fix: errantly adding AZHasRole edge to non-tenant scoped principals (#…

…625)
SpecterOps · May 30, 2024 · a18b364 · a18b364
1 parent b6e7d1a
commit a18b364
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 21 deletions.
diff --git a/packages/go/analysis/azure/azure.go b/packages/go/analysis/azure/azure.go
@@ -104,13 +104,3 @@ func AzureNonDescentKinds() graph.Kinds {
 		azure.RunsAs,
 	}
 }
-
-func AzureIgnoredKinds() graph.Kinds {
-	return []graph.Kind{
-		azure.ScopedTo,
-		azure.Contains,
-		azure.GlobalAdmin,
-		azure.PrivilegedRoleAdmin,
-		azure.PrivilegedAuthAdmin,
-	}
-}
diff --git a/packages/go/ein/azure.go b/packages/go/ein/azure.go
@@ -672,17 +672,6 @@ func ConvertAzureRoleAssignmentToRels(roleAssignment azure2.UnifiedRoleAssignmen
 		scope = strings.ToUpper(roleAssignment.DirectoryScopeId[1:])
 	}
 
-	relationships = append(relationships, IngestibleRelationship{
-		Source:     strings.ToUpper(roleAssignment.PrincipalId),
-		SourceType: azure.Entity,
-		TargetType: azure.Role,
-		Target:     roleObjectId,
-		RelProps: map[string]any{
-			azure.Scope.String(): scope,
-		},
-		RelType: azure.HasRole,
-	})
-
 	if CanAddSecret(roleAssignment.RoleDefinitionId) && roleAssignment.DirectoryScopeId != "/" {
 		if relType, err := GetAddSecretRoleKind(roleAssignment.RoleDefinitionId); err != nil {
 			log.Errorf("Error processing role assignment for role %s: %v", roleObjectId, err)
@@ -696,6 +685,17 @@ func ConvertAzureRoleAssignmentToRels(roleAssignment azure2.UnifiedRoleAssignmen
 				RelType:    relType,
 			})
 		}
+	} else {
+		relationships = append(relationships, IngestibleRelationship{
+			Source:     strings.ToUpper(roleAssignment.PrincipalId),
+			SourceType: azure.Entity,
+			TargetType: azure.Role,
+			Target:     roleObjectId,
+			RelProps: map[string]any{
+				azure.Scope.String(): scope,
+			},
+			RelType: azure.HasRole,
+		})
 	}
 
 	return relationships