Merge branch 'main' into stage/v5.5.0

SpecterOps · Jan 23, 2024 · a619c3e · a619c3e
2 parents e01a54a + cc00ea0
commit a619c3e
Show file tree

Hide file tree

Showing 314 changed files with 18,423 additions and 4,741 deletions.
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -43,7 +43,7 @@ jobs:
     - name: Install Go
       uses: actions/setup-go@v4
       with:
-        go-version: '^1.20.0'
+        go-version: '^1.21.0'
 
     - name: Install Python
       uses: actions/setup-python@v4

diff --git a/.golangci.json b/.golangci.json
@@ -5,7 +5,8 @@
       "unused"
     ],
     "enable": [
-      "gosimple"
+      "gosimple",
+      "stylecheck"
     ]
   },
   "issues": {
@@ -49,11 +50,21 @@
       "serial_integration"
     ]
   },
+  "severity": {
+    "default-severity": "error",
+    "rules": [
+      {
+        "text": "(ST\\d{4}|S\\d{4})",
+        "severity": "warning"
+      }
+    ]
+  },
   "linters-settings": {
     "stylecheck": {
       "checks": [
         "all",
-        "-ST1000"
+        "-ST1000",
+        "-ST1003"
       ]
     }
   }

diff --git a/DEVREADME.md b/DEVREADME.md
@@ -9,7 +9,7 @@ More detailed information regarding [contributing](https://github.com/SpecterOps
 
 -   [Just](https://github.com/casey/just)
 -   [Python 3.10](https://www.python.org/downloads/)
--   [Go 1.20](https://go.dev/dl/)
+-   [Go 1.21](https://go.dev/dl/)
 -   [Node 18](https://nodejs.dev/en/download/)
 -   [Yarn 3.6](https://yarnpkg.com/getting-started/install)
 -   [Docker Desktop](https://www.docker.com/products/docker-desktop/) (or Docker/Docker Compose compatible runtime)

diff --git a/cmd/api/src/analysis/ad/ad_integration_test.go b/cmd/api/src/analysis/ad/ad_integration_test.go
diff --git a/cmd/api/src/analysis/ad/adcs_integration_test.go b/cmd/api/src/analysis/ad/adcs_integration_test.go
@@ -21,7 +21,9 @@ package ad_test
 
 import (
 	"context"
+
 	"github.com/specterops/bloodhound/analysis"
+	"github.com/specterops/bloodhound/graphschema"
 
 	ad2 "github.com/specterops/bloodhound/analysis/ad"
 
@@ -39,11 +41,12 @@ import (
 )
 
 func TestADCSESC1(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
 
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.ADCSESC1Harness.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC1")
 
 		groupExpansions, err := ad2.ExpandAllRDPLocalGroups(context.Background(), db)
@@ -53,6 +56,7 @@ func TestADCSESC1(t *testing.T) {
 		certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
 		require.Nil(t, err)
 		domains, err := ad2.FetchNodesByKind(context.Background(), db, ad.Domain)
+		require.Nil(t, err)
 
 		cache := ad2.NewADCSCache()
 		cache.BuildCache(context.Background(), db, enterpriseCertAuthorities, certTemplates)
@@ -106,17 +110,16 @@ func TestADCSESC1(t *testing.T) {
 			}
 			return nil
 		})
-		return nil
 	})
-
 }
 
 func TestGoldenCert(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
 
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.ADCSGoldenCertHarness.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - Golden Cert")
 
 		domains, err := ad2.FetchNodesByKind(context.Background(), db, ad.Domain)
@@ -170,16 +173,17 @@ func TestGoldenCert(t *testing.T) {
 			}
 			return nil
 		})
-		return nil
 	})
 
 }
 
 func TestCanAbuseUPNCertMapping(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
+
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.WeakCertBindingAndUPNCertMappingHarness.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - CanAbuseUPNCertMapping")
 
 		if enterpriseCertAuthorities, err := ad2.FetchNodesByKind(context.Background(), db, ad.EnterpriseCA); err != nil {
@@ -188,6 +192,7 @@ func TestCanAbuseUPNCertMapping(t *testing.T) {
 			t.Logf("failed post processing for %s: %v", ad.CanAbuseUPNCertMapping.String(), err)
 		}
 
+		// TODO: We're throwing away the collected errors from the operation and should assert on them
 		operation.Done()
 
 		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
@@ -214,15 +219,15 @@ func TestCanAbuseUPNCertMapping(t *testing.T) {
 			}
 			return nil
 		})
-		return nil
 	})
 }
 
 func TestCanAbuseWeakCertBinding(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.WeakCertBindingAndUPNCertMappingHarness.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - CanAbuseWeakCertBinding")
 
 		if enterpriseCertAuthorities, err := ad2.FetchNodesByKind(context.Background(), db, ad.EnterpriseCA); err != nil {
@@ -231,6 +236,7 @@ func TestCanAbuseWeakCertBinding(t *testing.T) {
 			t.Logf("failed post processing for %s: %v", ad.CanAbuseWeakCertBinding.String(), err)
 		}
 
+		// TODO: We're throwing away the collected errors from the operation and should assert on them
 		operation.Done()
 
 		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
@@ -255,17 +261,18 @@ func TestCanAbuseWeakCertBinding(t *testing.T) {
 				assert.False(t, results.Contains(harness.WeakCertBindingAndUPNCertMappingHarness.Domain2))
 				assert.False(t, results.Contains(harness.WeakCertBindingAndUPNCertMappingHarness.Domain3))
 			}
+
 			return nil
 		})
-		return nil
 	})
 }
 
 func TestIssuedSignedBy(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.IssuedSignedByHarness.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - IssuedSignedBy")
 
 		if rootCertAuthorities, err := ad2.FetchNodesByKind(context.Background(), db, ad.RootCA); err != nil {
@@ -322,20 +329,21 @@ func TestIssuedSignedBy(t *testing.T) {
 				assert.False(t, results2.Contains(harness.IssuedSignedByHarness.EnterpriseCA3))
 				assert.False(t, results3.Contains(harness.IssuedSignedByHarness.EnterpriseCA3))
 			}
+
 			return nil
 		})
-		return nil
 	})
 }
 
 func TestTrustedForNTAuth(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
 
 	testContext.DatabaseTestWithSetup(
-		func(harness *integration.HarnessDetails) {
+		func(harness *integration.HarnessDetails) error {
 			harness.TrustedForNTAuthHarness.Setup(testContext)
+			return nil
 		},
-		func(harness integration.HarnessDetails, db graph.Database) error {
+		func(harness integration.HarnessDetails, db graph.Database) {
 			// post `TrustedForNTAuth` edges
 			operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - TrustedForNTAuth")
 
@@ -364,16 +372,15 @@ func TestTrustedForNTAuth(t *testing.T) {
 				}
 				return nil
 			})
-
-			return nil
 		})
 }
 
 func TestEnrollOnBehalfOf(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.EnrollOnBehalfOfHarnessOne.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
 		v1Templates := make([]*graph.Node, 0)
 		v2Templates := make([]*graph.Node, 0)
@@ -386,7 +393,9 @@ func TestEnrollOnBehalfOf(t *testing.T) {
 				v2Templates = append(v2Templates, template)
 			}
 		}
+
 		require.Nil(t, err)
+
 		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
 			results, err := ad2.EnrollOnBehalfOfVersionOne(tx, v1Templates, certTemplates)
 			require.Nil(t, err)
@@ -413,26 +422,30 @@ func TestEnrollOnBehalfOf(t *testing.T) {
 
 			return nil
 		})
-
-		return nil
 	})
 
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.EnrollOnBehalfOfHarnessTwo.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
-		v1Templates := make([]*graph.Node, 0)
+		// TODO: v1Templates are never used in any assertions and should either have assertions added or be removed from the test entirely
+		//v1Templates := make([]*graph.Node, 0)
 		v2Templates := make([]*graph.Node, 0)
+
 		for _, template := range certTemplates {
 			if version, err := template.Properties.Get(ad.SchemaVersion.String()).Float64(); err != nil {
 				continue
 			} else if version == 1 {
-				v1Templates = append(v1Templates, template)
+				continue
+				//v1Templates = append(v1Templates, template)
 			} else if version >= 2 {
 				v2Templates = append(v2Templates, template)
 			}
 		}
+
 		require.Nil(t, err)
+
 		db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
 			results, err := ad2.EnrollOnBehalfOfVersionTwo(tx, v2Templates, certTemplates)
 			require.Nil(t, err)
@@ -446,16 +459,15 @@ func TestEnrollOnBehalfOf(t *testing.T) {
 
 			return nil
 		})
-
-		return nil
 	})
 }
 
 func TestADCSESC3(t *testing.T) {
-	testContext := integration.NewGraphTestContext(t)
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.ESC3Harness1.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC3")
 
 		groupExpansions, err := ad2.ExpandAllRDPLocalGroups(context.Background(), db)
@@ -465,6 +477,7 @@ func TestADCSESC3(t *testing.T) {
 		certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
 		require.Nil(t, err)
 		domains, err := ad2.FetchNodesByKind(context.Background(), db, ad.Domain)
+		require.Nil(t, err)
 
 		cache := ad2.NewADCSCache()
 		cache.BuildCache(context.Background(), db, enterpriseCertAuthorities, certTemplates)
@@ -506,12 +519,12 @@ func TestADCSESC3(t *testing.T) {
 			}
 			return nil
 		})
-		return nil
 	})
 
-	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) {
+	testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
 		harness.ESC3Harness2.Setup(testContext)
-	}, func(harness integration.HarnessDetails, db graph.Database) error {
+		return nil
+	}, func(harness integration.HarnessDetails, db graph.Database) {
 		operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC3")
 
 		groupExpansions, err := ad2.ExpandAllRDPLocalGroups(context.Background(), db)
@@ -521,6 +534,7 @@ func TestADCSESC3(t *testing.T) {
 		certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
 		require.Nil(t, err)
 		domains, err := ad2.FetchNodesByKind(context.Background(), db, ad.Domain)
+		require.Nil(t, err)
 
 		cache := ad2.NewADCSCache()
 		cache.BuildCache(context.Background(), db, enterpriseCertAuthorities, certTemplates)
@@ -570,6 +584,5 @@ func TestADCSESC3(t *testing.T) {
 			}
 			return nil
 		})
-		return nil
 	})
 }