Open andresriancho opened 6 years ago
arn:aws:iam::010337476630:saml-provider/DAA
was obscured and belongs to the organization I'm doing the security assessment for.
The way in which CloudMapper figures out SAML providers is a hack right now. This error forces you to modify the code to add in your SAML provider. I need a cleaner way of handling this and also a cleaner way of identifying the SAML provider. For now, you'll just want to add a line like this: https://github.com/duo-labs/cloudmapper/blob/d3127ffa7b03e99c860ea022cb97c0f5cf79aad0/commands/wot.py#L172
Then add an icon for the provider here: https://github.com/duo-labs/cloudmapper/blob/d3127ffa7b03e99c860ea022cb97c0f5cf79aad0/web/style.json#L292
Yeah, I kinda figured that out from the code, but the default should be a little bit friendlier. Maybe add a default logo and name, use those when the provider is not identified, and warn the user in stderr?
Same for:

```
File "/opt/cloudmapper/commands/weboftrust.py", line 215, in get_iam_trusts
    "Unknown federation provider: {}".format(principal["Federated"])
Exception: Unknown federation provider: arn:aws:iam::111111111111:saml-provider/TLH-Azure_AD
```

I'll make a PR. Would you consider the type to be ADFS or Azure-ADFS?
I have a workaround that is sufficient for our team.
Create config/custom_federation_providers.yaml:

```yaml
# Each entry is one mapping; "id" is the substring looked for in the
# lowercased SAML provider ARN, "name" is the node label, "provider_type"
# selects the icon in web/style.json.
federation_providers:
  - id: x
    name: y
    provider_type: z
```
Then in weboftrust.py add this at the top:

```python
# add next to the other imports at the top of weboftrust.py
import yaml
from os import path

# existing start of the loop in get_iam_trusts; the config load goes right after it
for role in pyjq.all(".RoleDetailList[]", iam):
    principals = pyjq.all(".AssumeRolePolicyDocument.Statement[].Principal", role)

    # Custom provider list from the yaml above; empty when the file is absent
    federation_providers = []
    if path.exists('config/custom_federation_providers.yaml'):
        with open('config/custom_federation_providers.yaml', 'r') as f:
            federation_providers_data = yaml.safe_load(f)
            federation_providers = federation_providers_data['federation_providers']
```
And this at the bottom. I'll create a PR for it so you can have a better look.
```python
# new branch in the saml_provider_arn elif chain, before the final else
elif federation_providers:
    found = False
    for provider in federation_providers:
        # compare against the expression, not a string literal
        if provider['id'] in saml_provider_arn.lower():
            # key name matches the yaml above
            provider_type = provider.get('provider_type', "")
            node = Account(
                json_blob={
                    "id": provider['id'],
                    "name": provider['name'],
                    "type": provider_type,
                }
            )
            found = True
            break
    if not found:
        raise Exception(
            "Unknown federation provider: {}".format(saml_provider_arn.lower())
        )
```
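A self-contained version of the config-driven lookup this thread converges on, combined with the opener's suggestion of a generic default node plus a stderr warning instead of an exception. This is an added example, not CloudMapper's code and not the workaround above: the config text, the function names `load_federation_providers`, `saml_provider_name` and `federation_node_blob`, and the `strict` flag are all assumptions, and the returned dict is only the shape that would be handed to CloudMapper's `Account(json_blob=...)`. Because YAML is a superset of JSON, the constructed config is parsed with the stdlib `json` module here but would load identically with `yaml.safe_load`.

```python
import json
import sys

# Constructed sample config (not the project's own file). On disk this would be
# config/custom_federation_providers.yaml; as JSON-flavoured YAML it loads with
# yaml.safe_load too, so only the stdlib json module is needed here.
SAMPLE_CONFIG = """
{
  "federation_providers": [
    {"id": "okta", "name": "Okta", "provider_type": "Okta"},
    {"id": "azure_ad", "name": "Azure AD", "provider_type": "ADFS"},
    {"id": "ad", "name": "On-prem AD", "provider_type": "ADFS"}
  ]
}
"""

REQUIRED_KEYS = ("id", "name", "provider_type")


def load_federation_providers(config_text):
    """Parse the config, validate every entry, and order ids longest-first
    so a broad id like 'ad' cannot shadow a more specific 'azure_ad'."""
    providers = json.loads(config_text).get("federation_providers", [])
    for entry in providers:
        missing = [key for key in REQUIRED_KEYS if key not in entry]
        if missing:
            raise ValueError("federation provider entry {} is missing {}".format(entry, missing))
    return sorted(providers, key=lambda p: len(p["id"]), reverse=True)


def saml_provider_name(saml_provider_arn):
    """Extract <name> from arn:aws:iam::<account>:saml-provider/<name>."""
    resource = saml_provider_arn.split(":", 5)[-1]
    prefix = "saml-provider/"
    if not resource.startswith(prefix):
        raise ValueError("not a SAML provider ARN: {}".format(saml_provider_arn))
    return resource[len(prefix):]


def federation_node_blob(saml_provider_arn, providers, strict=False):
    """Return the json_blob for the graph node representing this federation provider.

    The configured id is matched case-insensitively against the provider *name*
    only, not the whole ARN, so the account id and the literal 'aws' can never
    produce a false match. An unknown provider yields a generic node and a
    warning on stderr; strict=True reproduces the original exception instead.
    """
    name = saml_provider_name(saml_provider_arn)
    for provider in providers:
        if provider["id"].lower() in name.lower():
            return {"id": provider["id"], "name": provider["name"], "type": provider["provider_type"]}
    if strict:
        raise Exception("Unknown federation provider: {}".format(saml_provider_arn.lower()))
    print("WARNING: unknown federation provider {}; using a generic node".format(saml_provider_arn),
          file=sys.stderr)
    return {"id": name.lower(), "name": name, "type": "Unknown"}


if __name__ == "__main__":
    providers = load_federation_providers(SAMPLE_CONFIG)
    for arn in ("arn:aws:iam::111111111111:saml-provider/TLH-Azure_AD",
                "arn:aws:iam::111111111111:saml-provider/Okta-Prod",
                "arn:aws:iam::111111111111:saml-provider/DAA"):
        print(arn, "->", federation_node_blob(arn, providers))
```

The longest-id-first ordering and the name-only match are the two places where the substring approach in the thread can misattribute a trust edge; a mislabelled federation node is a quiet way to misjudge who can assume a role, so failing closed (`strict=True`) is the right default for an assessment and the generic node is only a convenience for a first pass over an unfamiliar account.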