[Maintenance] Refactored scopes and auth

elastic / SWAT

Simple Workspace Attack Tool (SWAT) is a tool for simulating malicious behavior against Google Workspace in reference to the MITRE ATT&CK framework.

Apache License 2.0

160 stars 7 forks source link

[Maintenance] Refactored scopes and auth #66

Open brokensound77 opened 1 year ago

brokensound77 commented 1 year ago

The commands for scopes and auth have been removed.

Scopes should be configured in the etc/config.yaml, etc/custom_config.yaml, or emulation configs
auth should be called by each emulating command as needed. The mechanism to do so is now within the Cred, simply by using Cred.session() with scopes as an optional parameter
custom global configs support

brokensound77 commented 1 year ago

SWAT> emulate admin_add_roles_to_users --username test --roles test

gets error

2023-08-11 20:42:10 ERROR Error: Authorized user info was not in the expected format, missing fields client_id, refresh_token, client_secret. (default:shell.py:195)

Looks like refresh_token is missing from creds??

terrancedejesus commented 1 year ago

class OAuthCreds(BaseCreds):
    """Data class for OAuth2.0 application credentials."""

    auth_provider_x509_cert_url: str
    auth_uri: str
    client_id: str
    client_secret: str
    project_id: str
    redirect_uris: list[str]
    token_uri: str
    refresh_token: str = None

terrancedejesus commented 1 year ago

Some additional thoughts here:

Service accounts will require scopes to be defined based on the IAM role assigned to the service account. Scopes cannot be adjusted after statically defined during authN/authZ accounts. Therefore, dynamically adjusting scopes is only compatible with OAuth workflow. Domain-wide delegation has to also be established for the service account by adding the ID of the service account to Google Workspace via the admin console.
If we can, let's add API credentials to this as well to cover all GCP-based credentials for API interaction.