ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 06:45:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(browser auth): fix browser auth in Azure to include tenant id (#2415)

Browse Source 
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Co-authored-by: Pepe Fagoaga <pepe@verica.io>
This commit is contained in:
Nacho Rivera
2023-06-02 13:22:43 +02:00
committed by GitHub
parent 714d0d4092
commit 15a7de7b24
5 changed files with 45 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
prowler/lib/cli/parser.py
View File

@@ -430,7 +430,7 @@ Detailed documentation at https://docs.prowler.cloud
azure_auth_modes_group.add_argument(
"--browser-auth",
action="store_true",
help="Use browser authentication to log in against azure ",
help="Use browser authentication to log in against Azure, --tenant-id is required for this option",
)
azure_auth_modes_group.add_argument(
"--managed-identity-auth",
@@ -445,6 +445,12 @@ Detailed documentation at https://docs.prowler.cloud
default=[],
help="Azure subscription ids to be scanned by prowler",
)
azure_parser.add_argument(
"--tenant-id",
nargs="?",
default=None,
help="Azure Tenant ID to be used with --browser-auth option",
)
def __init_gcp_parser__(self):
"""Init the GCP Provider CLI parser"""

10
prowler/lib/outputs/html.py
View File

@@ -408,6 +408,14 @@ def get_azure_html_assessment_summary(audit_info):
for key, value in audit_info.identity.subscriptions.items():
intermediate = key + " : " + value
printed_subscriptions.append(intermediate)
# check if identity is str(coming from SP) or dict(coming from browser or)
if isinstance(audit_info.identity.identity_id, dict):
html_identity = audit_info.identity.identity_id.get(
"userPrincipalName", "Identity not found"
)
else:
html_identity = audit_info.identity.identity_id
return (
"""
<div class="col-md-2">
@@ -447,7 +455,7 @@ def get_azure_html_assessment_summary(audit_info):
</li>
<li class="list-group-item">
<b>Azure Identity ID:</b> """
+ audit_info.identity.identity_id
+ html_identity
+ """
</li>
</ul>

20
prowler/providers/azure/azure_provider.py
View File

@@ -17,10 +17,11 @@ class Azure_Provider:
browser_auth: bool,
managed_entity_auth: bool,
subscription_ids: list,
tenant_id: str,
):
logger.info("Instantiating Azure Provider ...")
self.credentials = self.__set_credentials__(
az_cli_auth, sp_env_auth, browser_auth, managed_entity_auth
az_cli_auth, sp_env_auth, browser_auth, managed_entity_auth, tenant_id
)
self.identity = self.__set_identity_info__(
self.credentials,
@@ -32,7 +33,7 @@ class Azure_Provider:
)
def __set_credentials__(
self, az_cli_auth, sp_env_auth, browser_auth, managed_entity_auth
self, az_cli_auth, sp_env_auth, browser_auth, managed_entity_auth, tenant_id
):
# Browser auth creds cannot be set with DefaultAzureCredentials()
if not browser_auth:
@@ -59,7 +60,15 @@ class Azure_Provider:
)
sys.exit(1)
else:
credentials = InteractiveBrowserCredential()
try:
print(tenant_id)
credentials = InteractiveBrowserCredential(tenant_id=tenant_id)
except Exception as error:
logger.critical("Failed to retrieve azure credentials")
logger.critical(
f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}] -- {error}"
)
sys.exit(1)
return credentials
@@ -122,8 +131,9 @@ class Azure_Provider:
"Trying to retrieve user information from AAD to populate identity structure ..."
)
client = GraphClient(credential=credentials)
user_name = client.get("/me").json()["userPrincipalName"]
identity.identity_id = user_name
user_name = client.get("/me").json()
if "userPrincipalName" in user_name:
identity.identity_id = user_name
except Exception as error:
logger.error(

6
prowler/providers/common/audit_info.py
View File

@@ -265,6 +265,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
sp_env_auth = arguments.get("sp_env_auth")
browser_auth = arguments.get("browser_auth")
managed_entity_auth = arguments.get("managed_entity_auth")
tenant_id = arguments.get("tenant_id")
if (
not az_cli_auth
and not sp_env_auth
@@ -274,6 +275,10 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
raise Exception(
"Azure provider requires at least one authentication method set: [--az-cli-auth | --sp-env-auth | --browser-auth | --managed-identity-auth]"
)
if (not browser_auth and tenant_id) or (browser_auth and not tenant_id):
raise Exception(
"Azure Tenant ID is required only for browser authentication mode"
)
azure_provider = Azure_Provider(
az_cli_auth,
@@ -281,6 +286,7 @@ Azure Identity Type: {Fore.YELLOW}[{audit_info.identity.identity_type}]{Style.RE
browser_auth,
managed_entity_auth,
subscription_ids,
tenant_id,
)
azure_audit_info.credentials = azure_provider.get_credentials()
azure_audit_info.identity = azure_provider.get_identity()

8
tests/lib/cli/parser_test.py
View File

@@ -924,6 +924,14 @@ class Test_Parser:
assert parsed.provider == "azure"
assert parsed.browser_auth
def test_parser_azure_tenant_id(self):
argument = "--tenant-id"
tenant_id = "test-tenant-id"
command = [prowler_command, "azure", argument, tenant_id]
parsed = self.parser.parse(command)
assert parsed.provider == "azure"
assert parsed.tenant_id == tenant_id
def test_parser_azure_auth_az_cli(self):
argument = "--az-cli-auth"
command = [prowler_command, "azure", argument]