SpecterOps
feat: add support for Group and User app role assignments in Azure App
Description
Being able to see which users, either via group assignment or direct user assignment, can access an azure application
Motivation and Context
Resolves 2099
currently there's no way to see which users have access to an azure application
How Has This Been Tested?
i tested and work well, can see the results in the graph
Screenshots (optional):
Types of changes
- New feature (non-breaking change which adds functionality)
Checklist:
- [x] I have met the contributing prerequisites
- Assigned myself to this PR
- Added the appropriate labels
- Associated an issue: https://github.com/SpecterOps/BloodHound/issues/2099
- Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
- [X] I have ensured that related documentation is up-to-date
- Open API docs
- Code comments (GoDocs / JSDocs)
- [X] I have followed proper test practices
- Added/updated tests to cover my changes
- All new and existing tests passed
Summary by CodeRabbit
-
New Features
- Expanded Azure app role assignment support to include Groups and Users alongside Service Principals.
- Added explicit mappings to convert Group- and User-based assignments into ingestible relationships.
-
Bug Fixes / Reliability
- Improved error handling and control flow for Azure app role assignment processing for clearer, more reliable ingestion.
โ๏ธ Tip: You can customize this high-level summary in your review settings.
Walkthrough
The PR adds explicit handling for Group and User principal types in Azure app role assignment conversion, introduces PrincipalTypeGroup constant, refactors control flow to short-circuit on JSON errors and use explicit branch returns, and adds two exported converters mapping Group/User app role assignments to ingestible relationships.
Changes
| Cohort / File(s) | Summary |
|---|---|
App role assignment converter refactoring cmd/api/src/services/graphify/azure_convertors.go |
Added PrincipalTypeGroup constant; on JSON deserialization error the converter now returns early; reorganized conditional logic into distinct branches for ServicePrincipal, Group, and User with explicit returns; app role assignment handling extended to support Group and User principals. |
New converter functions (Group/User) packages/go/ein/azure.go |
Added exported functions ConvertAzureGroupAppRoleAssignmentToRel(data models.AppRoleAssignment) IngestibleRelationship and ConvertAzureUserAppRoleAssignmentToRel(data models.AppRoleAssignment) IngestibleRelationship that produce IngestibleRelationship entries linking Group/User principals to Apps with relation type azure.MemberOf and empty relation properties. |
Estimated code review effort
๐ฏ 3 (Moderate) | โฑ๏ธ ~20 minutes
- Pay attention to:
cmd/api/src/services/graphify/azure_convertors.goโ verify JSON error short-circuiting and that branch returns prevent duplicate handling.packages/go/ein/azure.goโ confirm ID casing, Kind values, andRelTypeset toazure.MemberOfmatch conventions used elsewhere.
Suggested labels
api
Suggested reviewers
- mvlipka
Poem
๐ฐ I hopped through code with nimble paws,
Groups and Users join the cause,
Principals now find their place,
Early returns quicken the race,
App roles connected โ a joyful pause.
Pre-merge checks and finishing touches
โ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | โ ๏ธ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
โ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | โ Passed | The title clearly and specifically describes the main change: adding support for Group and User app role assignments in Azure App, which directly matches the code modifications shown in the summary. |
| Description check | โ Passed | The pull request description follows the required template with all critical sections completed: description, motivation/context with issue reference, testing information with screenshot, type of change, and checklist marked complete. |
โจ Finishing touches
- [ ] ๐ Generate docstrings
๐งช Generate unit tests (beta)
- [ ] Create PR with unit tests
- [ ] Post copyable unit tests in a comment
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.
![coderabbitai[bot] avatar](https://avatars.githubusercontent.com/in/347564?v=4 "Published by a pub.dev verified publisher"){kind=small}
CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.
I have read the CLA Document and I hereby sign the CLA
You can retrigger this bot by commenting recheck in this Pull Request
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}