fix: failure to close operations leads to connection exhaustion (BED-…
…4041) (#305)
rvazarkar authored Jan 10, 2024
1 parent 9130ac6 commit 42f393d
Showing 1 changed file with 10 additions and 0 deletions.
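--- a/packages/go/analysis/ad/adcs.go
+++ b/packages/go/analysis/ad/adcs.go
@@ -382,16 +382,22 @@ func PostADCS(ctx context.Context, db graph.Database, groupExpansions impact.Pat
 operation := analysis.NewPostRelationshipOperation(ctx, db, "ADCS Post Processing")
 
 if enterpriseCertAuthorities, err := FetchNodesByKind(ctx, db, ad.EnterpriseCA); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed fetching enterpriseCA nodes: %w", err)
 } else if rootCertAuthorities, err := FetchNodesByKind(ctx, db, ad.RootCA); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed fetching rootCA nodes: %w", err)
 } else if certTemplates, err := FetchNodesByKind(ctx, db, ad.CertTemplate); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed fetching cert template nodes: %w", err)
 } else if domains, err := FetchNodesByKind(ctx, db, ad.Domain); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed fetching domain nodes: %w", err)
 } else if step1Stats, err := postADCSPreProcessStep1(ctx, db, enterpriseCertAuthorities, rootCertAuthorities); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed adcs pre-processing step 1: %w", err)
 } else if step2Stats, err := postADCSPreProcessStep2(ctx, db, certTemplates); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed adcs pre-processing step 2: %w", err)
 } else {
 operation.Stats.Merge(step1Stats)
@@ -433,10 +439,13 @@ func postADCSPreProcessStep1(ctx context.Context, db graph.Database, enterpriseC
 operation := analysis.NewPostRelationshipOperation(ctx, db, "ADCS Post Processing Step 1")
 
 if err := PostTrustedForNTAuth(ctx, db, operation); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed post processing for %s: %w", ad.TrustedForNTAuth.String(), err)
 } else if err := PostIssuedSignedBy(ctx, db, operation, enterpriseCertAuthorities, rootCertAuthorities); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed post processing for %s: %w", ad.IssuedSignedBy.String(), err)
 } else if err := PostEnterpriseCAFor(ctx, db, operation, enterpriseCertAuthorities); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed post processing for %s: %w", ad.EnterpriseCAFor.String(), err)
 } else {
 return &operation.Stats, operation.Done()
@@ -447,6 +456,7 @@ func postADCSPreProcessStep2(ctx context.Context, db graph.Database, certTemplat
 operation := analysis.NewPostRelationshipOperation(ctx, db, "ADCS Post Processing Step 2")
 
 if err := PostEnrollOnBehalfOf(certTemplates, operation); err != nil {
+operation.Done()
 return &analysis.AtomicPostProcessingStats{}, fmt.Errorf("failed post processing for %s: %w", ad.EnrollOnBehalfOf.String(), err)
 } else {
 return &operation.Stats, operation.Done()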
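Review bot: The six error branches added in PostADCS each call `operation.Done()` by hand and drop the error it returns, so a branch added later that omits the call would bring back the connection exhaustion named in the commit title. None of those six branches uses `operation` for anything but this cleanup. Moving `operation := analysis.NewPostRelationshipOperation(ctx, db, "ADCS Post Processing")` down to just before `operation.Stats.Merge(step1Stats)` would make all six calls unnecessary, and would presumably also avoid holding the outer operation open while step 1 and step 2 open their own. This assumes the constructor has no side effect the earlier calls depend on, and the else branch of PostADCS continues outside the hunk, so confirm against the full function. In postADCSPreProcessStep1 and postADCSPreProcessStep2 the operation is needed up front, so there I would log the discarded `Done()` error and add a comment such as `// Done must run on every return path, otherwise the operation is never closed`.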
