diff --git a/cmd/api/src/analysis/ad/adcs_integration_test.go b/cmd/api/src/analysis/ad/adcs_integration_test.go
index 2ae76f17d..5396dab75 100644
--- a/cmd/api/src/analysis/ad/adcs_integration_test.go
+++ b/cmd/api/src/analysis/ad/adcs_integration_test.go
@@ -587,23 +587,208 @@ func TestADCSESC3(t *testing.T) {
 func TestADCSESC9a(t *testing.T) {
 testContext := integration.NewGraphTestContext(t, graphschema.DefaultGraphSchema())
+
 testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
- harness.ESC9AHarness.Setup(testContext)
+ harness.ESC9aPrincipalHarness.Setup(testContext)
 return nil
 }, func(harness integration.HarnessDetails, db graph.Database) {
 operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC9a")
- groupExpansions, err := ad2.ExpandAllRDPLocalGroups(context.Background(), db)
+ groupExpansions, _, _, domains, cache, err := FetchADCSPrereqs(db)
 require.Nil(t, err)
- enterpriseCertAuthorities, err := ad2.FetchNodesByKind(context.Background(), db, ad.EnterpriseCA)
+
+ for _, domain := range domains {
+ innerDomain := domain
+
+ operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
+ if enterpriseCAs, err := ad2.FetchEnterpriseCAsTrustedForNTAuthToDomain(tx, innerDomain); err != nil {
+ return err
+ } else {
+ for _, enterpriseCA := range enterpriseCAs {
+ if cache.DoesCAChainProperlyToDomain(enterpriseCA, innerDomain) {
+ if err := ad2.PostADCSESC9a(ctx, tx, outC, groupExpansions, enterpriseCA, innerDomain, cache); err != nil {
+ t.Logf("failed post processing for %s: %v", ad.ADCSESC9a.String(), err)
+ } else {
+ return nil
+ }
+ }
+ }
+ }
+ return nil
+ })
+ }
+ operation.Done()
+
+ db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+ if results, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
+ return query.Kind(query.Relationship(), ad.ADCSESC9a)
+ })); err != nil {
+ t.Fatalf("error fetching esc9a edges in integration test; %v", err)
+ } else {
+ assert.Equal(t, 6, len(results))
+
+ assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group1))
+ assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group2))
+ assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group3))
+ assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group4))
+ assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.Group5))
+ assert.True(t, results.Contains(harness.ESC9aPrincipalHarness.User2))
+ }
+ return nil
+ })
+ })
+
+ testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
+ harness.ESC9aHarness1.Setup(testContext)
+ return nil
+ }, func(harness integration.HarnessDetails, db graph.Database) {
+ operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC9a")
+
+ groupExpansions, _, _, domains, cache, err := FetchADCSPrereqs(db)
 require.Nil(t, err)
- certTemplates, err := ad2.FetchNodesByKind(context.Background(), db, ad.CertTemplate)
+
+ for _, domain := range domains {
+ innerDomain := domain
+
+ operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
+ if enterpriseCAs, err := ad2.FetchEnterpriseCAsTrustedForNTAuthToDomain(tx, innerDomain); err != nil {
+ return err
+ } else {
+ for _, enterpriseCA := range enterpriseCAs {
+ if cache.DoesCAChainProperlyToDomain(enterpriseCA, innerDomain) {
+ if err := ad2.PostADCSESC9a(ctx, tx, outC, groupExpansions, enterpriseCA, innerDomain, cache); err != nil {
+ t.Logf("failed post processing for %s: %v", ad.ADCSESC9a.String(), err)
+ } else {
+ return nil
+ }
+ }
+ }
+ }
+ return nil
+ })
+ }
+ operation.Done()
+
+ db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+ if results, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
+ return query.Kind(query.Relationship(), ad.ADCSESC9a)
+ })); err != nil {
+ t.Fatalf("error fetching esc9a edges in integration test; %v", err)
+ } else {
+ assert.Equal(t, 3, len(results))
+
+ assert.True(t, results.Contains(harness.ESC9aHarness1.Group1))
+ assert.True(t, results.Contains(harness.ESC9aHarness1.Group2))
+ assert.True(t, results.Contains(harness.ESC9aHarness1.Group3))
+ }
+ return nil
+ })
+ })
+
+ testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
+ harness.ESC9aHarness2.Setup(testContext)
+ return nil
+ }, func(harness integration.HarnessDetails, db graph.Database) {
+ operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC9a")
+
+ groupExpansions, _, _, domains, cache, err := FetchADCSPrereqs(db)
 require.Nil(t, err)
- domains, err := ad2.FetchNodesByKind(context.Background(), db, ad.Domain)
+
+ for _, domain := range domains {
+ innerDomain := domain
+
+ operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
+ if enterpriseCAs, err := ad2.FetchEnterpriseCAsTrustedForNTAuthToDomain(tx, innerDomain); err != nil {
+ return err
+ } else {
+ for _, enterpriseCA := range enterpriseCAs {
+ if cache.DoesCAChainProperlyToDomain(enterpriseCA, innerDomain) {
+ if err := ad2.PostADCSESC9a(ctx, tx, outC, groupExpansions, enterpriseCA, innerDomain, cache); err != nil {
+ t.Logf("failed post processing for %s: %v", ad.ADCSESC9a.String(), err)
+ } else {
+ return nil
+ }
+ }
+ }
+ }
+ return nil
+ })
+ }
+ operation.Done()
+
+ db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+ if results, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
+ return query.Kind(query.Relationship(), ad.ADCSESC9a)
+ })); err != nil {
+ t.Fatalf("error fetching esc9a edges in integration test; %v", err)
+ } else {
+ assert.Equal(t, 4, len(results))
+
+ assert.True(t, results.Contains(harness.ESC9aHarness2.User5))
+ assert.True(t, results.Contains(harness.ESC9aHarness2.Computer5))
+ assert.True(t, results.Contains(harness.ESC9aHarness2.Group5))
+ assert.True(t, results.Contains(harness.ESC9aHarness2.Group6))
+ }
+ return nil
+ })
+ })
+
+ testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
+ harness.ESC9aHarness2.Setup(testContext)
+ return nil
+ }, func(harness integration.HarnessDetails, db graph.Database) {
+ operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC9a")
+
+ groupExpansions, _, _, domains, cache, err := FetchADCSPrereqs(db)
 require.Nil(t, err)
- cache := ad2.NewADCSCache()
- cache.BuildCache(context.Background(), db, enterpriseCertAuthorities, certTemplates)
+ for _, domain := range domains {
+ innerDomain := domain
+
+ operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
+ if enterpriseCAs, err := ad2.FetchEnterpriseCAsTrustedForNTAuthToDomain(tx, innerDomain); err != nil {
+ return err
+ } else {
+ for _, enterpriseCA := range enterpriseCAs {
+ if cache.DoesCAChainProperlyToDomain(enterpriseCA, innerDomain) {
+ if err := ad2.PostADCSESC9a(ctx, tx, outC, groupExpansions, enterpriseCA, innerDomain, cache); err != nil {
+ t.Logf("failed post processing for %s: %v", ad.ADCSESC9a.String(), err)
+ } else {
+ return nil
+ }
+ }
+ }
+ }
+ return nil
+ })
+ }
+ operation.Done()
+
+ db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+ if results, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
+ return query.Kind(query.Relationship(), ad.ADCSESC9a)
+ })); err != nil {
+ t.Fatalf("error fetching esc9a edges in integration test; %v", err)
+ } else {
+ assert.Equal(t, 4, len(results))
+
+ assert.True(t, results.Contains(harness.ESC9aHarness2.User5))
+ assert.True(t, results.Contains(harness.ESC9aHarness2.Computer5))
+ assert.True(t, results.Contains(harness.ESC9aHarness2.Group5))
+ assert.True(t, results.Contains(harness.ESC9aHarness2.Group6))
+ }
+ return nil
+ })
+ })
+
+ testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
+ harness.ESC9aHarnessVictim.Setup(testContext)
+ return nil
+ }, func(harness integration.HarnessDetails, db graph.Database) {
+ operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC9a")
+
+ groupExpansions, _, _, domains, cache, err := FetchADCSPrereqs(db)
+ require.Nil(t, err)
 for _, domain := range domains {
 innerDomain := domain
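Review bot: Every expected count in these subtests equals the number of ADCSESC9a relationships the matching harness Setup seeds directly (six for ESC9aPrincipalHarness, three for ESC9aHarness1, four for ESC9aHarness2, two for ESC9aHarnessVictim, per the harnesses.go hunk on this page), so `assert.Equal(t, 6, len(results))` and its siblings would pass even if PostADCSESC9a emitted nothing, unless DatabaseTestWithSetup strips pre-seeded edges of that kind; either drop the seeded ADCSESC9a edges from the harnesses or assert on something only the post-processor produces. The return value of `db.ReadTransaction(...)` is discarded in all six subtests here and in the `@@ -633` hunk, so a transaction error silently skips every assertion; wrap it as `require.Nil(t, db.ReadTransaction(context.Background(), func(tx graph.Transaction) error { ... }))`. Inside SubmitReader the closure returns nil after the first enterprise CA that post-processes successfully but keeps going after a failure, which looks inverted and would skip further chaining CAs for the same domain. The ESC9aHarness2 subtest is repeated verbatim and the operation block is copied six times, so the sketch below pulls it into a helper. TestADCSESC9a begins before this hunk and ends after it.

```go
// runESC9aPostProcessing runs ESC9a post-processing for every domain in db;
// assertions on the produced edges stay with the caller.
func runESC9aPostProcessing(t *testing.T, db graph.Database) {
	operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC9a")

	groupExpansions, _, _, domains, cache, err := FetchADCSPrereqs(db)
	require.Nil(t, err)

	for _, domain := range domains {
		innerDomain := domain

		operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
			enterpriseCAs, err := ad2.FetchEnterpriseCAsTrustedForNTAuthToDomain(tx, innerDomain)
			if err != nil {
				return err
			}
			for _, enterpriseCA := range enterpriseCAs {
				if !cache.DoesCAChainProperlyToDomain(enterpriseCA, innerDomain) {
					continue
				}
				// Every chaining CA is processed; a failure is logged and the loop continues.
				if err := ad2.PostADCSESC9a(ctx, tx, outC, groupExpansions, enterpriseCA, innerDomain, cache); err != nil {
					t.Logf("failed post processing for %s: %v", ad.ADCSESC9a.String(), err)
				}
			}
			return nil
		})
	}
	operation.Done()
}

// … in each subtest, replacing the copied operation block:
runESC9aPostProcessing(t, db)
require.Nil(t, db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
	// … unchanged: FetchStartNodes and the Contains assertions …
	return nil
}))
```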
@@ -633,10 +818,55 @@ func TestADCSESC9a(t *testing.T) {
 })); err != nil {
 t.Fatalf("error fetching esc9a edges in integration test; %v", err)
 } else {
- assert.Equal(t, 1, len(results))
+ assert.Equal(t, 2, len(results))
+
+ assert.True(t, results.Contains(harness.ESC9aHarnessVictim.Group1))
+ assert.True(t, results.Contains(harness.ESC9aHarnessVictim.Group2))
+ }
+ return nil
+ })
+ })
+
+ testContext.DatabaseTestWithSetup(func(harness *integration.HarnessDetails) error {
+ harness.ESC9aHarnessECA.Setup(testContext)
+ return nil
+ }, func(harness integration.HarnessDetails, db graph.Database) {
+ operation := analysis.NewPostRelationshipOperation(context.Background(), db, "ADCS Post Process Test - ESC9a")
+
+ groupExpansions, _, _, domains, cache, err := FetchADCSPrereqs(db)
+ require.Nil(t, err)
+
+ for _, domain := range domains {
+ innerDomain := domain
- require.True(t, results.Contains(harness.ESC9AHarness.Attacker))
+ operation.Operation.SubmitReader(func(ctx context.Context, tx graph.Transaction, outC chan<- analysis.CreatePostRelationshipJob) error {
+ if enterpriseCAs, err := ad2.FetchEnterpriseCAsTrustedForNTAuthToDomain(tx, innerDomain); err != nil {
+ return err
+ } else {
+ for _, enterpriseCA := range enterpriseCAs {
+ if cache.DoesCAChainProperlyToDomain(enterpriseCA, innerDomain) {
+ if err := ad2.PostADCSESC9a(ctx, tx, outC, groupExpansions, enterpriseCA, innerDomain, cache); err != nil {
+ t.Logf("failed post processing for %s: %v", ad.ADCSESC9a.String(), err)
+ } else {
+ return nil
+ }
+ }
+ }
+ }
+ return nil
+ })
+ }
+ operation.Done()
+
+ db.ReadTransaction(context.Background(), func(tx graph.Transaction) error {
+ if results, err := ops.FetchStartNodes(tx.Relationships().Filterf(func() graph.Criteria {
+ return query.Kind(query.Relationship(), ad.ADCSESC9a)
+ })); err != nil {
+ t.Fatalf("error fetching esc9a edges in integration test; %v", err)
+ } else {
+ assert.Equal(t, 1, len(results))
+ assert.True(t, results.Contains(harness.ESC9aHarnessECA.Group1))
 }
 return nil
 })
@@ -654,14 +884,14 @@ func TestADCSESC9a(t *testing.T) {
 t.Fatalf("error getting edge composition for esc9: %v", err)
 } else {
 nodes := edgeComp.AllNodes().Slice()
- assert.Contains(t, nodes, harness.ESC9AHarness.Attacker)
- assert.Contains(t, nodes, harness.ESC9AHarness.Victim)
- assert.Contains(t, nodes, harness.ESC9AHarness.Domain)
- assert.Contains(t, nodes, harness.ESC9AHarness.NTAuthStore)
- assert.Contains(t, nodes, harness.ESC9AHarness.RootCA)
- assert.Contains(t, nodes, harness.ESC9AHarness.DC)
- assert.Contains(t, nodes, harness.ESC9AHarness.EnterpriseCA)
- assert.Contains(t, nodes, harness.ESC9AHarness.CertTemplate)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.Group1)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.Domain1)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.User1)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.CertTemplate1)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.EnterpriseCA1)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.DC1)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.NTAuthStore1)
+ assert.Contains(t, nodes, harness.ESC9aHarnessECA.RootCA1)
 }
 }
diff --git a/cmd/api/src/test/integration/harnesses.go b/cmd/api/src/test/integration/harnesses.go
index 001a65655..e8c9667ef 100644
--- a/cmd/api/src/test/integration/harnesses.go
+++ b/cmd/api/src/test/integration/harnesses.go
@@ -1924,51 +1924,694 @@ func (s *ESC3Harness2) Setup(c *GraphTestContext) { c.UpdateNode(s.EnterpriseCA1) } -type ESC9AHarness struct { +type ESC9aPrincipalHarness struct { + CertTemplate *graph.Node + DC *graph.Node Domain *graph.Node + EnterpriseCA *graph.Node + Group0 *graph.Node + Group1 *graph.Node + Group2 *graph.Node + Group3 *graph.Node + Group4 *graph.Node + Group5 *graph.Node + Group6 *graph.Node NTAuthStore *graph.Node RootCA *graph.Node - DC *graph.Node - EnterpriseCA *graph.Node - CertTemplate *graph.Node - Victim *graph.Node - Attacker *graph.Node + User1 *graph.Node + User2 *graph.Node } -func (s *ESC9AHarness) Setup(c *GraphTestContext) { - sid := RandomDomainSID() - emptyEkus := make([]string, 0) - s.Domain = c.NewActiveDirectoryDomain("ESC9aDomain", sid, false, true) - s.NTAuthStore = c.NewActiveDirectoryNTAuthStore("NTAuthStore", sid) - s.RootCA = c.NewActiveDirectoryRootCA("RootCA", sid) - s.DC = c.NewActiveDirectoryComputer("DC", sid) - s.EnterpriseCA = c.NewActiveDirectoryEnterpriseCA("eca", sid) - s.CertTemplate = c.NewActiveDirectoryCertTemplate("certtemplate", sid, CertTemplateData{ +func (s *ESC9aPrincipalHarness) Setup(graphTestContext *GraphTestContext) { + domainSid := RandomDomainSID() + s.CertTemplate = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 1, + SubjectAltRequireEmail: false, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.DC = graphTestContext.NewActiveDirectoryComputer("DC", domainSid) + s.Domain = graphTestContext.NewActiveDirectoryDomain("Domain", domainSid, false, true) + s.EnterpriseCA = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA", domainSid) + s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", 
domainSid) + s.Group1 = graphTestContext.NewActiveDirectoryGroup("Group1", domainSid) + s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid) + s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid) + s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid) + s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid) + s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid) + s.NTAuthStore = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore", domainSid) + s.RootCA = graphTestContext.NewActiveDirectoryRootCA("RootCA", domainSid) + s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid) + s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid) + graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor) + graphTestContext.NewRelationship(s.EnterpriseCA, s.RootCA, ad.IssuedSignedBy) + graphTestContext.NewRelationship(s.NTAuthStore, s.Domain, ad.NTAuthStoreFor) + graphTestContext.NewRelationship(s.EnterpriseCA, s.NTAuthStore, ad.TrustedForNTAuth) + graphTestContext.NewRelationship(s.EnterpriseCA, s.DC, ad.CanAbuseWeakCertBinding) + graphTestContext.NewRelationship(s.DC, s.Domain, ad.DCFor) + graphTestContext.NewRelationship(s.CertTemplate, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.Group1, s.User1, ad.GenericAll) + graphTestContext.NewRelationship(s.Group1, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group2, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group2, s.User1, ad.GenericWrite) + graphTestContext.NewRelationship(s.Group6, s.User1, ad.AllExtendedRights) + graphTestContext.NewRelationship(s.Group3, s.User1, ad.WriteDACL) + graphTestContext.NewRelationship(s.Group3, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group4, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group4, s.User1, ad.WriteOwner) + graphTestContext.NewRelationship(s.Group5, s.Domain, 
ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group5, s.User1, ad.WriteOwner) + graphTestContext.NewRelationship(s.User2, s.User2, ad.GenericAll) + graphTestContext.NewRelationship(s.User2, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.Group0, s.CertTemplate, ad.Enroll) + graphTestContext.NewRelationship(s.Group0, s.EnterpriseCA, ad.Enroll) +} + +type ESC9aHarness1 struct { + CertTemplate1 *graph.Node + CertTemplate2 *graph.Node + CertTemplate3 *graph.Node + CertTemplate4 *graph.Node + CertTemplate5 *graph.Node + CertTemplate6 *graph.Node + CertTemplate7 *graph.Node + CertTemplate8 *graph.Node + DC *graph.Node + Domain *graph.Node + EnterpriseCA *graph.Node + Group0 *graph.Node + Group1 *graph.Node + Group2 *graph.Node + Group3 *graph.Node + Group4 *graph.Node + Group5 *graph.Node + Group6 *graph.Node + Group7 *graph.Node + Group8 *graph.Node + NTAuthStore *graph.Node + RootCA *graph.Node + User1 *graph.Node + User2 *graph.Node + User3 *graph.Node + User4 *graph.Node + User5 *graph.Node + User6 *graph.Node + User7 *graph.Node + User8 *graph.Node +} + +func (s *ESC9aHarness1) Setup(graphTestContext *GraphTestContext) { + domainSid := RandomDomainSID() + s.CertTemplate1 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate1", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, RequiresManagerApproval: false, + SchemaVersion: 2, + SubjectAltRequireEmail: false, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.CertTemplate2 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate2", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, 
EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 1, + SubjectAltRequireEmail: false, + SubjectAltRequireSPN: false, SubjectAltRequireUPN: true, + }) + s.CertTemplate3 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate3", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 1, + SubjectAltRequireEmail: false, SubjectAltRequireSPN: true, - SubjectAltRequireDNS: false, + SubjectAltRequireUPN: false, + }) + s.CertTemplate4 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate4", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, NoSecurityExtension: true, + RequiresManagerApproval: true, SchemaVersion: 1, + SubjectAltRequireEmail: false, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.CertTemplate5 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate5", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: false, AuthorizedSignatures: 0, - EKUS: emptyEkus, - ApplicationPolicies: emptyEkus, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 1, + SubjectAltRequireEmail: false, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.CertTemplate6 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate6", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 1, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 2, + SubjectAltRequireEmail: false, + 
SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.CertTemplate7 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate7", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 1, + SubjectAltRequireEmail: false, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: false, + }) + s.CertTemplate8 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate8", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: false, + RequiresManagerApproval: false, + SchemaVersion: 1, + SubjectAltRequireEmail: false, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, }) - s.Victim = c.NewActiveDirectoryUser("victim", sid, false) - s.Attacker = c.NewActiveDirectoryUser("attacker", sid, false) + s.DC = graphTestContext.NewActiveDirectoryComputer("DC", domainSid) + s.Domain = graphTestContext.NewActiveDirectoryDomain("Domain", domainSid, false, true) + s.EnterpriseCA = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA", domainSid) + s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", domainSid) + s.Group1 = graphTestContext.NewActiveDirectoryGroup("Group1", domainSid) + s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid) + s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid) + s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid) + s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid) + s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid) + s.Group7 = graphTestContext.NewActiveDirectoryGroup("Group7", domainSid) + s.Group8 = graphTestContext.NewActiveDirectoryGroup("Group8", 
domainSid) + s.NTAuthStore = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore", domainSid) + s.RootCA = graphTestContext.NewActiveDirectoryRootCA("RootCA", domainSid) + s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid) + s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid) + s.User3 = graphTestContext.NewActiveDirectoryUser("User3", domainSid) + s.User4 = graphTestContext.NewActiveDirectoryUser("User4", domainSid) + s.User5 = graphTestContext.NewActiveDirectoryUser("User5", domainSid) + s.User6 = graphTestContext.NewActiveDirectoryUser("User6", domainSid) + s.User7 = graphTestContext.NewActiveDirectoryUser("User7", domainSid) + s.User8 = graphTestContext.NewActiveDirectoryUser("User8", domainSid) + graphTestContext.NewRelationship(s.CertTemplate2, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor) + graphTestContext.NewRelationship(s.EnterpriseCA, s.RootCA, ad.IssuedSignedBy) + graphTestContext.NewRelationship(s.NTAuthStore, s.Domain, ad.NTAuthStoreFor) + graphTestContext.NewRelationship(s.EnterpriseCA, s.NTAuthStore, ad.TrustedForNTAuth) + graphTestContext.NewRelationship(s.EnterpriseCA, s.DC, ad.CanAbuseWeakCertBinding) + graphTestContext.NewRelationship(s.DC, s.Domain, ad.DCFor) + graphTestContext.NewRelationship(s.User3, s.CertTemplate3, ad.Enroll) + graphTestContext.NewRelationship(s.CertTemplate3, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.CertTemplate4, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.User4, s.CertTemplate4, ad.Enroll) + graphTestContext.NewRelationship(s.User2, s.CertTemplate2, ad.Enroll) + graphTestContext.NewRelationship(s.Group0, s.EnterpriseCA, ad.Enroll) + graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User3, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User4, s.Group0, ad.MemberOf) + 
graphTestContext.NewRelationship(s.CertTemplate5, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.User5, s.CertTemplate5, ad.Enroll) + graphTestContext.NewRelationship(s.User5, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User6, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User6, s.CertTemplate6, ad.Enroll) + graphTestContext.NewRelationship(s.CertTemplate6, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.CertTemplate1, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.User1, s.CertTemplate1, ad.Enroll) + graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.CertTemplate7, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.User7, s.CertTemplate7, ad.Enroll) + graphTestContext.NewRelationship(s.User7, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.CertTemplate8, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.User8, s.CertTemplate8, ad.Enroll) + graphTestContext.NewRelationship(s.User8, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.Group8, s.User8, ad.GenericAll) + graphTestContext.NewRelationship(s.Group7, s.User7, ad.GenericAll) + graphTestContext.NewRelationship(s.Group6, s.User6, ad.GenericAll) + graphTestContext.NewRelationship(s.Group5, s.User5, ad.GenericAll) + graphTestContext.NewRelationship(s.Group4, s.User4, ad.GenericAll) + graphTestContext.NewRelationship(s.Group3, s.User3, ad.GenericAll) + graphTestContext.NewRelationship(s.Group2, s.User2, ad.GenericAll) + graphTestContext.NewRelationship(s.Group1, s.User1, ad.GenericAll) + graphTestContext.NewRelationship(s.Group3, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group2, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group1, s.Domain, ad.ADCSESC9a) +} - c.NewRelationship(s.DC, s.Domain, ad.DCFor) - c.NewRelationship(s.NTAuthStore, s.Domain, ad.NTAuthStoreFor) - 
c.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor) - c.NewRelationship(s.EnterpriseCA, s.DC, ad.CanAbuseWeakCertBinding) - c.NewRelationship(s.EnterpriseCA, s.NTAuthStore, ad.TrustedForNTAuth) - c.NewRelationship(s.EnterpriseCA, s.RootCA, ad.IssuedSignedBy) - c.NewRelationship(s.CertTemplate, s.EnterpriseCA, ad.PublishedTo) - c.NewRelationship(s.Victim, s.EnterpriseCA, ad.Enroll) - c.NewRelationship(s.Victim, s.CertTemplate, ad.Enroll) - c.NewRelationship(s.Attacker, s.Victim, ad.GenericWrite) +type ESC9aHarness2 struct { + CertTemplate1 *graph.Node + CertTemplate2 *graph.Node + CertTemplate3 *graph.Node + Computer1 *graph.Node + Computer2 *graph.Node + Computer3 *graph.Node + Computer4 *graph.Node + Computer5 *graph.Node + Computer6 *graph.Node + DC *graph.Node + Domain *graph.Node + EnterpriseCA *graph.Node + Group0 *graph.Node + Group1 *graph.Node + Group2 *graph.Node + Group3 *graph.Node + Group4 *graph.Node + Group5 *graph.Node + Group6 *graph.Node + NTAuthStore *graph.Node + RootCA *graph.Node + User1 *graph.Node + User2 *graph.Node + User3 *graph.Node + User4 *graph.Node + User5 *graph.Node + User6 *graph.Node +} + +func (s *ESC9aHarness2) Setup(graphTestContext *GraphTestContext) { + domainSid := RandomDomainSID() + s.CertTemplate1 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate1", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 2, + SubjectAltRequireDNS: false, + SubjectAltRequireDomainDNS: false, + SubjectAltRequireEmail: true, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.CertTemplate2 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate2", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + 
EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 2, + SubjectAltRequireDNS: true, + SubjectAltRequireDomainDNS: false, + SubjectAltRequireEmail: true, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.CertTemplate3 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate3", domainSid, CertTemplateData{ + ApplicationPolicies: []string{}, + AuthenticationEnabled: true, + AuthorizedSignatures: 0, + EKUS: []string{}, + EnrolleeSuppliesSubject: false, + NoSecurityExtension: true, + RequiresManagerApproval: false, + SchemaVersion: 2, + SubjectAltRequireDNS: false, + SubjectAltRequireDomainDNS: true, + SubjectAltRequireEmail: true, + SubjectAltRequireSPN: false, + SubjectAltRequireUPN: true, + }) + s.Computer1 = graphTestContext.NewActiveDirectoryComputer("Computer1", domainSid) + s.Computer2 = graphTestContext.NewActiveDirectoryComputer("Computer2", domainSid) + s.Computer3 = graphTestContext.NewActiveDirectoryComputer("Computer3", domainSid) + s.Computer4 = graphTestContext.NewActiveDirectoryComputer("Computer4", domainSid) + s.Computer5 = graphTestContext.NewActiveDirectoryComputer("Computer5", domainSid) + s.Computer6 = graphTestContext.NewActiveDirectoryComputer("Computer6", domainSid) + s.DC = graphTestContext.NewActiveDirectoryComputer("DC", domainSid) + s.Domain = graphTestContext.NewActiveDirectoryDomain("Domain", domainSid, false, true) + s.EnterpriseCA = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA", domainSid) + s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", domainSid) + s.Group1 = graphTestContext.NewActiveDirectoryGroup("Group1", domainSid) + s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid) + s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid) + s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid) + s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid) + 
s.Group6 = graphTestContext.NewActiveDirectoryGroup("Group6", domainSid) + s.NTAuthStore = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore", domainSid) + s.RootCA = graphTestContext.NewActiveDirectoryRootCA("RootCA", domainSid) + s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid) + s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid) + s.User3 = graphTestContext.NewActiveDirectoryUser("User3", domainSid) + s.User4 = graphTestContext.NewActiveDirectoryUser("User4", domainSid) + s.User5 = graphTestContext.NewActiveDirectoryUser("User5", domainSid) + s.User6 = graphTestContext.NewActiveDirectoryUser("User6", domainSid) + graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor) + graphTestContext.NewRelationship(s.EnterpriseCA, s.RootCA, ad.IssuedSignedBy) + graphTestContext.NewRelationship(s.NTAuthStore, s.Domain, ad.NTAuthStoreFor) + graphTestContext.NewRelationship(s.EnterpriseCA, s.NTAuthStore, ad.TrustedForNTAuth) + graphTestContext.NewRelationship(s.EnterpriseCA, s.DC, ad.CanAbuseWeakCertBinding) + graphTestContext.NewRelationship(s.DC, s.Domain, ad.DCFor) + graphTestContext.NewRelationship(s.Group0, s.EnterpriseCA, ad.Enroll) + graphTestContext.NewRelationship(s.CertTemplate1, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.Group1, s.CertTemplate1, ad.Enroll) + graphTestContext.NewRelationship(s.Group1, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.CertTemplate2, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.CertTemplate3, s.EnterpriseCA, ad.PublishedTo) + graphTestContext.NewRelationship(s.Computer1, s.CertTemplate1, ad.Enroll) + graphTestContext.NewRelationship(s.Computer1, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User1, s.CertTemplate1, ad.Enroll) + graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.Group2, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.Computer2, 
s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User2, s.CertTemplate2, ad.Enroll) + graphTestContext.NewRelationship(s.Computer2, s.CertTemplate2, ad.Enroll) + graphTestContext.NewRelationship(s.Group2, s.CertTemplate2, ad.Enroll) + graphTestContext.NewRelationship(s.Group3, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.Computer3, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.User3, s.Group0, ad.MemberOf) + graphTestContext.NewRelationship(s.Group3, s.CertTemplate3, ad.Enroll) + graphTestContext.NewRelationship(s.Computer3, s.CertTemplate3, ad.Enroll) + graphTestContext.NewRelationship(s.User3, s.CertTemplate3, ad.Enroll) + graphTestContext.NewRelationship(s.User6, s.User3, ad.GenericAll) + graphTestContext.NewRelationship(s.User5, s.Computer3, ad.GenericAll) + graphTestContext.NewRelationship(s.User4, s.Group3, ad.GenericAll) + graphTestContext.NewRelationship(s.Computer6, s.User2, ad.GenericAll) + graphTestContext.NewRelationship(s.Computer5, s.Computer2, ad.GenericAll) + graphTestContext.NewRelationship(s.Computer4, s.Group2, ad.GenericAll) + graphTestContext.NewRelationship(s.Group6, s.User1, ad.GenericAll) + graphTestContext.NewRelationship(s.Group5, s.Computer1, ad.GenericAll) + graphTestContext.NewRelationship(s.Group4, s.Group1, ad.GenericAll) + graphTestContext.NewRelationship(s.User5, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Computer5, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group6, s.Domain, ad.ADCSESC9a) + graphTestContext.NewRelationship(s.Group5, s.Domain, ad.ADCSESC9a) +} + +type ESC9aHarnessVictim struct { + CertTemplate1 *graph.Node + DC *graph.Node + Domain *graph.Node + EnterpriseCA *graph.Node + Group0 *graph.Node + Group1 *graph.Node + Group2 *graph.Node + Group3 *graph.Node + Group4 *graph.Node + NTAuthStore *graph.Node + RootCA *graph.Node + User1 *graph.Node + User2 *graph.Node + User3 
*graph.Node
+ User4 *graph.Node
+}
+
+func (s *ESC9aHarnessVictim) Setup(graphTestContext *GraphTestContext) {
+ domainSid := RandomDomainSID()
+ s.CertTemplate1 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate1", domainSid, CertTemplateData{
+ ApplicationPolicies: []string{},
+ AuthenticationEnabled: true,
+ AuthorizedSignatures: 0,
+ EKUS: []string{},
+ EnrolleeSuppliesSubject: false,
+ NoSecurityExtension: true,
+ RequiresManagerApproval: false,
+ SchemaVersion: 1,
+ SubjectAltRequireEmail: false,
+ SubjectAltRequireSPN: false,
+ SubjectAltRequireUPN: true,
+ })
+ s.DC = graphTestContext.NewActiveDirectoryComputer("DC", domainSid)
+ s.Domain = graphTestContext.NewActiveDirectoryDomain("Domain", domainSid, false, true)
+ s.EnterpriseCA = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA", domainSid)
+ s.Group0 = graphTestContext.NewActiveDirectoryGroup("Group0", domainSid)
+ s.Group1 = graphTestContext.NewActiveDirectoryGroup("Group1", domainSid)
+ s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid)
+ s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid)
+ s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid)
+ s.NTAuthStore = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore", domainSid)
+ s.RootCA = graphTestContext.NewActiveDirectoryRootCA("RootCA", domainSid)
+ s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid)
+ s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid)
+ s.User3 = graphTestContext.NewActiveDirectoryUser("User3", domainSid)
+ s.User4 = graphTestContext.NewActiveDirectoryUser("User4", domainSid)
+ graphTestContext.NewRelationship(s.RootCA, s.Domain, ad.RootCAFor)
+ graphTestContext.NewRelationship(s.EnterpriseCA, s.RootCA, ad.IssuedSignedBy)
+ graphTestContext.NewRelationship(s.NTAuthStore, s.Domain, ad.NTAuthStoreFor)
+ graphTestContext.NewRelationship(s.EnterpriseCA, s.NTAuthStore, ad.TrustedForNTAuth)
+
graphTestContext.NewRelationship(s.EnterpriseCA, s.DC, ad.CanAbuseWeakCertBinding)
+ graphTestContext.NewRelationship(s.DC, s.Domain, ad.DCFor)
+ graphTestContext.NewRelationship(s.Group0, s.EnterpriseCA, ad.Enroll)
+ graphTestContext.NewRelationship(s.CertTemplate1, s.EnterpriseCA, ad.PublishedTo)
+ graphTestContext.NewRelationship(s.User1, s.CertTemplate1, ad.GenericAll)
+ graphTestContext.NewRelationship(s.User1, s.Group0, ad.MemberOf)
+ graphTestContext.NewRelationship(s.User2, s.CertTemplate1, ad.AllExtendedRights)
+ graphTestContext.NewRelationship(s.User2, s.Group0, ad.MemberOf)
+ graphTestContext.NewRelationship(s.User3, s.CertTemplate1, ad.GenericWrite)
+ graphTestContext.NewRelationship(s.User3, s.Group0, ad.MemberOf)
+ graphTestContext.NewRelationship(s.User4, s.CertTemplate1, ad.Enroll)
+ graphTestContext.NewRelationship(s.Group1, s.User1, ad.GenericAll)
+ graphTestContext.NewRelationship(s.Group1, s.Domain, ad.ADCSESC9a)
+ graphTestContext.NewRelationship(s.Group2, s.User2, ad.GenericAll)
+ graphTestContext.NewRelationship(s.Group2, s.Domain, ad.ADCSESC9a)
+ graphTestContext.NewRelationship(s.Group3, s.User3, ad.GenericAll)
+ graphTestContext.NewRelationship(s.Group4, s.User4, ad.GenericAll)
+}
+
+type ESC9aHarnessECA struct {
+ CertTemplate1 *graph.Node
+ CertTemplate2 *graph.Node
+ CertTemplate3 *graph.Node
+ CertTemplate4 *graph.Node
+ CertTemplate5 *graph.Node
+ DC1 *graph.Node
+ DC2 *graph.Node
+ DC3 *graph.Node
+ DC4 *graph.Node
+ DC5 *graph.Node
+ Domain1 *graph.Node
+ Domain2 *graph.Node
+ Domain3 *graph.Node
+ Domain4 *graph.Node
+ Domain5 *graph.Node
+ EnterpriseCA1 *graph.Node
+ EnterpriseCA2 *graph.Node
+ EnterpriseCA3 *graph.Node
+ EnterpriseCA4 *graph.Node
+ EnterpriseCA5 *graph.Node
+ Group1 *graph.Node
+ Group2 *graph.Node
+ Group3 *graph.Node
+ Group4 *graph.Node
+ Group5 *graph.Node
+ NTAuthStore1 *graph.Node
+ NTAuthStore2 *graph.Node
+ NTAuthStore3 *graph.Node
+ NTAuthStore4 *graph.Node
+ NTAuthStore5 *graph.Node
+ RootCA1
*graph.Node
+ RootCA2 *graph.Node
+ RootCA3 *graph.Node
+ RootCA4 *graph.Node
+ RootCA5 *graph.Node
+ User1 *graph.Node
+ User2 *graph.Node
+ User3 *graph.Node
+ User4 *graph.Node
+ User5 *graph.Node
+}
+
+func (s *ESC9aHarnessECA) Setup(graphTestContext *GraphTestContext) {
+ domainSid1 := RandomDomainSID()
+ domainSid2 := RandomDomainSID()
+ domainSid3 := RandomDomainSID()
+ domainSid4 := RandomDomainSID()
+ domainSid5 := RandomDomainSID()
+ s.CertTemplate1 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate1", domainSid1, CertTemplateData{
+ ApplicationPolicies: []string{},
+ AuthenticationEnabled: true,
+ AuthorizedSignatures: 0,
+ EKUS: []string{},
+ EnrolleeSuppliesSubject: false,
+ NoSecurityExtension: true,
+ RequiresManagerApproval: false,
+ SchemaVersion: 1,
+ SubjectAltRequireEmail: false,
+ SubjectAltRequireSPN: false,
+ SubjectAltRequireUPN: true,
+ })
+ s.CertTemplate2 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate2", domainSid2, CertTemplateData{
+ ApplicationPolicies: []string{},
+ AuthenticationEnabled: true,
+ AuthorizedSignatures: 0,
+ EKUS: []string{},
+ EnrolleeSuppliesSubject: false,
+ NoSecurityExtension: true,
+ RequiresManagerApproval: false,
+ SchemaVersion: 1,
+ SubjectAltRequireEmail: false,
+ SubjectAltRequireSPN: false,
+ SubjectAltRequireUPN: true,
+ })
+ s.CertTemplate3 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate3", domainSid3, CertTemplateData{
+ ApplicationPolicies: []string{},
+ AuthenticationEnabled: true,
+ AuthorizedSignatures: 0,
+ EKUS: []string{},
+ EnrolleeSuppliesSubject: false,
+ NoSecurityExtension: true,
+ RequiresManagerApproval: false,
+ SchemaVersion: 1,
+ SubjectAltRequireEmail: false,
+ SubjectAltRequireSPN: false,
+ SubjectAltRequireUPN: true,
+ })
+ s.CertTemplate4 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate4", domainSid4, CertTemplateData{
+ ApplicationPolicies: []string{},
+ AuthenticationEnabled: true,
+ AuthorizedSignatures: 0,
+ EKUS:
[]string{},
+ EnrolleeSuppliesSubject: false,
+ NoSecurityExtension: true,
+ RequiresManagerApproval: false,
+ SchemaVersion: 1,
+ SubjectAltRequireEmail: false,
+ SubjectAltRequireSPN: false,
+ SubjectAltRequireUPN: true,
+ })
+ s.CertTemplate5 = graphTestContext.NewActiveDirectoryCertTemplate("CertTemplate5", domainSid5, CertTemplateData{
+ ApplicationPolicies: []string{},
+ AuthenticationEnabled: true,
+ AuthorizedSignatures: 0,
+ EKUS: []string{},
+ EnrolleeSuppliesSubject: false,
+ NoSecurityExtension: true,
+ RequiresManagerApproval: false,
+ SchemaVersion: 1,
+ SubjectAltRequireEmail: false,
+ SubjectAltRequireSPN: false,
+ SubjectAltRequireUPN: true,
+ })
+ s.DC1 = graphTestContext.NewActiveDirectoryComputer("DC1", domainSid1)
+ s.DC2 = graphTestContext.NewActiveDirectoryComputer("DC2", domainSid2)
+ s.DC3 = graphTestContext.NewActiveDirectoryComputer("DC3", domainSid3)
+ s.DC4 = graphTestContext.NewActiveDirectoryComputer("DC4", domainSid4)
+ s.DC5 = graphTestContext.NewActiveDirectoryComputer("DC5", domainSid5)
+ s.Domain1 = graphTestContext.NewActiveDirectoryDomain("Domain1", domainSid1, false, true)
+ s.Domain2 = graphTestContext.NewActiveDirectoryDomain("Domain2", domainSid2, false, true)
+ s.Domain3 = graphTestContext.NewActiveDirectoryDomain("Domain3", domainSid3, false, true)
+ s.Domain4 = graphTestContext.NewActiveDirectoryDomain("Domain4", domainSid4, false, true)
+ s.Domain5 = graphTestContext.NewActiveDirectoryDomain("Domain5", domainSid5, false, true)
+ s.EnterpriseCA1 = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA1", domainSid1)
+ s.EnterpriseCA2 = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA2", domainSid2)
+ s.EnterpriseCA3 = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA3", domainSid3)
+ s.EnterpriseCA4 = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA4", domainSid4)
+ s.EnterpriseCA5 = graphTestContext.NewActiveDirectoryEnterpriseCA("EnterpriseCA5", domainSid5)
+ s.Group1 =
graphTestContext.NewActiveDirectoryGroup("Group1", domainSid1)
+ s.Group2 = graphTestContext.NewActiveDirectoryGroup("Group2", domainSid2)
+ s.Group3 = graphTestContext.NewActiveDirectoryGroup("Group3", domainSid3)
+ s.Group4 = graphTestContext.NewActiveDirectoryGroup("Group4", domainSid4)
+ s.Group5 = graphTestContext.NewActiveDirectoryGroup("Group5", domainSid5)
+ s.NTAuthStore1 = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore1", domainSid1)
+ s.NTAuthStore2 = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore2", domainSid2)
+ s.NTAuthStore3 = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore3", domainSid3)
+ s.NTAuthStore4 = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore4", domainSid4)
+ s.NTAuthStore5 = graphTestContext.NewActiveDirectoryNTAuthStore("NTAuthStore5", domainSid5)
+ s.RootCA1 = graphTestContext.NewActiveDirectoryRootCA("RootCA1", domainSid1)
+ s.RootCA2 = graphTestContext.NewActiveDirectoryRootCA("RootCA2", domainSid2)
+ s.RootCA3 = graphTestContext.NewActiveDirectoryRootCA("RootCA3", domainSid3)
+ s.RootCA4 = graphTestContext.NewActiveDirectoryRootCA("RootCA4", domainSid4)
+ s.RootCA5 = graphTestContext.NewActiveDirectoryRootCA("RootCA5", domainSid5)
+ s.User1 = graphTestContext.NewActiveDirectoryUser("User1", domainSid1)
+ s.User2 = graphTestContext.NewActiveDirectoryUser("User2", domainSid2)
+ s.User3 = graphTestContext.NewActiveDirectoryUser("User3", domainSid3)
+ s.User4 = graphTestContext.NewActiveDirectoryUser("User4", domainSid4)
+ s.User5 = graphTestContext.NewActiveDirectoryUser("User5", domainSid5)
+ graphTestContext.NewRelationship(s.RootCA1, s.Domain1, ad.RootCAFor)
+ graphTestContext.NewRelationship(s.NTAuthStore1, s.Domain1, ad.NTAuthStoreFor)
+ graphTestContext.NewRelationship(s.DC1, s.Domain1, ad.DCFor)
+ graphTestContext.NewRelationship(s.CertTemplate1, s.EnterpriseCA1, ad.PublishedTo)
+ graphTestContext.NewRelationship(s.EnterpriseCA1, s.RootCA1, ad.IssuedSignedBy)
+
graphTestContext.NewRelationship(s.EnterpriseCA1, s.NTAuthStore1, ad.TrustedForNTAuth)
+ graphTestContext.NewRelationship(s.User1, s.EnterpriseCA1, ad.Enroll)
+ graphTestContext.NewRelationship(s.EnterpriseCA1, s.DC1, ad.CanAbuseWeakCertBinding)
+ graphTestContext.NewRelationship(s.User1, s.CertTemplate1, ad.Enroll)
+ graphTestContext.NewRelationship(s.RootCA2, s.Domain2, ad.RootCAFor)
+ graphTestContext.NewRelationship(s.NTAuthStore2, s.Domain2, ad.NTAuthStoreFor)
+ graphTestContext.NewRelationship(s.DC2, s.Domain2, ad.DCFor)
+ graphTestContext.NewRelationship(s.CertTemplate2, s.EnterpriseCA2, ad.PublishedTo)
+ graphTestContext.NewRelationship(s.EnterpriseCA2, s.RootCA2, ad.IssuedSignedBy)
+ graphTestContext.NewRelationship(s.EnterpriseCA2, s.NTAuthStore2, ad.TrustedForNTAuth)
+ graphTestContext.NewRelationship(s.User2, s.EnterpriseCA2, ad.Enroll)
+ graphTestContext.NewRelationship(s.User2, s.CertTemplate2, ad.Enroll)
+ graphTestContext.NewRelationship(s.RootCA3, s.Domain3, ad.RootCAFor)
+ graphTestContext.NewRelationship(s.NTAuthStore3, s.Domain3, ad.NTAuthStoreFor)
+ graphTestContext.NewRelationship(s.DC3, s.Domain3, ad.DCFor)
+ graphTestContext.NewRelationship(s.CertTemplate3, s.EnterpriseCA3, ad.PublishedTo)
+ graphTestContext.NewRelationship(s.EnterpriseCA3, s.RootCA3, ad.IssuedSignedBy)
+ graphTestContext.NewRelationship(s.User3, s.EnterpriseCA3, ad.Enroll)
+ graphTestContext.NewRelationship(s.EnterpriseCA3, s.DC3, ad.CanAbuseWeakCertBinding)
+ graphTestContext.NewRelationship(s.User3, s.CertTemplate3, ad.Enroll)
+ graphTestContext.NewRelationship(s.RootCA4, s.Domain4, ad.RootCAFor)
+ graphTestContext.NewRelationship(s.NTAuthStore4, s.Domain4, ad.NTAuthStoreFor)
+ graphTestContext.NewRelationship(s.DC4, s.Domain4, ad.DCFor)
+ graphTestContext.NewRelationship(s.CertTemplate4, s.EnterpriseCA4, ad.PublishedTo)
+ graphTestContext.NewRelationship(s.EnterpriseCA4, s.NTAuthStore4, ad.TrustedForNTAuth)
+ graphTestContext.NewRelationship(s.User4, s.EnterpriseCA4,
ad.Enroll)
+ graphTestContext.NewRelationship(s.EnterpriseCA4, s.DC4, ad.CanAbuseWeakCertBinding)
+ graphTestContext.NewRelationship(s.User4, s.CertTemplate4, ad.Enroll)
+ graphTestContext.NewRelationship(s.RootCA5, s.Domain5, ad.RootCAFor)
+ graphTestContext.NewRelationship(s.NTAuthStore5, s.Domain5, ad.NTAuthStoreFor)
+ graphTestContext.NewRelationship(s.DC5, s.Domain5, ad.DCFor)
+ graphTestContext.NewRelationship(s.EnterpriseCA5, s.RootCA5, ad.IssuedSignedBy)
+ graphTestContext.NewRelationship(s.EnterpriseCA5, s.NTAuthStore5, ad.TrustedForNTAuth)
+ graphTestContext.NewRelationship(s.User5, s.EnterpriseCA5, ad.Enroll)
+ graphTestContext.NewRelationship(s.EnterpriseCA5, s.DC5, ad.CanAbuseWeakCertBinding)
+ graphTestContext.NewRelationship(s.User5, s.CertTemplate5, ad.Enroll)
+ graphTestContext.NewRelationship(s.Group1, s.User1, ad.GenericAll)
+ graphTestContext.NewRelationship(s.Group1, s.Domain1, ad.ADCSESC9a)
+ graphTestContext.NewRelationship(s.Group2, s.User2, ad.GenericAll)
+ graphTestContext.NewRelationship(s.Group5, s.User5, ad.GenericAll)
+ graphTestContext.NewRelationship(s.Group4, s.User4, ad.GenericAll)
+ graphTestContext.NewRelationship(s.Group3, s.User3, ad.GenericAll)
}
type ESC9bPrincipalHarness struct {
@@ -3577,7 +4220,11 @@ type HarnessDetails struct {
ESC6aHarnessECA ESC6aHarnessECA
ESC6aHarnessTemplate1 ESC6aHarnessTemplate1
ESC6aHarnessTemplate2 ESC6aHarnessTemplate2
- ESC9AHarness ESC9AHarness
+ ESC9aPrincipalHarness ESC9aPrincipalHarness
+ ESC9aHarness1 ESC9aHarness1
+ ESC9aHarness2 ESC9aHarness2
+ ESC9aHarnessVictim ESC9aHarnessVictim
+ ESC9aHarnessECA ESC9aHarnessECA
ESC9bPrincipalHarness ESC9bPrincipalHarness
ESC9bHarness1 ESC9bHarness1
ESC9bHarness2 ESC9bHarness2
diff --git a/cmd/api/src/test/integration/harnesses/esc9aharness.svg b/cmd/api/src/test/integration/harnesses/esc9aharness.svg
deleted file mode 100644
index bd9dfa524..000000000
--- a/cmd/api/src/test/integration/harnesses/esc9aharness.svg
+++ /dev/null
@@ -1,18 +0,0 @@ - -PublishedToRootCAForEnrollEnrollIssuedSignedByNTAuthStoreForTrustedForNTAuthGenericWriteADCSESC9aDCForCanAbuseWeakCertBindingDomainname:dNTAuthStoreRootCAEnterpriseCAname:ecaCertTemplatename:ctAuthenticationEnabled:TrueRequiresManagerApproval:FalseNoSecurityExtension:TrueSubjectAltNameRequireUPN:TrueSchemaVersion:1EnrolleeSuppliesSubject:FalseSubjectAltRequireSPN:TrueADprincipal(Victim)name:vpADprincipal(attacker)name:apDCname:dc diff --git a/cmd/api/src/test/integration/harnesses/esc9aharness1.json b/cmd/api/src/test/integration/harnesses/esc9aharness1.json new file mode 100644 index 000000000..d2f5e2852 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aharness1.json 
@@ -0,0 +1,896 @@ +{ + "style": { + "font-family": "sans-serif", + "background-color": "#ffffff", + "background-image": "", + "background-size": "100%", + "node-color": "#ffffff", + "border-width": 4, + "border-color": "#000000", + "radius": 50, + "node-padding": 5, + "node-margin": 2, + "outside-position": "auto", + "node-icon-image": "", + "node-background-image": "", + "icon-position": "inside", + "icon-size": 64, + "caption-position": "inside", + "caption-max-width": 200, + "caption-color": "#000000", + "caption-font-size": 50, + "caption-font-weight": "normal", + "label-position": "inside", + "label-display": "pill", + "label-color": "#000000", + "label-background-color": "#ffffff", + "label-border-color": "#000000", + "label-border-width": 4, + "label-font-size": 40, + "label-padding": 5, + "label-margin": 4, + "directionality": "directed", + "detail-position": "inline", + "detail-orientation": "parallel", + "arrow-width": 5, + "arrow-color": "#000000", + "margin-start": 5, + "margin-end": 5, + "margin-peer": 20, + "attachment-start": "normal", + "attachment-end": "normal", + "relationship-icon-image": "", + "type-color": "#000000", + "type-background-color": "#ffffff", + "type-border-color": "#000000", + "type-border-width": 0, + "type-font-size": 16, + "type-padding": 5, + "property-position": "outside", + "property-alignment": "colon", + "property-color": "#000000", + "property-font-size": 16, + "property-font-weight": "normal" + }, + "nodes": [ + { + "id": "n0", + "position": { + "x": 578.3650824278708, + "y": 1773.5650963170865 + }, + "caption": "Domain", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n1", + "position": { + "x": 1175.94187190964, + "y": 1649.7394228815854 + }, + "caption": "NTAuthStore", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n2", + "position": { + "x": 1175.94187190964, + "y": 1773.5650963170863 + }, 
+ "caption": "RootCA", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n3", + "position": { + "x": 1755.6240743012013, + "y": 1374.3084608098086 + }, + "caption": "EnterpriseCA", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n4", + "position": { + "x": 1389.310975309572, + "y": 285.7652224205525 + }, + "caption": "CertTemplate2", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n5", + "position": { + "x": 1175.94187190964, + "y": 1523.915316805959 + }, + "caption": "DC", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n7", + "position": { + "x": -45.200719376812174, + "y": 1077.2736470114025 + }, + "caption": "User4", + "labels": [], + "properties": {}, + "style": { + "border-color": "#000000", + "node-color": "#a4dd00" + } + }, + { + "id": "n8", + "position": { + "x": 1389.310975309572, + "y": 417.6832931856942 + }, + "caption": "CertTemplate3", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "False", + "NoSecurityExtension": "True", + "SubjectAltRequireSPN": "True" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n9", + "position": { + "x": -201.09216982798324, + "y": 1077.2736470114025 + }, + "caption": "User3", + "labels": [], + "properties": {}, + "style": { + "border-color": "#000000", + "node-color": "#a4dd00" + } + }, + { + 
"id": "n10", + "position": { + "x": -356.98362027915437, + "y": 1077.2736470114025 + }, + "caption": "User2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00" + } + }, + { + "id": "n11", + "position": { + "x": 1389.310975309572, + "y": 549.6013639508353 + }, + "caption": "CertTemplate4", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "True", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff", + "caption-position": "inside", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n12", + "position": { + "x": 578.3650824278708, + "y": 1374.3084608098086 + }, + "caption": "Group0", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + }, + { + "id": "n13", + "position": { + "x": 1389.310975309572, + "y": 681.5194347159766 + }, + "caption": "CertTemplate5", + "labels": [], + "properties": { + "AuthenticationEnabled": "False", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n14", + "position": { + "x": 110.6907310743589, + "y": 1077.2736470114025 + }, + "caption": "User5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n15", + "position": { + "x": 1389.310975309572, + "y": 813.4375054811183 + }, + "caption": "CertTemplate6", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "2", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True", + "AuthorizedSignatures": "1" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n16", + "position": { + "x": 
1389.310975309572, + "y": 153.8471516554107 + }, + "caption": "CertTemplate1", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "2", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True", + "AuthorizedSignatures": "0" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n17", + "position": { + "x": 266.5821815255296, + "y": 1077.2736470114007 + }, + "caption": "User6", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n18", + "position": { + "x": -512.8750707303254, + "y": 1077.2736470114025 + }, + "caption": "User1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00" + } + }, + { + "id": "n19", + "position": { + "x": 1389.310975309572, + "y": 945.3555762462604 + }, + "caption": "CertTemplate7", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "False", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n20", + "position": { + "x": 422.4736319767002, + "y": 1077.2736470114007 + }, + "caption": "User7", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n21", + "position": { + "x": 1389.310975309572, + "y": 1077.2736470114025 + }, + "caption": "CertTemplate8", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "False" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n22", + "position": { + "x": 578.3650824278708, + "y": 1077.2736470114025 + }, 
+ "caption": "User8", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n23", + "position": { + "x": 578.3650824278708, + "y": 153.84715165540956 + }, + "caption": "Group8", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n24", + "position": { + "x": 422.4736319766997, + "y": 153.8471516554096 + }, + "caption": "Group7", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n25", + "position": { + "x": 266.5821815255286, + "y": 153.8471516554096 + }, + "caption": "Group6", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n26", + "position": { + "x": 110.69073107435759, + "y": 153.8471516554096 + }, + "caption": "Group5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n27", + "position": { + "x": -45.20071937681354, + "y": 153.8471516554096 + }, + "caption": "Group4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n28", + "position": { + "x": -201.09216982798324, + "y": 1523.915316805959 + }, + "caption": "Group3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#000000" + } + }, + { + "id": "n29", + "position": { + "x": -356.98362027915437, + "y": 1649.7394228815854 + }, + "caption": "Group2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#000000" + } + }, + { + "id": "n30", + "position": { + "x": -512.8750707303254, + "y": 1773.5650963170865 + }, + "caption": "Group1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#000000" + } + } + ], + "relationships": [ + { + "id": 
"n0", + "fromId": "n4", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n1", + "fromId": "n2", + "toId": "n0", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n2", + "fromId": "n3", + "toId": "n2", + "type": "IssuedSignedBy", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n3", + "fromId": "n1", + "toId": "n0", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n4", + "fromId": "n3", + "toId": "n1", + "type": "TrustedForNTAuth", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n5", + "fromId": "n3", + "toId": "n5", + "type": "CanAbuseWeakCertBinding", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n6", + "fromId": "n5", + "toId": "n0", + "type": "DCFor", + "properties": {}, + "style": { + "type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n7", + "fromId": "n9", + "toId": "n8", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n8", + "fromId": "n8", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": {} + }, + { + "id": "n9", + "fromId": "n11", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n10", + "fromId": "n7", + "toId": "n11", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n11", + "fromId": "n10", + "toId": "n4", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n12", + "fromId": "n12", + "toId": "n3", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n13", + "fromId": "n10", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n14", + "fromId": "n9", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { 
+ "id": "n15", + "fromId": "n7", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n16", + "fromId": "n13", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n17", + "fromId": "n14", + "toId": "n13", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n18", + "fromId": "n14", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n20", + "fromId": "n17", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n21", + "fromId": "n17", + "toId": "n15", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n22", + "fromId": "n15", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": {} + }, + { + "id": "n23", + "fromId": "n16", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": {} + }, + { + "id": "n24", + "fromId": "n18", + "toId": "n16", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n26", + "fromId": "n18", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n27", + "fromId": "n19", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n28", + "fromId": "n20", + "toId": "n19", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n29", + "fromId": "n20", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n30", + "fromId": "n21", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n31", + "fromId": "n22", + "toId": "n21", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n32", + "fromId": "n22", + "toId": "n12", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n33", + "type": "GenericAll", + "style": {}, 
+ "properties": {}, + "fromId": "n23", + "toId": "n22" + }, + { + "id": "n34", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n24", + "toId": "n20" + }, + { + "id": "n35", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n25", + "toId": "n17" + }, + { + "id": "n36", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n26", + "toId": "n14" + }, + { + "id": "n37", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n27", + "toId": "n7" + }, + { + "id": "n38", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n28", + "toId": "n9" + }, + { + "id": "n39", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n29", + "toId": "n10" + }, + { + "id": "n40", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n30", + "toId": "n18" + }, + { + "id": "n41", + "type": "ADCSESC9a", + "style": {}, + "properties": {}, + "fromId": "n28", + "toId": "n0" + }, + { + "id": "n42", + "type": "ADCSESC9a", + "style": {}, + "properties": {}, + "fromId": "n29", + "toId": "n0" + }, + { + "id": "n43", + "type": "ADCSESC9a", + "style": {}, + "properties": {}, + "fromId": "n30", + "toId": "n0" + } + ] +} \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aharness1.svg b/cmd/api/src/test/integration/harnesses/esc9aharness1.svg new file mode 100644 index 000000000..cfaff2d85 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aharness1.svg 
@@ -0,0 +1 @@ +PublishedToRootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthCanAbuseWeakCertBindingDCForEnrollPublishedToPublishedToEnrollEnrollEnrollMemberOfMemberOfMemberOfPublishedToEnrollMemberOfMemberOfEnrollPublishedToPublishedToEnrollMemberOfPublishedToEnrollMemberOfPublishedToEnrollMemberOfGenericAllGenericAllGenericAllGenericAllGenericAllGenericAllGenericAllGenericAllADCSESC9aADCSESC9aADCSESC9aDomainNTAuthStoreRootCAEnterpriseCACertTemplate2AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueDCUser4CertTemplate3AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:FalseNoSecurityExtension:TrueSubjectAltRequireSPN:TrueUser3User2CertTemplate4AuthenticationEnabled:TrueRequireManagerApproval:TrueSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueGroup0CertTemplate5AuthenticationEnabled:FalseRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueUser5CertTemplate6AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:2SubjectAltRequireUPN:TrueNoSecurityExtension:TrueAuthorizedSignatures:1CertTemplate1AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:2SubjectAltRequireUPN:TrueNoSecurityExtension:TrueAuthorizedSignatures:0User6User1CertTemplate7AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:FalseNoSecurityExtension:TrueUser7CertTemplate8AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:FalseUser8Group8Group7Group6Group5Group4Group3Group2Group1 \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aharness2.json b/cmd/api/src/test/integration/harnesses/esc9aharness2.json new file mode 100644 index 000000000..8b77a7162 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aharness2.json 
@@ -0,0 +1,800 @@ +{ + "style": { + "font-family": "sans-serif", + "background-color": "#ffffff", + "background-image": "", + "background-size": "100%", + "node-color": "#ffffff", + "border-width": 4, + "border-color": "#000000", + "radius": 50, + "node-padding": 5, + "node-margin": 2, + "outside-position": "auto", + "node-icon-image": "", + "node-background-image": "", + "icon-position": "inside", + "icon-size": 64, + "caption-position": "inside", + "caption-max-width": 200, + "caption-color": "#000000", + "caption-font-size": 50, + "caption-font-weight": "normal", + "label-position": "inside", + "label-display": "pill", + "label-color": "#000000", + "label-background-color": "#ffffff", + "label-border-color": "#000000", + "label-border-width": 4, + "label-font-size": 40, + "label-padding": 5, + "label-margin": 4, + "directionality": "directed", + "detail-position": "inline", + "detail-orientation": "parallel", + "arrow-width": 5, + "arrow-color": "#000000", + "margin-start": 5, + "margin-end": 5, + "margin-peer": 20, + "attachment-start": "normal", + "attachment-end": "normal", + "relationship-icon-image": "", + "type-color": "#000000", + "type-background-color": "#ffffff", + "type-border-color": "#000000", + "type-border-width": 0, + "type-font-size": 16, + "type-padding": 5, + "property-position": "outside", + "property-alignment": "colon", + "property-color": "#000000", + "property-font-size": 16, + "property-font-weight": "normal" + }, + "nodes": [ + { + "id": "n0", + "position": { + "x": 203.75362436450789, + "y": 1381.41620651926 + }, + "caption": "Domain", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n1", + "position": { + "x": 1739.567151172265, + "y": 1172.6584948427476 + }, + "caption": "NTAuthStore", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n2", + "position": { + "x": 1808.8297992130572, + "y": 1280.5718804439516 + 
}, + "caption": "RootCA", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n3", + "position": { + "x": 2164.09443892902, + "y": 976.3660942769798 + }, + "caption": "EnterpriseCA", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n4", + "position": { + "x": 1930.2386475906515, + "y": 1381.41620651926 + }, + "caption": "DC", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n5", + "position": { + "x": 1399.5299049613134, + "y": 976.3660942769798 + }, + "caption": "Group0", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcc400" + } + }, + { + "id": "n6", + "position": { + "x": 1930.2386475906515, + "y": 703.2340527998417 + }, + "caption": "CertTemplate1", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "2", + "AuthorizedSignatures": "0", + "NoSecurityExtension": "True", + "SubjectAltRequireEmail": "True", + "SubjectAltRequireUPN": "True", + "SubjectAltRequireDNS": "False", + "SubjectAltRequireDomainDNS": "False" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n7", + "position": { + "x": 1048.392672240942, + "y": 781.2392440430749 + }, + "caption": "Group1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcc400" + } + }, + { + "id": "n8", + "position": { + "x": 1930.2386475906515, + "y": 420.352007001999 + }, + "caption": "CertTemplate2", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "2", + "AuthorizedSignatures": "0", + "NoSecurityExtension": "True", + "SubjectAltRequireEmail": "True", + "SubjectAltRequireUPN": 
"True", + "SubjectAltRequireDNS": "True", + "SubjectAltRequireDomainDNS": "False" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n9", + "position": { + "x": 1930.2386475906515, + "y": 128.00519124323318 + }, + "caption": "CertTemplate3", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "2", + "AuthorizedSignatures": "0", + "NoSecurityExtension": "True", + "SubjectAltRequireEmail": "True", + "SubjectAltRequireUPN": "True", + "SubjectAltRequireDNS": "False", + "SubjectAltRequireDomainDNS": "True" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n10", + "position": { + "x": 958.1708629806734, + "y": 703.2340527998417 + }, + "caption": "Computer1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b" + } + }, + { + "id": "n11", + "position": { + "x": 1048.392672240942, + "y": 625.2288615566085 + }, + "caption": "User1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00" + } + }, + { + "id": "n12", + "position": { + "x": 1048.392672240942, + "y": 498.3571982452322 + }, + "caption": "Group2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcc400" + } + }, + { + "id": "n13", + "position": { + "x": 958.1708629806734, + "y": 420.352007001999 + }, + "caption": "Computer2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b" + } + }, + { + "id": "n14", + "position": { + "x": 1048.392672240942, + "y": 342.3468157587656 + }, + "caption": "User2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n15", + "position": { + "x": 1048.392672240942, + "y": 206.01038248646637 + }, + "caption": "Group3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcc400" + } + }, + { + "id": "n16", + 
"position": { + "x": 958.1708629806734, + "y": 128.00519124323318 + }, + "caption": "Computer3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b" + } + }, + { + "id": "n17", + "position": { + "x": 1048.392672240942, + "y": 50 + }, + "caption": "User3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n18", + "position": { + "x": 769.8667202877737, + "y": 781.2392440430749 + }, + "caption": "Group4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcc400", + "border-color": "#73d8ff" + } + }, + { + "id": "n19", + "position": { + "x": 693.9677791509978, + "y": 703.2340527998417 + }, + "caption": "Group5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcc400" + } + }, + { + "id": "n20", + "position": { + "x": 616.1916207003551, + "y": 625.2288615566085 + }, + "caption": "Group6", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcc400" + } + }, + { + "id": "n21", + "position": { + "x": 573.7059003190309, + "y": 498.3571982452322 + }, + "caption": "Computer4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "border-color": "#73d8ff" + } + }, + { + "id": "n22", + "position": { + "x": 494.6881709874001, + "y": 420.352007001999 + }, + "caption": "Computer5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b" + } + }, + { + "id": "n23", + "position": { + "x": 418.08495553040996, + "y": 342.3468157587656 + }, + "caption": "Computer6", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "border-color": "#73d8ff" + } + }, + { + "id": "n24", + "position": { + "x": 356.9055181813032, + "y": 206.01038248646637 + }, + "caption": "User4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#73d8ff" + } + }, + { + "id": "n25", + "position": { + "x": 281.4337560355306, + "y": 128.00519124323318 + }, + 
"caption": "User5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00" + } + }, + { + "id": "n26", + "position": { + "x": 203.75362436450789, + "y": 50 + }, + "caption": "User6", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#73d8ff" + } + } + ], + "relationships": [ + { + "id": "n0", + "fromId": "n2", + "toId": "n0", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n1", + "fromId": "n3", + "toId": "n2", + "type": "IssuedSignedBy", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n2", + "fromId": "n1", + "toId": "n0", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n3", + "fromId": "n3", + "toId": "n1", + "type": "TrustedForNTAuth", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n4", + "fromId": "n3", + "toId": "n4", + "type": "CanAbuseWeakCertBinding", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n5", + "fromId": "n4", + "toId": "n0", + "type": "DCFor", + "properties": {}, + "style": { + "type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n6", + "fromId": "n5", + "toId": "n3", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n7", + "fromId": "n6", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": {} + }, + { + "id": "n8", + "fromId": "n7", + "toId": "n6", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n9", + "fromId": "n7", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n10", + "fromId": "n8", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": {} + }, + { + "id": "n11", + "fromId": "n9", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": {} + }, + { + "id": "n12", + "fromId": "n10", + "toId": "n6", + 
"type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n13", + "fromId": "n10", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n14", + "fromId": "n11", + "toId": "n6", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n15", + "fromId": "n11", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n16", + "fromId": "n12", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n17", + "fromId": "n13", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n18", + "fromId": "n14", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n19", + "fromId": "n14", + "toId": "n8", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n20", + "fromId": "n13", + "toId": "n8", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n21", + "fromId": "n12", + "toId": "n8", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n22", + "fromId": "n15", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n23", + "fromId": "n16", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n24", + "fromId": "n17", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n25", + "fromId": "n15", + "toId": "n9", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n26", + "fromId": "n16", + "toId": "n9", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n27", + "fromId": "n17", + "toId": "n9", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n28", + "fromId": "n26", + "toId": "n17", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n29", + "fromId": "n25", + "toId": "n16", + "type": "GenericAll", + "properties": {}, + "style": {} 
+ }, + { + "id": "n30", + "fromId": "n24", + "toId": "n15", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n31", + "fromId": "n23", + "toId": "n14", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n32", + "fromId": "n22", + "toId": "n13", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n33", + "fromId": "n21", + "toId": "n12", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n34", + "fromId": "n20", + "toId": "n11", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n35", + "fromId": "n19", + "toId": "n10", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n36", + "fromId": "n18", + "toId": "n7", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n37", + "fromId": "n25", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n40", + "fromId": "n22", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n42", + "fromId": "n20", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n43", + "fromId": "n19", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + } + ] +} \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aharness2.svg b/cmd/api/src/test/integration/harnesses/esc9aharness2.svg new file mode 100644 index 000000000..2affdbf34 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aharness2.svg 
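Review bot: The expected outcome of this fixture is only partly self-describing: the positive principals are encoded as the four `ADCSESC9a` relationships (n37, n40, n42, n43 — User5, Computer5, Group6 and Group5 to Domain), while the intended negatives (Group4, Computer4, Computer6, User4, User6) are marked solely by a `"border-color": "#73d8ff"` node style, and the gaps in the relationship ids (n38, n39, n41) suggest edges were deleted while editing. JSON cannot carry comments, so a reader of the Go test cannot tell that Group4, Computer4 and User4 appear to be negative because their GenericAll target is a group (Group1, Group2, Group3), and that Computer6 and User6 appear to be negative because their user targets (User2, User3) enroll in CertTemplate2/CertTemplate3, which additionally require a DNS or domain-DNS SAN — if that is the intent. I would record that rationale and the border-color convention in a comment next to the harness setup code this diagram documents, e.g. `// esc9aharness2: blue-bordered principals must NOT receive ADCSESC9a (group victims; user victims whose template also requires DNS/DomainDNS).` It is also worth stating whether this JSON is loaded by the test or is a diagram only; if it is loaded, the pre-drawn `ADCSESC9a` edges would make the edge-count assertion tautological unless the loader drops them.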
@@ -0,0 +1 @@ +RootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthCanAbuseWeakCertBindingDCForEnrollPublishedToEnrollMemberOfPublishedToPublishedToEnrollMemberOfEnrollMemberOfMemberOfMemberOfMemberOfEnrollEnrollEnrollMemberOfMemberOfMemberOfEnrollEnrollEnrollGenericAllGenericAllGenericAllGenericAllGenericAllGenericAllGenericAllGenericAllGenericAllADCSESC9aADCSESC9aADCSESC9aADCSESC9aDomainNTAuthStoreRootCAEnterpriseCADCGroup0CertTemplate1AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:2AuthorizedSignatures:0NoSecurityExtension:TrueSubjectAltRequireEmail:TrueSubjectAltRequireUPN:TrueSubjectAltRequireDNS:FalseSubjectAltRequireDomainDNS:FalseGroup1CertTemplate2AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:2AuthorizedSignatures:0NoSecurityExtension:TrueSubjectAltRequireEmail:TrueSubjectAltRequireUPN:TrueSubjectAltRequireDNS:TrueSubjectAltRequireDomainDNS:FalseCertTemplate3AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:2AuthorizedSignatures:0NoSecurityExtension:TrueSubjectAltRequireEmail:TrueSubjectAltRequireUPN:TrueSubjectAltRequireDNS:FalseSubjectAltRequireDomainDNS:TrueComputer1User1Group2Computer2User2Group3Computer3User3Group4Group5Group6Computer4Computer5Computer6User4User5User6 \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aharnesseca.json b/cmd/api/src/test/integration/harnesses/esc9aharnesseca.json new file mode 100644 index 000000000..bc18979af --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aharnesseca.json 
@@ -0,0 +1,1083 @@ +{ + "style": { + "font-family": "sans-serif", + "background-color": "#ffffff", + "background-image": "", + "background-size": "100%", + "node-color": "#ffffff", + "border-width": 4, + "border-color": "#000000", + "radius": 50, + "node-padding": 5, + "node-margin": 2, + "outside-position": "auto", + "node-icon-image": "", + "node-background-image": "", + "icon-position": "inside", + "icon-size": 64, + "caption-position": "inside", + "caption-max-width": 200, + "caption-color": "#000000", + "caption-font-size": 50, + "caption-font-weight": "normal", + "label-position": "inside", + "label-display": "pill", + "label-color": "#000000", + "label-background-color": "#ffffff", + "label-border-color": "#000000", + "label-border-width": 4, + "label-font-size": 40, + "label-padding": 5, + "label-margin": 4, + "directionality": "directed", + "detail-position": "inline", + "detail-orientation": "parallel", + "arrow-width": 5, + "arrow-color": "#000000", + "margin-start": 5, + "margin-end": 5, + "margin-peer": 20, + "attachment-start": "normal", + "attachment-end": "normal", + "relationship-icon-image": "", + "type-color": "#000000", + "type-background-color": "#ffffff", + "type-border-color": "#000000", + "type-border-width": 0, + "type-font-size": 16, + "type-padding": 5, + "property-position": "outside", + "property-alignment": "colon", + "property-color": "#000000", + "property-font-size": 16, + "property-font-weight": "normal" + }, + "nodes": [ + { + "id": "n0", + "position": { + "x": 1838.2521199214677, + "y": 2555.736538757399 + }, + "caption": "Domain1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n1", + "position": { + "x": 1442.701427932503, + "y": 2273.231824786215 + }, + "caption": "NTAuthStore1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n2", + "position": { + "x": 1442.701427932503, + "y": 2428.987863580507 + 
}, + "caption": "RootCA1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n3", + "position": { + "x": 446.2054422641352, + "y": 2273.231824786215 + }, + "caption": "CertTemplate1", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff" + } + }, + { + "id": "n4", + "position": { + "x": 1442.701427932503, + "y": 2117.4757859919237 + }, + "caption": "DC1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n5", + "position": { + "x": 956.6260599607343, + "y": 2273.231824786215 + }, + "caption": "EnterpriseCA1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n6", + "position": { + "x": 75.00000000000023, + "y": 2555.736538757399 + }, + "caption": "User1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n7", + "position": { + "x": 1838.2521199214673, + "y": 2038.867592259418 + }, + "caption": "Domain2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n8", + "position": { + "x": 1442.7014279325028, + "y": 1756.3628782882338 + }, + "caption": "NTAuthStore2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n9", + "position": { + "x": 1442.7014279325028, + "y": 1912.118917082525 + }, + "caption": "RootCA2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n10", + "position": { + "x": 446.20544226413443, + "y": 
1756.3628782882338 + }, + "caption": "CertTemplate2", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff" + } + }, + { + "id": "n11", + "position": { + "x": 1442.7014279325028, + "y": 1600.6068394939425 + }, + "caption": "DC2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n12", + "position": { + "x": 956.6260599607343, + "y": 1756.3628782882338 + }, + "caption": "EnterpriseCA2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n13", + "position": { + "x": 75.00000000000034, + "y": 2038.867592259418 + }, + "caption": "User2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n14", + "position": { + "x": 1838.2521199214673, + "y": 1521.9986457614368 + }, + "caption": "Domain3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n15", + "position": { + "x": 1442.7014279325022, + "y": 1239.4939317902526 + }, + "caption": "NTAuthStore3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n16", + "position": { + "x": 1442.7014279325022, + "y": 1395.249970584544 + }, + "caption": "RootCA3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n17", + "position": { + "x": 446.20544226413415, + "y": 1239.4939317902526 + }, + "caption": "CertTemplate3", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + 
"SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff" + } + }, + { + "id": "n18", + "position": { + "x": 1442.7014279325022, + "y": 1083.7378929959623 + }, + "caption": "DC3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n19", + "position": { + "x": 956.6260599607343, + "y": 1239.4939317902526 + }, + "caption": "EnterpriseCA3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n20", + "position": { + "x": 75, + "y": 1521.9986457614368 + }, + "caption": "User3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n21", + "position": { + "x": 1838.2521199214677, + "y": 1005.1296992634557 + }, + "caption": "Domain4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n22", + "position": { + "x": 1442.7014279325026, + "y": 722.6249852922715 + }, + "caption": "NTAuthStore4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n23", + "position": { + "x": 1442.7014279325026, + "y": 878.3810240865628 + }, + "caption": "RootCA4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n24", + "position": { + "x": 446.2054422641343, + "y": 722.6249852922715 + }, + "caption": "CertTemplate4", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff" + } + }, + { + "id": "n25", + "position": { + "x": 1442.7014279325026, + "y": 566.8689464979814 + }, + 
"caption": "DC4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n26", + "position": { + "x": 956.6260599607343, + "y": 722.6249852922715 + }, + "caption": "EnterpriseCA4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n27", + "position": { + "x": 75.00000000000023, + "y": 1005.1296992634557 + }, + "caption": "User4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n28", + "position": { + "x": 1838.2521199214682, + "y": 488.26075276547454 + }, + "caption": "Domain5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n29", + "position": { + "x": 1442.7014279325024, + "y": 205.75603879429036 + }, + "caption": "NTAuthStore5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n30", + "position": { + "x": 1442.7014279325024, + "y": 361.51207758858163 + }, + "caption": "RootCA5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n31", + "position": { + "x": 446.2054422641345, + "y": 205.75603879429036 + }, + "caption": "CertTemplate5", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "SubjectAltRequireUPN": "True", + "NoSecurityExtension": "True" + }, + "style": { + "node-color": "#fda1ff" + } + }, + { + "id": "n32", + "position": { + "x": 1442.7014279325024, + "y": 50 + }, + "caption": "DC5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": 
"n33", + "position": { + "x": 956.6260599607343, + "y": 205.75603879429036 + }, + "caption": "EnterpriseCA5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n34", + "position": { + "x": 75.00000000000034, + "y": 488.26075276547454 + }, + "caption": "User5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n35", + "position": { + "x": -194.9337573355329, + "y": 2761.1687609848414 + }, + "caption": "Group1", + "style": { + "node-color": "#fcdc00" + }, + "labels": [], + "properties": {} + }, + { + "id": "n36", + "position": { + "x": -194.9337573355329, + "y": 2244.299814486861 + }, + "caption": "Group2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n37", + "position": { + "x": -194.9337573355329, + "y": 1727.430867988881 + }, + "caption": "Group3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n38", + "position": { + "x": -194.9337573355329, + "y": 1210.5619214909007 + }, + "caption": "Group4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n39", + "position": { + "x": -194.9337573355329, + "y": 693.6929749929204 + }, + "caption": "Group5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + } + ], + "relationships": [ + { + "id": "n0", + "fromId": "n2", + "toId": "n0", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n1", + "fromId": "n1", + "toId": "n0", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n2", + "fromId": "n4", + "toId": "n0", + "type": "DCFor", + "properties": {}, + "style": { + 
"type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n3", + "fromId": "n3", + "toId": "n5", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n4", + "fromId": "n5", + "toId": "n2", + "type": "IssuedSignedBy", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n5", + "fromId": "n5", + "toId": "n1", + "type": "TrustedForNTAuth", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n6", + "fromId": "n6", + "toId": "n5", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n7", + "fromId": "n5", + "toId": "n4", + "type": "CanAbuseWeakCertBinding", + "properties": {}, + "style": {} + }, + { + "id": "n8", + "fromId": "n6", + "toId": "n3", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n9", + "fromId": "n9", + "toId": "n7", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n10", + "fromId": "n8", + "toId": "n7", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n11", + "fromId": "n11", + "toId": "n7", + "type": "DCFor", + "properties": {}, + "style": { + "type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n12", + "fromId": "n10", + "toId": "n12", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n13", + "fromId": "n12", + "toId": "n9", + "type": "IssuedSignedBy", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n14", + "fromId": "n12", + "toId": "n8", + "type": "TrustedForNTAuth", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n15", + "fromId": "n13", + "toId": "n12", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n16", + "fromId": "n13", + "toId": "n10", + "type": "Enroll", + "properties": {}, + "style": {} + 
}, + { + "id": "n17", + "fromId": "n16", + "toId": "n14", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n18", + "fromId": "n15", + "toId": "n14", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n19", + "fromId": "n18", + "toId": "n14", + "type": "DCFor", + "properties": {}, + "style": { + "type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n20", + "fromId": "n17", + "toId": "n19", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n21", + "fromId": "n19", + "toId": "n16", + "type": "IssuedSignedBy", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n22", + "fromId": "n20", + "toId": "n19", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n23", + "fromId": "n19", + "toId": "n18", + "type": "CanAbuseWeakCertBinding", + "properties": {}, + "style": {} + }, + { + "id": "n24", + "fromId": "n20", + "toId": "n17", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n25", + "fromId": "n23", + "toId": "n21", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n26", + "fromId": "n22", + "toId": "n21", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n27", + "fromId": "n25", + "toId": "n21", + "type": "DCFor", + "properties": {}, + "style": { + "type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n28", + "fromId": "n24", + "toId": "n26", + "type": "PublishedTo", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n29", + "fromId": "n26", + "toId": "n22", + "type": "TrustedForNTAuth", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n30", + "fromId": "n27", + "toId": "n26", + "type": "Enroll", + "properties": {}, 
+ "style": {} + }, + { + "id": "n31", + "fromId": "n26", + "toId": "n25", + "type": "CanAbuseWeakCertBinding", + "properties": {}, + "style": {} + }, + { + "id": "n32", + "fromId": "n27", + "toId": "n24", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n33", + "fromId": "n30", + "toId": "n28", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n34", + "fromId": "n29", + "toId": "n28", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n35", + "fromId": "n32", + "toId": "n28", + "type": "DCFor", + "properties": {}, + "style": { + "type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n36", + "fromId": "n33", + "toId": "n30", + "type": "IssuedSignedBy", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n37", + "fromId": "n33", + "toId": "n29", + "type": "TrustedForNTAuth", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n38", + "fromId": "n34", + "toId": "n33", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n39", + "fromId": "n33", + "toId": "n32", + "type": "CanAbuseWeakCertBinding", + "properties": {}, + "style": {} + }, + { + "id": "n40", + "fromId": "n34", + "toId": "n31", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n41", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n35", + "toId": "n6" + }, + { + "id": "n42", + "type": "ADCSESC9a", + "style": {}, + "properties": {}, + "fromId": "n35", + "toId": "n0" + }, + { + "id": "n43", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n36", + "toId": "n13" + }, + { + "id": "n44", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n39", + "toId": "n34" + }, + { + "id": "n45", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n38", + "toId": "n27" + }, + { + "id": 
"n46", + "type": "GenericAll", + "style": {}, + "properties": {}, + "fromId": "n37", + "toId": "n20" + } + ] +} \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aharnesseca.svg b/cmd/api/src/test/integration/harnesses/esc9aharnesseca.svg new file mode 100644 index 000000000..849bf3e42 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aharnesseca.svg @@ -0,0 +1 @@ +RootCAForNTAuthStoreForDCForPublishedToIssuedSignedByTrustedForNTAuthEnrollCanAbuseWeakCertBindingEnrollRootCAForNTAuthStoreForDCForPublishedToIssuedSignedByTrustedForNTAuthEnrollEnrollRootCAForNTAuthStoreForDCForPublishedToIssuedSignedByEnrollCanAbuseWeakCertBindingEnrollRootCAForNTAuthStoreForDCForPublishedToTrustedForNTAuthEnrollCanAbuseWeakCertBindingEnrollRootCAForNTAuthStoreForDCForIssuedSignedByTrustedForNTAuthEnrollCanAbuseWeakCertBindingEnrollGenericAllADCSESC9aGenericAllGenericAllGenericAllGenericAllDomain1NTAuthStore1RootCA1CertTemplate1AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueDC1EnterpriseCA1User1Domain2NTAuthStore2RootCA2CertTemplate2AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueDC2EnterpriseCA2User2Domain3NTAuthStore3RootCA3CertTemplate3AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueDC3EnterpriseCA3User3Domain4NTAuthStore4RootCA4CertTemplate4AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueDC4EnterpriseCA4User4Domain5NTAuthStore5RootCA5CertTemplate5AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1SubjectAltRequireUPN:TrueNoSecurityExtension:TrueDC5EnterpriseCA5User5Group1Group2Group3Group4Group5 \ No newline at end of file 
diff --git a/cmd/api/src/test/integration/harnesses/esc9aharness.json b/cmd/api/src/test/integration/harnesses/esc9aharnessvictim.json similarity index 51% rename from cmd/api/src/test/integration/harnesses/esc9aharness.json rename to cmd/api/src/test/integration/harnesses/esc9aharnessvictim.json index edd9cad15..8a402c736 100644 --- a/cmd/api/src/test/integration/harnesses/esc9aharness.json +++ b/cmd/api/src/test/integration/harnesses/esc9aharnessvictim.json @@ -54,25 +54,23 @@ }, "nodes": [ { - "id": "n1", + "id": "n0", "position": { - "x": 2055.0393057401334, - "y": 641.1074078540869 + "x": 337.04748861166024, + "y": 50 }, "caption": "Domain", "labels": [], - "properties": { - "name": "d" - }, + "properties": {}, "style": { "node-color": "#68ccca" } }, { - "id": "n2", + "id": "n1", "position": { - "x": 1596.163360694819, - "y": 182.23146280877245 + "x": 2497.3664674686984, + "y": 410.62726890336444 }, "caption": "NTAuthStore", "labels": [], @@ -83,10 +81,10 @@ } }, { - "id": "n3", + "id": "n2", "position": { - "x": 1596.163360694819, - "y": 350.35614824592676 + "x": 2381.5025296927042, + "y": 212.5597044346638 }, "caption": "RootCA", "labels": [], 
@@ -97,218 +95,359 @@ } }, { - "id": "n4", + "id": "n3", "position": { - "x": 1092.7453131854052, - "y": 182.23146280877245 + "x": 2215.339273936165, + "y": 1016.8790026674126 }, "caption": "EnterpriseCA", "labels": [], - "properties": { - "name": "eca" - }, + "properties": {}, "style": { "node-color": "#194d33", "caption-color": "#ffffff" } }, { - "id": "n5", + "id": "n4", "position": { - "x": 748.6949982406376, - "y": 182.23146280877245 + "x": 2215.339273936165, + "y": 50 }, - "caption": "CertTemplate", + "caption": "DC", "labels": [], - "properties": { - "name": "ct", - "AuthenticationEnabled": "True", - "RequiresManagerApproval": "False", - "NoSecurityExtension": "True", - "SubjectAltNameRequireUPN": "True", - "SchemaVersion": "1", - "EnrolleeSuppliesSubject": "False", - "SubjectAltRequireSPN": "True" + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n5", + "position": { + "x": 531.0993047358514, + "y": 1016.8790026674126 }, + "caption": "Group0", + "labels": [], + "properties": {}, "style": { - "node-color": "#fda1ff" + "node-color": "#fcdc00" } }, { "id": "n6", "position": { - "x": 748.6949982406376, - "y": 436.7832960176713 + "x": 1987.2171233355546, + "y": 529.3782522542996 }, - "caption": "AD principal (Victim)", + "caption": "CertTemplate1", "labels": [], "properties": { - "name": "vp" + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "NoSecurityExtension": "True", + "SubjectAltRequireUPN": "True" }, "style": { - "node-color": "#ffffff" + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 } }, { "id": "n7", "position": { - "x": 472.5320881490078, - "y": 641.1074078540869 + "x": 1041.8790026674124, + "y": 312.04748861166024 }, - "caption": "AD principal (attacker)", + "caption": "User1", "labels": [], - "properties": { - "name": "ap" - }, - "style": {} + 
"properties": {}, + "style": { + "node-color": "#a4dd00" + } }, { "id": "n8", "position": { - "x": 129, - "y": 641.1074078540869 + "x": 1041.8790026674124, + "y": 456.9346643734199 }, - "caption": "", + "caption": "User2", "labels": [], "properties": {}, "style": { - "border-color": "#ffffff" + "node-color": "#a4dd00" } }, { "id": "n9", "position": { - "x": 1596.163360694819, - "y": -4 + "x": 1041.8790026674124, + "y": 601.8218401351795 }, - "caption": "DC", + "caption": "User3", "labels": [], - "properties": { - "name": "dc" + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n10", + "position": { + "x": 1041.8790026674124, + "y": 746.7090158969393 + }, + "caption": "User4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#000000" + } + }, + { + "id": "n11", + "position": { + "x": 75, + "y": 312.04748861166024 }, + "caption": "Group1", + "labels": [], + "properties": {}, "style": { - "node-color": "#f44e3b" + "node-color": "#fcdc00" + } + }, + { + "id": "n12", + "position": { + "x": 158.45112686904184, + "y": 456.9346643734199 + }, + "caption": "Group2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + }, + { + "id": "n13", + "position": { + "x": 246.0320350312874, + "y": 601.8218401351795 + }, + "caption": "Group3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n14", + "position": { + "x": 337.04748861166024, + "y": 746.7090158969393 + }, + "caption": "Group4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" } } ], "relationships": [ { "id": "n0", - "fromId": "n5", - "toId": "n4", - "type": "PublishedTo", + "fromId": "n2", + "toId": "n0", + "type": "RootCAFor", "properties": {}, "style": { - "arrow-color": "#a4dd00" + "arrow-color": "#000000" } }, { "id": "n1", "fromId": "n3", - "toId": "n1", - 
"type": "RootCAFor", + "toId": "n2", + "type": "IssuedSignedBy", "properties": {}, "style": { - "arrow-color": "#a4dd00" + "arrow-color": "#000000" } }, { "id": "n2", - "fromId": "n6", - "toId": "n4", - "type": "Enroll", + "fromId": "n1", + "toId": "n0", + "type": "NTAuthStoreFor", "properties": {}, "style": { - "arrow-color": "#a4dd00" + "arrow-color": "#000000" } }, { "id": "n3", - "fromId": "n6", - "toId": "n5", - "type": "Enroll", + "fromId": "n3", + "toId": "n1", + "type": "TrustedForNTAuth", "properties": {}, "style": { - "arrow-color": "#a4dd00" + "arrow-color": "#000000" } }, { "id": "n4", - "fromId": "n4", - "toId": "n3", - "type": "IssuedSignedBy", + "fromId": "n3", + "toId": "n4", + "type": "CanAbuseWeakCertBinding", "properties": {}, "style": { - "arrow-color": "#7b64ff" + "arrow-color": "#000000" } }, { "id": "n5", - "fromId": "n2", - "toId": "n1", - "type": "NTAuthStoreFor", + "fromId": "n4", + "toId": "n0", + "type": "DCFor", "properties": {}, "style": { - "arrow-color": "#a4dd00" + "type-color": "#000000", + "arrow-color": "#000000" } }, { "id": "n6", - "fromId": "n4", - "toId": "n2", - "type": "TrustedForNTAuth", + "fromId": "n5", + "toId": "n3", + "type": "Enroll", "properties": {}, - "style": { - "arrow-color": "#7b64ff" - } + "style": {} }, { "id": "n7", - "fromId": "n7", - "toId": "n6", - "type": "GenericWrite", + "fromId": "n6", + "toId": "n3", + "type": "PublishedTo", "properties": {}, "style": {} }, { "id": "n8", "fromId": "n7", - "toId": "n1", - "type": "ADCSESC9a", + "toId": "n6", + "type": "GenericAll", "properties": {}, - "style": { - "arrow-color": "#7b64ff" - } + "style": {} }, { "id": "n9", "fromId": "n7", - "toId": "n8", - "type": "", + "toId": "n5", + "type": "MemberOf", "properties": {}, - "style": { - "arrow-color": "#ffffff" - } + "style": {} }, { "id": "n10", - "fromId": "n9", - "toId": "n1", - "type": "DCFor", + "type": "AllExtendedRights", + "style": {}, "properties": {}, - "style": { - "arrow-color": "#a4dd00" - } + "fromId": 
"n8", + "toId": "n6" }, { "id": "n11", - "fromId": "n4", + "fromId": "n8", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n12", + "fromId": "n9", + "toId": "n6", + "type": "GenericWrite", + "properties": {}, + "style": {} + }, + { + "id": "n13", + "fromId": "n9", + "toId": "n5", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n14", + "fromId": "n10", + "toId": "n6", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n15", + "fromId": "n11", + "toId": "n7", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n16", + "fromId": "n11", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n17", + "fromId": "n12", + "toId": "n8", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n18", + "fromId": "n12", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n19", + "fromId": "n13", "toId": "n9", - "type": "CanAbuseWeakCertBinding", + "type": "GenericAll", "properties": {}, - "style": { - "arrow-color": "#7b64ff" - } + "style": {} + }, + { + "id": "n20", + "fromId": "n14", + "toId": "n10", + "type": "GenericAll", + "properties": {}, + "style": {} } ] } \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aharnessvictim.svg b/cmd/api/src/test/integration/harnesses/esc9aharnessvictim.svg new file mode 100644 index 000000000..286aa5ac9 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aharnessvictim.svg 
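Review bot: The `CertTemplate1` node in this hunk drops the `EnrolleeSuppliesSubject` and `SubjectAltRequireSPN` entries the old `CertTemplate` node carried and renames `RequiresManagerApproval`/`SubjectAltNameRequireUPN` to `RequireManagerApproval`/`SubjectAltRequireUPN`, so the diagram no longer records the full set of template flags the ESC9a path is gated on. If the Go harness that builds these nodes (not in this diff) still sets those two flags, the fixture should list them as well so the picture stays an accurate statement of the test's preconditions; if it no longer sets them, that narrows what the test covers and deserves a sentence in the commit description. If the property keys here are meant to mirror the names the harness writes onto the nodes, the spelling should be kept identical, since nothing checks the two against each other and they will drift silently.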
@@ -0,0 +1 @@ +RootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthCanAbuseWeakCertBindingDCForEnrollPublishedToGenericAllMemberOfAllExtendedRightsMemberOfGenericWriteMemberOfEnrollGenericAllADCSESC9aGenericAllADCSESC9aGenericAllGenericAllDomainNTAuthStoreRootCAEnterpriseCADCGroup0CertTemplate1AuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1NoSecurityExtension:TrueSubjectAltRequireUPN:TrueUser1User2User3User4Group1Group2Group3Group4 \ No newline at end of file diff --git a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json new file mode 100644 index 000000000..59d6d0e25 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.json 
@@ -0,0 +1,475 @@ +{ + "style": { + "font-family": "sans-serif", + "background-color": "#ffffff", + "background-image": "", + "background-size": "100%", + "node-color": "#ffffff", + "border-width": 4, + "border-color": "#000000", + "radius": 50, + "node-padding": 5, + "node-margin": 2, + "outside-position": "auto", + "node-icon-image": "", + "node-background-image": "", + "icon-position": "inside", + "icon-size": 64, + "caption-position": "inside", + "caption-max-width": 200, + "caption-color": "#000000", + "caption-font-size": 50, + "caption-font-weight": "normal", + "label-position": "inside", + "label-display": "pill", + "label-color": "#000000", + "label-background-color": "#ffffff", + "label-border-color": "#000000", + "label-border-width": 4, + "label-font-size": 40, + "label-padding": 5, + "label-margin": 4, + "directionality": "directed", + "detail-position": "inline", + "detail-orientation": "parallel", + "arrow-width": 5, + "arrow-color": "#000000", + "margin-start": 5, + "margin-end": 5, + "margin-peer": 20, + "attachment-start": "normal", + "attachment-end": "normal", + "relationship-icon-image": "", + "type-color": "#000000", + "type-background-color": "#ffffff", + "type-border-color": "#000000", + "type-border-width": 0, + "type-font-size": 16, + "type-padding": 5, + "property-position": "outside", + "property-alignment": "colon", + "property-color": "#000000", + "property-font-size": 16, + "property-font-weight": "normal" + }, + "nodes": [ + { + "id": "n0", + "position": { + "x": 24.6412667909101, + "y": 1790.9164380862208 + }, + "caption": "Domain", + "labels": [], + "properties": {}, + "style": { + "node-color": "#68ccca" + } + }, + { + "id": "n1", + "position": { + "x": 915.5043544911281, + "y": 1554.763441047 + }, + "caption": "NTAuthStore", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n2", + "position": { + "x": 915.5043544911281, + "y": 1672.8399395666104 + }, + 
"caption": "RootCA", + "labels": [], + "properties": {}, + "style": { + "node-color": "#653294", + "caption-color": "#ffffff" + } + }, + { + "id": "n3", + "position": { + "x": 1729.453404980963, + "y": 1396.5299845769014 + }, + "caption": "EnterpriseCA", + "labels": [], + "properties": {}, + "style": { + "node-color": "#194d33", + "caption-color": "#ffffff" + } + }, + { + "id": "n4", + "position": { + "x": 915.5043544911281, + "y": 1790.9164380862208 + }, + "caption": "DC", + "labels": [], + "properties": {}, + "style": { + "node-color": "#f44e3b", + "caption-position": "inside", + "property-alignment": "colon", + "property-position": "outside" + } + }, + { + "id": "n6", + "position": { + "x": 1729.453404980963, + "y": 1082.4385788188413 + }, + "caption": "CertTemplate", + "labels": [], + "properties": { + "AuthenticationEnabled": "True", + "RequireManagerApproval": "False", + "SchemaVersion": "1", + "NoSecurityExtension": "True", + "SubjectAltRequireUPN": "True" + }, + "style": { + "node-color": "#fda1ff", + "outside-position": "left", + "node-margin": 50 + } + }, + { + "id": "n7", + "position": { + "x": 915.5043544911281, + "y": 1082.4385788188413 + }, + "caption": "User1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00", + "border-color": "#73d8ff" + } + }, + { + "id": "n11", + "position": { + "x": 24.6412667909101, + "y": 842.2531080094587 + }, + "caption": "Group1", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + }, + { + "id": "n12", + "position": { + "x": 97.83319758088052, + "y": 977.4451369153232 + }, + "caption": "Group2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + }, + { + "id": "n14", + "position": { + "x": 432.58749843883385, + "y": 1449.4515969240565 + }, + "caption": "Group6", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00", + "border-color": "#73d8ff" + } + }, + { + "id": "n15", + "position": { + "x": 180.7937059276843, + "y": 
1105.4077644506815 + }, + "caption": "Group3", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + }, + { + "id": "n16", + "position": { + "x": 259.9130584079944, + "y": 1235.2263846542628 + }, + "caption": "Group4", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + }, + { + "id": "n17", + "position": { + "x": 345.4214516200178, + "y": 1344.891677696618 + }, + "caption": "Group5", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + }, + { + "id": "n18", + "position": { + "x": 915.504354491128, + "y": 1396.5299845769018 + }, + "caption": "User2", + "labels": [], + "properties": {}, + "style": { + "node-color": "#a4dd00" + } + }, + { + "id": "n19", + "position": { + "x": 1311.4447947779927, + "y": 1235.2263846542628 + }, + "caption": "Group0", + "labels": [], + "properties": {}, + "style": { + "node-color": "#fcdc00" + } + } + ], + "relationships": [ + { + "id": "n0", + "fromId": "n2", + "toId": "n0", + "type": "RootCAFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n1", + "fromId": "n3", + "toId": "n2", + "type": "IssuedSignedBy", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n2", + "fromId": "n1", + "toId": "n0", + "type": "NTAuthStoreFor", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n3", + "fromId": "n3", + "toId": "n1", + "type": "TrustedForNTAuth", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n4", + "fromId": "n3", + "toId": "n4", + "type": "CanAbuseWeakCertBinding", + "properties": {}, + "style": { + "arrow-color": "#000000" + } + }, + { + "id": "n5", + "fromId": "n4", + "toId": "n0", + "type": "DCFor", + "properties": {}, + "style": { + "type-color": "#000000", + "arrow-color": "#000000" + } + }, + { + "id": "n7", + "fromId": "n6", + "toId": "n3", + "type": "PublishedTo", + "properties": {}, + "style": {} + }, + { + "id": 
"n17", + "fromId": "n11", + "toId": "n7", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n18", + "fromId": "n11", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n20", + "fromId": "n12", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n21", + "fromId": "n12", + "toId": "n7", + "type": "GenericWrite", + "properties": {}, + "style": {} + }, + { + "id": "n22", + "fromId": "n14", + "toId": "n7", + "type": "AllExtendedRights", + "properties": {}, + "style": {} + }, + { + "id": "n23", + "fromId": "n15", + "toId": "n7", + "type": "WriteDacl", + "properties": {}, + "style": {} + }, + { + "id": "n24", + "fromId": "n15", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n25", + "fromId": "n16", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n26", + "fromId": "n16", + "toId": "n7", + "type": "WriteOwner", + "properties": {}, + "style": {} + }, + { + "id": "n27", + "fromId": "n17", + "toId": "n0", + "type": "ADCSESC9a", + "properties": {}, + "style": {} + }, + { + "id": "n28", + "fromId": "n17", + "toId": "n7", + "type": "WriteOwner", + "properties": {}, + "style": {} + }, + { + "id": "n38", + "fromId": "n18", + "toId": "n18", + "type": "GenericAll", + "properties": {}, + "style": {} + }, + { + "id": "n39", + "type": "ADCSESC9a", + "style": {}, + "properties": {}, + "fromId": "n18", + "toId": "n0" + }, + { + "id": "n40", + "fromId": "n7", + "toId": "n19", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n41", + "fromId": "n18", + "toId": "n19", + "type": "MemberOf", + "properties": {}, + "style": {} + }, + { + "id": "n42", + "fromId": "n19", + "toId": "n6", + "type": "Enroll", + "properties": {}, + "style": {} + }, + { + "id": "n43", + "fromId": "n19", + "toId": "n3", + "type": "Enroll", + "properties": {}, + "style": {} + } + ] +} \ No newline at end of 
file diff --git a/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg new file mode 100644 index 000000000..0438324f1 --- /dev/null +++ b/cmd/api/src/test/integration/harnesses/esc9aprincipalharness.svg @@ -0,0 +1 @@ +RootCAForIssuedSignedByNTAuthStoreForTrustedForNTAuthCanAbuseWeakCertBindingDCForPublishedToGenericAllADCSESC9aADCSESC9aGenericWriteAllExtendedRightsWriteDaclADCSESC9aADCSESC9aWriteOwnerADCSESC9aWriteOwnerGenericAllADCSESC9aMemberOfMemberOfEnrollEnrollDomainNTAuthStoreRootCAEnterpriseCADCCertTemplateAuthenticationEnabled:TrueRequireManagerApproval:FalseSchemaVersion:1NoSecurityExtension:TrueSubjectAltRequireUPN:TrueUser1Group1Group2Group6Group3Group4Group5User2Group0 \ No newline at end of file
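Review bot: Relationship `n38` in esc9aprincipalharness.json is a self-edge, `"fromId": "n18", "toId": "n18", "type": "GenericAll"`, i.e. User2 holding GenericAll over itself. The six ADCSESC9a edges drawn in the fixture (`n18`, `n20`, `n24`, `n25`, `n27`, `n39`) include one from User2, so this looks like a deliberate "principal controls its own UPN" case rather than an editing slip, but a self-loop in an exported diagram is easy to misread as one. Because the JSON has no comment syntax, the harness setup code that creates these nodes (outside this diff) should carry a comment such as `// User2 has GenericAll on itself: a principal that can rewrite its own UPN is its own ESC9a victim`. The same applies to `n22`, Group6's AllExtendedRights on User1, which has no matching ADCSESC9a edge and is presumably the negative case for a right that does not grant UPN write; say so where the harness builds it.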