphSchema.ts
+++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts
@@ -131,10 +131,8 @@ export enum ActiveDirectoryRelationshipKind {
 ADCSESC1 = 'ADCSESC1',
 ADCSESC3 = 'ADCSESC3',
 ADCSESC4 = 'ADCSESC4',
- ADCSESC5 = 'ADCSESC5',
 ADCSESC6a = 'ADCSESC6a',
 ADCSESC6b = 'ADCSESC6b',
- ADCSESC7 = 'ADCSESC7',
 ADCSESC9a = 'ADCSESC9a',
 ADCSESC9b = 'ADCSESC9b',
 ADCSESC10a = 'ADCSESC10a',
@@ -264,14 +262,10 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR
 return 'ADCSESC3';
 case ActiveDirectoryRelationshipKind.ADCSESC4:
 return 'ADCSESC4';
- case ActiveDirectoryRelationshipKind.ADCSESC5:
- return 'ADCSESC5';
 case ActiveDirectoryRelationshipKind.ADCSESC6a:
 return 'ADCSESC6a';
 case ActiveDirectoryRelationshipKind.ADCSESC6b:
 return 'ADCSESC6b';
- case ActiveDirectoryRelationshipKind.ADCSESC7:
- return 'ADCSESC7';
 case ActiveDirectoryRelationshipKind.ADCSESC9a:
 return 'ADCSESC9a';
 case ActiveDirectoryRelationshipKind.ADCSESC9b:
@@ -652,10 +646,8 @@ export function ActiveDirectoryPathfindingEdges(): ActiveDirectoryRelationshipKi
 ActiveDirectoryRelationshipKind.ADCSESC1,
 ActiveDirectoryRelationshipKind.ADCSESC3,
 ActiveDirectoryRelationshipKind.ADCSESC4,
- ActiveDirectoryRelationshipKind.ADCSESC5,
 ActiveDirectoryRelationshipKind.ADCSESC6a,
 ActiveDirectoryRelationshipKind.ADCSESC6b,
- ActiveDirectoryRelationshipKind.ADCSESC7,
 ActiveDirectoryRelationshipKind.ADCSESC9a,
 ActiveDirectoryRelationshipKind.ADCSESC9b,
 ActiveDirectoryRelationshipKind.ADCSESC10a,