Allowed Azure checks on AAD to run when no subscriptions are found #1386

wants to merge 2 commits into
base: develop
93 changes: 47 additions & 46 deletions ScoutSuite/providers/azure/facade/base.py
Expand Up @@ -84,52 +84,53 @@ def _set_subscriptions(self):
accessible_subscriptions_list = list(subscription_client.subscriptions.list())

if not accessible_subscriptions_list:
raise AuthenticationException('The provided credentials do not have access to any subscriptions')

# Final list, start empty
subscriptions_list = []

# No subscription provided, infer
if not (self.subscription_ids or self.all_subscriptions):
try:
# Tries to read the subscription list
print_info('No subscription set, inferring')
s = next(subscription_client.subscriptions.list())
except StopIteration:
print_info('Unable to infer a subscription')
# If the user cannot read subscription list, ask Subscription ID:
if not self.programmatic_execution:
s = input('Subscription ID: ')
else:
print_exception('Unable to infer a Subscription ID')
# raise
finally:
subscriptions_list.append(s)

# All subscriptions
elif self.all_subscriptions:
subscriptions_list = accessible_subscriptions_list

# A specific set of subscriptions
elif self.subscription_ids:
# Only include accessible subscriptions
subscriptions_list = [s for s in accessible_subscriptions_list if
s.subscription_id in self.subscription_ids]
# Verbose skip
for s in self.subscription_ids:
if not any(subs.subscription_id == s for subs in accessible_subscriptions_list):
raise AuthenticationException('Subscription {} does not exist or is not accessible '
'with the provided credentials'.format(s))

# Other == error
print_info('The provided credentials do not have access to any subscriptions. Script will only run on AAD')
self.subscription_list = []
else:
raise AuthenticationException('Unknown Azure subscription option')
# Final list, start empty
subscriptions_list = []

# No subscription provided, infer
if not (self.subscription_ids or self.all_subscriptions):
try:
# Tries to read the subscription list
print_info('No subscription set, inferring')
s = next(subscription_client.subscriptions.list())
except StopIteration:
print_info('Unable to infer a subscription')
# If the user cannot read subscription list, ask Subscription ID:
if not self.programmatic_execution:
s = input('Subscription ID: ')
else:
print_exception('Unable to infer a Subscription ID')
# raise
finally:
subscriptions_list.append(s)

# All subscriptions
elif self.all_subscriptions:
subscriptions_list = accessible_subscriptions_list

# A specific set of subscriptions
elif self.subscription_ids:
# Only include accessible subscriptions
subscriptions_list = [s for s in accessible_subscriptions_list if
s.subscription_id in self.subscription_ids]
# Verbose skip
for s in self.subscription_ids:
if not any(subs.subscription_id == s for subs in accessible_subscriptions_list):
raise AuthenticationException('Subscription {} does not exist or is not accessible '
'with the provided credentials'.format(s))

# Other == error
else:
raise AuthenticationException('Unknown Azure subscription option')

if subscriptions_list and len(subscriptions_list) > 0:
self.subscription_list = subscriptions_list
if len(subscriptions_list) == 1:
print_info('Running against subscription {}'.format(subscriptions_list[0].subscription_id))
if subscriptions_list and len(subscriptions_list) > 0:
self.subscription_list = subscriptions_list
if len(subscriptions_list) == 1:
print_info('Running against subscription {}'.format(subscriptions_list[0].subscription_id))
else:
print_info('Running against {} subscriptions'.format(len(subscriptions_list)))
else:
print_info('Running against {} subscriptions'.format(len(subscriptions_list)))
else:
raise AuthenticationException('No subscriptions to scan')
raise AuthenticationException('No subscriptions to scan')
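Review bot: The new no-subscriptions branch (`print_info('The provided credentials do not have access to any subscriptions. Script will only run on AAD')` followed by `self.subscription_list = []`) downgrades the run silently even when the caller explicitly asked for subscriptions through `self.subscription_ids` or `self.all_subscriptions`; before this change that case raised AuthenticationException, and now a scan meant to cover named subscriptions quietly becomes an AAD-only scan with only an info-level line to show for it. I would keep the downgrade for the inferred case only and fail loudly otherwise, e.g. insert `if not accessible_subscriptions_list and (self.subscription_ids or self.all_subscriptions):` / `raise AuthenticationException('The provided credentials do not have access to any subscriptions')` ahead of the new check, and emit the AAD-only message at a warning level rather than via `print_info` so the reduced scope stands out in the log (whether the logging helpers offer a warning level is not visible from this hunk). Since a report produced on this path is not a full Azure assessment, it is worth also recording the reduced scope where the report consumer will see it, not just in the console output. Downstream code must now tolerate `self.subscription_list` being an empty list, which this hunk does not show. `_set_subscriptions` begins above the hunk.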
45 changes: 24 additions & 21 deletions ScoutSuite/providers/azure/services.py
Expand Up @@ -41,28 +41,31 @@ def __init__(self,
programmatic_execution)

self.aad = AAD(facade)
self.rbac = RBAC(facade)
self.securitycenter = SecurityCenter(facade)
self.sqldatabase = Servers(facade)
self.storageaccounts = StorageAccounts(facade)
self.keyvault = KeyVaults(facade)
self.network = Networks(facade)
self.virtualmachines = VirtualMachines(facade)
self.appservice = AppServices(facade)

# Instantiate proprietary services
try:
self.appgateway = ApplicationGateways(facade)
except NameError as _:
pass
try:
self.loadbalancer = LoadBalancers(facade)
except NameError as _:
pass
try:
self.rediscache = RedisCaches(facade)
except NameError as _:
pass
# Currently, only AAD can be used without any subscriptions
if len(subscription_ids) > 0:
self.rbac = RBAC(facade)
self.securitycenter = SecurityCenter(facade)
self.sqldatabase = Servers(facade)
self.storageaccounts = StorageAccounts(facade)
self.keyvault = KeyVaults(facade)
self.network = Networks(facade)
self.virtualmachines = VirtualMachines(facade)
self.appservice = AppServices(facade)

# Instantiate proprietary services
try:
self.appgateway = ApplicationGateways(facade)
except NameError as _:
pass
try:
self.loadbalancer = LoadBalancers(facade)
except NameError as _:
pass
try:
self.rediscache = RedisCaches(facade)
except NameError as _:
pass

def _is_provider(self, provider_name):
return provider_name == 'azure'
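Review bot: The gate `if len(subscription_ids) > 0:` keys on the constructor argument rather than on the subscriptions the facade actually resolved in `_set_subscriptions`, so a run that sets `all_subscriptions`, or one whose single subscription is inferred, passes an empty `subscription_ids` and now instantiates nothing but AAD even though subscriptions are available; it also raises TypeError if `subscription_ids` is None. Test the resolved list instead, `if facade.subscription_list:`, assuming `facade` here is the object whose `_set_subscriptions` assigns `self.subscription_list` (this hunk does not show the facade's type). Any code elsewhere that reads `self.rbac`, `self.network` or the other subscription-scoped attributes unconditionally will now hit AttributeError on an AAD-only run, so a comment naming the contract, `# Subscription-scoped services are absent on an AAD-only run; check with hasattr before use`, would help the next maintainer. `__init__` begins above the hunk.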