Skip to content

feat+chore: refactor Azure UserRoleAssignments post-processing logic #2396

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
zinic wants to merge 1 commit into
base: main
Choose a base branch
from
+1,711 −1,071
Open

feat+chore: refactor Azure UserRoleAssignments post-processing logic #2396

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
117 changes: 59 additions & 58 deletions cmd/api/src/analysis/ad/adcs_integration_test.go
View file
Open in desktop

Large diffs are not rendered by default.

15 changes: 8 additions & 7 deletions cmd/api/src/analysis/ad/ntlm_integration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ import (
"github.com/specterops/bloodhound/cmd/api/src/test/integration"
"github.com/specterops/bloodhound/packages/go/analysis"
ad2 "github.com/specterops/bloodhound/packages/go/analysis/ad"
"github.com/specterops/bloodhound/packages/go/analysis/post"
"github.com/specterops/bloodhound/packages/go/graphschema"
"github.com/specterops/bloodhound/packages/go/graphschema/ad"
"github.com/specterops/bloodhound/packages/go/graphschema/common"
Expand Down Expand Up @@ -156,7 +157,7 @@ func TestPostNTLMRelaySMB(t *testing.T) {
ntlmCache, err := ad2.NewNTLMCache(context.Background(), db, grouplocalGroupData)
require.NoError(t, err)

err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- post.EnsureRelationshipJob) error {
for _, computer := range computers {
innerComputer := computer
domainSid, _ := innerComputer.Properties.Get(ad.DomainSID.String()).String()
Expand Down Expand Up @@ -232,7 +233,7 @@ func TestPostNTLMRelaySMB(t *testing.T) {
ntlmCache, err := ad2.NewNTLMCache(context.Background(), db, grouplocalGroupData)
require.NoError(t, err)

err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- post.EnsureRelationshipJob) error {
for _, computer := range computers {
innerComputer := computer

Expand Down Expand Up @@ -284,7 +285,7 @@ func TestNTLMRelayToSMBComposition(t *testing.T) {
ntlmCache, err := ad2.NewNTLMCache(context.Background(), db, grouplocalGroupData)
require.NoError(t, err)

err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- post.EnsureRelationshipJob) error {
for _, computer := range computers {
innerComputer := computer
domainSid, _ := innerComputer.Properties.Get(ad.DomainSID.String()).String()
Expand Down Expand Up @@ -360,7 +361,7 @@ func TestPostCoerceAndRelayNTLMToLDAP(t *testing.T) {
protectedUsersCache, err := ad2.FetchProtectedUsersMappedToDomains(testContext.Context(), db, grouplocalGroupData)
require.NoError(t, err)

err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- post.EnsureRelationshipJob) error {
for _, computer := range computers {
innerComputer := computer
domainSid, err := innerComputer.Properties.Get(ad.DomainSID.String()).String()
Expand Down Expand Up @@ -440,7 +441,7 @@ func TestPostCoerceAndRelayNTLMToLDAP(t *testing.T) {
protectedUsersCache, err := ad2.FetchProtectedUsersMappedToDomains(testContext.Context(), db, grouplocalGroupData)
require.NoError(t, err)

err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- post.EnsureRelationshipJob) error {
for _, computer := range computers {
innerComputer := computer
domainSid, err := innerComputer.Properties.Get(ad.DomainSID.String()).String()
Expand Down Expand Up @@ -516,7 +517,7 @@ func TestPostCoerceAndRelayNTLMToLDAP(t *testing.T) {
protectedUsersCache, err := ad2.FetchProtectedUsersMappedToDomains(testContext.Context(), db, grouplocalGroupData)
require.NoError(t, err)

err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- post.EnsureRelationshipJob) error {
for _, computer := range computers {
innerComputer := computer
domainSid, err := innerComputer.Properties.Get(ad.DomainSID.String()).String()
Expand Down Expand Up @@ -571,7 +572,7 @@ func TestPostCoerceAndRelayNTLMToLDAP(t *testing.T) {
protectedUsersCache, err := ad2.FetchProtectedUsersMappedToDomains(testContext.Context(), db, grouplocalGroupData)
require.NoError(t, err)

err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
err = operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- post.EnsureRelationshipJob) error {
for _, computer := range computers {
innerComputer := computer
domainSid, err := innerComputer.Properties.Get(ad.DomainSID.String()).String()
Expand Down
22 changes: 19 additions & 3 deletions cmd/api/src/analysis/ad/post.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
// Copyright 2023 Specter Ops, Inc.
// Copyright 2026 Specter Ops, Inc.
//
// Licensed under the Apache License, Version 2.0
// you may not use this file except in compliance with the License.
Expand All @@ -13,6 +13,21 @@
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0
// Copyright 2post.CreatePostRelationshipJob23 Specter Ops, Inc.
//
// Licensed under the Apache License, Version 2.post.CreatePostRelationshipJob
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.post.CreatePostRelationshipJob
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.post.CreatePostRelationshipJob
Comment on lines +16 to +30
Copy link
Contributor

@coderabbitai coderabbitai bot Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Corrupted duplicate license header — bad search-and-replace artifact.

Lines 16–30 contain a second, garbled license block where 0 was replaced with post.CreatePostRelationshipJob (e.g., "Copyright 2post.CreatePostRelationshipJob23", "Apache-2.post.CreatePostRelationshipJob"). This is clearly a find-and-replace accident during the refactor. Remove the entire duplicate block.

Proposed fix 
 // SPDX-License-Identifier: Apache-2.0
-// Copyright 2post.CreatePostRelationshipJob23 Specter Ops, Inc.
-//
-// Licensed under the Apache License, Version 2.post.CreatePostRelationshipJob
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.post.CreatePostRelationshipJob
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// SPDX-License-Identifier: Apache-2.post.CreatePostRelationshipJob
 
 package ad
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Copyright 2post.CreatePostRelationshipJob23 Specter Ops, Inc.
//
// Licensed under the Apache License, Version 2.post.CreatePostRelationshipJob
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.post.CreatePostRelationshipJob
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.post.CreatePostRelationshipJob
package ad
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@cmd/api/src/analysis/ad/post.go` around lines 16 - 30, Remove the corrupted
duplicated license block that was introduced by the bad find-and-replace (the
block containing the garbled tokens like "post.CreatePostRelationshipJob", e.g.,
"Copyright 2post.CreatePostRelationshipJob23" and
"Apache-2.post.CreatePostRelationshipJob"); keep only the original correct
license header at the top of cmd/api/src/analysis/ad/post.go and delete the
entire garbled lines (the duplicate block containing
"post.CreatePostRelationshipJob") so the file contains a single valid Apache-2.0
license header.


package ad

Expand All @@ -22,14 +37,15 @@ import (

"github.com/specterops/bloodhound/packages/go/analysis"
adAnalysis "github.com/specterops/bloodhound/packages/go/analysis/ad"
"github.com/specterops/bloodhound/packages/go/analysis/post"
"github.com/specterops/bloodhound/packages/go/bhlog/attr"
"github.com/specterops/bloodhound/packages/go/bhlog/measure"
"github.com/specterops/bloodhound/packages/go/graphschema/ad"
"github.com/specterops/bloodhound/packages/go/graphschema/azure"
"github.com/specterops/dawgs/graph"
)

func Post(ctx context.Context, db graph.Database, adcsEnabled, citrixEnabled, ntlmEnabled bool, compositionCounter *analysis.CompositionCounter) (*analysis.AtomicPostProcessingStats, error) {
func Post(ctx context.Context, db graph.Database, adcsEnabled, citrixEnabled, ntlmEnabled bool, compositionCounter *analysis.CompositionCounter) (*post.AtomicPostProcessingStats, error) {
defer measure.ContextLogAndMeasure(
ctx,
slog.LevelInfo,
Expand All @@ -39,7 +55,7 @@ func Post(ctx context.Context, db graph.Database, adcsEnabled, citrixEnabled, nt
attr.Scope("step"),
)()

aggregateStats := analysis.NewAtomicPostProcessingStats()
aggregateStats := post.NewAtomicPostProcessingStats()

if err := adAnalysis.FixWellKnownNodeTypes(ctx, db); err != nil {
return &aggregateStats, err
Expand Down
5 changes: 3 additions & 2 deletions cmd/api/src/analysis/azure/post.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,14 +23,15 @@ import (
"github.com/specterops/bloodhound/packages/go/analysis"
azureAnalysis "github.com/specterops/bloodhound/packages/go/analysis/azure"
"github.com/specterops/bloodhound/packages/go/analysis/hybrid"
"github.com/specterops/bloodhound/packages/go/analysis/post"
"github.com/specterops/bloodhound/packages/go/bhlog/attr"
"github.com/specterops/bloodhound/packages/go/bhlog/measure"
"github.com/specterops/bloodhound/packages/go/graphschema/ad"
"github.com/specterops/bloodhound/packages/go/graphschema/azure"
"github.com/specterops/dawgs/graph"
)

func Post(ctx context.Context, db graph.Database) (*analysis.AtomicPostProcessingStats, error) {
func Post(ctx context.Context, db graph.Database) (*post.AtomicPostProcessingStats, error) {
defer measure.ContextLogAndMeasure(
ctx,
slog.LevelInfo,
Expand All @@ -40,7 +41,7 @@ func Post(ctx context.Context, db graph.Database) (*analysis.AtomicPostProcessin
attr.Scope("step"),
)()

aggregateStats := analysis.NewAtomicPostProcessingStats()
aggregateStats := post.NewAtomicPostProcessingStats()
if err := azureAnalysis.FixManagementGroupNames(ctx, db); err != nil {
slog.WarnContext(ctx, "Error fixing management group names", attr.Error(err))
}
Expand Down
5 changes: 0 additions & 5 deletions packages/cue/bh/azure/azure.cue
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -952,11 +952,6 @@ PathfindingRelationships: list.Concat([InboundOutboundRelationshipKinds])
PostProcessedRelationships: [
AddSecret,
ExecuteCommand,
ResetPassword,
AddMembers,
GlobalAdmin,
PrivilegedRoleAdmin,
PrivilegedAuthAdmin,
AZMGAddMember,
AZMGAddOwner,
AZMGAddSecret,
Expand Down
Loading
Loading