From 2b464aa8093328c5b095868100eba41292625867 Mon Sep 17 00:00:00 2001
From: Mayyhem
Date: Thu, 12 Dec 2024 10:34:33 -0500
Subject: [PATCH] Return/log errors, fix comments, remove raw edges from ACLRelationships to address PR comments
---
 packages/cue/bh/ad/ad.cue | 4 +---
 packages/go/analysis/ad/owns.go | 9 ++++++---
 packages/go/graphschema/ad/ad.go | 2 +-
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
index 2e91c42d9..40dbbab8c 100644
--- a/packages/cue/bh/ad/ad.cue
+++ b/packages/cue/bh/ad/ad.cue
@@ -1465,9 +1465,7 @@ ACLRelationships: [
 WritePKIEnrollmentFlag,
 WritePKINameFlag,
 WriteOwnerLimitedRights,
- OwnsLimitedRights,
- OwnsRaw,
- WriteOwnerRaw
+ OwnsLimitedRights
 ]
 // Edges that are used in pathfinding
diff --git a/packages/go/analysis/ad/owns.go b/packages/go/analysis/ad/owns.go
index a54e62a4c..e4ac07b8c 100644
--- a/packages/go/analysis/ad/owns.go
+++ b/packages/go/analysis/ad/owns.go
@@ -38,6 +38,7 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio
 dsHeuristicsCache, anyEnforced, err := GetDsHeuristicsCache(ctx, db)
 if err != nil {
 log.Errorf("failed fetching dsheuristics values for postownsandwriteowner: %w", err)
+ return nil, err
 }
 adminGroupIds, err := FetchAdminGroupIds(ctx, db, groupExpansions)
@@ -61,10 +62,11 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio
 // Get the target node of the OwnsRaw relationship
 if targetNode, err := ops.FetchNode(tx, rel.EndID); err != nil {
+ log.Errorf("failed fetching OwnsRaw target node postownsandwriteowner: %w", err)
 continue
 } else if domainSid, err := targetNode.Properties.GetOrDefault(ad.DomainSID.String(), "").String(); err != nil {
- // Get the dSHeuristics value for the domain of the target node
+ // Get the domain SID of the target node
 continue
 } else {
 enforced, ok := dsHeuristicsCache[domainSid]
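Review bot: The added `return nil, err` on the GetDsHeuristicsCache failure path keeps the `log.Errorf` directly above it, so the same error is now reported here and again wherever the caller handles the returned value; handling it at one layer, e.g. `return nil, fmt.Errorf("fetching dsheuristics values for postownsandwriteowner: %w", err)` without the log call, avoids the duplicate. Separately, `%w` is an error-wrapping verb only in fmt.Errorf; if log.Errorf formats with Sprintf semantics the error prints as `%!w(...)`, so this existing format string and the two new log lines in the hunks at -61 and -135 would be safer with `%v`. PostOwnsAndWriteOwner starts and continues outside the hunk.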
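Review bot: The new `log.Errorf` reports only the FetchNode failure on the OwnsRaw target; the following branch, where reading the DomainSID property as a string fails, still `continue`s silently, so such a target is dropped from OwnsRaw post-processing with no trace, and the WriteOwnerRaw hunk at -135 has the same gap. A matching line in that branch, such as `log.Errorf("failed getting domain SID of OwnsRaw target node postownsandwriteowner: %v", err)`, would keep both skip paths visible; the relocated comment `// Get the domain SID of the target node` also reads better above the `else if` it describes than inside its error body. These calls run once per relationship inside the loop, so a large set of unresolvable targets emits one line each; if that volume matters, counting the skips and logging a single summary after the loop is an option. The enclosing loop and PostOwnsAndWriteOwner begin outside the hunk.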
@@ -135,12 +137,13 @@ func PostOwnsAndWriteOwner(ctx context.Context, db graph.Database, groupExpansio
 // Check if ANY domain enforces BlockOwnerImplicitRights (dSHeuristics[28] == 1)
 if anyEnforced {
- // Get the target node of the WriteOwner relationship
+ // Get the target node of the WriteOwnerRaw relationship
 if targetNode, err := ops.FetchNode(tx, rel.EndID); err != nil {
+ log.Errorf("failed fetching WriteOwnerRaw target node postownsandwriteowner: %w", err)
 continue
 } else if domainSid, err := targetNode.Properties.GetOrDefault(ad.DomainSID.String(), "").String(); err != nil {
- // Get the dSHeuristics value for the domain of the target node
+ // Get the domain SID of the target node
 continue
 } else {
 enforced, ok := dsHeuristicsCache[domainSid]
diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go
index e0f58574d..5376fe4f4 100644
--- a/packages/go/graphschema/ad/ad.go
+++ b/packages/go/graphschema/ad/ad.go
@@ -900,7 +900,7 @@ func Relationships() []graph.Kind { return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonRight, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, OIDGroupLink, ExtendedByPolicy, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, SyncedToEntraUser, WriteOwnerLimitedRights, WriteOwnerRaw, OwnsLimitedRights, OwnsRaw} } func ACLRelationships() []graph.Kind { - return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag, WriteOwnerLimitedRights, OwnsLimitedRights, OwnsRaw, WriteOwnerRaw} + return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, WriteGPLink, SyncLAPSPassword, 
DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag, WriteOwnerLimitedRights, OwnsLimitedRights} } func PathfindingRelationships() []graph.Kind { return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, CoerceToTGT, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, WriteGPLink, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6a, ADCSESC6b, ADCSESC7, ADCSESC9a, ADCSESC9b, ADCSESC10a, ADCSESC10b, ADCSESC13, DCFor, SyncedToEntraUser, WriteOwnerLimitedRights, OwnsLimitedRights}