8000 Improve ADCSESC6 post-processing by JonasBK · Pull Request #1655 · SpecterOps/BloodHound · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

Improve ADCSESC6 post-processing #1655

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Improve ADCSESC6 post-processing #1655

wants to merge 1 commit into from
+119 −152

Conversation

JonasBK
Copy link
Contributor
@JonasBK JonasBK commented Jul 7, 2025
edited by coderabbitai bot
Loading

Description

Add IsUserSpecifiesSanEnabledCollected check in post-processing function for ADCSESC6

Refactor post-processing of ADCSESC6 to improve readability and performance

Motivation and Context

Resolves BED-6144

How Has This Been Tested?

By running tests

Types of changes

  • Chore (a change that does not modify the application functionality)

Checklist:

Summary by CodeRabbit

  • New Features

    • Added a new property for EnterpriseCA nodes in test harnesses and integration data to reflect an additional configuration state.

  • Bug Fixes

    • Updated logic to check for the new property before proceeding with further processing in relevant analysis functions.

  • Refactor

    • Simplified and streamlined certificate template processing by removing intermediate filtering steps and redundant helper functions.

@JonasBK JonasBK self-assigned this Jul 7, 2025
@JonasBK JonasBK added enhancement New feature or request external This pull request is from an external contributor labels Jul 7, 2025
@coderabbitai coderabbitai
Copy link
Contributor
coderabbitai bot commented Jul 7, 2025
edited
Loading

Walkthrough

The changes introduce a new property, IsUserSpecifiesSanEnabledCollected, to EnterpriseCA nodes in both Go test harness setup code and related JSON test data. In the analysis logic, functions now require this property to be true before proceeding, and the control flow for processing certificate templates is streamlined, removing some intermediate filtering steps.

Changes

File(s) Change Summary
cmd/api/src/test/integration/harnesses.go Sets IsUserSpecifiesSanEnabledCollected = true on EnterpriseCA nodes in various harness setups.
cmd/api/src/test/integration/harnesses/esc6a-eca.json
cmd/api/src/test/integration/harnesses/esc6a-template1.json
cmd/api/src/test/integration/harnesses/esc6a-template2.json		 Adds "IsUserSpecifiesSanEnabledCollected" property to EnterpriseCA nodes in test harness JSON files.
packages/go/analysis/ad/esc6.go Adds early return if IsUserSpecifiesSanEnabledCollected is false/missing; streamlines cert template processing; removes helper functions.

Sequence Diagram(s)

sequenceDiagram
    participant Caller
    participant esc6.go (PostADCSESC6a/b)
    participant EnterpriseCA Node
    participant CertTemplate
    participant Enroller
    participant JobQueue

    Caller->>esc6.go (PostADCSESC6a/b): Call with EnterpriseCA node
    esc6.go (PostADCSESC6a/b)->>EnterpriseCA Node: Check IsUserSpecifiesSanEnabledCollected
    alt Property missing or false
        esc6.go (PostADCSESC6a/b)-->>Caller: Return early
    else Property true
        esc6.go (PostADCSESC6a/b)->>CertTemplate: For each published template
        esc6.go (PostADCSESC6a/b)->>Enroller: For each enroller of template and CA
        esc6.go (PostADCSESC6a/b)->>Enroller: Filter via filterUserDNSResults
        esc6.go (PostADCSESC6a/b)->>JobQueue: Submit post relationship job per enroller and domain
    end
Loading

Poem

In the warren of code, a new flag appears,
"IsUserSpecifiesSanEnabledCollected" hops in with cheers.
Harnesses and templates now know what to do,
The logic is streamlined, the pathways are new.
With early returns and simpler flows,
This bunny approves—onward it goes! 🐇✨

✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Jul 7, 2025
View reviewed changes
Copy link
Contributor
@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (7)
cmd/api/src/test/integration/harnesses/esc6a-template1.json (1)

112-114: Prefer JSON boolean over string literal for new flag

All existing boolean-style properties in these harness files are already stored as strings, so the addition is internally consistent.
However, JSON supports the native literals true / false; adopting them for any new flags avoids one more layer of string/boolean conversion in future test utilities and makes hand-inspection less error-prone.

Consider:

-        "IsUserSpecifiesSanEnabledCollected": "True",
+        "IsUserSpecifiesSanEnabledCollected": true,
cmd/api/src/test/integration/harnesses/esc6a-template2.json (1)

112-114: Same boolean-literal suggestion as in template 1

For the newly introduced flag, using raw JSON booleans (true / false) will make future parsing simpler and more idiomatic.

No action needed if string encoding is required for legacy reasons.

cmd/api/src/test/integration/harnesses/esc6a-eca.json (1)

130-134: Consistent flag encoding across all EnterpriseCA nodes

The new IsUserSpecifiesSanEnabledCollected property is added uniformly (with one intentional False case).
If backward-compatibility doesn’t force string values, prefer the JSON boolean literal form (true / false) for all instances to avoid confusion later.

Otherwise, looks good.

Also applies to: 228-232, 329-333, 429-433, 529-533

cmd/api/src/test/integration/harnesses.go (4)

5355-5356: Consider maintaining consistent property ordering.

The properties are set in a different order compared to earlier hunks. For consistency, consider setting IsUserSpecifiesSanEnabled before IsUserSpecifiesSanEnabledCollected to match the pattern used in hunks 1-3.

The logic is correct and functional - this is purely a style consistency suggestion:

-	s.EnterpriseCA0.Properties.Set(ad.IsUserSpecifiesSanEnabledCollected.String(), true)
-	s.EnterpriseCA0.Properties.Set(ad.IsUserSpecifiesSanEnabled.String(), true)
+	s.EnterpriseCA0.Properties.Set(ad.IsUserSpecifiesSanEnabled.String(), true)
+	s.EnterpriseCA0.Properties.Set(ad.IsUserSpecifiesSanEnabledCollected.String(), true)

Apply similar reordering to the other EnterpriseCA nodes in this section.

Also applies to: 5361-5362, 5366-5367, 5371-5372, 5376-5377

5482-5483: Consider maintaining consistent property ordering.

Same inconsistency as noted in the previous section - consider setting IsUserSpecifiesSanEnabled before IsUserSpecifiesSanEnabledCollected for consistency.

7228-7233: Consider maintaining consistent property ordering.

Same inconsistency as noted in previous sections - consider setting IsUserSpecifiesSanEnabled before IsUserSpecifiesSanEnabledCollected for consistency.

7351-7354: Consider maintaining consistent property ordering.

Same inconsistency as noted in previous sections - consider setting IsUserSpecifiesSanEnabled before IsUserSpecifiesSanEnabledCollected for consistency.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f82b648 and ee36f52.

⛔ Files ignored due to path filters (3)
  • cmd/api/src/test/integration/harnesses/esc6a-eca.svg is excluded by !**/*.svg
  • cmd/api/src/test/integration/harnesses/esc6a-template1.svg is excluded by !**/*.svg
  • cmd/api/src/test/integration/harnesses/esc6a-template2.svg is excluded by !**/*.svg
📒 Files selected for processing (5)
  • cmd/api/src/test/integration/harnesses.go (7 hunks)
  • cmd/api/src/test/integration/harnesses/esc6a-eca.json (5 hunks)
  • cmd/api/src/test/integration/harnesses/esc6a-template1.json (1 hunks)
  • cmd/api/src/test/integration/harnesses/esc6a-template2.json (1 hunks)
  • packages/go/analysis/ad/esc6.go (1 hunks)
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings 
Learnt from: mvlipka
PR: SpecterOps/BloodHound#1615
File: cmd/api/src/test/integration/harnesses/AZPIMRolesHarness.json:190-194
Timestamp: 2025-06-26T20:50:03.695Z
Learning: The JSON files in cmd/api/src/test/integration/harnesses/ directory (like AZPIMRolesHarness.json) are used as reference documents for writing Go test harnesses, not as actual data files that get parsed by the application code. Minor formatting issues like trailing spaces in these reference files don't affect functionality.
cmd/api/src/test/integration/harnesses/esc6a-eca.json (1) 
Learnt from: mvlipka
PR: SpecterOps/BloodHound#1615
File: cmd/api/src/test/integration/harnesses/AZPIMRolesHarness.json:190-194
Timestamp: 2025-06-26T20:50:03.695Z
Learning: The JSON files in cmd/api/src/test/integration/harnesses/ directory (like AZPIMRolesHarness.json) are used as reference documents for writing Go test harnesses, not as actual data files that get parsed by the application code. Minor formatting issues like trailing spaces in these reference files don't affect functionality.
cmd/api/src/test/integration/harnesses.go (1)

undefined

<retrieved_learning>
Learnt from: mvlipka
PR: #1615
File: cmd/api/src/test/integration/harnesses/AZPIMRolesHarness.json:190-194
Timestamp: 2025-06-26T20:50:03.695Z
Learn 8000 ing: The JSON files in cmd/api/src/test/integration/harnesses/ directory (like AZPIMRolesHarness.json) are used as reference documents for writing Go test harnesses, not as actual data files that get parsed by the application code. Minor formatting issues like trailing spaces in these reference files don't affect functionality.
</retrieved_learning>

packages/go/analysis/ad/esc6.go (1) 
Learnt from: elikmiller
PR: SpecterOps/BloodHound#1563
File: packages/go/graphschema/azure/azure.go:24-24
Timestamp: 2025-06-06T23:12:14.181Z
Learning: In BloodHound, files in packages/go/graphschema/*/`*.go` are generated from CUE schemas. When `just prepare-for-codereview` is run, it triggers code generation that may automatically add import aliases or other formatting changes. These changes are legitimate outputs of the generation process, not manual edits that would be overwritten.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Build BloodHound Container Image / Build and Package Container
  • GitHub Check: run-tests
  • GitHub Check: run-analysis
  • GitHub Check: build-ui
🔇 Additional comments (8)
cmd/api/src/test/integration/harnesses.go (3)

3615-3616: LGTM! Property setting is correct.

The addition of IsUserSpecifiesSanEnabledCollected property aligns with the updated analysis logic requirements.

5069-5070: LGTM! Property setting is correct.

The addition of IsUserSpecifiesSanEnabledCollected property aligns with the updated analysis logic requirements.

5187-5188: LGTM! Property setting is correct.

The addition of IsUserSpecifiesSanEnabledCollected property aligns with the updated analysis logic requirements.

packages/go/analysis/ad/esc6.go (5)

39-43: Good addition of data collection check.

The new check for IsUserSpecifiesSanEnabledCollected ensures that post-processing only runs when the necessary data has been collected. The error handling and early return pattern are implemented correctly.

50-51: Good performance optimization.

Moving the enterpriseCAEnrollers cache lookup outside the loop avoids redundant lookups for each certificate template, improving performance when processing multiple templates.

60-76: Excellent refactoring for clarity and resilience.

The simplified logic directly processes enrollers without intermediate result accumulation, making the code more readable and maintainable. The error handling pattern with slog.WarnContext and continue ensures that processing continues for other certificate templates even if one encounters an error, improving overall resilience.

84-88: Consistent implementation with PostADCSESC6a.

The data collection check is implemented consistently across both ESC6 variants, maintaining code uniformity.

105-123: Consistent refactoring with ESC6b-specific logic preserved.

The simplified processing logic matches the pattern in PostADCSESC6a while correctly maintaining the ESC6b-specific check for HasUPNCertMappingInForest. This ensures consistent code structure across both variants while preserving their unique behaviors.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@JonasBK JonasBK

Labels
enhancement New feature or request external This pull request is from an external contributor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@JonasBK
0