def authenticate(self, user_account=None, service_account=None, **kargs):
"""
Implements authentication for the GCP provider
Refer to https://google-auth.readthedocs.io/en/stable/reference/google.auth.html.
"""
try:
if user_account:
# disable GCP warning about using User Accounts
warnings.filterwarnings("ignore", "Your application has authenticated using end user credentials")
pass # Nothing more to do
elif service_account:
client_secrets_path = os.path.abspath(service_account)
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = client_secrets_path
else:
raise AuthenticationException('Failed to authenticate to GCP - no supported account type')
credentials, default_project_id = google.auth.default()
if not credentials:
raise AuthenticationException('No credentials')
credentials.is_service_account = service_account is not None
credentials.default_project_id = default_project_id
return credentials
except Exception as e:
raise AuthenticationException(e)
def authenticate(self, user_account=None, service_account=None, **kwargs):
"""
Implements authentication for the GCP provider
Refer to https://google-auth.readthedocs.io/en/stable/reference/google.auth.html.
"""
try:
# Set logging level to error for libraries as otherwise generates a lot of warnings
logging.getLogger('googleapiclient').setLevel(logging.ERROR)
logging.getLogger('google.auth').setLevel(logging.ERROR)
logging.getLogger('google_auth_httplib2').setLevel(logging.ERROR)
logging.getLogger('urllib3').setLevel(logging.ERROR)
if user_account:
# disable GCP warning about using User Accounts
warnings.filterwarnings("ignore", "Your application has authenticated using end user credentials")
elif service_account:
client_secrets_path = os.path.abspath(service_account)
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = client_secrets_path
else:
raise AuthenticationException('Failed to authenticate to GCP - no supported account type')
credentials, default_project_id = auth.default()
if not credentials:
raise AuthenticationException('No credentials')
credentials.is_service_account = service_account is not None
credentials.default_project_id = default_project_id
return credentials
except Exception as e:
raise AuthenticationException(e)
def authenticate(self,
profile=None,
aws_access_key_id=None,
aws_secret_access_key=None,
role_arn=None,
session_name=None,
**kwargs):
"""
This function will return Session instead of credentials for AWS.
This will help in case of refreshing credentials implemented from boto3 as the Refreshing Credentials works
only for session and not credentials.
"""
self.profile = profile
self.aws_access_key_id = aws_access_key_id
self.aws_secret_access_key = aws_secret_access_key
self.role_arn = role_arn
self.session_name = session_name
try:
if profile:
session = boto3.Session(profile_name=profile)
# Test querying for current user
sts_client = session.client('sts')
sts_client.get_caller_identity()
return session
elif aws_access_key_id and aws_secret_access_key:
session = boto3.Session(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
)
return session
elif role_arn and session_name:
session = self._get_refreshable_session()
return session
else:
raise AuthenticationException("Invalid session arguments")
except Exception as e:
raise AuthenticationException(e)
def authenticate(self, profile=None, **kwargs):
session = boto3.Session(profile_name=profile)
credentials = session.get_credentials().__dict__
if credentials.get('access_key') is None:
raise AuthenticationException()
return credentials
def get_credentials(self, resource):
if resource == 'arm':
self.arm_credentials = self.get_fresh_credentials(self.arm_credentials)
return self.arm_credentials
elif resource == 'aad_graph':
self.aad_graph_credentials = self.get_fresh_credentials(self.aad_graph_credentials)
return self.aad_graph_credentials
else:
raise AuthenticationException('Invalid credentials resource type')
def authenticate(self, profile=None, access=None, **kwargs):
if profile:
try:
session = Gateway(**{"profile": profile})
session.ReadAccounts()
except Exception as e:
raise AuthenticationException(e)
elif access:
session = Gateway({
"custom": {
"access_key": access[0],
"secret_key": access[1],
"region": "eu-west-2"
}
})
else:
try:
session = Gateway()
except Exception as e:
raise AuthenticationException(e)
return session
def authenticate(self, profile=None, **kwargs):
try:
config = from_file(profile_name=profile)
compartment_id = config["tenancy"]
# Get the current user
identity = IdentityClient(config)
identity.get_user(config["user"]).data
return OracleCredentials(config, compartment_id)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self, profile=None, **kwargs):
try:
session = boto3.Session(profile_name=profile)
credentials = session.get_credentials().__dict__
# Test querying for current user
sts_client = session.client('sts')
sts_client.get_caller_identity()
return credentials
except Exception as e:
raise AuthenticationException(e)
def authenticate(self, profile=None, **kwargs):
try:
# Set logging level to error for libraries as otherwise generates a lot of warnings
logging.getLogger('oci').setLevel(logging.ERROR)
config = from_file(profile_name=profile)
# Get the current user
identity = IdentityClient(config)
identity.get_user(config["user"]).data
return OracleCredentials(config)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self,
profile=None,
aws_access_key_id=None,
aws_secret_access_key=None,
aws_session_token=None,
**kwargs):
try:
# Set logging level to error for libraries as otherwise generates a lot of warnings
logging.getLogger('botocore').setLevel(logging.ERROR)
logging.getLogger('botocore.auth').setLevel(logging.ERROR)
logging.getLogger('urllib3').setLevel(logging.ERROR)
if profile:
session = boto3.Session(profile_name=profile)
elif aws_access_key_id and aws_secret_access_key:
if aws_session_token:
session = boto3.Session(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
aws_session_token=aws_session_token,
)
else:
session = boto3.Session(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
)
else:
session = boto3.Session()
# Test querying for current user
get_caller_identity(session)
# Set custom user agent
session._session.user_agent_name = 'Scout Suite'
session._session.user_agent_extra = 'Scout Suite/{} (https://github.com/nccgroup/ScoutSuite)'.format(
__version__)
session._session.user_agent_version = __version__
return AWSCredentials(session=session)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self, access_key_id=None, access_key_secret=None, **kwargs):
try:
access_key_id = access_key_id if access_key_id else input('Access Key ID:')
access_key_secret = access_key_secret if access_key_secret else getpass('Secret Access Key:')
credentials = AccessKeyCredential(access_key_id=access_key_id, access_key_secret=access_key_secret)
# get caller details
client = AcsClient(credential=credentials)
response = client.do_action_with_exception(
GetCallerIdentityRequest.GetCallerIdentityRequest())
response_decoded = json.loads(response)
return AliyunCredentials(credentials, response_decoded)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self,
profile=None,
aws_access_key_id=None,
aws_secret_access_key=None,
aws_session_token=None,
**kwargs):
try:
# Set logging level to error for libraries as otherwise generates a lot of warnings
logging.getLogger('botocore').setLevel(logging.ERROR)
logging.getLogger('botocore.auth').setLevel(logging.ERROR)
logging.getLogger('urllib3').setLevel(logging.ERROR)
if profile:
session = boto3.Session(profile_name=profile)
elif aws_access_key_id and aws_secret_access_key:
if aws_session_token:
session = boto3.Session(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
aws_session_token=aws_session_token,
)
else:
session = boto3.Session(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
)
else:
session = boto3.Session()
# Test querying for current user
identity = get_caller_identity(session)
return AWSCredentials(session=session)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self,
cli=None,
user_account=None,
user_account_browser=None,
service_principal=None,
file_auth=None,
msi=None,
tenant_id=None,
subscription_id=None,
client_id=None,
client_secret=None,
username=None,
password=None,
programmatic_execution=False,
**kargs):
"""
Implements authentication for the Azure provider
"""
try:
# Set logging level to error for libraries as otherwise generates a lot of warnings
logging.getLogger('adal-python').setLevel(logging.ERROR)
logging.getLogger('msrest').setLevel(logging.ERROR)
logging.getLogger('msrestazure.azure_active_directory').setLevel(
logging.ERROR)
logging.getLogger('urllib3').setLevel(logging.ERROR)
logging.getLogger('cli.azure.cli.core').setLevel(logging.ERROR)
context = None
if cli:
arm_credentials, subscription_id, tenant_id = \
get_azure_cli_credentials(with_tenant=True)
aad_graph_credentials, placeholder_1, placeholder_2 = \
get_azure_cli_credentials(with_tenant=True, resource='https://graph.windows.net')
elif user_account:
if not (username and password):
if not programmatic_execution:
username = username if username else input(
"Username: "******"Password: "******"Tenant ID: ")
else:
raise AuthenticationException('No Tenant ID set')
if not client_id:
if not programmatic_execution:
client_id = input("Client ID: ")
else:
raise AuthenticationException('No Client ID set')
if not client_secret:
if not programmatic_execution:
client_secret = getpass("Client secret: ")
else:
raise AuthenticationException('No Client Secret set')
arm_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id)
aad_graph_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource='https://graph.windows.net')
elif file_auth:
data = json.loads(file_auth.read())
tenant_id = data.get('tenantId')
client_id = data.get('clientId')
client_secret = data.get('clientSecret')
arm_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id)
aad_graph_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource='https://graph.windows.net')
elif msi:
arm_credentials = MSIAuthentication()
aad_graph_credentials = MSIAuthentication(
resource='https://graph.windows.net')
else:
raise AuthenticationException('Unknown authentication method')
return AzureCredentials(arm_credentials, aad_graph_credentials,
tenant_id, subscription_id, context)
except Exception as e:
if ', AdalError: Unsupported wstrust endpoint version. ' \
'Current support version is wstrust2005 or wstrust13.' in e.args:
raise AuthenticationException(
'You are likely authenticating with a Microsoft Account. '
'This authentication mode only support Azure Active Directory principal authentication.'
)
raise AuthenticationException(e)
def authenticate(self,
cli=None,
msi=None,
service_principal=None,
file_auth=None,
user_account=None,
tenant_id=None,
subscription_id=None,
client_id=None,
client_secret=None,
username=None,
password=None,
programmatic_execution=False,
**kargs):
"""
Implements authentication for the Azure provider
"""
try:
if cli:
credentials, subscription_id = get_azure_cli_credentials()
elif msi:
credentials = MSIAuthentication()
# Get the subscription ID
subscription_client = SubscriptionClient(credentials)
try:
print_info('No subscription set, inferring ID')
# Tries to read the subscription list
subscription = next(
subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id
print_info('Running against the {} subscription'.format(
subscription_id))
except StopIteration:
# If the VM cannot read subscription list, ask Subscription ID:
if not programmatic_execution:
subscription_id = input('Subscription ID: ')
else:
AuthenticationException(
'Unable to infer a Subscription ID')
elif file_auth:
data = json.loads(file_auth.read())
subscription_id = data.get('subscriptionId')
tenant_id = data.get('tenantId')
client_id = data.get('clientId')
client_secret = data.get('clientSecret')
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=client_secret,
tenant=tenant_id)
elif service_principal:
if not subscription_id:
if not programmatic_execution:
subscription_id = input('Subscription ID: ')
else:
AuthenticationException('No Subscription ID set')
if not tenant_id:
if not programmatic_execution:
tenant_id = input("Tenant ID: ")
else:
AuthenticationException('No Tenant ID set')
if not client_id:
if not programmatic_execution:
client_id = input("Client ID: ")
else:
AuthenticationException('No Client ID set')
if not client_secret:
if not programmatic_execution:
client_secret = getpass("Client secret: ")
else:
AuthenticationException('No Client Secret set')
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=client_secret,
tenant=tenant_id)
elif user_account:
if not username and password:
if not programmatic_execution:
username = username if username else input(
"Username: "******"Password: ")
else:
AuthenticationException(
'Username and/or password not set')
credentials = UserPassCredentials(username, password)
if not subscription_id:
# Get the subscription ID
subscription_client = SubscriptionClient(credentials)
try:
# Tries to read the subscription list
print_info('No subscription set, inferring ID')
subscription = next(
subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id
print_info(
'Running against the {} subscription'.format(
subscription_id))
except StopIteration:
print_info('Unable to infer a subscription')
# If the user cannot read subscription list, ask Subscription ID:
if not programmatic_execution:
subscription_id = input('Subscription ID: ')
else:
AuthenticationException(
'Unable to infer a Subscription ID')
return AzureCredentials(credentials, subscription_id, tenant_id)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self,
cli=None,
user_account=None,
service_principal=None,
file_auth=None,
msi=None,
tenant_id=None,
subscription_id=None,
client_id=None,
client_secret=None,
username=None,
password=None,
programmatic_execution=False,
**kargs):
"""
Implements authentication for the Azure provider
"""
try:
# Set logging level to error for libraries as otherwise generates a lot of warnings
logging.getLogger('adal-python').setLevel(logging.ERROR)
logging.getLogger('msrest').setLevel(logging.ERROR)
logging.getLogger('urllib3').setLevel(logging.ERROR)
if cli:
credentials, subscription_id, tenant_id = get_azure_cli_credentials(
with_tenant=True)
graphrbac_credentials, placeholder_1, placeholder_2 = \
get_azure_cli_credentials(with_tenant=True, resource='https://graph.windows.net')
elif user_account:
if not (username and password):
if not programmatic_execution:
username = username if username else input(
"Username: "******"Password: "******"Tenant ID: ")
else:
raise AuthenticationException('No Tenant ID set')
if not client_id:
if not programmatic_execution:
client_id = input("Client ID: ")
else:
raise AuthenticationException('No Client ID set')
if not client_secret:
if not programmatic_execution:
client_secret = getpass("Client secret: ")
else:
raise AuthenticationException('No Client Secret set')
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=client_secret,
tenant=tenant_id)
graphrbac_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource='https://graph.windows.net')
elif file_auth:
data = json.loads(file_auth.read())
subscription_id = data.get('subscriptionId')
tenant_id = data.get('tenantId')
client_id = data.get('clientId')
client_secret = data.get('clientSecret')
credentials = ServicePrincipalCredentials(client_id=client_id,
secret=client_secret,
tenant=tenant_id)
graphrbac_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource='https://graph.windows.net')
elif msi:
credentials = MSIAuthentication()
graphrbac_credentials = MSIAuthentication(
resource='https://graph.windows.net')
if not subscription_id:
try:
# Get the subscription ID
subscription_client = SubscriptionClient(credentials)
print_info('No subscription set, inferring ID')
# Tries to read the subscription list
subscription = next(
subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id
tenant_id = subscription.tenant_id
print_info(
'Running against the {} subscription'.format(
subscription_id))
except StopIteration:
# If the VM cannot read subscription list, ask Subscription ID:
if not programmatic_execution:
subscription_id = input('Subscription ID: ')
else:
raise AuthenticationException(
'Unable to infer a Subscription ID')
return AzureCredentials(credentials, graphrbac_credentials,
subscription_id, tenant_id)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self, cli=None, msi=None, service_principal=None, file_auth=None, user_account=None,
tenant_id=None, subscription_id=None, client_id=None, client_secret=None, username=None,
password=None, **kargs):
"""
Implements authentication for the Azure provider
"""
try:
if cli:
cli_credentials, subscription_id = get_azure_cli_credentials()
return AzureCredentials(cli_credentials, subscription_id)
elif msi:
msi_auth_credentials = MSIAuthentication()
# Get the subscription ID
subscription_client = SubscriptionClient(msi_auth_credentials)
try:
# Tries to read the subscription list
subscription = next(subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id
except StopIteration:
# If the VM cannot read subscription list, ask Subscription ID:
subscription_id = input('Subscription ID: ')
return AzureCredentials(msi_auth_credentials, subscription_id)
elif file_auth:
data = json.loads(file_auth.read())
subscription_id = data.get('subscriptionId')
tenant_id = data.get('tenantId')
client_id = data.get('clientId')
client_secret = data.get('clientSecret')
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id
)
return AzureCredentials(credentials, subscription_id)
elif service_principal:
subscription_id = subscription_id if subscription_id else input(
"Subscription ID: ")
tenant_id = tenant_id if tenant_id else input("Tenant ID: ")
client_id = client_id if client_id else input("Client ID: ")
client_secret = client_secret if client_secret else getpass(
"Client secret: ")
credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id
)
return AzureCredentials(credentials, subscription_id, tenant_id)
elif user_account:
username = username if username else input("Username: "******"Password: ")
credentials = UserPassCredentials(username, password)
if not subscription_id:
# Get the subscription ID
subscription_client = SubscriptionClient(credentials)
try:
# Tries to read the subscription list
subscription = next(subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id
except StopIteration:
# If the user cannot read subscription list, ask Subscription ID:
subscription_id = input('Subscription ID: ')
return AzureCredentials(credentials, subscription_id)
except Exception as e:
raise AuthenticationException(e)
def authenticate(self,
cli=None, user_account=None, user_account_browser=None,
service_principal=None, file_auth=None, msi=None,
tenant_id=None,
subscription_id=None,
client_id=None, client_secret=None,
username=None, password=None,
programmatic_execution=False,
**kargs):
"""
Implements authentication for the Azure provider
"""
try:
# Set logging level to error for libraries as otherwise generates a lot of warnings
logging.getLogger('adal-python').setLevel(logging.ERROR)
logging.getLogger('msrest').setLevel(logging.ERROR)
logging.getLogger('urllib3').setLevel(logging.ERROR)
if cli:
arm_credentials, subscription_id, tenant_id = get_azure_cli_credentials(with_tenant=True)
aad_graph_credentials, placeholder_1, placeholder_2 = \
get_azure_cli_credentials(with_tenant=True, resource='https://graph.windows.net')
elif user_account:
if not (username and password):
if not programmatic_execution:
username = username if username else input("Username: "******"Password: "******"Tenant ID: ")
else:
raise AuthenticationException('No Tenant ID set')
if not client_id:
if not programmatic_execution:
client_id = input("Client ID: ")
else:
raise AuthenticationException('No Client ID set')
if not client_secret:
if not programmatic_execution:
client_secret = getpass("Client secret: ")
else:
raise AuthenticationException('No Client Secret set')
arm_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id
)
aad_graph_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource='https://graph.windows.net'
)
elif file_auth:
data = json.loads(file_auth.read())
tenant_id = data.get('tenantId')
client_id = data.get('clientId')
client_secret = data.get('clientSecret')
arm_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id
)
aad_graph_credentials = ServicePrincipalCredentials(
client_id=client_id,
secret=client_secret,
tenant=tenant_id,
resource='https://graph.windows.net'
)
elif msi:
arm_credentials = MSIAuthentication()
aad_graph_credentials = MSIAuthentication(resource='https://graph.windows.net')
else:
raise AuthenticationException('Unknown authentication method')
return AzureCredentials(arm_credentials, aad_graph_credentials,
tenant_id, subscription_id)
except Exception as e:
raise AuthenticationException(e)
def _set_subscriptions(self):
# Create the client
subscription_client = SubscriptionClient(
self.credentials.arm_credentials)
# Get all the accessible subscriptions
accessible_subscriptions_list = list(
subscription_client.subscriptions.list())
if not accessible_subscriptions_list:
raise AuthenticationException(
'The provided credentials do not have access to any subscriptions'
)
# Final list, start empty
subscriptions_list = []
# No subscription provided, infer
if not (self.subscription_ids or self.all_subscriptions):
try:
# Tries to read the subscription list
print_info('No subscription set, inferring')
s = next(subscription_client.subscriptions.list())
except StopIteration:
print_info('Unable to infer a subscription')
# If the user cannot read subscription list, ask Subscription ID:
if not self.programmatic_execution:
s = input('Subscription ID: ')
else:
print_exception('Unable to infer a Subscription ID')
# raise
finally:
subscriptions_list.append(s)
# All subscriptions
elif self.all_subscriptions:
subscriptions_list = accessible_subscriptions_list
# A specific set of subscriptions
elif self.subscription_ids:
# Only include accessible subscriptions
subscriptions_list = [
s for s in accessible_subscriptions_list
if s.subscription_id in self.subscription_ids
]
# Verbose skip
for s in self.subscription_ids:
if not any(subs.subscription_id == s
for subs in accessible_subscriptions_list):
raise AuthenticationException(
'Subscription {} does not exist or is not accessible '
'with the provided credentials'.format(s))
# Other == error
else:
raise AuthenticationException('Unknown Azure subscription option')
if subscriptions_list and len(subscriptions_list) > 0:
self.subscription_list = subscriptions_list
if len(subscriptions_list) == 1:
print_info('Running against subscription {}'.format(
subscriptions_list[0].subscription_id))
else:
print_info('Running against {} subscriptions'.format(
len(subscriptions_list)))
else:
raise AuthenticationException('No subscriptions to scan')