Merge pull request #154 from PaloAltoNetworks/feature/azure-indentifi…

…ed-guest-users-with-admin-permissions List Azure guest users with wildcard permissions
PaloAltoNetworks · Dec 21, 2023 · cc0bbf7 · cc0bbf7
2 parents 5e052ec + 9762f1c
commit cc0bbf7
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 5 deletions.
diff --git a/prismacloud/cli/cspm/cmd_alert.py b/prismacloud/cli/cspm/cmd_alert.py
@@ -58,7 +58,7 @@ def list_alerts(compliance_standard, cloud_account, account_group, amount, unit,
 
     for alert in alerts:
         try:
-            alert_id = alert['id']
+            alert_id = alert["id"]
             # Correctly using double braces for literal curly braces in f-string
             filters = (
                 f'{{"timeRange":{{"type":"to_now","value":"epoch"}},'
@@ -69,7 +69,7 @@ def list_alerts(compliance_standard, cloud_account, account_group, amount, unit,
             encoded_filters = quote(filters)
 
             # Constructing the full URL
-            alert_url = f'{base_url}&filters={encoded_filters}'
+            alert_url = f"{base_url}&filters={encoded_filters}"
             alert["alert.resource.url"] = alert_url
         except Exception:  # pylint:disable=broad-except
             pass

diff --git a/prismacloud/cli/cspm/cmd_iam.py b/prismacloud/cli/cspm/cmd_iam.py
@@ -0,0 +1,68 @@
+import logging
+
+import click
+
+from prismacloud.cli import cli_output, pass_environment
+from prismacloud.cli.api import pc_api
+
+
+@click.group("iam", short_help="[IAM] Investiguate on the IAM Permissions.")
+@pass_environment
+def cli(ctx):
+    """IAM"""
+
+
+@click.option("--details", is_flag=True, help="Include the Azure Services in the output")
+@click.option("--amount", default="1", help="Number of units selected with --unit")
+@click.option(
+    "--unit", default="week", type=click.Choice(["minute", "hour", "day", "week", "month", "year"], case_sensitive=False)
+)
+@click.command(name="azure-guest")
+def azure_guest(details, amount, unit):
+    """List Azure guest accounts with wildcard permissions"""
+    data = []
+
+    query = "config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-active-directory-user' AND json.rule = userType equals \"Guest\""  # noqa: E501
+    search_params = {}
+    search_params["limit"] = 1000
+    search_params["timeRange"] = {}
+    search_params["timeRange"]["type"] = "relative"
+    search_params["timeRange"]["relativeTimeType"] = "BACKWARD"
+    search_params["timeRange"]["value"] = {}
+    search_params["timeRange"]["value"]["unit"] = unit
+    search_params["timeRange"]["value"]["amount"] = amount
+    search_params["withResourceJson"] = False
+    search_params["heuristicSearch"] = True
+    search_params["query"] = query
+
+    config_result_list = pc_api.search_config_read(search_params=search_params)
+
+    for result in config_result_list:
+        asset_id = result["assetId"]
+        query = f"config from iam where source.cloud.resource.uai = '{asset_id}'"
+        logging.debug(f"API - IAM RQL: {query}")
+        search_params = {}
+        search_params["limit"] = 1000
+        search_params["searchType"] = "iam"
+        search_params["query"] = query
+        user_permissions = pc_api.search_iam_granter_to_dest(search_params=search_params)
+        for permission in user_permissions:
+            if permission["destCloudResourceName"] == "*":
+                data_entry = {
+                    "name": result["name"],
+                    "accountId": result["accountId"],
+                    "accountName": result["accountName"],
+                    "service": result["service"],
+                    "grantedByEntityType": permission["grantedByEntityType"],
+                    "grantedByEntityName": permission["grantedByEntityName"],
+                    "destCloudResourceName": permission["destCloudResourceName"],
+                }
+                if details:
+                    data_entry["destCloudServiceName"] = permission.get("destCloudServiceName")
+
+                data += [data_entry]
+
+    cli_output(data)
+
+
+cli.add_command(azure_guest)
diff --git a/prismacloud/cli/version.py b/prismacloud/cli/version.py
@@ -1 +1 @@
-version = "0.7.8"
+version = "0.7.9"
diff --git a/requirements.txt b/requirements.txt
@@ -7,7 +7,7 @@ coloredlogs
 datetime
 jsondiff
 pandas
-prismacloud-api==5.2.8
+prismacloud-api==5.2.9
 pydantic~=1.10.0
 requests
 tabulate

diff --git a/setup.py b/setup.py
@@ -37,7 +37,7 @@ def read(fname):
         "pydantic==1.10.11",
         "datetime",
         "pyyaml",
-        "prismacloud-api==5.2.8",
+        "prismacloud-api==5.2.9",
         "pytest",
         "pytest-benchmark",
     ],