Feature/145 Azure switches for credentials by zer0x64 · Pull Request #147 · nccgroup/ScoutSuite · GitHub
Feature/145 Azure switches for credentials #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 4, 2019
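--- a/ScoutSuite/__main__.py
+++ b/ScoutSuite/__main__.py
@@ -99,7 +99,14 @@ def main(passed_args=None):
 azure_msi=args.azure_msi,
 azure_service_principal=args.azure_service_principal,
 azure_file_auth=args.azure_file_auth,
-azure_user_credentials=args.azure_user_credentials)
+azure_user_credentials=args.azure_user_credentials,
+azure_tenant_id=args.tenant_id,
+azure_subscription_id=args.subscription_id,
+azure_client_id=args.client_id,
+azure_client_secret=args.client_secret,
+azure_username=args.azure_username,
+azure_password=args.azure_password
+)
 
 if not authenticated:
 return 42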
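Review bot: The new keyword arguments mix two naming schemes: the Azure-prefixed parameters are fed from unprefixed `args.tenant_id`, `args.subscription_id`, `args.client_id`, `args.client_secret`, while the last two come from `args.azure_username` / `args.azure_password`, so the parser `dest` names differ in shape for switches that belong to the same feature; giving the four service-principal switches an `azure_` dest as well (or dropping it from the user ones) keeps this call site predictable. Since `--client-secret` and `--azure-password` can now carry secrets, this is also the natural place for a short comment such as `# client_secret / azure_password may hold credentials: never log or echo args`. `main` starts before this hunk and continues past it.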
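--- a/ScoutSuite/cli_parser.py
+++ b/ScoutSuite/cli_parser.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 
 import sys
+import argparse
 
 from opinel.utils.cli_parser import OpinelArgumentParser
 
@@ -204,7 +205,10 @@ def __init__(self, default_args=None):
 action='store',
 help='ID of the GCP Organization to analyze')
 
-azure_auth_modes = self.parser.add_mutually_exclusive_group(required="azure" in sys.argv)
+azure_parser = self.parser.add_argument_group('Azure authentication modes')
+azure_auth_params = self.parser.add_argument_group('Azure authentication parameters')
+
+azure_auth_modes = azure_parser.add_mutually_exclusive_group(required="azure" in sys.argv)
 
 azure_auth_modes.add_argument('--azure-cli',
 action='store_true',
@@ -217,11 +221,41 @@ def __init__(self, default_args=None):
 help='Run Scout Suite with an Azure Service Principal')
 azure_auth_modes.add_argument('--azure-file-auth',
 action='store',
+type=argparse.FileType('r'),
+metavar="FILE",
 help='Run Scout Suite with the specif 8000 ied credential file')
 azure_auth_modes.add_argument('--azure-user-credentials',
 action='store_true',
 help='Run Scout Suite with user credentials')
 
+azure_auth_params.add_argument('--tenant',
+action='store',
+dest='tenant_id',
+help='Tenant ID of the Azure service principal')
+azure_auth_params.add_argument('--subscription',
+action='store',
+dest='subscription_id',
+help='Subscription ID of the Azure service principal')
+azure_auth_params.add_argument('--client-id',
+action='store',
+dest='client_id',
+help='Client ID of the Azure service principal')
+azure_auth_params.add_argument('--client-secret',
+action='store',
+dest='client_secret',
+help='Client secret of the Azure service principal')
+
+azure_auth_params.add_argument('--azure-username',
+action='store',
+default=None,
+dest='azure_username',
+help='Username of the Azure account')
+azure_auth_params.add_argument('--azure-password',
+action='store',
+default=None,
+dest='azure_password',
+help='Password of the Azure account')
+
 def parse_args(self, args=None):
 args = self.parser.parse_args(args)
 # If local analysis, overwrite results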
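Review bot: `--client-secret` and `--azure-password` take the secret as a command-line value, which lands in shell history and is typically readable by other local users through the process table (`ps`, `/proc/<pid>/cmdline`); the help strings should say so and steer users to the prompt, e.g. `help='Client secret of the Azure service principal (prefer omitting it so it is prompted for; a value given here is exposed in shell history and process listings)'`, and the same wording for `--azure-password`. The provider hunk on this page appears to fall back to `getpass` when these switches are omitted, so the safer path already exists and only needs to be named in the help. `--subscription` is documented as the 'Subscription ID of the Azure service principal' but the provider also consumes it in the user-credentials mode, so `help='Subscription ID to audit (service principal or user credentials)'` is more accurate. `argparse.FileType('r')` opens `--azure-file-auth` at parse time, so whoever reads the handle owns closing it; a comment on that line saying so would save the next reader a trip to the provider. `__init__` starts before the first hunk and `parse_args` continues past the last.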
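--- a/ScoutSuite/providers/azure/provider.py
+++ b/ScoutSuite/providers/azure/provider.py
@@ -44,7 +44,9 @@ def __init__(self, project_id=None, organization_id=None,
 super(AzureProvider, self).__init__(report_dir, timestamp, services, skipped_services, thread_config)
 
 def authenticate(self, key_file=None, user_account=None, service_account=None, azure_cli=None, azure_msi=None,
-azure_service_principal=None, azure_file_auth=None, azure_user_credentials=None, **kargs):
+azure_service_principal=None, azure_file_auth=None, azure_user_credentials=None,
+azure_tenant_id=None, azure_subscription_id=None, azure_client_id=None, azure_client_secret=None,
+azure_username=None, azure_password=None, **kargs):
 """
 Implements authentication for the Azure provider using azure-cli.
 Refer to https://docs.microsoft.com/en-us/python/azure/python-sdk-azure-authenticate?view=azure-python.
@@ -73,29 +75,11 @@ def authenticate(self, key_file=None, user_account=None, service_account=None, a
 self.credentials = AzureCredentials(credentials, self.aws_account_id)
 return True
 elif azure_file_auth:
-with open(azure_file_auth) as f:
-data = json.loads(f.read())
-subscription_id = data.get('subscriptionId')
-tenant_id = data.get('tenantId')
-client_id = data.get('clientId')
-client_secret = data.get('clientSecret')
-
-self.aws_account_id = tenant_id # TODO this is for AWS
-
-credentials = ServicePrincipalCredentials(
-client_id=client_id,
-secret=client_secret,
-tenant=tenant_id
-)
-
-self.credentials = AzureCredentials(credentials, subscription_id)
-
-return True
-elif azure_service_principal:
-subscription_id = input("Subscription ID: ")
-tenant_id = input("Tenant ID: ")
-client_id = input("Client ID: ")
-client_secret = getpass("Client secret: ")
+data = json.loads(azure_file_auth.read())
+subscription_id = data.get('subscriptionId')
+tenant_id = data.get('tenantId')
+client_id = data.get('clientId')
+client_secret = data.get('clientSecret')
 
 self.aws_account_id = tenant_id # TODO this is for AWS
 
@@ -107,13 +91,43 @@ def authenticate(self, key_file=None, user_account=None, service_account=None, a
 
 self.credentials = AzureCredentials(credentials, subscription_id)
 
 return True
+elif azure_service_principal:
+azure_subscription_id = azure_subscription_id if azure_subscription_id else input("Subscription ID: ")
+azure_tenant_id = azure_tenant_id if azure_tenant_id else input("Tenant ID: ")
+azure_client_id = azure_client_id if azure_client_id else input("Client ID: ")
+azure_client_secret = azure_client_secret if azure_client_secret else getpass("Client secret: ")
+
+self.aws_account_id = azure_subscription_id # TODO this is for AWS
+
+credentials = ServicePrincipalCredentials(
+client_id=azure_client_id,
+secret=azure_client_secret,
+tenant=azure_tenant_id
+)
+
+self.credentials = AzureCredentials(credentials, azure_subscription_id)
+
+return True
 elif azure_user_credentials:
-username = input("Username: ")
-password = getpass("Password: ")
+azure_username = azure_username if azure_username else input("Username: ")
+azure_password = azure_password if azure_password else getpass("Password: ")
+
+credentials = UserPassCredentials(azure_username, azure_password)
+
+if azure_subscription_id:
+self.aws_account_id = azure_subscription_id
+else:
+# Get the subscription ID
+subscription_client = SubscriptionClient(credentials)
+try:
+# Tries to read the subscription list
+subscription = next(subscription_client.subscriptions.list())
+self.aws_account_id = subscription.subscription_id
+except StopIteration:
+# If the user cannot read subscription list, ask Subscription ID:
+self.aws_account_id = input('Subscription ID: ')
 
-credentials = UserPassCredentials(username, password)
-self.aws_account_id = "" # TODO this is for AWS
 self.credentials = AzureCredentials(credentials, self.aws_account_id)
 return True
 except Exception as e: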
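Review bot: In the `elif azure_user_credentials` branch, `except StopIteration` only fires when the subscription listing is empty, so the comment `# If the user cannot read subscription list` is misleading: an authorization failure raised by `subscriptions.list()` would (presumably — the SDK's exception type is not visible here) propagate to the surrounding `except Exception as e` instead of falling back to the prompt. Taking `next(...)` also silently audits whichever subscription is returned first when the account can see several, which for a security scanner is a quiet way to review the wrong estate; the snippet below materialises the listing once and only auto-selects when exactly one subscription is visible, prompting otherwise. The service-principal branch now records the subscription ID in `self.aws_account_id`, while the unchanged file-auth tail (`self.aws_account_id = tenant_id`) still records the tenant, so the report identifier differs by auth mode. Separately, the file-auth hunk's `azure_file_auth.read()` consumes the handle that argparse opened but never closes it; `with azure_file_auth as f: data = json.load(f)` restores the closing that the removed `with open(...)` provided. `authenticate` begins in the first hunk and its `except` body runs past the last line shown.

```python
if azure_subscription_id:
    self.aws_account_id = azure_subscription_id
else:
    subscription_client = SubscriptionClient(credentials)
    # Materialise the listing once; auto-select only when the choice is unambiguous
    subscriptions = list(subscription_client.subscriptions.list())
    if len(subscriptions) == 1:
        self.aws_account_id = subscriptions[0].subscription_id
    else:
        # None visible, or more than one: make the user name the target explicitly
        self.aws_account_id = input('Subscription ID: ')
```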