feat: schema definitions for new cert template properties and logic u…

…pdate to EnrollOnBehalfOfSelfControl (#308)

* feat: schema definitions for new cert template properties and logic update to EnrollOnBehalfOfSelfControl

* fix: remove redundant dcfor schema definition, run schemagen

* fix: remove isdc property definition

* fix: remove redundat canabuse definitions

examples/helm/templates/cmbh.yaml

@@ -1,3 +1,19 @@
+# Copyright 2023 Specter Ops, Inc.
+#
+# Licensed under the Apache License, Version 2.0
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
 apiVersion: v1
 kind: ConfigMap
 metadata:

examples/helm/templates/ingressgraphdb.yaml

@@ -1,3 +1,19 @@
+# Copyright 2023 Specter Ops, Inc.
+#
+# Licensed under the Apache License, Version 2.0
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
 {{- if .Values.graphdb.ingress.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress

packages/cue/bh/ad/ad.cue

@@ -377,6 +377,41 @@ SubjectAltRequireUPN: types.#StringEnum & {
 	representation: "subjectaltrequireupn"
 }
 
+SubjectAltRequireDNS: types.#StringEnum & {
+	symbol: "SubjectAltRequireDNS"
+	schema: "ad"
+	name: "Subject Alternative Name Require DNS"
+	representation: "subjectaltrequiredns"
+}
+
+SubjectAltRequireDomainDNS: types.#StringEnum & {
+	symbol: "SubjectAltRequireDomainDNS"
+	schema: "ad"
+	name: "Subject Alternative Name Require Domain DNS"
+	representation: "subjectaltrequiredomaindns"
+}
+
+SubjectAltRequireEmail: types.#StringEnum & {
+	symbol: "SubjectAltRequireEmail"
+	schema: "ad"
+	name: "Subject Alternative Name Require Email"
+	representation: "subjectaltrequireemail"
+}
+
+SubjectAltRequireSPN: types.#StringEnum & {
+	symbol: "SubjectAltRequireSPN"
+	schema: "ad"
+	name: "Subject Alternative Name Require SPN"
+	representation: "subjectaltrequirespn"
+}
+
+SubjectRequireEmail: types.#StringEnum & {
+	symbol: "SubjectRequireEmail"
+	schema: "ad"
+	name: "Subject Require Email"
+	representation: "subjectrequireemail"
+}
+
 AuthorizedSignatures: types.#StringEnum & {
 	symbol: "AuthorizedSignatures"
 	schema: "ad"
@@ -539,6 +574,11 @@ Properties: [
 	StrongCertificateBindingEnforcement,
 	EKUs,
 	SubjectAltRequireUPN,
+	SubjectAltRequireDNS,
+	SubjectAltRequireDomainDNS,
+	SubjectAltRequireEmail,
+	SubjectAltRequireSPN,
+	SubjectRequireEmail,
 	AuthorizedSignatures,
 	ApplicationPolicies,
 	IssuancePolicies,
@@ -786,11 +826,6 @@ DCSync: types.#Kind & {
 	schema: "active_directory"
 }
 
-DCFor: types.#Kind & {
-	symbol: "DCFor"
-	schema: "active_directory"
-}
-
 ReadLAPSPassword: types.#Kind & {
 	symbol: "ReadLAPSPassword"
 	schema: "active_directory"
@@ -851,6 +886,11 @@ RootCAFor: types.#Kind & {
 	schema: "active_directory"
 }
 
+DCFor: types.#Kind & {
+	symbol: "DCFor"
+	schema: "active_directory"
+}
+
 PublishedTo: types.#Kind & {
 	symbol: "PublishedTo"
 	schema: "active_directory"
@@ -988,7 +1028,6 @@ RelationshipKinds: [
 	HasSIDHistory,
 	AddSelf,
 	DCSync,
-	DCFor,
 	ReadLAPSPassword,
 	ReadGMSAPassword,
 	DumpSMSAPassword,
@@ -1002,6 +1041,7 @@ RelationshipKinds: [
 	SyncLAPSPassword,
 	WriteAccountRestrictions,
 	RootCAFor,
+	DCFor,
 	PublishedTo,
 	ManageCertificates,
 	ManageCA,

packages/go/analysis/ad/esc3.go

@@ -18,6 +18,7 @@ package ad
 
 import (
 	"context"
+
 	"github.com/specterops/bloodhound/analysis"
 	"github.com/specterops/bloodhound/dawgs/graph"
 	"github.com/specterops/bloodhound/dawgs/util/channels"

packages/javascript/bh-shared-ui/src/graphSchema.ts

@@ -93,7 +93,6 @@ export enum ActiveDirectoryRelationshipKind {
     HasSIDHistory = 'HasSIDHistory',
     AddSelf = 'AddSelf',
     DCSync = 'DCSync',
-    DCFor = 'DCFor',
     ReadLAPSPassword = 'ReadLAPSPassword',
     ReadGMSAPassword = 'ReadGMSAPassword',
     DumpSMSAPassword = 'DumpSMSAPassword',
@@ -107,6 +106,7 @@ export enum ActiveDirectoryRelationshipKind {
     SyncLAPSPassword = 'SyncLAPSPassword',
     WriteAccountRestrictions = 'WriteAccountRestrictions',
     RootCAFor = 'RootCAFor',
+    DCFor = 'DCFor',
     PublishedTo = 'PublishedTo',
     ManageCertificates = 'ManageCertificates',
     ManageCA = 'ManageCA',
@@ -182,8 +182,6 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR
             return 'AddSelf';
         case ActiveDirectoryRelationshipKind.DCSync:
             return 'DCSync';
-        case ActiveDirectoryRelationshipKind.DCFor:
-            return 'DCFor';
         case ActiveDirectoryRelationshipKind.ReadLAPSPassword:
             return 'ReadLAPSPassword';
         case ActiveDirectoryRelationshipKind.ReadGMSAPassword:
@@ -210,6 +208,8 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR
             return 'WriteAccountRestrictions';
         case ActiveDirectoryRelationshipKind.RootCAFor:
             return 'RootCAFor';
+        case ActiveDirectoryRelationshipKind.DCFor:
+            return 'DCFor';
         case ActiveDirectoryRelationshipKind.PublishedTo:
             return 'PublishedTo';
         case ActiveDirectoryRelationshipKind.ManageCertificates:
@@ -309,6 +309,11 @@ export enum ActiveDirectoryKindProperties {
     StrongCertificateBindingEnforcement = 'strongcertificatebindingenforcement',
     EKUs = 'ekus',
     SubjectAltRequireUPN = 'subjectaltrequireupn',
+    SubjectAltRequireDNS = 'subjectaltrequiredns',
+    SubjectAltRequireDomainDNS = 'subjectaltrequiredomaindns',
+    SubjectAltRequireEmail = 'subjectaltrequireemail',
+    SubjectAltRequireSPN = 'subjectaltrequirespn',
+    SubjectRequireEmail = 'subjectrequireemail',
     AuthorizedSignatures = 'authorizedsignatures',
     ApplicationPolicies = 'applicationpolicies',
     IssuancePolicies = 'issuancepolicies',
@@ -427,6 +432,16 @@ export function ActiveDirectoryKindPropertiesToDisplay(value: ActiveDirectoryKin
             return 'Enhanced Key Usage';
         case ActiveDirectoryKindProperties.SubjectAltRequireUPN:
             return 'Subject Alternative Name Require UPN';
+        case ActiveDirectoryKindProperties.SubjectAltRequireDNS:
+            return 'Subject Alternative Name Require DNS';
+        case ActiveDirectoryKindProperties.SubjectAltRequireDomainDNS:
+            return 'Subject Alternative Name Require Domain DNS';
+        case ActiveDirectoryKindProperties.SubjectAltRequireEmail:
+            return 'Subject Alternative Name Require Email';
+        case ActiveDirectoryKindProperties.SubjectAltRequireSPN:
+            return 'Subject Alternative Name Require SPN';
+        case ActiveDirectoryKindProperties.SubjectRequireEmail:
+            return 'Subject Require Email';
         case ActiveDirectoryKindProperties.AuthorizedSignatures:
             return 'Authorized Signatures Required';
         case ActiveDirectoryKindProperties.ApplicationPolicies: