nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0

grab_resource_policy attribute is missing to query the graph #73

Closed Rackme closed 3 years ago

Rackme commented 3 years ago

Describe the bug

I was not able to use an argquery or a query using the "v1.1.0-dev" version.

To Reproduce

Use any query on the graph previously fetched:

PMapper$ python3 ./pmapper.py --account 123456789 argquery --principal '*' --preset privesc 
Traceback (most recent call last):
  File "/PMapper/./pmapper.py", line 28, in <module>
    sys.exit(main())
  File "/PMapper/principalmapper/__main__.py", line 151, in main
    return argquery_cli.process_arguments(parsed_args)
  File "/PMapper/principalmapper/querying/argquery_cli.py", line 121, in process_arguments
    if parsed_args.grab_resource_policy:
AttributeError: 'Namespace' object has no attribute 'grab_resource_policy'

PMapper$ python3 ./pmapper.py --account 123456789 query "preset privesc *"
Traceback (most recent call last):
  File "/PMapper/./pmapper.py", line 28, in <module>
    sys.exit(main())
  File "/PMapper/principalmapper/__main__.py", line 149, in main
    return query_cli.process_arguments(parsed_args)
  File "/PMapper/principalmapper/querying/query_cli.py", line 90, in process_arguments
    if parsed_args.grab_resource_policy:
AttributeError: 'Namespace' object has no attribute 'grab_resource_policy'

I supposed this is normal because it's still in development ;).

Rackme commented 3 years ago

It seems grab_resource_policy might be added to the argparse and parsed_args.resource set to None by default (in argquery_cli.py and query_cli.py) or you would get:

"/PMapper/principalmapper/querying/query_actions.py", line 208, in argquery
raise ValueError('For the privesc preset query, the --resource parameter should not be set.')

I could do a PR if you want.

ncc-erik-steringer commented 3 years ago

I'll patch this tonight. I goofed and pushed a broken build, trying to change --grab-resource-policy to --with-resource-policy (which will automagically include resource policies for queries involving said resources).

ncc-erik-steringer commented 3 years ago

Took a shot at a fix in 629d47f.

Rackme commented 3 years ago

Nice, query works for any query and preset now!

I was also able to query with argquery, the only error I could get was on the privesc preset with the condition on the resource_param not Null.

principalmapper/querying/query_actions.py L207

PMapper sbu$ python3 ./pmapper.py --profile dev_keycloack argquery  --preset privesc
Traceback (most recent call last):
  File "/PMapper/./pmapper.py", line 28, in <module>
    sys.exit(main())
  File "/PMapper/principalmapper/__main__.py", line 151, in main
    return argquery_cli.process_arguments(parsed_args)
  File "/PMapper/principalmapper/querying/argquery_cli.py", line 139, in process_arguments
    query_actions.argquery(graph, parsed_args.principal, parsed_args.action, parsed_args.resource, conditions,
  File "/PMapper/principalmapper/querying/query_actions.py", line 208, in argquery
    raise ValueError('For the privesc preset query, the --resource parameter should not be set.')
ValueError: For the privesc preset query, the --resource parameter should not be set.

ncc-erik-steringer commented 3 years ago

A little more work in 1a75f47

Rackme commented 3 years ago

It works perfectly, thanks 👍
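
An added example, not part of the thread and not PMapper's code: a minimal argparse stand-in showing why renaming `--grab-resource-policy` to `--with-resource-policy` breaks a handler that still reads the old attribute, plus a check that catches the mismatch before a push. The parser, the handler, the attribute lists and the `is not None` guard are assumptions made for illustration.

```python
import argparse

# Attribute names a handler reads from the parsed Namespace (hypothetical lists).
STALE_READS = ("principal", "resource", "preset", "grab_resource_policy")
FIXED_READS = ("principal", "resource", "preset", "with_resource_policy")


def build_parser():
    """Stand-in parser using the renamed flag."""
    parser = argparse.ArgumentParser(prog="demo-argquery")
    parser.add_argument("--principal", default="*")
    parser.add_argument("--resource", default=None)
    parser.add_argument("--preset", default=None)
    # argparse derives the attribute from the flag text:
    # --with-resource-policy becomes parsed_args.with_resource_policy
    parser.add_argument("--with-resource-policy", action="store_true")
    return parser


def missing_attributes(parser, reads):
    """Return the attributes in `reads` that a default parse does not define."""
    namespace = parser.parse_args([])
    return [name for name in reads if not hasattr(namespace, name)]


def process_arguments(parsed_args, policy_attr):
    """Stand-in handler; policy_attr is the attribute it reads for the flag."""
    include_policies = getattr(parsed_args, policy_attr)  # AttributeError if stale
    # Assumed guard: only an explicitly supplied --resource is rejected.
    if parsed_args.preset == "privesc" and parsed_args.resource is not None:
        raise ValueError("For the privesc preset query, "
                         "the --resource parameter should not be set.")
    return {"principal": parsed_args.principal,
            "preset": parsed_args.preset,
            "include_resource_policies": include_policies}


if __name__ == "__main__":
    parser = build_parser()
    print("stale handler is missing:", missing_attributes(parser, STALE_READS))
    print("fixed handler is missing:", missing_attributes(parser, FIXED_READS))
    args = parser.parse_args(["--preset", "privesc", "--with-resource-policy"])
    print(process_arguments(args, "with_resource_policy"))
```

Running `missing_attributes` over each subcommand's parser in a unit test turns this class of rename mistake into a test failure instead of a runtime traceback.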