Got rid of the ForeignSecurityPrincipal type entirely

lkarlslund · Nov 30, 2023 · 8f9f1be · 8f9f1be
1 parent e8cd715
commit 8f9f1be
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 32 deletions.
diff --git a/modules/engine/objecttype.go b/modules/engine/objecttype.go
@@ -23,7 +23,6 @@ var (
 	ObjectTypeDNSZone                    = NewObjectType("DNSZone", "Dns-Zone").SetDefault(Last, false)
 	ObjectTypeUser                       = NewObjectType("User", "Person")
 	ObjectTypeGroup                      = NewObjectType("Group", "Group")
-	ObjectTypeForeignSecurityPrincipal   = NewObjectType("ForeignSecurityPrincipal", "Foreign-Security-Principal")
 	ObjectTypeGroupManagedServiceAccount = NewObjectType("GroupManagedServiceAccount", "ms-DS-Group-Managed-Service-Account")
 	ObjectTypeManagedServiceAccount      = NewObjectType("ManagedServiceAccount", "ms-DS-Managed-Service-Account")
 	ObjectTypeOrganizationalUnit         = NewObjectType("OrganizationalUnit", "Organizational-Unit").SetDefault(Last, false)

diff --git a/modules/integrations/activedirectory/analyze/analyze-ad.go b/modules/integrations/activedirectory/analyze/analyze-ad.go
@@ -218,10 +218,6 @@ func init() {
 
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
-			if o.Type() == engine.ObjectTypeForeignSecurityPrincipal {
-				return true
-			}
-
 			sd, err := o.SecurityDescriptor()
 			if err != nil {
 				return true
@@ -237,10 +233,6 @@ func init() {
 
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
-			if o.Type() == engine.ObjectTypeForeignSecurityPrincipal {
-				return true
-			}
-
 			sd, err := o.SecurityDescriptor()
 			if err != nil {
 				return true
@@ -256,10 +248,6 @@ func init() {
 
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
-			if o.Type() == engine.ObjectTypeForeignSecurityPrincipal {
-				return true
-			}
-
 			sd, err := o.SecurityDescriptor()
 			if err != nil {
 				return true
@@ -275,10 +263,6 @@ func init() {
 
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
-			if o.Type() == engine.ObjectTypeForeignSecurityPrincipal {
-				return true
-			}
-
 			sd, err := o.SecurityDescriptor()
 			if err != nil {
 				return true
@@ -295,10 +279,6 @@ func init() {
 	// https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/c79a383c-2b3f-4655-abe7-dcbb7ce0cfbe IMPORTANT
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
-			if o.Type() == engine.ObjectTypeForeignSecurityPrincipal {
-				return true
-			}
-
 			sd, err := o.SecurityDescriptor()
 			if err != nil {
 				return true
@@ -314,10 +294,6 @@ func init() {
 
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
-			if o.Type() == engine.ObjectTypeForeignSecurityPrincipal {
-				return true
-			}
-
 			sd, err := o.SecurityDescriptor()
 			if err != nil {
 				return true
@@ -668,10 +644,6 @@ func init() {
 
 	Loader.AddProcessor(func(ao *engine.Objects) {
 		ao.Iterate(func(o *engine.Object) bool {
-			if o.Type() == engine.ObjectTypeForeignSecurityPrincipal {
-				return true
-			}
-
 			sd, err := o.SecurityDescriptor()
 			if err != nil {
 				return true
@@ -1098,6 +1070,8 @@ func init() {
 			ui.Fatal().Msgf("Could not locate Authenticated Users, aborting - this should at least have been added during earlier preprocessing")
 		}
 
+		authenticatedusers.EdgeTo(everyone, activedirectory.EdgeMemberOfGroup)
+
 		ncname, netbiosname, dnsroot, domainsid, err := FindDomain(ao)
 		if err != nil {
 			ui.Fatal().Msgf("Could not get needed domain information (%v), aborting", err)
@@ -1127,7 +1101,6 @@ func init() {
 				// if object.Type() == engine.ObjectTypeUser || object.Type() == engine.ObjectTypeComputer || object.Type() == engine.ObjectTypeManagedServiceAccount || object.Type() == engine.ObjectTypeGroupManagedServiceAccount {
 				object.EdgeTo(authenticatedusers, activedirectory.EdgeMemberOfGroup)
 			}
-			authenticatedusers.EdgeTo(everyone, activedirectory.EdgeMemberOfGroup)
 
 			if lastlogon, ok := object.AttrTime(activedirectory.LastLogonTimestamp); ok {
 				object.SetValues(engine.MetaLastLoginAge, engine.AttributeValueInt(int(time.Since(lastlogon)/time.Hour)))
@@ -1628,15 +1601,16 @@ func init() {
 	}, "Permissions that lets someone modify userAccountControl", engine.BeforeMergeFinal)
 
 	Loader.AddProcessor(func(ao *engine.Objects) {
+		edgematch := engine.EdgeBitmap{}.Set(activedirectory.EdgeMemberOfGroup).Set(activedirectory.EdgeForeignIdentity)
 		ao.IterateParallel(func(o *engine.Object) bool {
 			// Object that is member of something
 			if o.Type() != engine.ObjectTypeGroup {
 				return true
 			}
 
 			// Search from all groups towards incoming memberships
-			o.EdgeIteratorRecursive(engine.In, engine.EdgeBitmap{}.Set(activedirectory.EdgeMemberOfGroup).Set(activedirectory.EdgeForeignIdentity), true, func(source, member *engine.Object, edge engine.EdgeBitmap, depth int) bool {
-				if depth > 1 && member.Type() != engine.ObjectTypeGroup && member.Type() != engine.ObjectTypeForeignSecurityPrincipal {
+			o.EdgeIteratorRecursive(engine.In, edgematch, true, func(source, member *engine.Object, edge engine.EdgeBitmap, depth int) bool {
+				if depth > 1 && member.Type() != engine.ObjectTypeGroup {
 					member.EdgeTo(o, activedirectory.EdgeMemberOfGroupIndirect)
 				}
 				return true