From 4a709641c4cb71572c70b6f3a305b40d6db94473 Mon Sep 17 00:00:00 2001 From: Brandon Shearin Date: Mon, 22 Jan 2024 09:05:05 -0800 Subject: [PATCH 1/3] add ESC9A to ad.cue and run schemagen --- packages/cue/bh/ad/ad.cue | 9 +- packages/go/graphschema/ad/ad.go | 163 +++++++++--------- .../bh-shared-ui/src/graphSchema.ts | 4 + 3 files changed, 94 insertions(+), 82 deletions(-) diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index aace277a96..f2be3e7c71 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -1001,6 +1001,11 @@ ADCSESC7: types.#Kind & { schema: "active_directory" } +ADCSESC9a: types.#Kind & { + symbol: "ADCSESC9a" + schema: "active_directory" +} + // Relationship Kinds RelationshipKinds: [ Owns, @@ -1063,7 +1068,8 @@ RelationshipKinds: [ ADCSESC4, ADCSESC5, ADCSESC6, - ADCSESC7 + ADCSESC7, + ADCSESC9a, ] // ACL Relationships @@ -1135,5 +1141,6 @@ PathfindingRelationships: [ ADCSESC5, ADCSESC6, ADCSESC7, + ADCSESC9a, DCFor ] diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index ccfe7bffc8..18458ce56c 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go 
@@ -101,88 +101,89 @@ var ( ADCSESC5 = graph.StringKind("ADCSESC5") ADCSESC6 = graph.StringKind("ADCSESC6") ADCSESC7 = graph.StringKind("ADCSESC7") + ADCSESC9a = graph.StringKind("ADCSESC9a") ) -type Property string +type Item string const ( - AdminCount Property = "admincount" - CASecurityCollected Property = "casecuritycollected" - CAName Property = "caname" - CertChain Property = "certchain" - CertName Property = "certname" - CertThumbprint Property = "certthumbprint" - CertThumbprints Property = "certthumbprints" - HasEnrollmentAgentRestrictions Property = "hasenrollmentagentrestrictions" - EnrollmentAgentRestrictionsCollected Property = "enrollmentagentrestrictionscollected" - IsUserSpecifiesSanEnabled Property = "isuserspecifiessanenabled" - IsUserSpecifiesSanEnabledCollected Property = "isuserspecifiessanenabledcollected" - HasBasicConstraints Property = "hasbasicconstraints" - BasicConstraintPathLength Property = "basicconstraintpathlength" - DNSHostname Property = "dnshostname" - CrossCertificatePair Property = "crosscertificatepair" - DistinguishedName Property = "distinguishedname" - DomainFQDN Property = "domain" - DomainSID Property = "domainsid" - Sensitive Property = "sensitive" - HighValue Property = "highvalue" - BlocksInheritance Property = "blocksinheritance" - IsACL Property = "isacl" - IsACLProtected Property = "isaclprotected" - IsDeleted Property = "isdeleted" - Enforced Property = "enforced" - Department Property = "department" - HasCrossCertificatePair Property = "hascrosscertificatepair" - HasSPN Property = "hasspn" - UnconstrainedDelegation Property = "unconstraineddelegation" - LastLogon Property = "lastlogon" - LastLogonTimestamp Property = "lastlogontimestamp" - IsPrimaryGroup Property = "isprimarygroup" - HasLAPS Property = "haslaps" - DontRequirePreAuth Property = "dontreqpreauth" - LogonType Property = "logontype" - HasURA Property = "hasura" - PasswordNeverExpires Property = "pwdneverexpires" - PasswordNotRequired Property = 
"passwordnotreqd" - FunctionalLevel Property = "functionallevel" - TrustType Property = "trusttype" - SidFiltering Property = "sidfiltering" - TrustedToAuth Property = "trustedtoauth" - SamAccountName Property = "samaccountname" - CertificateMappingMethodsRaw Property = "certificatemappingmethodsraw" - CertificateMappingMethods Property = "certificatemappingmethods" - StrongCertificateBindingEnforcementRaw Property = "strongcertificatebindingenforcementraw" - StrongCertificateBindingEnforcement Property = "strongcertificatebindingenforcement" - EKUs Property = "ekus" - SubjectAltRequireUPN Property = "subjectaltrequireupn" - SubjectAltRequireDNS Property = "subjectaltrequiredns" - SubjectAltRequireDomainDNS Property = "subjectaltrequiredomaindns" - SubjectAltRequireEmail Property = "subjectaltrequireemail" - SubjectAltRequireSPN Property = "subjectaltrequirespn" - SubjectRequireEmail Property = "subjectrequireemail" - AuthorizedSignatures Property = "authorizedsignatures" - ApplicationPolicies Property = "applicationpolicies" - IssuancePolicies Property = "issuancepolicies" - SchemaVersion Property = "schemaversion" - RequiresManagerApproval Property = "requiresmanagerapproval" - AuthenticationEnabled Property = "authenticationenabled" - EnrolleeSuppliesSubject Property = "enrolleesuppliessubject" - CertificateApplicationPolicy Property = "certificateapplicationpolicy" - CertificateNameFlag Property = "certificatenameflag" - EffectiveEKUs Property = "effectiveekus" - EnrollmentFlag Property = "enrollmentflag" - Flags Property = "flags" - NoSecurityExtension Property = "nosecurityextension" - RenewalPeriod Property = "renewalperiod" - ValidityPeriod Property = "validityperiod" - OID Property = "oid" - HomeDirectory Property = "homedirectory" + AdminCount Item = "admincount" + CASecurityCollected Item = "casecuritycollected" + CAName Item = "caname" + CertChain Item = "certchain" + CertName Item = "certname" + CertThumbprint Item = "certthumbprint" + CertThumbprints 
Item = "certthumbprints" + HasEnrollmentAgentRestrictions Item = "hasenrollmentagentrestrictions" + EnrollmentAgentRestrictionsCollected Item = "enrollmentagentrestrictionscollected" + IsUserSpecifiesSanEnabled Item = "isuserspecifiessanenabled" + IsUserSpecifiesSanEnabledCollected Item = "isuserspecifiessanenabledcollected" + HasBasicConstraints Item = "hasbasicconstraints" + BasicConstraintPathLength Item = "basicconstraintpathlength" + DNSHostname Item = "dnshostname" + CrossCertificatePair Item = "crosscertificatepair" + DistinguishedName Item = "distinguishedname" + DomainFQDN Item = "domain" + DomainSID Item = "domainsid" + Sensitive Item = "sensitive" + HighValue Item = "highvalue" + BlocksInheritance Item = "blocksinheritance" + IsACL Item = "isacl" + IsACLProtected Item = "isaclprotected" + IsDeleted Item = "isdeleted" + Enforced Item = "enforced" + Department Item = "department" + HasCrossCertificatePair Item = "hascrosscertificatepair" + HasSPN Item = "hasspn" + UnconstrainedDelegation Item = "unconstraineddelegation" + LastLogon Item = "lastlogon" + LastLogonTimestamp Item = "lastlogontimestamp" + IsPrimaryGroup Item = "isprimarygroup" + HasLAPS Item = "haslaps" + DontRequirePreAuth Item = "dontreqpreauth" + LogonType Item = "logontype" + HasURA Item = "hasura" + PasswordNeverExpires Item = "pwdneverexpires" + PasswordNotRequired Item = "passwordnotreqd" + FunctionalLevel Item = "functionallevel" + TrustType Item = "trusttype" + SidFiltering Item = "sidfiltering" + TrustedToAuth Item = "trustedtoauth" + SamAccountName Item = "samaccountname" + CertificateMappingMethodsRaw Item = "certificatemappingmethodsraw" + CertificateMappingMethods Item = "certificatemappingmethods" + StrongCertificateBindingEnforcementRaw Item = "strongcertificatebindingenforcementraw" + StrongCertificateBindingEnforcement Item = "strongcertificatebindingenforcement" + EKUs Item = "ekus" + SubjectAltRequireUPN Item = "subjectaltrequireupn" + SubjectAltRequireDNS Item = 
"subjectaltrequiredns" + SubjectAltRequireDomainDNS Item = "subjectaltrequiredomaindns" + SubjectAltRequireEmail Item = "subjectaltrequireemail" + SubjectAltRequireSPN Item = "subjectaltrequirespn" + SubjectRequireEmail Item = "subjectrequireemail" + AuthorizedSignatures Item = "authorizedsignatures" + ApplicationPolicies Item = "applicationpolicies" + IssuancePolicies Item = "issuancepolicies" + SchemaVersion Item = "schemaversion" + RequiresManagerApproval Item = "requiresmanagerapproval" + AuthenticationEnabled Item = "authenticationenabled" + EnrolleeSuppliesSubject Item = "enrolleesuppliessubject" + CertificateApplicationPolicy Item = "certificateapplicationpolicy" + CertificateNameFlag Item = "certificatenameflag" + EffectiveEKUs Item = "effectiveekus" + EnrollmentFlag Item = "enrollmentflag" + Flags Item = "flags" + NoSecurityExtension Item = "nosecurityextension" + RenewalPeriod Item = "renewalperiod" + ValidityPeriod Item = "validityperiod" + OID Item = "oid" + HomeDirectory Item = "homedirectory" ) -func AllProperties() []Property { - return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, 
SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory} +func AllProperties() []Item { + return []Item{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory} } -func ParseProperty(source string) (Property, error) { +func ParseItem(source string) (Item, error) { switch source { case "admincount": return AdminCount, nil 
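Review bot: The regenerated ad.go renames the exported `Property` type to `Item` and `ParseProperty` to `ParseItem` (`-type Property string` / `+type Item string` here, and the receiver and signature lines in the `@@ -330`, `@@ -478` and `@@ -626` hunks below), which has nothing to do with adding the `ADCSESC9a` kind and would stop any code referencing `ad.Property` or `ad.ParseProperty` from compiling at this commit. Patch 2/3's ad.go hunks rename them back to `Property`, so the series ends consistent, but the flip-flop suggests the two schemagen runs used different generator versions or templates rather than a deterministic output. It would be worth confirming that schemagen reproduces `type Property string` from the unchanged cue and squashing the churn so the only net change in ad.go is `ADCSESC9a = graph.StringKind("ADCSESC9a")` plus its entries in `Relationships()` and `PathfindingRelationships()`. The `AllProperties` and `ParseItem` bodies continue outside this hunk.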
@@ -330,7 +331,7 @@ func ParseProperty(source string) (Property, error) { return "", errors.New("Invalid enumeration value: " + source) } } -func (s Property) String() string { +func (s Item) String() string { switch s { case AdminCount: return string(AdminCount) @@ -478,7 +479,7 @@ func (s Property) String() string { return "Invalid enumeration case: " + string(s) } } -func (s Property) Name() string { +func (s Item) Name() string { switch s { case AdminCount: return "Admin Count" @@ -626,9 +627,9 @@ func (s Property) Name() string { return "Invalid enumeration case: " + string(s) } } -func (s Property) Is(others ...graph.Kind) bool { +func (s Item) Is(others ...graph.Kind) bool { for _, other := range others { - if value, err := ParseProperty(other.String()); err == nil && value == s { + if value, err := ParseItem(other.String()); err == nil && value == s { return true } } 
@@ -638,13 +639,13 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, CanAbuseUPNCertMapping, CanAbuseWeakCertBinding, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, CanAbuseUPNCertMapping, CanAbuseWeakCertBinding, 
IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7, ADCSESC9a} } func ACLRelationships() []graph.Kind { return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag} } func PathfindingRelationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7, DCFor} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7, ADCSESC9a, DCFor} } func IsACLKind(s graph.Kind) bool { for _, acl := range ACLRelationships() { diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index 05ddc0b561..fbb1740c08 100644 --- a/packages/javascript/bh-shared-ui/src/graphSchema.ts 
+++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts @@ -129,6 +129,7 @@ export enum ActiveDirectoryRelationshipKind { ADCSESC5 = 'ADCSESC5', ADCSESC6 = 'ADCSESC6', ADCSESC7 = 'ADCSESC7', + ADCSESC9a = 'ADCSESC9a', } export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryRelationshipKind): string | undefined { switch (value) { @@ -254,6 +255,8 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR return 'ADCSESC6'; case ActiveDirectoryRelationshipKind.ADCSESC7: return 'ADCSESC7'; + case ActiveDirectoryRelationshipKind.ADCSESC9a: + return 'ADCSESC9a'; default: return undefined; } @@ -520,6 +523,7 @@ export function ActiveDirectoryPathfindingEdges(): ActiveDirectoryRelationshipKi ActiveDirectoryRelationshipKind.ADCSESC5, ActiveDirectoryRelationshipKind.ADCSESC6, ActiveDirectoryRelationshipKind.ADCSESC7, + ActiveDirectoryRelationshipKind.ADCSESC9a, ActiveDirectoryRelationshipKind.DCFor, ]; } From d12c40438b369a611f1f90cf9f31c20659091f2e Mon Sep 17 00:00:00 2001 From: Brandon Shearin Date: Mon, 22 Jan 2024 12:19:09 -0800 Subject: [PATCH 2/3] add 9b to ad.cue --- packages/cue/bh/ad/ad.cue | 7 + packages/go/graphschema/ad/ad.go | 163 +++++++++--------- .../bh-shared-ui/src/graphSchema.ts | 4 + 3 files changed, 93 insertions(+), 81 deletions(-) diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue index f2be3e7c71..d5a39f6188 100644 --- a/packages/cue/bh/ad/ad.cue +++ b/packages/cue/bh/ad/ad.cue @@ -1006,6 +1006,11 @@ ADCSESC9a: types.#Kind & { schema: "active_directory" } +ADCSESC9b: types.#Kind & { + symbol: "ADCSESC9b" + schema: "active_directory" +} + // Relationship Kinds RelationshipKinds: [ Owns, @@ -1070,6 +1075,7 @@ RelationshipKinds: [ ADCSESC6, ADCSESC7, ADCSESC9a, + ADCSESC9b, ] // ACL Relationships @@ -1142,5 +1148,6 @@ PathfindingRelationships: [ ADCSESC6, ADCSESC7, ADCSESC9a, + ADCSESC9b, DCFor ] 
diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go index 18458ce56c..1594ae3234 100644 --- a/packages/go/graphschema/ad/ad.go +++ b/packages/go/graphschema/ad/ad.go 
@@ -102,88 +102,89 @@ var ( ADCSESC6 = graph.StringKind("ADCSESC6") ADCSESC7 = graph.StringKind("ADCSESC7") ADCSESC9a = graph.StringKind("ADCSESC9a") + ADCSESC9b = graph.StringKind("ADCSESC9b") ) -type Item string +type Property string const ( - AdminCount Item = "admincount" - CASecurityCollected Item = "casecuritycollected" - CAName Item = "caname" - CertChain Item = "certchain" - CertName Item = "certname" - CertThumbprint Item = "certthumbprint" - CertThumbprints Item = "certthumbprints" - HasEnrollmentAgentRestrictions Item = "hasenrollmentagentrestrictions" - EnrollmentAgentRestrictionsCollected Item = "enrollmentagentrestrictionscollected" - IsUserSpecifiesSanEnabled Item = "isuserspecifiessanenabled" - IsUserSpecifiesSanEnabledCollected Item = "isuserspecifiessanenabledcollected" - HasBasicConstraints Item = "hasbasicconstraints" - BasicConstraintPathLength Item = "basicconstraintpathlength" - DNSHostname Item = "dnshostname" - CrossCertificatePair Item = "crosscertificatepair" - DistinguishedName Item = "distinguishedname" - DomainFQDN Item = "domain" - DomainSID Item = "domainsid" - Sensitive Item = "sensitive" - HighValue Item = "highvalue" - BlocksInheritance Item = "blocksinheritance" - IsACL Item = "isacl" - IsACLProtected Item = "isaclprotected" - IsDeleted Item = "isdeleted" - Enforced Item = "enforced" - Department Item = "department" - HasCrossCertificatePair Item = "hascrosscertificatepair" - HasSPN Item = "hasspn" - UnconstrainedDelegation Item = "unconstraineddelegation" - LastLogon Item = "lastlogon" - LastLogonTimestamp Item = "lastlogontimestamp" - IsPrimaryGroup Item = "isprimarygroup" - HasLAPS Item = "haslaps" - DontRequirePreAuth Item = "dontreqpreauth" - LogonType Item = "logontype" - HasURA Item = "hasura" - PasswordNeverExpires Item = "pwdneverexpires" - PasswordNotRequired Item = "passwordnotreqd" - FunctionalLevel Item = "functionallevel" - TrustType Item = "trusttype" - SidFiltering Item = "sidfiltering" - TrustedToAuth Item = 
"trustedtoauth" - SamAccountName Item = "samaccountname" - CertificateMappingMethodsRaw Item = "certificatemappingmethodsraw" - CertificateMappingMethods Item = "certificatemappingmethods" - StrongCertificateBindingEnforcementRaw Item = "strongcertificatebindingenforcementraw" - StrongCertificateBindingEnforcement Item = "strongcertificatebindingenforcement" - EKUs Item = "ekus" - SubjectAltRequireUPN Item = "subjectaltrequireupn" - SubjectAltRequireDNS Item = "subjectaltrequiredns" - SubjectAltRequireDomainDNS Item = "subjectaltrequiredomaindns" - SubjectAltRequireEmail Item = "subjectaltrequireemail" - SubjectAltRequireSPN Item = "subjectaltrequirespn" - SubjectRequireEmail Item = "subjectrequireemail" - AuthorizedSignatures Item = "authorizedsignatures" - ApplicationPolicies Item = "applicationpolicies" - IssuancePolicies Item = "issuancepolicies" - SchemaVersion Item = "schemaversion" - RequiresManagerApproval Item = "requiresmanagerapproval" - AuthenticationEnabled Item = "authenticationenabled" - EnrolleeSuppliesSubject Item = "enrolleesuppliessubject" - CertificateApplicationPolicy Item = "certificateapplicationpolicy" - CertificateNameFlag Item = "certificatenameflag" - EffectiveEKUs Item = "effectiveekus" - EnrollmentFlag Item = "enrollmentflag" - Flags Item = "flags" - NoSecurityExtension Item = "nosecurityextension" - RenewalPeriod Item = "renewalperiod" - ValidityPeriod Item = "validityperiod" - OID Item = "oid" - HomeDirectory Item = "homedirectory" + AdminCount Property = "admincount" + CASecurityCollected Property = "casecuritycollected" + CAName Property = "caname" + CertChain Property = "certchain" + CertName Property = "certname" + CertThumbprint Property = "certthumbprint" + CertThumbprints Property = "certthumbprints" + HasEnrollmentAgentRestrictions Property = "hasenrollmentagentrestrictions" + EnrollmentAgentRestrictionsCollected Property = "enrollmentagentrestrictionscollected" + IsUserSpecifiesSanEnabled Property = 
"isuserspecifiessanenabled" + IsUserSpecifiesSanEnabledCollected Property = "isuserspecifiessanenabledcollected" + HasBasicConstraints Property = "hasbasicconstraints" + BasicConstraintPathLength Property = "basicconstraintpathlength" + DNSHostname Property = "dnshostname" + CrossCertificatePair Property = "crosscertificatepair" + DistinguishedName Property = "distinguishedname" + DomainFQDN Property = "domain" + DomainSID Property = "domainsid" + Sensitive Property = "sensitive" + HighValue Property = "highvalue" + BlocksInheritance Property = "blocksinheritance" + IsACL Property = "isacl" + IsACLProtected Property = "isaclprotected" + IsDeleted Property = "isdeleted" + Enforced Property = "enforced" + Department Property = "department" + HasCrossCertificatePair Property = "hascrosscertificatepair" + HasSPN Property = "hasspn" + UnconstrainedDelegation Property = "unconstraineddelegation" + LastLogon Property = "lastlogon" + LastLogonTimestamp Property = "lastlogontimestamp" + IsPrimaryGroup Property = "isprimarygroup" + HasLAPS Property = "haslaps" + DontRequirePreAuth Property = "dontreqpreauth" + LogonType Property = "logontype" + HasURA Property = "hasura" + PasswordNeverExpires Property = "pwdneverexpires" + PasswordNotRequired Property = "passwordnotreqd" + FunctionalLevel Property = "functionallevel" + TrustType Property = "trusttype" + SidFiltering Property = "sidfiltering" + TrustedToAuth Property = "trustedtoauth" + SamAccountName Property = "samaccountname" + CertificateMappingMethodsRaw Property = "certificatemappingmethodsraw" + CertificateMappingMethods Property = "certificatemappingmethods" + StrongCertificateBindingEnforcementRaw Property = "strongcertificatebindingenforcementraw" + StrongCertificateBindingEnforcement Property = "strongcertificatebindingenforcement" + EKUs Property = "ekus" + SubjectAltRequireUPN Property = "subjectaltrequireupn" + SubjectAltRequireDNS Property = "subjectaltrequiredns" + SubjectAltRequireDomainDNS Property = 
"subjectaltrequiredomaindns" + SubjectAltRequireEmail Property = "subjectaltrequireemail" + SubjectAltRequireSPN Property = "subjectaltrequirespn" + SubjectRequireEmail Property = "subjectrequireemail" + AuthorizedSignatures Property = "authorizedsignatures" + ApplicationPolicies Property = "applicationpolicies" + IssuancePolicies Property = "issuancepolicies" + SchemaVersion Property = "schemaversion" + RequiresManagerApproval Property = "requiresmanagerapproval" + AuthenticationEnabled Property = "authenticationenabled" + EnrolleeSuppliesSubject Property = "enrolleesuppliessubject" + CertificateApplicationPolicy Property = "certificateapplicationpolicy" + CertificateNameFlag Property = "certificatenameflag" + EffectiveEKUs Property = "effectiveekus" + EnrollmentFlag Property = "enrollmentflag" + Flags Property = "flags" + NoSecurityExtension Property = "nosecurityextension" + RenewalPeriod Property = "renewalperiod" + ValidityPeriod Property = "validityperiod" + OID Property = "oid" + HomeDirectory Property = "homedirectory" ) -func AllProperties() []Item { - return []Item{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, 
SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory} +func AllProperties() []Property { + return []Property{AdminCount, CASecurityCollected, CAName, CertChain, CertName, CertThumbprint, CertThumbprints, HasEnrollmentAgentRestrictions, EnrollmentAgentRestrictionsCollected, IsUserSpecifiesSanEnabled, IsUserSpecifiesSanEnabledCollected, HasBasicConstraints, BasicConstraintPathLength, DNSHostname, CrossCertificatePair, DistinguishedName, DomainFQDN, DomainSID, Sensitive, HighValue, BlocksInheritance, IsACL, IsACLProtected, IsDeleted, Enforced, Department, HasCrossCertificatePair, HasSPN, UnconstrainedDelegation, LastLogon, LastLogonTimestamp, IsPrimaryGroup, HasLAPS, DontRequirePreAuth, LogonType, HasURA, PasswordNeverExpires, PasswordNotRequired, FunctionalLevel, TrustType, SidFiltering, TrustedToAuth, SamAccountName, CertificateMappingMethodsRaw, CertificateMappingMethods, StrongCertificateBindingEnforcementRaw, StrongCertificateBindingEnforcement, EKUs, SubjectAltRequireUPN, SubjectAltRequireDNS, SubjectAltRequireDomainDNS, SubjectAltRequireEmail, SubjectAltRequireSPN, SubjectRequireEmail, AuthorizedSignatures, ApplicationPolicies, IssuancePolicies, SchemaVersion, RequiresManagerApproval, AuthenticationEnabled, EnrolleeSuppliesSubject, CertificateApplicationPolicy, CertificateNameFlag, EffectiveEKUs, EnrollmentFlag, Flags, NoSecurityExtension, RenewalPeriod, ValidityPeriod, OID, HomeDirectory} } -func ParseItem(source string) (Item, error) { +func ParseProperty(source string) (Property, error) { switch source { case "admincount": return AdminCount, nil 
@@ -331,7 +332,7 @@ func ParseItem(source string) (Item, error) { return "", errors.New("Invalid enumeration value: " + source) } } -func (s Item) String() string { +func (s Property) String() string { switch s { case AdminCount: return string(AdminCount) @@ -479,7 +480,7 @@ func (s Item) String() string { return "Invalid enumeration case: " + string(s) } } -func (s Item) Name() string { +func (s Property) Name() string { switch s { case AdminCount: return "Admin Count" @@ -627,9 +628,9 @@ func (s Item) Name() string { return "Invalid enumeration case: " + string(s) } } -func (s Item) Is(others ...graph.Kind) bool { +func (s Property) Is(others ...graph.Kind) bool { for _, other := range others { - if value, err := ParseItem(other.String()); err == nil && value == s { + if value, err := ParseProperty(other.String()); err == nil && value == s { return true } } 
@@ -639,13 +640,13 @@ func Nodes() []graph.Kind { return []graph.Kind{Entity, User, Computer, Group, GPO, OU, Container, Domain, LocalGroup, LocalUser, AIACA, RootCA, EnterpriseCA, NTAuthStore, CertTemplate} } func Relationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, CanAbuseUPNCertMapping, CanAbuseWeakCertBinding, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7, ADCSESC9a} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, GetChanges, GetChangesAll, GetChangesInFilteredSet, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, LocalToComputer, MemberOfLocalGroup, RemoteInteractiveLogonPrivilege, SyncLAPSPassword, WriteAccountRestrictions, RootCAFor, DCFor, PublishedTo, ManageCertificates, ManageCA, DelegatedEnrollmentAgent, Enroll, HostsCAService, WritePKIEnrollmentFlag, WritePKINameFlag, NTAuthStoreFor, TrustedForNTAuth, EnterpriseCAFor, CanAbuseUPNCertMapping, 
CanAbuseWeakCertBinding, IssuedSignedBy, GoldenCert, EnrollOnBehalfOf, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7, ADCSESC9a, ADCSESC9b} } func ACLRelationships() []graph.Kind { return []graph.Kind{AllExtendedRights, ForceChangePassword, AddMember, AddAllowedToAct, GenericAll, WriteDACL, WriteOwner, GenericWrite, ReadLAPSPassword, ReadGMSAPassword, Owns, AddSelf, WriteSPN, AddKeyCredentialLink, GetChanges, GetChangesAll, GetChangesInFilteredSet, WriteAccountRestrictions, SyncLAPSPassword, DCSync, ManageCertificates, ManageCA, Enroll, WritePKIEnrollmentFlag, WritePKINameFlag} } func PathfindingRelationships() []graph.Kind { - return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7, ADCSESC9a, DCFor} + return []graph.Kind{Owns, GenericAll, GenericWrite, WriteOwner, WriteDACL, MemberOf, ForceChangePassword, AllExtendedRights, AddMember, HasSession, Contains, GPLink, AllowedToDelegate, TrustedBy, AllowedToAct, AdminTo, CanPSRemote, CanRDP, ExecuteDCOM, HasSIDHistory, AddSelf, DCSync, ReadLAPSPassword, ReadGMSAPassword, DumpSMSAPassword, SQLAdmin, AddAllowedToAct, WriteSPN, AddKeyCredentialLink, SyncLAPSPassword, WriteAccountRestrictions, GoldenCert, ADCSESC1, ADCSESC3, ADCSESC4, ADCSESC5, ADCSESC6, ADCSESC7, ADCSESC9a, ADCSESC9b, DCFor} } func IsACLKind(s graph.Kind) bool { for _, acl := range ACLRelationships() { diff --git a/packages/javascript/bh-shared-ui/src/graphSchema.ts b/packages/javascript/bh-shared-ui/src/graphSchema.ts index fbb1740c08..118919b62c 100644 
--- a/packages/javascript/bh-shared-ui/src/graphSchema.ts +++ b/packages/javascript/bh-shared-ui/src/graphSchema.ts @@ -130,6 +130,7 @@ export enum ActiveDirectoryRelationshipKind { ADCSESC6 = 'ADCSESC6', ADCSESC7 = 'ADCSESC7', ADCSESC9a = 'ADCSESC9a', + ADCSESC9b = 'ADCSESC9b', } export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryRelationshipKind): string | undefined { switch (value) { @@ -257,6 +258,8 @@ export function ActiveDirectoryRelationshipKindToDisplay(value: ActiveDirectoryR return 'ADCSESC7'; case ActiveDirectoryRelationshipKind.ADCSESC9a: return 'ADCSESC9a'; + case ActiveDirectoryRelationshipKind.ADCSESC9b: + return 'ADCSESC9b'; default: return undefined; } @@ -524,6 +527,7 @@ export function ActiveDirectoryPathfindingEdges(): ActiveDirectoryRelationshipKi ActiveDirectoryRelationshipKind.ADCSESC6, ActiveDirectoryRelationshipKind.ADCSESC7, ActiveDirectoryRelationshipKind.ADCSESC9a, + ActiveDirectoryRelationshipKind.ADCSESC9b, ActiveDirectoryRelationshipKind.DCFor, ]; } From 246de1ed4a772b7067d471f0cdf93b057d7fa3a3 Mon Sep 17 00:00:00 2001 From: Brandon Shearin Date: Wed, 24 Jan 2024 08:00:29 -0800 Subject: [PATCH 3/3] add 9a to edge types --- .../bh-shared-ui/src/views/Explore/ExploreSearch/edgeTypes.tsx | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/javascript/bh-shared-ui/src/views/Explore/ExploreSearch/edgeTypes.tsx b/packages/javascript/bh-shared-ui/src/views/Explore/ExploreSearch/edgeTypes.tsx index c1c57a0702..0a56aa9395 100644 --- a/packages/javascript/bh-shared-ui/src/views/Explore/ExploreSearch/edgeTypes.tsx +++ b/packages/javascript/bh-shared-ui/src/views/Explore/ExploreSearch/edgeTypes.tsx @@ -92,6 +92,7 @@ export const AllEdgeTypes: Category[] = [ ActiveDirectoryRelationshipKind.GoldenCert, ActiveDirectoryRelationshipKind.ADCSESC1, ActiveDirectoryRelationshipKind.ADCSESC3, + ActiveDirectoryRelationshipKind.ADCSESC9a, ], }, ],
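Review bot: `AllEdgeTypes` gains `ActiveDirectoryRelationshipKind.ADCSESC9a` but not `ADCSESC9b`, even though patch 2/3 adds ADCSESC9b to the `ActiveDirectoryRelationshipKind` enum, to `ActiveDirectoryRelationshipKindToDisplay` and to `ActiveDirectoryPathfindingEdges()`, so 9b edges would be followed by pathfinding yet not be selectable in the Explore edge-type list. If that is not deliberate, add `ActiveDirectoryRelationshipKind.ADCSESC9b,` directly after the new line. The visible context of this category also jumps from ADCSESC3 to ADCSESC9a while graphSchema.ts defines ADCSESC4 through ADCSESC7; those may be listed further up in the array, which starts and ends outside this hunk, so this is only worth a check.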