v1.1.0 Release (#74)
* Address #42, version bump

* Major work on resource policies, adding specific internal functions to grab action/resource matches, added tests

* Code removal: unused resource policy evaluation function

* initial implementation of resource policy eval with query_interface

* fixed bug in iam trust doc evaluation, backed up with testing

* progress on grabbing resource policy by ARN

* full implementation of (arg)query with resource policy

* pulling, storing permission boundaries

* permissions boundaries: added support in local evaluation methods, test cases

* permissions boundaries: fix eval error caught by unit test due to allow vs None confusion

* bugfix: arg-ordering in query subcommand from __main__.py

* starting visualization update, service-policy retrieval updates

* full implementation of gathering data with get_account_authorization_details, grabbing permission boundaries and mfa data (modified Nodes, unit tests have to be re-written again), fixed bug in SSM edge identification

* Edge update: handle 'short_reason' field. Visualization update: option to only draw priv-esc risks.

* query updates: added (arg)query arg to output for unauthorized principals, resource-policy queries now correctly handle admin scenarios

* add example visualization

* adding support for gathering and caching s3 bucket policies

* query_result update before incorporating pull request

* "invalid break disallowing multiple group_memberships for nodes in graph" (#60)

* Fixed analysis bug (EC2 role assumption). Added MFA/Tag support to Nodes. Updated tests.

* formatting fix, added clusters preset

* added cycle detection + ssm finding, need to resolve import cycle issue

* tested cycle detection, fixed and tested clusters

* added support for grabbing+caching kms/sqs/sns resource policies

* implemented on-demand resource policy retrieval for sns/sqs/kms/s3 (lib only)

* overhauled logging, removed invocations of dprint, still need to tackle output/debug params

* broadly removed debug/output params, or created "print" alternative functions to existing "write" functions.

* added partial region support for the gathering process, added lack of MFA device finding

* more progress in region-specification support for gathering: edge-gathering classes have allow/deny lists built in

* moved argument generation to cli/frontend modules, still need to move argument handling

* Started the shift from __main__ for CLI-related code

* finished shifting code from __main__ into cli modules

* implemented graphml visualization, reorganized visualization code

* implemented session policy + SCP handling in simulation functions, still need to add tests and interface via (arg)query cli

* added session policy handling to CLI

* set up proper logs for unit tests

* laying groundwork for AWS Organizations work

* first crack at gathering and organizing aws orgs data

* more orgs data compilation, cross-account edges

* moved orgs front-end into separate module

* added sagemaker edges. bugfixes.

* fixed cross account edges

* added handling for SNS/SQS resource policies

* added organizations support to query CLI

* added minimal tests for SCPs, added SCPs support to argquery

* added Dockerfile

* untested attempt at implementing multi-account search

* hotfixed search_authorization_across_accounts, initial tests are good

* added support for PMAPPER_STORAGE env var

* added initial version of the changelog

* fix for #71

* fix for #73, start implementation of infra-as-code example

* remove extra script

* another fix for #73, more infra-as-code example progress

* big shift in edge-gathering code: separated online/offline operations to enable infra-as-code analysis, optimized several passrole-based edge-checks

* calling it good on the examples before v1.1.0

* initial implementation of endgame preset query (#72)

* enabled SCP support for the graphing process

* updated examples and readme

* massive performance improvement by eliminating redundant regex compilation using an LRU cache (functools)

* fix image linking for README

* final quick fixes before 1.1.0
ncc-erik-steringer authored Apr 1, 2021
1 parent 712fa14 commit 25ddb89
Showing 68 changed files with 5,632 additions and 1,625 deletions.
5 changes: 3 additions & 2 deletions .github/ISSUE_TEMPLATE/auth-report.md
@@ -1,7 +1,7 @@
---
name: Authorization Report
about: Report issues where the PMapper simulator does not correctly replicate the authorization behavior of AWS IAM

labels: bug
---

**Brief Description**
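Review bot: the front matter in this hunk keeps a blank line between `about:` and `labels:` that the new quick-q.md template added in this same commit does not have; since this hunk already edits the front matter, drop the blank line here (and in bug-report.md) so all three templates share one layout.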
@@ -11,7 +11,8 @@ A clear and concise description of what the bug is.
The Action, Resource(s), and Condition(s) of the API call being authorized.

**IAM Policies Attached to Principal**
The IAM Policies attached to the principal making the API call being authorized.
The IAM Policies attached to the principal making the API call being authorized. If possible, reduce the involved
policies to the bare minimum statement(s) that still reproduce the issue.

**Expected Behavior**
Whether or not the API call should be authorized.
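Review bot: the new sentence asking reporters to reduce policies to the minimum reproducing statement(s) is good, but the "IAM Policies Attached to Principal" section still only covers identity policies; with this release adding SCP, session policy, permission boundary and resource policy evaluation (per CHANGELOG.md in this commit), a simulator mismatch can come from any of those, so the template should also ask for any permission boundary, SCP, session policy or resource policy in effect for the call.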
2 changes: 1 addition & 1 deletion .github/ISSUE_TEMPLATE/bug-report.md
@@ -1,7 +1,7 @@
---
name: Bug Report
about: Report issues that causes the script to fail to execute

labels: bug
---

**Describe the bug**
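Review bot: the `about:` line reads "Report issues that causes the script to fail to execute" and should be "issues that cause the script to fail to execute"; this hunk already touches the front matter, so fix the agreement error here.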
14 changes: 14 additions & 0 deletions .github/ISSUE_TEMPLATE/quick-q.md
@@ -0,0 +1,14 @@
---
name: Quick Question
about: Ask a question about PMapper or related concepts
labels: question
assignees: ncc-erik-steringer
---

**Question**

Place your question here.

**Did the Wiki Have an Answer?**

If https://github.com/nccgroup/PMapper/wiki does not have an answer, please suggest where to put one.
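Review bot: `assignees: ncc-erik-steringer` pins every question to a single account, which neither auth-report.md nor bug-report.md does in their visible front matter; unless that is deliberate, leave assignees out so triage of questions does not depend on one maintainer being available.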
2 changes: 1 addition & 1 deletion .gitignore
@@ -15,4 +15,4 @@
*.idea*

# Ignore venv
/venv/*
/venv*
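Review bot: `/venv*` matches any top-level entry whose name merely starts with `venv` (a `venv.txt` or `venv_notes.md`, for example), not just virtualenv directories; if the intent is to cover `venv`, `venv38` and similar directory names, `/venv*/` keeps the pattern limited to directories.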
73 changes: 73 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,73 @@
# Changelog

All notable changes to the project shall be documented in this file.

## 1.1.0

### Added

* Added support for SCPs, Session Policies, Permission Boundaries, and Resource Policies
* Added caching for S3 bucket policies, KMS key policies, SNS topic policies, SQS queue policies
* Added support for obtaining AWS Organizations data (OrganizationTree objects) and the `orgs` subcommand
* Implemented logging with `logging` module for the library
* Added new findings for `analysis` submodule/command
* Added new output format for `visualization`: GraphML
* Added support for the `PMAPPER_STORAGE` environment variable to set a custom location where Graph/OrganizationTree data is stored
* Added a starter Dockerfile (should work with modifications to add creds via env vars or from an EC2 instance with an instance profile assigned)
* Various bugfixes and improvements

### Changed

* Separated out `graph` subcommand into separate subsubcommands (`graph create` rather than `graph --create`)

### Removed

* (Library code) Most instances of `dprint`, `debug` params, `output` params except for `write_*` functions. Replaced `write_*` functions with `print_*` functions.
* (Library code) Dropping support for certain code in `principalmapper.gathering`: `get_unfilled_*`, `get_policies_and_fill_out`. You should use `get_nodes_groups_and_policies` instead.

### Special Thanks

* @yehudacohen
* @pr454nn4kum4r
* @kmcquade
* @danieladams456
* All my colleagues at NCC Group
* Rami McCarthy

## 1.0.1

### Added

* Added support for OpenBSD standard storage location
* Various bugfixes and improvements

### Special Thanks

* @ancwatson
* @buzzdeee

## 1.0.0

### Added

* Implemented a new graph storage solution
* Implemented full local policy simulation and replaced all calls to AWS IAM simulation APIs
* Implemented a new querying interface: `argquery`
* Implemented a REPL
* Added the `analysis` module and command
* Docstrings and type-hints
* Full Python 3.5+ support

### Changed

* Library code is now under `principalmapper` and not `principalmap`

### Removed

* Support for Python 2.X completely dropped
* Support for calling AWS IAM's simulation APIs completely dropped
* Graph generated by previous versions are not compatible with v1.0.0

### Special Thanks

* All my colleagues at NCC Group for their support and suggestions
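Review bot: the 1.1.0 "Removed" section drops `get_unfilled_*` and `get_policies_and_fill_out` from `principalmapper.gathering` and replaces the `write_*` functions with `print_*`, which are breaking changes for library callers shipped under a minor version bump; either label them explicitly as breaking (with the `get_nodes_groups_and_policies` migration note under its own heading) or keep the old names as deprecated wrappers for one release. Minor: "Graph generated by previous versions" under 1.0.0 should read "Graphs generated".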
9 changes: 9 additions & 0 deletions Dockerfile
@@ -0,0 +1,9 @@
FROM python:3.8-slim-buster

COPY . /app
RUN apt-get update ; apt-get install -y graphviz
RUN mkdir -p /storage
RUN pip install /app
ENV PMAPPER_STORAGE /storage

CMD sh
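Review bot: `RUN apt-get update ; apt-get install -y graphviz` joins the two commands with `;`, so a failed `apt-get update` is silently ignored and the install proceeds against stale or missing package lists; use `apt-get update && apt-get install -y --no-install-recommends graphviz && rm -rf /var/lib/apt/lists/*` so the build fails loudly and the image stays smaller. Two further points worth a comment if intentional: there is no `USER` line, so the tool runs as root inside the container, and `CMD sh` drops anyone who runs the image without arguments into an interactive shell rather than the tool's CLI. The CHANGELOG entry in this commit already says credentials are expected via environment variables or an EC2 instance profile; repeating that as a comment in the Dockerfile would help readers who never open CHANGELOG.md.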