duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License
5.97k stars 802 forks

Unknown federation provider: arn:aws:iam::010337476630:saml-provider/DAA #189

Open andresriancho opened 6 years ago

andresriancho commented 6 years ago
[andres:~/tools/cloudmapper] [venv] master* ± python cloudmapper.py wot --account nyt-vpc
Traceback (most recent call last):
  File "cloudmapper.py", line 69, in <module>
    main()
  File "cloudmapper.py", line 64, in main
    commands[command].run(arguments)
  File "/home/eth/tools/cloudmapper/commands/wot.py", line 397, in run
    cytoscape_json = wot(args, accounts, config)
  File "/home/eth/tools/cloudmapper/commands/wot.py", line 299, in wot
    get_nodes_and_connections(account, nodes, connections, args)
  File "/home/eth/tools/cloudmapper/commands/wot.py", line 284, in get_nodes_and_connections
    get_iam_trusts(account, nodes, connections, connections_to_get)
  File "/home/eth/tools/cloudmapper/commands/wot.py", line 185, in get_iam_trusts
    raise Exception('Unknown federation provider: {}'.format(principal['Federated']))
Exception: Unknown federation provider: arn:aws:iam::010337476630:saml-provider/DAA
[andres:~/tools/cloudmapper] [venv] master* 3s 1 ± 
andresriancho commented 6 years ago

arn:aws:iam::010337476630:saml-provider/DAA was obscured and belongs to the organization I'm doing the security assessment for.

0xdabbad00 commented 6 years ago

The way in which CloudMapper figures out SAML providers is a hack right now. This error forces you to modify the code to add in your SAML provider. I need a cleaner way of handling this and also a cleaner way of identifying the SAML provider. For now, you'll just want to add a line like this: https://github.com/duo-labs/cloudmapper/blob/d3127ffa7b03e99c860ea022cb97c0f5cf79aad0/commands/wot.py#L172

Then add an icon for the provider here: https://github.com/duo-labs/cloudmapper/blob/d3127ffa7b03e99c860ea022cb97c0f5cf79aad0/web/style.json#L292

andresriancho commented 6 years ago

Yeah, I kinda figured that out from the code, but the default should be a little bit friendlier. Maybe add a default logo and name, use those when the provider is not identified, and warn the user in stderr?

kbroughton commented 4 years ago

same for

  File "/opt/cloudmapper/commands/weboftrust.py", line 215, in get_iam_trusts
    "Unknown federation provider: {}".format(principal["Federated"])
Exception: Unknown federation provider: arn:aws:iam::111111111111:saml-provider/TLH-Azure_AD

I'll make a PR. Would you consider the type to be ADFS or Azure-ADFS?

kbroughton commented 3 years ago

I have a workaround that is sufficient for our team.

create config/custom_federation_providers.yaml

federation_providers:
  - id: "x"
    name: "y"
    provider_type: "z"

Then in weboftrust.py add this at the top

from os import path

import pyjq
import yaml

# Load the optional custom provider list once, before iterating over roles
federation_providers = []
if path.exists('config/custom_federation_providers.yaml'):
    with open('config/custom_federation_providers.yaml', 'r') as f:
        federation_providers_data = yaml.safe_load(f)
        federation_providers = federation_providers_data.get('federation_providers', [])

for role in pyjq.all(".RoleDetailList[]", iam):
    principals = pyjq.all(".AssumeRolePolicyDocument.Statement[].Principal", role)

And this at the bottom. I'll create a PR for it so you can have a better look.

                    elif federation_providers:
                        # Match each configured provider id against the SAML provider ARN
                        found = False
                        for provider in federation_providers:
                            if provider['id'].lower() in saml_provider_arn.lower():
                                provider_type = provider.get('provider_type', "")
                                node = Account(
                                    json_blob={
                                        "id": provider['id'],
                                        "name": provider['name'],
                                        "type": provider_type,
                                    }
                                )
                                found = True
                                break
                        if not found:
                            raise Exception(
                                "Unknown federation provider: {}".format(saml_provider_arn.lower())
                            )
                    else:
                        raise Exception(
                            "Unknown federation provider: {}".format(saml_provider_arn.lower())
                        )