grab_resource_policy attribute is missing to query the graph #73

Rackme · 2021-02-25T13:06:34Z

Describe the bug
I was not able to use an argquery or a query using the "v1.1.0-dev" version.

To Reproduce

Use any query on the graph previously fetched :

PMapper$ python3 ./pmapper.py --account 123456789 argquery --principal '*' --preset privesc 
Traceback (most recent call last):
  File "/PMapper/./pmapper.py", line 28, in <module>
    sys.exit(main())
  File "/PMapper/principalmapper/__main__.py", line 151, in main
    return argquery_cli.process_arguments(parsed_args)
  File "/PMapper/principalmapper/querying/argquery_cli.py", line 121, in process_arguments
    if parsed_args.grab_resource_policy:
AttributeError: 'Namespace' object has no attribute 'grab_resource_policy'

PMapper$ python3 ./pmapper.py --account 123456789 query "preset privesc *"
Traceback (most recent call last):
  File "/PMapper/./pmapper.py", line 28, in <module>
    sys.exit(main())
  File "/PMapper/principalmapper/__main__.py", line 149, in main
    return query_cli.process_arguments(parsed_args)
  File "/PMapper/principalmapper/querying/query_cli.py", line 90, in process_arguments
    if parsed_args.grab_resource_policy:
AttributeError: 'Namespace' object has no attribute 'grab_resource_policy'

I supposed this is normal because it's still in development ;).

The text was updated successfully, but these errors were encountered:

Rackme · 2021-02-25T13:31:46Z

It seems grab_resource_policy might be added to the argparse and parsed_args.resource settled to None by default (in argquery_cli.py and query_cli.py) or you would get :

"/PMapper/principalmapper/querying/query_actions.py", line 208, in argquery
raise ValueError('For the privesc preset query, the --resource parameter should not be set.')

I could do a PR if you want.

ncc-erik-steringer · 2021-02-25T17:57:59Z

I'll patch this tonight. I goofed and pushed a broken build, trying to change --grab-resource-policy to --with-resource-policy (which will automagically include resource policies for queries involving said resources).

ncc-erik-steringer · 2021-02-26T06:36:21Z

Took a shot at a fix in 629d47f .

Rackme · 2021-02-26T09:34:30Z

Nice, query works for any query and preset now !

I was also able to query with argquery, the only error I could got was on the privesc preset with the condition on the resource_param not Null.

principalmapper/querying/query_actions.py L207

PMapper sbu$ python3 ./pmapper.py --profile dev_keycloack argquery  --preset privesc
Traceback (most recent call last):
  File "/PMapper/./pmapper.py", line 28, in <module>
    sys.exit(main())
  File "/PMapper/principalmapper/__main__.py", line 151, in main
    return argquery_cli.process_arguments(parsed_args)
  File "/PMapper/principalmapper/querying/argquery_cli.py", line 139, in process_arguments
    query_actions.argquery(graph, parsed_args.principal, parsed_args.action, parsed_args.resource, conditions,
  File "/PMapper/principalmapper/querying/query_actions.py", line 208, in argquery
    raise ValueError('For the privesc preset query, the --resource parameter should not be set.')
ValueError: For the privesc preset query, the --resource parameter should not be set.

ncc-erik-steringer · 2021-02-28T05:10:43Z

A little more work in 1a75f47

Rackme · 2021-03-01T09:11:44Z

It works perfectly, thanks 👍

* Address #42, version bump * Major work on resource policies, adding specific internal functions to grab action/resource matches, added tests * Code removal: unused resource policy evaluation function * initial implementation of resource policy eval with query_interface * fixed bug in iam trust doc evaluation, backed up with testing * progress on grabbing resource policy by ARN * full implementation of (arg)query with resource policy * pulling, storing permission boundaries * permissions boundaries: added support in local evaluation methods, test cases * permissions boundaries: fix eval error caught by unit test due to allow vs None confusion * bugfix: arg-ordering in query subcommand from __main__.py * starting visualization update, service-policy retrieval updates * full implementation of gathering data with get_account_authorization_details, grabbing permission boundaries and mfa data (modified Nodes, unit tests have to be re-written again), fixed bug in SSM edge identification * Edge update: handle 'short_reason' field. Visualization update: option to only draw priv-esc risks. * query updates: added (arg)query arg to output for unauthorized principals, resource-policy queries now correctly handle admin scenarios * add example visualization * adding support for gathering and caching s3 bucket policies * query_result update before incorporating pull request * "invalid break disallowing multiple group_memberships for nodes in graph" (#60) * Fixed analysis bug (EC2 role assumption). Added MFA/Tag support to Nodes. Updated tests. * formatting fix, added clusters preset * added cycle detection + ssm finding, need to resolve import cycle issue * tested cycle detection, fixed and tested clusters * added support for grabbing+caching kms/sqs/sns resource policies * implemented on-demand resource policy retrieval for sns/sqs/kms/s3 (lib only) * overhauled logging, removed invocations of dprint, still need to tackle output/debug params * broadly removed debug/output params, or created "print" alternative functions to existing "write" functions. * added partial region support for the gathering process, added lack of MFA device finding * more progress in region-specification support for gathering: edge-gathering classes have allow/deny lists built in * moved argument generation to cli/frontend modules, still need to move argument handling * Started the shift from __main__ for CLI-related code * finished shifting code from __main__ into cli modules * implemented graphml visualization, reorganized visualization code * implemented session policy + SCP handling in simulation functions, still need to add tests and interface via (arg)query cli * added session policy handling to CLI * set up proper logs for unit tests * laying groundwork for AWS Organizations work * first crack at gathering and organizing aws orgs data * more orgs data compilation, cross-account edges * moved orgs front-end into separate module * added sagemaker edges. bugfixes. * fixed cross account edges * added handling for SNS/SQS resource policies * added organizations support to query CLI * added minimal tests for SCPs, added SCPs support to argquery * added Dockerfile * untested attempt at implementing multi-accounts earch * hotfixed search_authorization_across_accounts, initial tests are good * added support for PMAPPER_STORAGE env var * added initial version of the changelog * fix for #71 * fix for #73, start implementation of infra-as-code example * remove extra script * another fix for #73, more infra-as-code example progress * big shift in edge-gathering code: separated online/offline operations to enable infra-as-code analysis, optimized several passrole-based edge-checks * calling it good on the examples before v1.1.0 * initial implementation of endgame preset query (#72) * enabled SCP support for the graphing process * updated examples and readme * massive performance improvement by eliminating redundant regex compilation using an LRU cache (functools) * fix image linking for README * final quick fixes before 1.1.0

…a_article Updated and expanded the user data page

ncc-erik-steringer added a commit that referenced this issue Feb 26, 2021

fix for #73, start implementation of infra-as-code example

629d47f

ncc-erik-steringer added a commit that referenced this issue Feb 28, 2021

another fix for #73, more infra-as-code example progress

1a75f47

Rackme closed this as completed Mar 1, 2021

wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022

Merge pull request nccgroup#73 from Hacking-the-Cloud/update_user_dat…

68bf8cd

…a_article Updated and expanded the user data page

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

grab_resource_policy attribute is missing to query the graph #73

grab_resource_policy attribute is missing to query the graph #73

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

grab_resource_policy attribute is missing to query the graph #73

grab_resource_policy attribute is missing to query the graph #73

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!