11package aws
22
33import (
4+ "bufio"
45 "fmt"
6+ "os"
57 "path/filepath"
68 "strings"
79
@@ -200,7 +202,12 @@ func (m *CapeCommand) findPathsToThisDestination(allGlobalNodes map[string]map[s
200202 s , sourceVertexWithProperties , _ := m .GlobalGraph .VertexWithProperties (source )
201203 //for the source vertex, we only want to deal with the ones that are NOT in this account
202204 if sourceVertexWithProperties .Attributes ["AccountID" ] != aws .ToString (m .Caller .Account ) {
205+ // skip if the source Name contains AWSSSO-
206+ if strings .Contains (sourceVertexWithProperties .Attributes ["Name" ], "AWSSSO-" ) {
207+ continue
208+ }
203209 // now let's see if there is a path from this source to our destination
210+
204211 path , _ := graph .ShortestPath (m .GlobalGraph , s , d )
205212 // if we have a path, then lets document this source as having a path to our destination
206213 if path != nil {
@@ -235,7 +242,7 @@ func (m *CapeCommand) findPathsToThisDestination(allGlobalNodes map[string]map[s
235242 privescPathsBody = append (privescPathsBody , []string {
236243 aws .ToString (m .Caller .Account ),
237244 s ,
238- magenta ( d ) ,
245+ d ,
239246 magenta (destinationVertexWithProperties .Attributes ["IsAdminString" ]),
240247 paths })
241248 } else {
@@ -289,7 +296,7 @@ func ConvertIAMRoleToNode(role types.Role, vendors *knownawsaccountslookup.Vendo
289296
290297 TrustedPrincipals = append (TrustedPrincipals , TrustedPrincipal {
291298 TrustedPrincipal : principal ,
292- ExternalID : statement .Condition .StringEquals .StsExternalID ,
299+ ExternalID : strings . Join ( statement .Condition .StringEquals .StsExternalID , " \n " ) ,
293300 VendorName : vendorName ,
294301 //IsAdmin: false,
295302 //CanPrivEscToAdmin: false,
@@ -650,6 +657,48 @@ func (a *Node) MakeRoleEdges(GlobalGraph graph.Graph[string, string]) {
650657 }
651658 }
652659
660+ // if the role trusts a principal in another account explicitly, then the principal can assume the role
661+ if thisAccount != trustedPrincipalAccount {
662+ // make a CAN_ASSUME relationship between the trusted principal and this role
663+
664+ err := GlobalGraph .AddEdge (
665+ TrustedPrincipal .TrustedPrincipal ,
666+ a .Arn ,
667+ //graph.EdgeAttribute("AssumeRole", "Cross account explicit trust"),
668+ graph .EdgeAttribute ("AssumeRole" , "can assume (because of an explicit cross account trust) " ),
669+ )
670+ if err != nil {
671+ //fmt.Println(err)
672+ //fmt.Println(TrustedPrincipal.TrustedPrincipal + a.Arn + "Cross account explicit trust")
673+ if err == graph .ErrEdgeAlreadyExists {
674+ // update the edge by copying the existing graph.Edge with attributes and add the new attributes
675+ //fmt.Println("Edge already exists")
676+
677+ // get the existing edge
678+ existingEdge , _ := GlobalGraph .Edge (TrustedPrincipal .TrustedPrincipal , a .Arn )
679+ // get the map of attributes
680+ existingProperties := existingEdge .Properties
681+ // add the new attributes to attributes map within the properties struct
682+ // Check if the Attributes map is initialized, if not, initialize it
683+ if existingProperties .Attributes == nil {
684+ existingProperties .Attributes = make (map [string ]string )
685+ }
686+
687+ // Add or update the attribute
688+ existingProperties .Attributes ["AssumeRole" ] = "can assume (because of an explicit cross account trust) "
689+ err = GlobalGraph .UpdateEdge (
690+ TrustedPrincipal .TrustedPrincipal ,
691+ a .Arn ,
692+ graph .EdgeAttributes (existingProperties .Attributes ),
693+ )
694+ if err != nil {
695+ fmt .Println (err )
696+ }
697+ }
698+
699+ }
700+ }
701+
653702 // If the role trusts a principal in this account or another account using the :root notation, then we need to iterate over all of the rows in AllPermissionsRows to find the principals that have sts:AssumeRole permissions on this role
654703 // if the role we are looking at trusts root in it's own account
655704
@@ -667,6 +716,7 @@ func (a *Node) MakeRoleEdges(GlobalGraph graph.Graph[string, string]) {
667716 if PermissionsRowAccount == thisAccount {
668717 // lets only look for rows that have sts:AssumeRole permissions
669718 if policy .MatchesAfterExpansion (PermissionsRow .Action , "sts:AssumeRole" ) {
719+
670720 // lets only focus on rows that have an effect of Allow
671721 if strings .EqualFold (PermissionsRow .Effect , "Allow" ) {
672722 // if the resource is * or the resource is this role arn, then this principal can assume this role
@@ -820,10 +870,10 @@ func (a *Node) MakeRoleEdges(GlobalGraph graph.Graph[string, string]) {
820870 fmt .Sprintf ("Could not get account number from this PermissionsRow%s" , PermissionsRow .Arn )
821871 }
822872 if PermissionsRowAccount == trustedPrincipalAccount {
823- // lets only look for rows that have sts:AssumeRole permissions
824- if policy .MatchesAfterExpansion (PermissionsRow . Action , "sts:AssumeRole" ) {
873+ // lets only look for rows that have sts:AssumeRole permis sions
874+ if policy .MatchesAfterExpansion ("sts:AssumeRole" , PermissionsRow . Action ) {
825875 // if strings.EqualFold(PermissionsRow.Action, "sts:AssumeRole") ||
826- // strings.EqualFold(PermissionsRow.Action, "*") ||
876+ // strings.EqualFold(PermissionsRow.Action, "*") {
827877 // strings.EqualFold(PermissionsRow.Action, "sts:Assume*") ||
828878 // strings.EqualFold(PermissionsRow.Action, "sts:*") {
829879 // lets only focus on rows that have an effect of Allow
@@ -979,3 +1029,21 @@ func (a *Node) MakeRoleEdges(GlobalGraph graph.Graph[string, string]) {
9791029 }
9801030
9811031}
1032+
1033+ // function to read file specified in CapeArnIgnoreList which is separated by newlines, and convert it to a slice of strings with each line as an entry in the slice.
1034+ // the function accepts a string with the filename
1035+
1036+ func ReadArnIgnoreListFile (filename string ) ([]string , error ) {
1037+ var arnIgnoreList []string
1038+ file , err := os .Open (filename )
1039+ if err != nil {
1040+ return arnIgnoreList , err
1041+ }
1042+ defer file .Close ()
1043+
1044+ scanner := bufio .NewScanner (file )
1045+ for scanner .Scan () {
1046+ arnIgnoreList = append (arnIgnoreList , scanner .Text ())
1047+ }
1048+ return arnIgnoreList , scanner .Err ()
1049+ }
0 commit comments