Documentation ¶
Overview ¶
Package inzure provides the tools for an automated assessment of Azure subscriptions.
This package does not implement any tests! It is only for data gathering and defining data structures. The tests need to be built on top of those tools.
If you're editing this as a .go source file, it will be overwritten when this code is generated again. Make sure you're editing qs.y!
Index ¶
- Constants
- Variables
- func BatchSubscriptionsFromEnvChan(ctx context.Context, pw []byte, ec chan<- error) <-chan *Subscription
- func EncryptSubscriptionAsJSON(sub *Subscription, pw []byte, w io.Writer) error
- func FirewallAllowsIPFromString(f Firewall, ip string) (UnknownBool, []PacketRoute, error)
- func FirewallAllowsIPToIP(f Firewall, src, dst AzureIPv4) (UnknownBool, []PacketRoute, error)
- func FirewallAllowsIPToIPPort(f Firewall, src, dst AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
- func FirewallAllowsIPToPortFromString(f Firewall, ip, port string) (UnknownBool, []PacketRoute, error)
- func GetQSFillableValue(qs *QueryString) reflect.Value
- func GetQSFillableValueForString(qs string) reflect.Value
- func IPIsRFC1918Private(ip AzureIPv4) bool
- func NewError(msg string, ty ErrorType) error
- func NewGenericError(err error) error
- func NewLineCommentScanner(r io.Reader) *bufio.Scanner
- func NewMalformedIPv4Error(ip string) error
- func PortContains(in AzurePort, find AzurePort) bool
- func PortsEqual(a AzurePort, b AzurePort) bool
- func StringLooksLikeResourceID(s string) bool
- func ToQueryString(i interface{}) (string, error)
- type API
- type APIBackend
- type APIOpParameter
- type APIOperation
- type APIRepresentation
- type APISchema
- type APIService
- type APIServiceAttackSurface
- type APIServiceHostnameConfig
- type APIServiceProduct
- type APIServiceUser
- type APIServiceUserIdentity
- type APIServiceVNetType
- type APIUserActivationState
- func (it *APIUserActivationState) FromAzure(az *azpkg.UserState)
- func (it APIUserActivationState) IsActive() UnknownBool
- func (it APIUserActivationState) IsBlocked() UnknownBool
- func (it APIUserActivationState) IsDeleted() UnknownBool
- func (it APIUserActivationState) IsKnown() bool
- func (it APIUserActivationState) IsPending() UnknownBool
- func (it APIUserActivationState) IsUnknown() bool
- func (it APIUserActivationState) String() string
- type AppLanguage
- func (it AppLanguage) IsCSharp() UnknownBool
- func (it AppLanguage) IsDocker() UnknownBool
- func (it AppLanguage) IsDotNet() UnknownBool
- func (it AppLanguage) IsFSharp() UnknownBool
- func (it AppLanguage) IsJava() UnknownBool
- func (it AppLanguage) IsKnown() bool
- func (it AppLanguage) IsNode() UnknownBool
- func (it AppLanguage) IsPHP() UnknownBool
- func (it AppLanguage) IsPowerShell() UnknownBool
- func (it AppLanguage) IsPython() UnknownBool
- func (it AppLanguage) IsRuby() UnknownBool
- func (it AppLanguage) IsUnknown() bool
- func (it AppLanguage) String() string
- type AppServiceEnvironment
- type ApplicationSecurityGroup
- type AttackSurface
- type AzureAPI
- type AzureAPIError
- type AzureAbstractIPType
- type AzureIPv4
- type AzurePort
- type AzureResourceTag
- type Container
- type ContainerPermission
- func (it *ContainerPermission) FromAzure(az *azpkg.PublicAccess)
- func (it ContainerPermission) IsBlob() UnknownBool
- func (it ContainerPermission) IsContainer() UnknownBool
- func (it ContainerPermission) IsKnown() bool
- func (it ContainerPermission) IsPrivate() UnknownBool
- func (it ContainerPermission) IsUnknown() bool
- func (it ContainerPermission) String() string
- type CosmosDB
- type CosmosDBFirewall
- func (f CosmosDBFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (f CosmosDBFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (f CosmosDBFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
- func (f CosmosDBFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
- func (f CosmosDBFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
- type DataLakeAnalytics
- type DataLakeFirewall
- func (fw *DataLakeFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (fw *DataLakeFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (fw *DataLakeFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
- func (fw *DataLakeFirewall) AllowsIPToPortString(ip string, port string) (UnknownBool, []PacketRoute, error)
- func (fw *DataLakeFirewall) RespectsAllowlist(allowlist FirewallAllowlist) (UnknownBool, []IPPort, error)
- type DataLakeStore
- type DiskEncryption
- type Error
- type ErrorType
- type FTPState
- type FileShare
- type FileShareAccessPolicy
- type FileShareProtocol
- type Firewall
- type FirewallAllowlist
- func (fw FirewallAllowlist) AddPortEntry(port string, ips []AzureIPv4)
- func (fwl *FirewallAllowlist) IPPassesAny(port AzurePort, ip AzureIPv4) UnknownBool
- func (fwl *FirewallAllowlist) IPPassesPort(port AzurePort, ip AzureIPv4) UnknownBool
- func (fwl *FirewallAllowlist) IPPassesStar(ip AzureIPv4) UnknownBool
- func (fw FirewallAllowlist) RemovePortEntry(port string)
- func (fwl *FirewallAllowlist) Reset()
- func (fwl *FirewallAllowlist) UnmarshalJSON(b []byte) error
- type FirewallRule
- func (fw *FirewallRule) FromAzureDataLakeAnalytics(az *armdatalakeanalytics.FirewallRule)
- func (fw *FirewallRule) FromAzureDataLakeStore(az *armdatalakestore.FirewallRule)
- func (fw *FirewallRule) FromAzurePostgres(az *armpostgresql.FirewallRule)
- func (fw *FirewallRule) FromAzureRedis(az *armredis.FirewallRule)
- func (fw *FirewallRule) FromAzureSQL(az *armsql.FirewallRule)
- func (f FirewallRule) SetupEmpty()
- func (fw *FirewallRule) UnmarshalJSON(b []byte) error
- type FirewallRules
- func (f FirewallRules) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (f FirewallRules) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (f FirewallRules) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
- func (f FirewallRules) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
- func (f FirewallRules) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
- type FromAzurer
- type Function
- type FunctionConfig
- type FunctionConfigBinding
- type IPCollection
- func (ipc IPCollection) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (ipc IPCollection) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (ipc IPCollection) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
- func (ipc IPCollection) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
- func (ipc *IPCollection) MarshalJSON() ([]byte, error)
- func (ipc IPCollection) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
- func (ipc IPCollection) String() string
- func (ipc *IPCollection) UnmarshalJSON(b []byte) error
- type IPConfiguration
- type IPPort
- type IPPortCollection
- type IQSComparer
- type KeyVault
- type KeyVaultAccessPolicy
- type KeyVaultCertificatesPermission
- type KeyVaultFirewall
- func (kvf KeyVaultFirewall) AllowsIP(chk AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (kvf KeyVaultFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (kvf KeyVaultFirewall) AllowsIPToPort(ip AzureIPv4, _ AzurePort) (UnknownBool, []PacketRoute, error)
- func (kvf KeyVaultFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
- func (kvf *KeyVaultFirewall) FromAzure(az *armkeyvault.NetworkRuleSet)
- func (kvf KeyVaultFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
- type KeyVaultKeysPermission
- type KeyVaultSecretsPermission
- type KeyVaultStoragePermission
- type LexError
- type LoadBalancer
- func (lb *LoadBalancer) AddAzureBackendConfiguration(azConf *armnetwork.BackendAddressPool)
- func (lb *LoadBalancer) AddAzureFrontendIPConfiguration(azConf *armnetwork.FrontendIPConfiguration)
- func (lb *LoadBalancer) AddLoadBalancerRule(azRule *armnetwork.LoadBalancingRule)
- func (lb *LoadBalancer) FromAzure(az *armnetwork.LoadBalancer)
- type LoadBalancerAttackSurface
- type LoadBalancerBackend
- type LoadBalancerFrontendIPConfiguration
- type LoadBalancerProtocol
- type LoadBalancerRule
- type NetworkInterface
- type NetworkSecurityGroup
- func (nsg *NetworkSecurityGroup) AllowsIP(checkIP AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (nsg *NetworkSecurityGroup) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (nsg *NetworkSecurityGroup) AllowsIPToPort(checkIP AzureIPv4, checkPort AzurePort) (UnknownBool, []PacketRoute, error)
- func (nsg *NetworkSecurityGroup) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
- func (nsg *NetworkSecurityGroup) DeepCopySetVNet(vnet string) (*NetworkSecurityGroup, error)
- func (nsg *NetworkSecurityGroup) FromAzure(aznsg *armnetwork.SecurityGroup)
- func (nsg *NetworkSecurityGroup) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
- type OsType
- type PacketRoute
- type ParentResource
- type PortCollection
- type PostgresDB
- type PostgresServer
- type PublicIP
- type QSArraySelT
- type QSComparer
- type QSCondition
- func (qsc *QSCondition) Compare(v reflect.Value) (bool, error)
- func (qsc *QSCondition) Equals(o *QSCondition) bool
- func (qsc *QSCondition) FilterValue(v reflect.Value) (reflect.Value, error)
- func (qsc *QSCondition) PushAnd(ic *QSCondition)
- func (qsc *QSCondition) PushOr(ic *QSCondition)
- func (qsc *QSCondition) String() string
- type QSField
- type QSOpT
- type QSSelector
- type QueryString
- func (qs *QueryString) BaseString() string
- func (p *QueryString) ContainsIQS(oqs *QueryString) bool
- func (p *QueryString) ContainsString(s string) bool
- func (qs *QueryString) GetReturnType() (reflect.Type, bool)
- func (qs *QueryString) Parse(s string) error
- func (qs *QueryString) String() string
- func (qs *QueryString) Validate() error
- type RedisFirewall
- func (f RedisFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (f RedisFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (f RedisFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
- func (f RedisFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
- func (f RedisFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
- type RedisServer
- type ResourceGroup
- type ResourceID
- func (r *ResourceID) Equals(o *ResourceID) bool
- func (r *ResourceID) ExtractValueForTag(tag string, caseInsensitive bool) string
- func (r *ResourceID) FromID(id string)
- func (r *ResourceID) MarshalJSON() ([]byte, error)
- func (r *ResourceID) QueryString() (string, error)
- func (r *ResourceID) SetupEmpty()
- func (r *ResourceID) UnmarshalJSON(b []byte) error
- type SQLDatabase
- type SQLServer
- type SSHPublicKey
- type SearchTarget
- type SecurityRule
- type SecurityRuleProtocol
- func (it *SecurityRuleProtocol) FromAzure(az *azpkg.SecurityRuleProtocol)
- func (it SecurityRuleProtocol) IsAll() UnknownBool
- func (it SecurityRuleProtocol) IsKnown() bool
- func (it SecurityRuleProtocol) IsTCP() UnknownBool
- func (it SecurityRuleProtocol) IsUDP() UnknownBool
- func (it SecurityRuleProtocol) IsUnknown() bool
- func (p *SecurityRuleProtocol) MarshalJSON() ([]byte, error)
- func (p SecurityRuleProtocol) String() string
- func (p *SecurityRuleProtocol) UnmarshalJSON(b []byte) error
- type SecurityRules
- type StorageAccount
- type StorageAccountKind
- func (it *StorageAccountKind) FromAzure(az *azpkg.Kind)
- func (it StorageAccountKind) IsBlobStorage() UnknownBool
- func (it StorageAccountKind) IsBlockBlobStorage() UnknownBool
- func (it StorageAccountKind) IsFileStorage() UnknownBool
- func (it StorageAccountKind) IsKnown() bool
- func (it StorageAccountKind) IsStorage() UnknownBool
- func (it StorageAccountKind) IsStorageV2() UnknownBool
- func (it StorageAccountKind) IsUnknown() bool
- func (it StorageAccountKind) String() string
- type StorageEncryption
- type StorageKeySource
- type Subnet
- type Subscription
- func BatchSubscriptionsFromEnv(pw []byte) ([]*Subscription, error)
- func NewSubscription(id string) Subscription
- func NewSubscriptionFromID(id SubscriptionID) Subscription
- func NewSubscriptionWithAlias(id, alias string) Subscription
- func SubscriptionFromEncryptedJSON(pw []byte, r io.Reader) (*Subscription, error)
- func SubscriptionFromFile(fname string) (sub *Subscription, err error)
- func SubscriptionFromFilePassword(fname string, pw []byte) (sub *Subscription, err error)
- func (s *Subscription) AddTarget(tag SearchTarget) *Subscription
- func (s *Subscription) Diff(o *Subscription) (*SubscriptionDiff, error)
- func (s *Subscription) FromQueryString(qs string, into interface{}) error
- func (s *Subscription) GetAttackSurface() AttackSurface
- func (s *Subscription) ReflectFromParsedQueryString(p *QueryString) (reflect.Value, error)
- func (s *Subscription) ReflectFromQueryString(qs string) (reflect.Value, error)
- func (s *Subscription) SearchAllTargets(ctx context.Context, ec chan<- error)
- func (s *Subscription) SetClassicKey(key []byte)
- func (s *Subscription) SetProxy(dialer proxy.Dialer)
- func (s *Subscription) SetQuiet(quiet bool)
- func (s *Subscription) String() string
- func (s *Subscription) UnsetTarget(tag SearchTarget) *Subscription
- func (s *Subscription) ValueFromQueryString(qs string, v reflect.Value) error
- type SubscriptionDiff
- type SubscriptionID
- type TLSVersion
- func (t *TLSVersion) FromAzureRedis(az *armredis.TLSVersion)
- func (t *TLSVersion) FromAzureStorage(az *armstorage.MinimumTLSVersion)
- func (t *TLSVersion) FromAzureWeb(az *armappservice.SupportedTLSVersions)
- func (it TLSVersion) IsKnown() bool
- func (it TLSVersion) IsOneOne() UnknownBool
- func (it TLSVersion) IsOneTwo() UnknownBool
- func (it TLSVersion) IsOneZero() UnknownBool
- func (it TLSVersion) IsUnknown() bool
- func (t TLSVersion) String() string
- type UnknownBool
- func (ub UnknownBool) Applicable() bool
- func (ub UnknownBool) False() bool
- func (ub UnknownBool) FalseOrUnknown() bool
- func (ub *UnknownBool) FromBool(b bool)
- func (ub *UnknownBool) FromBoolPtr(b *bool)
- func (ub *UnknownBool) FromStringPtrEq(lhs string, rhs *string)
- func (ub UnknownBool) Known() bool
- func (ub UnknownBool) NA() bool
- func (ub UnknownBool) String() string
- func (ub UnknownBool) True() bool
- func (ub UnknownBool) TrueOrUnknown() bool
- func (ub UnknownBool) Unknown() bool
- type VMDisk
- type VirtualMachine
- type VirtualNetwork
- type WebApp
- type WebAppClientCertMode
- func (it *WebAppClientCertMode) FromAzure(az *azpkg.ClientCertMode)
- func (it WebAppClientCertMode) IsKnown() bool
- func (it WebAppClientCertMode) IsOptional() UnknownBool
- func (it WebAppClientCertMode) IsOptionalInteractiveUser() UnknownBool
- func (it WebAppClientCertMode) IsRequired() UnknownBool
- func (it WebAppClientCertMode) IsUnknown() bool
- func (it WebAppClientCertMode) String() string
- type WebAppHandlerMapping
- type WebAppIPFirewall
- func (waf WebAppIPFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
- func (waf WebAppIPFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
- func (waf WebAppIPFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
- func (waf WebAppIPFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
- func (s WebAppIPFirewall) Len() int
- func (s WebAppIPFirewall) Less(i, j int) bool
- func (waf WebAppIPFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
- func (s WebAppIPFirewall) Swap(i, j int)
- type WebAppIPRestriction
- type WebAppLanguage
- type WebHost
- type WindowsRMListener
Constants ¶
const ( // PBKDF2Rounds the number of rounds to run for PBKDF2. This can also be // overriden with the INZURE_PBKDF2_ROUNDS as long as that value is higher // than this default. PBKDF2Rounds int = 10000 // RoundsEnvironmentalVariableName is the name of the environmental variable // that can be set to override the default PBKDF2Rounds. If this value is not // greater than the default, the default is used. RoundsEnvironmentalVariableName = "INZURE_PBKDF2_ROUNDS" // KeyEnvironmentalVariableName is the environmental variable to check // for a user's chosen encryption/decryption key KeyEnvironmentalVariableName = "INZURE_ENCRYPT_PASSWORD" // EncryptedFileExtension is the extension that should be put at the end of // a file that is encrypted by this package. If you see a file with this ext // as the input it is reasonable to assume it is encrypted and the // environmental defined by KeyEnvironmentalVariableName is set. EncryptedFileExtension = ".enc" )
const ( KeyVaultKeyPermissionsBackup KeyVaultKeysPermission = 1 << iota KeyVaultKeyPermissionsCreate = 1 << iota KeyVaultKeyPermissionsDecrypt = 1 << iota KeyVaultKeyPermissionsDelete = 1 << iota KeyVaultKeyPermissionsEncrypt = 1 << iota KeyVaultKeyPermissionsGet = 1 << iota KeyVaultKeyPermissionsImport = 1 << iota KeyVaultKeyPermissionsList = 1 << iota KeyVaultKeyPermissionsPurge = 1 << iota KeyVaultKeyPermissionsRecover = 1 << iota KeyVaultKeyPermissionsRestore = 1 << iota KeyVaultKeyPermissionsSign = 1 << iota KeyVaultKeyPermissionsUnwrapKey = 1 << iota KeyVaultKeyPermissionsUpdate = 1 << iota KeyVaultKeyPermissionsVerify = 1 << iota KeyVaultKeyPermissionsWrapKey = 1 << iota )
const ( KeyVaultSecretPermissionsBackup KeyVaultSecretsPermission = 1 << iota KeyVaultSecretPermissionsDelete = 1 << iota KeyVaultSecretPermissionsGet = 1 << iota KeyVaultSecretPermissionsList = 1 << iota KeyVaultSecretPermissionsPurge = 1 << iota KeyVaultSecretPermissionsRecover = 1 << iota KeyVaultSecretPermissionsRestore = 1 << iota KeyVaultSecretPermissionsSet = 1 << iota )
const ( KeyVaultCertificateBackup KeyVaultCertificatesPermission = 1 << iota KeyVaultCertificateCreate = 1 << iota KeyVaultCertificateDelete = 1 << iota KeyVaultCertificateDeleteissuers = 1 << iota KeyVaultCertificateGet = 1 << iota KeyVaultCertificateGetissuers = 1 << iota KeyVaultCertificateImport = 1 << iota KeyVaultCertificateList = 1 << iota KeyVaultCertificateListissuers = 1 << iota KeyVaultCertificateManagecontacts = 1 << iota KeyVaultCertificateManageissuers = 1 << iota KeyVaultCertificatePurge = 1 << iota KeyVaultCertificateRecover = 1 << iota KeyVaultCertificateRestore = 1 << iota KeyVaultCertificateSetissuers = 1 << iota KeyVaultCertificateUpdate = 1 << iota )
const ( KeyVaultStoragePermissionBackup KeyVaultStoragePermission = 1 << iota KeyVaultStoragePermissionDelete = 1 << iota KeyVaultStoragePermissionDeletesas = 1 << iota KeyVaultStoragePermissionGet = 1 << iota KeyVaultStoragePermissionGetsas = 1 << iota KeyVaultStoragePermissionList = 1 << iota KeyVaultStoragePermissionListsas = 1 << iota KeyVaultStoragePermissionPurge = 1 << iota KeyVaultStoragePermissionRecover = 1 << iota KeyVaultStoragePermissionRegeneratekey = 1 << iota KeyVaultStoragePermissionRestore = 1 << iota KeyVaultStoragePermissionSet = 1 << iota KeyVaultStoragePermissionSetsas = 1 << iota KeyVaultStoragePermissionUpdate = 1 << iota )
const ( // TargetSearchUnsetString is the string value for TargetSearchUnset TargetSearchUnsetString = "TargetSearchUnset" TargetStorageAccountsString = "storage" TargetNetworkString = "network" TargetAppServiceString = "apps" TargetDataLakesString = "datalakes" TargetSQLString = "sql" TargetRedisString = "redis" TargetAPIsString = "apis" TargetKeyVaultsString = "keyvaults" TargetCosmosDBsString = "cosmosdbs" TargetLoadBalancersString = "loadbalancers" TargetPostgresString = "postgres" )
const ( // BoolUnknown is a "boolean" parameter that we never figured out the // actual state of. This is the default value for an UnknownBool. BoolUnknown UnknownBool = 0 BoolTrue = 1 BoolFalse = -1 // BoolNotApplicable is for when the parameter is not applicable to the // specific instance. In some cases we need this state because resources // can have other configuration options that make a different // configuration option not applicable anymore. BoolNotApplicable = -2 )
const AND = 57347
const BOOL = 57350
const CBRA = 57355
const CHARS = 57351
const CPAR = 57353
const FIELD = 57349
const LibVersion = "1.0.0"
LibVersion is the current inzure library version as a string
const NUMBER = 57354
const OBRA = 57356
const OP = 57346
const OPAR = 57352
const OR = 57348
const STR = 57357
const UNKNOWN_BOOL = 57358
Variables ¶
var ( // EnvSubscriptionJSON defines an environmental variable that can hold // a single filename referring to an inzure JSON file EnvSubscriptionJSON = "INZURE_JSON_FILE" // EnvSubscription defines an environmental variable that can hold a single // inzure subscription UUID and optional alias. To specify an alias, use an // = after the UUID. EnvSubscription = "INZURE_SUBSCRIPTION" // EnvSubscriptionFile defines an environmental variable that can hold a // file containing a newline separated list of subscription UUIDs and // optional aliases. EnvSubscriptionFile = "INZURE_SUBSCRIPTION_FILE" // EnvSubscriptionBatchFiles contains a list of files that should be used // when multiple subscriptions are possible. You can use the associated // BatchSubscriptionsFromEnv or BatchSubscriptionsFromEnvChan functions // to get these subscirptions. EnvSubscriptionBatchFiles = "INZURE_SUBSCRIPTION_BATCH_FILES" )
var AvailableTargets = map[string]SearchTarget{ TargetStorageAccountsString: TargetStorageAccounts, TargetNetworkString: TargetNetwork, TargetAppServiceString: TargetAppService, TargetDataLakesString: TargetDataLakes, TargetSQLString: TargetSQL, TargetRedisString: TargetRedis, TargetAPIsString: TargetAPIs, TargetKeyVaultsString: TargetKeyVaults, TargetCosmosDBsString: TargetCosmosDBs, TargetLoadBalancersString: TargetLoadBalancers, TargetPostgresString: TargetPostgres, }
AvailableTargets is a map containing all available targets for easy lookup
var ( // BadAllowlist will be returned for malformed allowlist BadAllowlist = errors.New("allowlist was malformed") )
var ErrDifferentSubscriptions = errors.New("diff subscriptions are not the same")
Functions ¶
func BatchSubscriptionsFromEnvChan ¶
func BatchSubscriptionsFromEnvChan( ctx context.Context, pw []byte, ec chan<- error, ) <-chan *Subscription
BatchSubscriptionsFromEnvChan will pull all subscriptions from the files in the EnvSubscriptionBatchFiles environmental variable. Errors are passed on the provided channel and the passed context can be used to stop everything. The provided password is only needed if the files are encrypted and the password can't be pulled out of the environment, otherwise it can be nil.
func EncryptSubscriptionAsJSON ¶
func EncryptSubscriptionAsJSON(sub *Subscription, pw []byte, w io.Writer) error
EncryptSubscriptionAsJSON writes the given Subscription as an encrypted JSON to the given writer. This uses inzure's encryption format defined as follows:
1. PBKDF2 is used on the given password with inzure.PBKDF2Rounds number of rounds and an 8 byte salt from crypto/rand. Note that this salt is merely written to the writer as the first 8 bytes and is not a secret.
2. AES256 is used in CBC mode to encrypt the output marshaled JSON with the IV as the first block.
3. An HMAC with SHA256 is taken of the entire cipher text (including the IV) and written to the writer after the salt.
Note that this method is intended to make people actually use encryption for this data and is not intended to be the most secure possible way to encrypt this data. If you have a better tool it is recommended that you use it.
If pw is nil this function checks the KeyEnvironmentalVariableName environmental variable.
func FirewallAllowsIPFromString ¶
func FirewallAllowsIPFromString(f Firewall, ip string) (UnknownBool, []PacketRoute, error)
FirewallAllowsIPFromString is a convenience method for calling a Firewall's AllowsIP method with a string input. This can be used to trivially implement the AllowsIPString methods on the firewall interface.
func FirewallAllowsIPToIP ¶
func FirewallAllowsIPToIP(f Firewall, src, dst AzureIPv4) (UnknownBool, []PacketRoute, error)
FirewallAllowsIPToIP is a convenience function for filtering the results of the Firewall's AllowsIP method for a specific destination. The returned slice of PacketRoutes will have the IP of every PacketRoute populated with
func FirewallAllowsIPToIPPort ¶
func FirewallAllowsIPToIPPort(f Firewall, src, dst AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
FirewallAllowsIPToIPPort is a convenience wrapper for checking if a given IP is allowed to a given IP:Port combination.
func FirewallAllowsIPToPortFromString ¶
func FirewallAllowsIPToPortFromString(f Firewall, ip, port string) (UnknownBool, []PacketRoute, error)
FirewallAllowsIPToPortFromString is a convenience method for calling a Firewall's AllowsIPToPort method with a string input. This can be used to trivially implement the AllowsIPToPortString methods on the firewall interface.
func GetQSFillableValue ¶
func GetQSFillableValue(qs *QueryString) reflect.Value
func GetQSFillableValueForString ¶
GetQSFillableValueForString returns a reflect.Value that can be filled by the *QueryString methods on a Subscription. You can either give this a full QueryString or the name of a field in a ResourceGroup.
func IPIsRFC1918Private ¶
func NewGenericError ¶
func NewLineCommentScanner ¶
NewLineCommentScanner returns a bufio.Scanner that reads a line at a time and ignores ones that start with \s*#.
func NewMalformedIPv4Error ¶
func PortContains ¶
func PortsEqual ¶
PortsEqual compares two ports. If the underlying types are the same then reflect.DeepEqual is used. Otherwise it will try to compare using the interface methods. If a long noncontinuous port range is used this could be a very slow function.
func StringLooksLikeResourceID ¶
TODO This could be better.
func ToQueryString ¶
ToQueryString accepts an interface struct and attempts to turn it into a valid query string. This is not always successful and it isn't always easy to detect when it is unsuccessful and return an error, so YMMV.
Types ¶
type API ¶
type API struct { Meta ResourceID ServiceURL string Path string Revision string Online UnknownBool SubKeyHeader string SubKeyQuery string Schemas []*APISchema Protocols []string Operations []*APIOperation }
API is an Azure managed API
func NewEmptyAPI ¶
func NewEmptyAPI() *API
func (*API) FromAzure ¶
func (a *API) FromAzure(az *armapimanagement.APIContract)
type APIBackend ¶
type APIBackend struct { Meta ResourceID Protocol string URL string ClientCertThumbprints []string AuthQuery map[string][]string AuthHeader map[string][]string AuthHeaderScheme string AuthHeaderParam string ValidateCertChain UnknownBool ValidateCertName UnknownBool ProxyURL string ProxyUser string ProxyPass string }
func NewEmptyAPIBackend ¶
func NewEmptyAPIBackend() *APIBackend
func (*APIBackend) FromAzure ¶
func (b *APIBackend) FromAzure(az *armapimanagement.BackendContract)
type APIOpParameter ¶
type APIOpParameter struct { Name string Required UnknownBool Desc string Type string DefaultValue string Values []string }
func (*APIOpParameter) FromAzure ¶
func (p *APIOpParameter) FromAzure(az *armapimanagement.ParameterContract)
type APIOperation ¶
type APIOperation struct { Meta ResourceID Method string URL string URLParamaters []APIOpParameter QueryParameters []APIOpParameter Headers []APIOpParameter Representations []APIRepresentation }
func NewEmptyAPIOperation ¶
func NewEmptyAPIOperation() *APIOperation
func (*APIOperation) FromAzure ¶
func (op *APIOperation) FromAzure(az *armapimanagement.OperationContract)
type APIRepresentation ¶
type APIRepresentation struct { ContentType string // SchemaID is not set when the content type isn't form data SchemaID string // TypeName TypeName string // FormParameters is required if we have form data as the content type FormParameters []APIOpParameter }
APIRepresentations are examples of legitimate body data that can be sent to the API. There is
func (*APIRepresentation) FromAzure ¶
func (r *APIRepresentation) FromAzure(az *armapimanagement.RepresentationContract)
type APISchema ¶
type APISchema struct { Meta ResourceID ContentType string JSON string }
func NewEmptyAPISchema ¶
func NewEmptyAPISchema() *APISchema
func (*APISchema) FromAzure ¶
func (s *APISchema) FromAzure(az *armapimanagement.SchemaContract)
type APIService ¶
type APIService struct { Meta ResourceID GatewayURL string DeveloperPortalURL string PortalURL string ManagementAPIURL string SCMURL string StaticIPs []AzureIPv4 CustomProperties map[string]string HostnameConfigs []APIServiceHostnameConfig VNetType APIServiceVNetType SubnetRef ResourceID APIs []*API Users []*APIServiceUser //PrimaryKey string //SecondaryKey string //AccessEnabled UnknownBool SignupEnabled UnknownBool Backends []*APIBackend Products []*APIServiceProduct }
func NewEmptyAPIService ¶
func NewEmptyAPIService() *APIService
func (*APIService) FromAzure ¶
func (as *APIService) FromAzure(az *armapimanagement.ServiceResource)
type APIServiceAttackSurface ¶
APIServiceAttackSurface is the attack surface presented by managed APIs. Note that, since we have read access to all API Management Services, we can sometimes even get direct backend URLs as well.
type APIServiceHostnameConfig ¶
type APIServiceHostnameConfig struct {
Hostname string
}
func (*APIServiceHostnameConfig) FromAzure ¶
func (hc *APIServiceHostnameConfig) FromAzure(az *armapimanagement.HostnameConfiguration)
type APIServiceProduct ¶
type APIServiceProduct struct { Meta ResourceID DisplayName string SubscriptionRequired UnknownBool ApprovalRequired UnknownBool IsPublished UnknownBool }
func NewEmptyAPIServiceProduct ¶
func NewEmptyAPIServiceProduct() *APIServiceProduct
func (*APIServiceProduct) FromAzure ¶
func (p *APIServiceProduct) FromAzure(az *armapimanagement.ProductContract)
type APIServiceUser ¶
type APIServiceUser struct { FirstName string LastName string Email string RegisteredAt time.Time State APIUserActivationState Groups []string Identities []APIServiceUserIdentity }
func NewAPIServiceUser ¶
func NewAPIServiceUser() *APIServiceUser
func (*APIServiceUser) FromAzure ¶
func (asu *APIServiceUser) FromAzure(az *armapimanagement.UserContract)
type APIServiceUserIdentity ¶
type APIServiceVNetType ¶ added in v0.1.0
type APIServiceVNetType int
const ( APIServiceVNetTypeNone APIServiceVNetType = 0 APIServiceVNetTypeExternal APIServiceVNetType = 1 APIServiceVNetTypeInternal APIServiceVNetType = 2 )
func (*APIServiceVNetType) FromAzure ¶ added in v0.1.0
func (it *APIServiceVNetType) FromAzure(az *azpkg.VirtualNetworkType)
func (APIServiceVNetType) IsExternal ¶ added in v0.1.0
func (it APIServiceVNetType) IsExternal() bool
func (APIServiceVNetType) IsInternal ¶ added in v0.1.0
func (it APIServiceVNetType) IsInternal() bool
func (APIServiceVNetType) IsNone ¶ added in v0.1.0
func (it APIServiceVNetType) IsNone() bool
func (APIServiceVNetType) String ¶ added in v0.1.0
func (it APIServiceVNetType) String() string
type APIUserActivationState ¶
type APIUserActivationState int
const ( APIUserStateUnknown APIUserActivationState = 0 APIUserStateActive APIUserActivationState = 1 APIUserStatePending APIUserActivationState = 2 APIUserStateBlocked APIUserActivationState = 3 APIUserStateDeleted APIUserActivationState = 4 )
func (*APIUserActivationState) FromAzure ¶
func (it *APIUserActivationState) FromAzure(az *azpkg.UserState)
func (APIUserActivationState) IsActive ¶ added in v0.1.0
func (it APIUserActivationState) IsActive() UnknownBool
func (APIUserActivationState) IsBlocked ¶ added in v0.1.0
func (it APIUserActivationState) IsBlocked() UnknownBool
func (APIUserActivationState) IsDeleted ¶ added in v0.1.0
func (it APIUserActivationState) IsDeleted() UnknownBool
func (APIUserActivationState) IsKnown ¶ added in v0.1.0
func (it APIUserActivationState) IsKnown() bool
func (APIUserActivationState) IsPending ¶ added in v0.1.0
func (it APIUserActivationState) IsPending() UnknownBool
func (APIUserActivationState) IsUnknown ¶ added in v0.1.0
func (it APIUserActivationState) IsUnknown() bool
func (APIUserActivationState) String ¶ added in v0.1.0
func (it APIUserActivationState) String() string
type AppLanguage ¶
type AppLanguage int
const ( LanguageUnknown AppLanguage = 0 LanguageNode AppLanguage = 1 LanguagePHP AppLanguage = 2 LanguageJava AppLanguage = 3 LanguageDotNet AppLanguage = 4 LanguageRuby AppLanguage = 5 LanguagePython AppLanguage = 6 LanguageDocker AppLanguage = 7 LanguagePowerShell AppLanguage = 8 LanguageFSharp AppLanguage = 9 LanguageCSharp AppLanguage = 10 )
func (AppLanguage) IsCSharp ¶ added in v0.1.0
func (it AppLanguage) IsCSharp() UnknownBool
func (AppLanguage) IsDocker ¶ added in v0.1.0
func (it AppLanguage) IsDocker() UnknownBool
func (AppLanguage) IsDotNet ¶ added in v0.1.0
func (it AppLanguage) IsDotNet() UnknownBool
func (AppLanguage) IsFSharp ¶ added in v0.1.0
func (it AppLanguage) IsFSharp() UnknownBool
func (AppLanguage) IsJava ¶ added in v0.1.0
func (it AppLanguage) IsJava() UnknownBool
func (AppLanguage) IsKnown ¶ added in v0.1.0
func (it AppLanguage) IsKnown() bool
func (AppLanguage) IsNode ¶ added in v0.1.0
func (it AppLanguage) IsNode() UnknownBool
func (AppLanguage) IsPHP ¶ added in v0.1.0
func (it AppLanguage) IsPHP() UnknownBool
func (AppLanguage) IsPowerShell ¶ added in v0.1.0
func (it AppLanguage) IsPowerShell() UnknownBool
func (AppLanguage) IsPython ¶ added in v0.1.0
func (it AppLanguage) IsPython() UnknownBool
func (AppLanguage) IsRuby ¶ added in v0.1.0
func (it AppLanguage) IsRuby() UnknownBool
func (AppLanguage) IsUnknown ¶ added in v0.1.0
func (it AppLanguage) IsUnknown() bool
func (AppLanguage) String ¶
func (it AppLanguage) String() string
type AppServiceEnvironment ¶
type AppServiceEnvironment struct {
Meta ResourceID
}
type ApplicationSecurityGroup ¶
type ApplicationSecurityGroup struct {
Meta ResourceID
}
func NewEmptyASG ¶
func NewEmptyASG() *ApplicationSecurityGroup
func (*ApplicationSecurityGroup) FromAzure ¶
func (asg *ApplicationSecurityGroup) FromAzure(az *armnetwork.ApplicationSecurityGroup)
type AttackSurface ¶
type AttackSurface struct { WebApps []string Functions []string LoadBalancers []LoadBalancerAttackSurface VirtualMachines []string MSQL []string Redis []string PostgreSQL []string CosmosDBs []string DataLakeAnalytics []string DataLakeStores []string KeyVaults []string PublicContainers []string APIServices []APIServiceAttackSurface }
AttackSurface contains a collection of IP addresses and domain names that may POTENTIALLY be exposed. Note that there is no evaluation of firewalls at this point!
func NewEmptyAttackSurface ¶
func NewEmptyAttackSurface() AttackSurface
type AzureAPI ¶
type AzureAPI interface {
	// SetProxy sets a custom proxy.Dialer for the client. Note that by default
	// the HTTP_PROXY and HTTPS_PROXY environmental variables should be supported.
	// This can also use proxy.Direct{} to completely bypass the proxy for some
	// calls.
	//
	// Note that this can't be used in combination with `SetClient`.
	SetProxy(proxy proxy.Dialer)
	// ClearProxy resets the proxy to the default configuration. The default proxy
	// configuration supports the HTTP_PROXY and HTTPS_PROXY environmental
	// variables.
	ClearProxy()
	// SetClient allows the http.Client in use to be completely customized. Note
	// that this can't be used in combination with `SetProxy`.
	SetClient(client *http.Client)
	// GetResourceGroups gets all resource groups for the given subscription.
	// ResourceGroups are returned on the provided channel. They are empty
	// except for basic identifying data. You can send those resource groups
	// to other methods to get resources for that group.
	//
	// Note that, even though other methods take a pointer to the ResourceGroup,
	// no method modifies the resource group itself.
	GetResourceGroups(ctx context.Context, sub string, ec chan<- error) <-chan *ResourceGroup
	// GetNetworks gets the virtual networks on the subscription. VirtualNetwork
	// objects returned from this are not fully populated. Information about
	// VirtualMachines and NetworkInterfaces needs to come from the
	// GetVirtualMachines method.
	GetNetworks(ctx context.Context, sub string, ec chan<- error) <-chan *VirtualNetwork
	// GetVirtualMachines gets the virtual machines in the subscription. The
	// VirtualMachine data struct contains information about VM configurations
	// as well as references to NetworkInterfaces. Note that these
	// NetworkInterface structs only contain the ResourceID and need to be
	// fully populated via results from other API calls.
	GetVirtualMachines(ctx context.Context, sub string, ec chan<- error) <-chan *VirtualMachine
	// GetLoadBalancers gets all LoadBalancers in a given resource group. If rg
	// is an empty string, it gets all of them regardless of resource group.
	GetLoadBalancers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *LoadBalancer
	// The following getters also take a resource group name rg. Only
	// GetLoadBalancers documents that an empty rg means "every resource
	// group"; the others presumably behave the same way — confirm against the
	// implementation before relying on it.
	GetDataLakeStores(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *DataLakeStore
	GetDataLakeAnalytics(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *DataLakeAnalytics
	GetPostgresServers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *PostgresServer
	GetSQLServers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *SQLServer
	GetCosmosDBs(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *CosmosDB
	GetNetworkInterfaces(ctx context.Context, sub string, ec chan<- error) <-chan *NetworkInterface
	// GetNetworkSecurityGroups gets all of the NetworkSecurityGroups in the
	// subscription. This gathers firewall rules and associated subnet and
	// interface ResourceIDs. Note that this does not gather information
	// specifically about those network interfaces and subnets, that info can
	// be gathered from the VirtualNetworks structs.
	GetNetworkSecurityGroups(ctx context.Context, sub string, ec chan<- error) <-chan *NetworkSecurityGroup
	GetApplicationSecurityGroups(ctx context.Context, sub string, ec chan<- error) <-chan *ApplicationSecurityGroup
	GetWebApps(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *WebApp
	GetAPIs(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *APIService
	GetStorageAccounts(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *StorageAccount
	GetRedisServers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *RedisServer
	GetKeyVaults(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *KeyVault
	// EnableClassic enables the classic management API and uses the passed
	// management certificate. For more information see the README.
	EnableClassic([]byte, string) error
	// GetClassicStorageAccounts gets all classic storage accounts from the
	// subscription set with EnableClassic. If EnableClassic isn't called
	// beforehand this returns an immediately closed channel.
	GetClassicStorageAccounts(context.Context, chan<- error) <-chan *StorageAccount
}
AzureAPI is an interface wrapper for the Azure API itself. Interaction with the API only happens through this interface.
The interface is intended to act solely based on channels and streaming. The goal is to have all requests essentially be async since we don't actually care about the order of responses for _most_ cases.
Errors are only handled if necessary; otherwise they are simply reported on the passed error channel. The errors _should_ be AzureAPIError pointers, but that isn't currently guaranteed.
To avoid using the API directly, you can set up a Subscription to gather the data you want and then pass it an API.
func NewAzureAPI ¶
NewAzureAPI returns an AzureAPI instance taking the credentials it needs from the environment.
In general, if you're using the provided tool, setting this up is just as described in its documentation. That is, the following environmental variables need to be set:
- AZURE_TENANT_ID - This always needs to be set.
Then you can either log in as the previously created application with:
- AZURE_CLIENT_ID - This is the Inzure Tool client ID set up beforehand
- AZURE_CLIENT_SECRET - This is the tool's secret
Or login with your username and password with just:
- AZURE_CLIENT_ID
This triggers the device login flow you should be familiar with from the Azure CLI.
Note that AZURE_ENVIRONMENT can also be set to change the environment. Valid values are:
- AZURECHINACLOUD
- AZUREGERMANCLOUD
- AZUREPUBLICCLOUD
- AZUREUSGOVERNMENTCLOUD
type AzureAPIError ¶
type AzureAPIError struct { Err error Action string ResourceID ResourceID }
AzureAPIError is an error associated with an action on the Azure API.
In many cases only the Subscription and Tag fields of the ResourceID will be populated.
func (*AzureAPIError) Error ¶
func (e *AzureAPIError) Error() string
func (*AzureAPIError) Unwrap ¶ added in v0.1.0
func (e *AzureAPIError) Unwrap() error
type AzureAbstractIPType ¶
type AzureAbstractIPType uint8
const ( AzureAbstractIPUnknown AzureAbstractIPType = iota AzureAbstractIPVirtualNetwork AzureAbstractIPAzureLoadBalancer AzureAbstractIPInternet AzureAbstractIPNormal AzureAbstractIPEmpty )
type AzureIPv4 ¶
type AzureIPv4 interface {
	// IsSpecial returns whether or not this is a special definition within
	// Azure. If it is, there isn't much we can do with it without other
	// information.
	IsSpecial() bool
	// GetType returns the abstract IP type. This is typically useful only
	// when IsSpecial returns true.
	GetType() AzureAbstractIPType
	// AsUint32 will return the single IP as a uint32. This function is
	// undefined if size != 1.
	AsUint32() uint32
	// FromAzure loads an Azure IP into the instance of this interface type.
	// There are no guarantees about continuity of state before and after this
	// call. If you call this you should view the given underlying value to
	// be completely unrelated to its previous value.
	FromAzure(string)
	// Contains tells us if this rule contains the given IPv4 given as a string.
	// Contains has undefined behavior if the given string is not a dot notation
	// IPv4 address, so callers working from untrusted input should validate the
	// string before calling it.
	Contains(string) UnknownBool
	// ContainsUint32 is the same as Contains except for a uint32 representation
	// of the IPv4 address.
	ContainsUint32(uint32) UnknownBool
	// ContainsRange is the same as Contains except with a range.
	ContainsRange(string, string) UnknownBool
	// ContainsRangeUint32 is the same as ContainsUint32 except with a range.
	ContainsRangeUint32(uint32, uint32) UnknownBool
	// ContinuousRange returns whether or not the IP address is a continuous
	// range. If it is, the beginning and end of that range are returned as
	// strings. Note that a single IP address is a continuous range ending
	// and beginning with itself.
	ContinuousRange() (UnknownBool, string, string)
	// ContinuousRangeUint32 does the same as ContinuousRange but instead
	// returns uint32 values of the IPv4 address.
	ContinuousRangeUint32() (UnknownBool, uint32, uint32)
	// Size returns how many IPs this AzureIPv4 contains. If this cannot be
	// determined 0 is returned. Note that this is a uint64 because the range
	// [0, ^uint32(0)] is "*" and overflows a uint32.
	Size() uint64
	// AllIPsGen is a generator function that returns all of the IPs on the
	// return channel. If the passed buffer parameter is <=0 then there is
	// no buffering on the returned channel.
	AllIPsGen(ctx context.Context, buffer int) <-chan string
	// AllIPsUint32Gen is the uint32 equivalent of AllIPsGen.
	AllIPsUint32Gen(ctx context.Context, buffer int) <-chan uint32
	// AllIPs returns string representations of every IP contained in this
	// AzureIPv4. Note that this could be a lot of IPs (see Size).
	AllIPs() []string
	// AllIPsUint32 is the same as AllIPs except it returns uint32
	// representations.
	AllIPsUint32() []uint32
	String() string
	json.Marshaler
	json.Unmarshaler
}
AzureIPv4 manages the complex type that is a security rule IP. Azure allows CIDR notation, single IPs, IP ranges, and a "*" type. We need to encapsulate all of those in one type to accurately work with them. This interface ensures that these types are not misused.
Allowed formats:
- 10.0.0.0/8 - CIDR
- 10.0.0.1 - Single IP
- 10.0.0.3,10.0.1.2 - Comma separated single
- 10.0.0.0/24,10.0.1.0/24 - Comma separated CIDR
- 10.0.0.0/24,10.0.1.24 - Comma separated mixed
- * - Any
- https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
func NewAzureIPv4FromAzure ¶
NewAzureIPv4FromAzure makes a default AzureIPv4 implementation from an Azure string.
func NewAzureIPv4FromRange ¶
NewAzureIPv4FromRange creates a new AzureIPv4 from a range of IPs
func NewEmptyAzureIPv4 ¶
func NewEmptyAzureIPv4() AzureIPv4
type AzurePort ¶
type AzurePort interface { // FromAzure loads an Azure port into the instance of this interface type. // There are no guarantees about continuity of state before and after this // call. If you call this you should view the given underlying value to // be completely unrelated to its previous value. FromAzure(string) // AsUint16 should return the port as a uint16. The behavior of this // function is undefined if Size() != 1. AsUint16() uint16 // Contains tells us if this rule contains the given port Contains(uint16) bool ContainsRange(uint16, uint16) bool ContinuousRange() (bool, uint16, uint16) Size() uint32 AllPorts() []uint16 AllPortsGen(ctx context.Context, buffer int) <-chan uint16 IsStar() bool String() string UnmarshalJSON(b []byte) error MarshalJSON() ([]byte, error) }
AzurePort manages the complex type that is a security rule port. Azure allows "*" for all ports, single ports, ranges of ports, and a combination of single ports and ranges.
func NewCheckedPortFromAzure ¶
func NewEmptyPort ¶
func NewEmptyPort() AzurePort
func NewPortFromAzure ¶
NewPortFromAzure builds a default AzurePort implementation from the given Azure port string.
func NewPortFromUint16 ¶
type AzureResourceTag ¶
type AzureResourceTag uint
AzureResourceTag is a tag given to a known Azure resource type for quick identification
const ( // ResourceUnsetT indicates that the resource was never set. If you see this // tag on any ResourceID struct, it means that any data in it should not be // trusted. ResourceUnsetT AzureResourceTag = iota ResourceUnknownT ResourceGroupT StorageAccountT ContainerT QueueT TableT ProviderT NetworkSecurityGroupT VirtualNetworkT VirtualMachineT SubnetT NetworkInterfaceT IPConfigurationT PublicIPT WebAppT FunctionT DataLakeT DataLakeStoreT DataLakeAnalyticsT SQLServerT WebAppSlotT RedisServerT RecommendationT SQLDatabaseT VirtualMachineScaleSetT ApiT ApiServiceT ApiOperationT ApiBackendT ApiServiceProductT ServiceBusT ServiceFabricT ApiSchemaT LoadBalancerT FrontendIPConfigurationT ApplicationSecurityGroupT KeyVaultT CosmosDBT PostgresServerT PostgresDBT )
func (AzureResourceTag) String ¶
func (i AzureResourceTag) String() string
type Container ¶
type Container struct { Name string StorageAccount ResourceID URL string Access ContainerPermission }
func (*Container) FromAzure ¶
func (c *Container) FromAzure(az *armstorage.ListContainerItem)
func (*Container) QueryString ¶
func (*Container) SetURL ¶
func (c *Container) SetURL(sa *StorageAccount)
SetURL sets the URL using the Container's name and the StorageAccount.
type ContainerPermission ¶
type ContainerPermission int
const ( ContainerPermissionUnknown ContainerPermission = 0 ContainerPermissionPrivate ContainerPermission = 1 ContainerPermissionBlob ContainerPermission = 2 ContainerPermissionContainer ContainerPermission = 3 )
func (*ContainerPermission) FromAzure ¶ added in v0.1.0
func (it *ContainerPermission) FromAzure(az *azpkg.PublicAccess)
func (ContainerPermission) IsBlob ¶ added in v0.1.0
func (it ContainerPermission) IsBlob() UnknownBool
func (ContainerPermission) IsContainer ¶ added in v0.1.0
func (it ContainerPermission) IsContainer() UnknownBool
func (ContainerPermission) IsKnown ¶ added in v0.1.0
func (it ContainerPermission) IsKnown() bool
func (ContainerPermission) IsPrivate ¶ added in v0.1.0
func (it ContainerPermission) IsPrivate() UnknownBool
func (ContainerPermission) IsUnknown ¶ added in v0.1.0
func (it ContainerPermission) IsUnknown() bool
func (ContainerPermission) String ¶
func (it ContainerPermission) String() string
type CosmosDB ¶
type CosmosDB struct { Meta ResourceID Endpoint string Firewall CosmosDBFirewall }
func NewEmptyCosmosDB ¶
func NewEmptyCosmosDB() *CosmosDB
func (*CosmosDB) FromAzure ¶
func (c *CosmosDB) FromAzure(az *armcosmos.DatabaseAccountGetResults)
type CosmosDBFirewall ¶
type CosmosDBFirewall struct { IPs IPCollection PublicNetworkAllowed UnknownBool AzureCanBypass UnknownBool AllowedResources []ResourceID VNetEnabled UnknownBool VNetRules []ResourceID }
func (CosmosDBFirewall) AllowsIP ¶
func (f CosmosDBFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
func (CosmosDBFirewall) AllowsIPString ¶
func (f CosmosDBFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (CosmosDBFirewall) AllowsIPToPort ¶
func (f CosmosDBFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
func (CosmosDBFirewall) AllowsIPToPortString ¶
func (f CosmosDBFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
func (CosmosDBFirewall) RespectsAllowlist ¶ added in v0.1.0
func (f CosmosDBFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
type DataLakeAnalytics ¶
type DataLakeAnalytics struct { Meta ResourceID Endpoint string Firewall DataLakeFirewall }
DataLakeAnalytics holds the important information for a Data Lake Analytics account.
func NewEmptyDataLakeAnalytics ¶
func NewEmptyDataLakeAnalytics() *DataLakeAnalytics
func (*DataLakeAnalytics) FromAzure ¶
func (dl *DataLakeAnalytics) FromAzure(az *armdatalakeanalytics.Account)
type DataLakeFirewall ¶ added in v0.1.0
type DataLakeFirewall struct { Enabled UnknownBool AllowAzure UnknownBool Rules FirewallRules }
func (*DataLakeFirewall) AllowsIP ¶ added in v0.1.0
func (fw *DataLakeFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
func (*DataLakeFirewall) AllowsIPString ¶ added in v0.1.0
func (fw *DataLakeFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (*DataLakeFirewall) AllowsIPToPort ¶ added in v0.1.0
func (fw *DataLakeFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
func (*DataLakeFirewall) AllowsIPToPortString ¶ added in v0.1.0
func (fw *DataLakeFirewall) AllowsIPToPortString(ip string, port string) (UnknownBool, []PacketRoute, error)
func (*DataLakeFirewall) RespectsAllowlist ¶ added in v0.1.0
func (fw *DataLakeFirewall) RespectsAllowlist(allowlist FirewallAllowlist) (UnknownBool, []IPPort, error)
type DataLakeStore ¶
type DataLakeStore struct { Meta ResourceID Endpoint string Encrypted UnknownBool Firewall DataLakeFirewall TrustedIDProviders []string TrustIDProviders UnknownBool }
DataLakeStore holds the important information for a Data Lake store account
func NewEmptyDataLakeStore ¶
func NewEmptyDataLakeStore() *DataLakeStore
func (*DataLakeStore) FromAzure ¶
func (dl *DataLakeStore) FromAzure(az *armdatalakestore.Account)
type DiskEncryption ¶
type DiskEncryption struct { Enabled UnknownBool EncryptionKey string KeyEncryptionKey string }
DiskEncryption holds the location of an encryption key and whether that key is enabled for the given disk
type Error ¶
Error is inzure's generic error type. These should give slightly more information specific to inzure functionality, but in some cases they may just be wrapping a generic error.
type FTPState ¶
type FTPState int
func (FTPState) IsAll ¶ added in v0.1.0
func (it FTPState) IsAll() UnknownBool
func (FTPState) IsDisabled ¶ added in v0.1.0
func (it FTPState) IsDisabled() UnknownBool
func (FTPState) IsFTPSOnly ¶ added in v0.1.0
func (it FTPState) IsFTPSOnly() UnknownBool
type FileShare ¶ added in v0.1.0
type FileShare struct {}
func (*FileShare) FromAzure ¶ added in v0.1.0
func (f *FileShare) FromAzure(az *armstorage.FileShareItem)
func (*FileShare) QueryString ¶ added in v0.1.0
type FileShareAccessPolicy ¶ added in v0.1.0
type FileShareAccessPolicy struct {}
func (*FileShareAccessPolicy) FromAzure ¶ added in v0.1.0
func (fsap *FileShareAccessPolicy) FromAzure(az *armstorage.SignedIdentifier)
type FileShareProtocol ¶ added in v0.1.0
type FileShareProtocol int
const ()
func (*FileShareProtocol) FromAzure ¶ added in v0.1.0
func (it *FileShareProtocol) FromAzure(az *azpkg.EnabledProtocols)
func (FileShareProtocol) IsKnown ¶ added in v0.1.0
func (it FileShareProtocol) IsKnown() bool
func (FileShareProtocol) IsNFS ¶ added in v0.1.0
func (it FileShareProtocol) IsNFS() UnknownBool
func (FileShareProtocol) IsSMB ¶ added in v0.1.0
func (it FileShareProtocol) IsSMB() UnknownBool
func (FileShareProtocol) IsUnknown ¶ added in v0.1.0
func (it FileShareProtocol) IsUnknown() bool
func (FileShareProtocol) String ¶ added in v0.1.0
func (it FileShareProtocol) String() string
type Firewall ¶
type Firewall interface {
	// AllowsIP checks if the given IP is allowed through the firewall for any
	// potential source. If BoolTrue is returned, the PacketRoute slice gives
	// all of the known firewall protected targets that this IP is allowed to
	// access. If that can't be determined, it should be a single */* for
	// caution's sake.
	AllowsIP(AzureIPv4) (UnknownBool, []PacketRoute, error)
	AllowsIPString(string) (UnknownBool, []PacketRoute, error)
	// AllowsIPToPort checks if an IP can access the given port on any server
	// protected by the firewall. If BoolTrue is returned, the PacketRoute
	// slice gives IPs that can be reached at that port.
	AllowsIPToPort(AzureIPv4, AzurePort) (UnknownBool, []PacketRoute, error)
	AllowsIPToPortString(string, string) (UnknownBool, []PacketRoute, error)
	// RespectsAllowlist checks if the firewall respects a given allowlist.
	//
	// Note that blocking all traffic is considered respecting the allowlist
	// in this method. This keeps the complexity of implementation functions
	// lower. You can use the other Allows* methods to verify that it is
	// respecting an allowlist in a positive sense (i.e. it allows everything
	// in the allowlist through).
	//
	// An allowlist that is empty (this is dependent on the implementation's
	// definition of "empty") should cause this to return the BadAllowlist
	// error with a BoolUnknown.
	//
	// If this given firewall is port agnostic (SQL and Redis servers for
	// example) then this can return BoolNotApplicable for all ports that
	// are not supported by the service.
	//
	// On return, if BoolTrue/Unknown the []IPPort should specify which IPs
	// failed on which Ports. If port agnostic, the port should simply be "*".
	RespectsAllowlist(FirewallAllowlist) (UnknownBool, []IPPort, error)
}
Firewall represents anything that has rules to allow or disallow specific IPs to communicate with specific ports.
If any function returns BoolNotApplicable, the firewall is considered to have "no opinion" on the connection. In most cases this will probably be treated as if it were BoolTrue, so callers should make that choice deliberately.
type FirewallAllowlist ¶ added in v0.1.0
type FirewallAllowlist struct { AllPorts []AzureIPv4 PortMap map[string][]AzureIPv4 // contains filtered or unexported fields }
FirewallAllowlist defines an allowlist for inzure. These are intended to be ingested by Firewalls for validation.
func (FirewallAllowlist) AddPortEntry ¶ added in v0.1.0
func (fw FirewallAllowlist) AddPortEntry(port string, ips []AzureIPv4)
func (*FirewallAllowlist) IPPassesAny ¶ added in v0.1.0
func (fwl *FirewallAllowlist) IPPassesAny(port AzurePort, ip AzureIPv4) UnknownBool
IPPassesAny checks whether the port/IP combination passes either the port-specific entries or AllPorts.
func (*FirewallAllowlist) IPPassesPort ¶ added in v0.1.0
func (fwl *FirewallAllowlist) IPPassesPort(port AzurePort, ip AzureIPv4) UnknownBool
IPPassesPort does not check if the IP is in AllPorts, for that behavior use IPPassesAny.
func (*FirewallAllowlist) IPPassesStar ¶ added in v0.1.0
func (fwl *FirewallAllowlist) IPPassesStar(ip AzureIPv4) UnknownBool
IPPassesStar ONLY checks AllPorts. If you need to also check for ports, use IPPassesAny.
func (FirewallAllowlist) RemovePortEntry ¶ added in v0.1.0
func (fw FirewallAllowlist) RemovePortEntry(port string)
func (*FirewallAllowlist) Reset ¶ added in v0.1.0
func (fwl *FirewallAllowlist) Reset()
func (*FirewallAllowlist) UnmarshalJSON ¶ added in v0.1.0
func (fwl *FirewallAllowlist) UnmarshalJSON(b []byte) error
type FirewallRule ¶
type FirewallRule struct { Name string IPRange AzureIPv4 // AllowsAllAzure is a special case when the start and end IP are both // 0.0.0.0 for certain resources. This means that _any_ Azure resource // has access to this service -- including other people's VMs. // // This is a very useful flag and actually a security issue in and of // itself. AllowsAllAzure UnknownBool }
FirewallRule holds the information for a simple firewall rule that allows a range of IP addresses. It does not specify ports.
func (*FirewallRule) FromAzureDataLakeAnalytics ¶
func (fw *FirewallRule) FromAzureDataLakeAnalytics(az *armdatalakeanalytics.FirewallRule)
func (*FirewallRule) FromAzureDataLakeStore ¶
func (fw *FirewallRule) FromAzureDataLakeStore(az *armdatalakestore.FirewallRule)
func (*FirewallRule) FromAzurePostgres ¶
func (fw *FirewallRule) FromAzurePostgres(az *armpostgresql.FirewallRule)
func (*FirewallRule) FromAzureRedis ¶
func (fw *FirewallRule) FromAzureRedis(az *armredis.FirewallRule)
func (*FirewallRule) FromAzureSQL ¶
func (fw *FirewallRule) FromAzureSQL(az *armsql.FirewallRule)
func (FirewallRule) SetupEmpty ¶
func (f FirewallRule) SetupEmpty()
SetupEmpty initializes a FirewallRule to not contain nulls.
func (*FirewallRule) UnmarshalJSON ¶
func (fw *FirewallRule) UnmarshalJSON(b []byte) error
UnmarshalJSON is a custom unmarshaler for the IP.
type FirewallRules ¶
type FirewallRules []FirewallRule
func (FirewallRules) AllowsIP ¶
func (f FirewallRules) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
func (FirewallRules) AllowsIPString ¶
func (f FirewallRules) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (FirewallRules) AllowsIPToPort ¶
func (f FirewallRules) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
func (FirewallRules) AllowsIPToPortString ¶
func (f FirewallRules) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
func (FirewallRules) RespectsAllowlist ¶ added in v0.1.0
func (f FirewallRules) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
RespectsAllowlist for the general FirewallRules type is port agnostic. This means that if the given list has a PortMap specified, this immediately returns BoolNotApplicable. This also means that an allowlist without AllPorts defined is an error.
type FromAzurer ¶ added in v0.1.0
type FromAzurer[T any] interface { FromAzure(T) }
type Function ¶
type Function struct { Meta ResourceID Config FunctionConfig IsDisabled UnknownBool Language AppLanguage ScriptRootPath string ScriptURL string ConfigURL string SecretsURL string URL string }
Function holds important information about a function associated with a webapp.
func NewEmptyFunction ¶
func NewEmptyFunction() *Function
func (*Function) CanHttpTrigger ¶ added in v0.1.0
func (f *Function) CanHttpTrigger() UnknownBool
func (*Function) FromAzure ¶
func (f *Function) FromAzure(fe *armappservice.FunctionEnvelope)
type FunctionConfig ¶
type FunctionConfig struct {
Bindings []FunctionConfigBinding
}
FunctionConfig is just an `interface{}` type in the AzureAPI. There is some information we might want out of this though. When we try to get it, we'll just ignore the error since I can't be sure it'll always return the same data.
func NewEmtpyFunctionConfig ¶
func NewEmtpyFunctionConfig() FunctionConfig
type FunctionConfigBinding ¶
func NewEmptyFunctionConfigBinding ¶
func NewEmptyFunctionConfigBinding() FunctionConfigBinding
type IPCollection ¶
type IPCollection []AzureIPv4
func (IPCollection) AllowsIP ¶
func (ipc IPCollection) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
AllowsIP in the context of an IPCollection will return true if the collection is empty or the ip is in the list.
func (IPCollection) AllowsIPString ¶
func (ipc IPCollection) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (IPCollection) AllowsIPToPort ¶
func (ipc IPCollection) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
AllowsIPToPort is equivalent to AllowsIP in this case as there is no knowledge of ports.
func (IPCollection) AllowsIPToPortString ¶
func (ipc IPCollection) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
func (*IPCollection) MarshalJSON ¶
func (ipc *IPCollection) MarshalJSON() ([]byte, error)
func (IPCollection) RespectsAllowlist ¶ added in v0.1.0
func (ipc IPCollection) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
RespectsAllowlist in the context of an IPCollection will return false if the collection is empty. Otherwise it checks if the list it has is a subset of the given list. If it is given a nil list it returns the same as it would for an empty list, which is BoolTrue.
func (IPCollection) String ¶
func (ipc IPCollection) String() string
func (*IPCollection) UnmarshalJSON ¶
func (ipc *IPCollection) UnmarshalJSON(b []byte) error
type IPConfiguration ¶
type IPConfiguration struct { Meta ResourceID PublicIP PublicIP PrivateIP string SubnetRef ResourceID ASGRefs []ResourceID }
IPConfiguration is the IPConfiguration of a NetworkInterface.
func (*IPConfiguration) FromAzure ¶
func (ipc *IPConfiguration) FromAzure(azipc *armnetwork.InterfaceIPConfiguration)
type IPPort ¶
func AllIPPorts ¶ added in v0.1.0
func AllIPPorts() []IPPort
type IPPortCollection ¶
type IPPortCollection []IPPort
func (IPPortCollection) Len ¶
func (ippc IPPortCollection) Len() int
func (IPPortCollection) Less ¶
func (ippc IPPortCollection) Less(i, j int) bool
func (IPPortCollection) Swap ¶
func (ippc IPPortCollection) Swap(i, j int)
type KeyVault ¶
type KeyVault struct { Meta ResourceID URL string EnabledForDeployment UnknownBool EnabledForDiskEncryption UnknownBool EnabledForTemplateDeployment UnknownBool AccessPolicies []KeyVaultAccessPolicy Firewall KeyVaultFirewall }
func NewEmptyKeyVault ¶
func NewEmptyKeyVault() *KeyVault
func (*KeyVault) FromAzure ¶
func (kv *KeyVault) FromAzure(az *armkeyvault.Vault)
type KeyVaultAccessPolicy ¶
type KeyVaultAccessPolicy struct { TenantID string ObjectID string ApplicationID string Storage KeyVaultStoragePermission Secret KeyVaultSecretsPermission Cert KeyVaultCertificatesPermission Key KeyVaultKeysPermission }
func (*KeyVaultAccessPolicy) FromAzure ¶
func (kva *KeyVaultAccessPolicy) FromAzure(az *armkeyvault.AccessPolicyEntry)
type KeyVaultCertificatesPermission ¶
type KeyVaultCertificatesPermission uint64
const KeyVaultCertificatesPermissionNone KeyVaultCertificatesPermission = 0
func (*KeyVaultCertificatesPermission) FromAzure ¶
func (p *KeyVaultCertificatesPermission) FromAzure(az []*armkeyvault.CertificatePermissions)
type KeyVaultFirewall ¶
type KeyVaultFirewall struct { IPRules IPCollection DefaultAllow UnknownBool VNetRules []ResourceID }
func (KeyVaultFirewall) AllowsIP ¶
func (kvf KeyVaultFirewall) AllowsIP(chk AzureIPv4) (UnknownBool, []PacketRoute, error)
func (KeyVaultFirewall) AllowsIPString ¶
func (kvf KeyVaultFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (KeyVaultFirewall) AllowsIPToPort ¶
func (kvf KeyVaultFirewall) AllowsIPToPort(ip AzureIPv4, _ AzurePort) (UnknownBool, []PacketRoute, error)
func (KeyVaultFirewall) AllowsIPToPortString ¶
func (kvf KeyVaultFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
func (*KeyVaultFirewall) FromAzure ¶
func (kvf *KeyVaultFirewall) FromAzure(az *armkeyvault.NetworkRuleSet)
func (KeyVaultFirewall) RespectsAllowlist ¶ added in v0.1.0
func (kvf KeyVaultFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
type KeyVaultKeysPermission ¶
// KeyVaultKeysPermission holds the key permissions an access policy grants.
// Filled from the Azure permission list by FromAzure; presumably bit flags
// (uint64, None == 0) -- the values are not listed here.
type KeyVaultKeysPermission uint64

// KeyVaultKeyPermissionsNone is the zero value: no key permissions granted.
// Note the name differs in form from KeyVaultCertificatesPermissionNone.
const KeyVaultKeyPermissionsNone KeyVaultKeysPermission = 0
func (*KeyVaultKeysPermission) FromAzure ¶
func (p *KeyVaultKeysPermission) FromAzure(az []*armkeyvault.KeyPermissions)
type KeyVaultSecretsPermission ¶
// KeyVaultSecretsPermission holds the secret permissions an access policy
// grants. Filled from the Azure permission list by FromAzure; presumably bit
// flags (uint64, None == 0) -- the values are not listed here.
type KeyVaultSecretsPermission uint64

// KeyVaultSecretPermissionsNone is the zero value: no secret permissions
// granted.
const KeyVaultSecretPermissionsNone KeyVaultSecretsPermission = 0
func (*KeyVaultSecretsPermission) FromAzure ¶
func (p *KeyVaultSecretsPermission) FromAzure(az []*armkeyvault.SecretPermissions)
type KeyVaultStoragePermission ¶
// KeyVaultStoragePermission holds the storage-account permissions an access
// policy grants. Filled from the Azure permission list by FromAzure; note it
// is uint32 where the other permission types are uint64.
type KeyVaultStoragePermission uint32

// KeyVaultStoragePermissionNone is the zero value: no storage permissions
// granted.
const KeyVaultStoragePermissionNone KeyVaultStoragePermission = 0
func (*KeyVaultStoragePermission) FromAzure ¶
func (p *KeyVaultStoragePermission) FromAzure(az []*armkeyvault.StoragePermissions)
type LexError ¶
func (LexError) ErrorWithHint ¶
type LoadBalancer ¶
// LoadBalancer is inzure's view of an Azure load balancer: its frontend IP
// configurations, backend pools and the rules joining them. The Add* methods
// populate the three slices from the corresponding Azure objects.
type LoadBalancer struct {
	Meta        ResourceID
	FrontendIPs []LoadBalancerFrontendIPConfiguration
	Backends    []LoadBalancerBackend
	Rules       []LoadBalancerRule
}
func NewEmptyLoadBalancer ¶
func NewEmptyLoadBalancer() *LoadBalancer
func (*LoadBalancer) AddAzureBackendConfiguration ¶
func (lb *LoadBalancer) AddAzureBackendConfiguration(azConf *armnetwork.BackendAddressPool)
func (*LoadBalancer) AddAzureFrontendIPConfiguration ¶
func (lb *LoadBalancer) AddAzureFrontendIPConfiguration(azConf *armnetwork.FrontendIPConfiguration)
func (*LoadBalancer) AddLoadBalancerRule ¶
func (lb *LoadBalancer) AddLoadBalancerRule(azRule *armnetwork.LoadBalancingRule)
func (*LoadBalancer) FromAzure ¶
func (lb *LoadBalancer) FromAzure(az *armnetwork.LoadBalancer)
type LoadBalancerAttackSurface ¶
// LoadBalancerAttackSurface provides both a list of frontend IPs, backend
// IPs, and an association of frontend to backend IPs.
type LoadBalancerAttackSurface struct {
	Frontends []string
	Backends  []string
	// Paths maps a frontend to the backend it forwards to. The exact key and
	// value format is not shown here -- presumably IP strings from the two
	// slices above; confirm against the builder.
	Paths map[string]string
}
LoadBalancerAttackSurface provides both a list of frontend IPs, backend IPs, and an association of frontend to backend ips
type LoadBalancerBackend ¶
// LoadBalancerBackend is one backend address pool of a load balancer and the
// IP configurations that belong to it.
type LoadBalancerBackend struct {
	Meta             ResourceID
	IPConfigurations []IPConfiguration
}
func (*LoadBalancerBackend) FromAzure ¶
func (lbb *LoadBalancerBackend) FromAzure(az *armnetwork.BackendAddressPool)
type LoadBalancerFrontendIPConfiguration ¶
// LoadBalancerFrontendIPConfiguration is one frontend of a load balancer. A
// frontend may be public (PublicIP) or internal (Subnet plus PrivateIP);
// which of the two is populated for a given frontend is not shown here.
// PrivateIP is an AzureIPv4 interface, which is why the type has its own
// UnmarshalJSON and SetupEmpty.
type LoadBalancerFrontendIPConfiguration struct {
	Meta      ResourceID
	PublicIP  PublicIP
	Subnet    ResourceID
	PrivateIP AzureIPv4
}
func (*LoadBalancerFrontendIPConfiguration) FromAzure ¶
func (lbf *LoadBalancerFrontendIPConfiguration) FromAzure(az *armnetwork.FrontendIPConfiguration)
func (*LoadBalancerFrontendIPConfiguration) SetupEmpty ¶
func (lbf *LoadBalancerFrontendIPConfiguration) SetupEmpty()
func (*LoadBalancerFrontendIPConfiguration) UnmarshalJSON ¶
func (lbf *LoadBalancerFrontendIPConfiguration) UnmarshalJSON(b []byte) error
type LoadBalancerProtocol ¶
// LoadBalancerProtocol is an alias (not a distinct type) of
// SecurityRuleProtocol, so the Protocol* constants and the Is* helpers apply
// to load balancer rules unchanged.
type LoadBalancerProtocol = SecurityRuleProtocol
type LoadBalancerRule ¶
// LoadBalancerRule is one load balancing rule: the frontend IP/port that is
// exposed and the backend IP/port it is forwarded to, for one protocol. The
// IP and port fields are interfaces, hence the custom UnmarshalJSON and
// SetupEmpty on this type.
type LoadBalancerRule struct {
	Meta         ResourceID
	FrontendIP   AzureIPv4
	FrontendPort AzurePort
	BackendIP    AzureIPv4
	BackendPort  AzurePort
	Protocol     LoadBalancerProtocol
}
func (*LoadBalancerRule) SetupEmpty ¶
func (lbr *LoadBalancerRule) SetupEmpty()
func (*LoadBalancerRule) UnmarshalJSON ¶
func (lbr *LoadBalancerRule) UnmarshalJSON(js []byte) error
type NetworkInterface ¶
// NetworkInterface is the link between NSGs and virtual machines; it carries
// the interface's IP configurations, which may include a public IP address.
type NetworkInterface struct {
	Meta             ResourceID
	IPConfigurations []IPConfiguration
}
A NetworkInterface enables Virtual Machines to communicate with the internet. They are the link between NSGs and VMs, and they optionally have a public IP address.
func NewEmptyNetworkInterface ¶
func NewEmptyNetworkInterface() *NetworkInterface
func (*NetworkInterface) FromAzure ¶
func (n *NetworkInterface) FromAzure(az *armnetwork.Interface)
type NetworkSecurityGroup ¶
// NetworkSecurityGroup holds all necessary information for an automatic
// analysis of network security groups: its inbound and outbound rules and
// the subnets and network interfaces it is associated with. An NSG belongs
// to one resource group but may be applied to resources in other resource
// groups, so the associations here can point outside Meta's group. It
// implements Firewall and RespectsAllowlist.
type NetworkSecurityGroup struct {
	Meta          ResourceID
	InboundRules  []SecurityRule
	OutboundRules []SecurityRule
	// Associations. Combine with the VirtualNetwork data to see which VMs
	// the rules actually protect.
	Subnets           []ResourceID
	NetworkInterfaces []ResourceID
}
NetworkSecurityGroup holds all necessary information for an automatic analysis of network security groups.
NetworkSecurityGroups are big. They have inbound/outbound firewall rules and are associated with both subnets and network interfaces. Network interfaces and subnets can be used to associate them with virtual machines. The data contained here needs to be complemented with the data in a VirtualNetwork to get a full picture of the subscription's compute networking.
NetworkSecurityGroups do belong to a resource group, but they can be applied to resources in different resource groups.
func NewEmptyNSG ¶
func NewEmptyNSG() *NetworkSecurityGroup
func (*NetworkSecurityGroup) AllowsIP ¶
func (nsg *NetworkSecurityGroup) AllowsIP(checkIP AzureIPv4) (UnknownBool, []PacketRoute, error)
AllowsIP is implementing Firewall for NetworkSecurityGroup
func (*NetworkSecurityGroup) AllowsIPString ¶
func (nsg *NetworkSecurityGroup) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (*NetworkSecurityGroup) AllowsIPToPort ¶
func (nsg *NetworkSecurityGroup) AllowsIPToPort(checkIP AzureIPv4, checkPort AzurePort) (UnknownBool, []PacketRoute, error)
AllowsIPToPort is implementing Firewall for NetworkSecurityGroup
func (*NetworkSecurityGroup) AllowsIPToPortString ¶
func (nsg *NetworkSecurityGroup) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
func (*NetworkSecurityGroup) DeepCopySetVNet ¶
func (nsg *NetworkSecurityGroup) DeepCopySetVNet(vnet string) (*NetworkSecurityGroup, error)
DeepCopySetVNet returns a deep copy of the NetworkSecurityGroup with the VirtualNetwork set. This can be very helpful when trying to get good results from firewall tests. Note that the original NSG is unchanged.
Note that "DeepCopy" is currently implemented as a JSON conversion.
func (*NetworkSecurityGroup) FromAzure ¶
func (nsg *NetworkSecurityGroup) FromAzure(aznsg *armnetwork.SecurityGroup)
func (*NetworkSecurityGroup) RespectsAllowlist ¶ added in v0.1.0
func (nsg *NetworkSecurityGroup) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
RespectsAllowlist for a NetworkSecurityGroup is NOT port agnostic. This means you'll never get a BoolNotApplicable from this and the only time an error is returned is when both AllPorts and PortMap are not defined.
type OsType ¶
// OsType is the operating system family of a VM as converted from the Azure
// enum by FromAzure. Use IsLinux/IsWindows, which return UnknownBool so an
// unreported OS stays distinguishable from a negative answer.
type OsType int
func (*OsType) FromAzure ¶ added in v0.1.0
func (it *OsType) FromAzure(az *azpkg.OperatingSystemTypes)
func (OsType) IsLinux ¶ added in v0.1.0
func (it OsType) IsLinux() UnknownBool
func (OsType) IsWindows ¶ added in v0.1.0
func (it OsType) IsWindows() UnknownBool
type PacketRoute ¶
// PacketRoute holds a potential inbound route on a firewall: the destination
// IPs and ports reachable over one protocol. Firewall checks return a slice
// of these alongside the UnknownBool verdict; see Equals for the notion of
// equality (a route may also be a subset of another without being equal).
type PacketRoute struct {
	IPs      IPCollection
	Ports    PortCollection
	Protocol SecurityRuleProtocol
}
PacketRoute holds a potential inbound route on a firewall.
func AllowsAllPacketRoute ¶
func AllowsAllPacketRoute() PacketRoute
func AllowsAllPacketRoutes ¶ added in v0.1.0
func AllowsAllPacketRoutes() []PacketRoute
func PacketRouteFromSecurityRuleDests ¶
func PacketRouteFromSecurityRuleDests(s SecurityRule) PacketRoute
PacketRouteFromSecurityRuleDests creates a PacketRoute from the destination portions of a security rule. It safely copies the IPv4 and Port interfaces.
func (*PacketRoute) Equals ¶
func (p *PacketRoute) Equals(o *PacketRoute) bool
Equals tests for equality of two packet routes. Equality is defined as:
- Same protocol
- Same IPs
- Same ports
Note that one PacketRoute can be a subset of another PacketRoute, but that is different from equality.
type ParentResource ¶
// ParentResource is an intermediate piece of a resource ID string, e.g. the
// NSG that a security rule lives under; it records the parent's name and its
// resource tag.
type ParentResource struct {
	Name string
	Tag  AzureResourceTag
}
ParentResource is an intermediate piece of the resource ID string. For example almost everything has a subscription and resource group, but some things have a NSG as a parent or something like that. This is some basic metadata about that item.
func (*ParentResource) Equals ¶
func (r *ParentResource) Equals(o *ParentResource) bool
Equals tests two ParentResources for equality
type PortCollection ¶
// PortCollection is a slice of AzurePort interface values. Because the
// element type is an interface it needs the custom MarshalJSON/UnmarshalJSON
// defined below to round-trip through a saved subscription.
type PortCollection []AzurePort
func (*PortCollection) MarshalJSON ¶
func (pc *PortCollection) MarshalJSON() ([]byte, error)
func (*PortCollection) UnmarshalJSON ¶
func (pc *PortCollection) UnmarshalJSON(b []byte) error
type PostgresDB ¶
// PostgresDB is a single database on a PostgresServer. Only the resource
// identity is collected.
type PostgresDB struct {
	Meta ResourceID
}
func (*PostgresDB) FromAzure ¶
func (psd *PostgresDB) FromAzure(az *armpostgresql.Database)
type PostgresServer ¶
// PostgresServer is inzure's view of an Azure Database for PostgreSQL server:
// version, endpoint, administrator login name, databases, whether SSL is
// enforced, its firewall rules and the subnets it is attached to.
type PostgresServer struct {
	Meta    ResourceID
	Version string
	FQDN    string
	// AdminUser is the administrator login name only; no credential is
	// collected.
	AdminUser string
	Databases []PostgresDB
	// SSLEnforced is BoolUnknown when Azure did not report the setting.
	SSLEnforced UnknownBool
	Firewall    FirewallRules
	Subnets     []ResourceID
}
func NewEmptyPostgresServer ¶
func NewEmptyPostgresServer() *PostgresServer
func (*PostgresServer) FromAzure ¶
func (ps *PostgresServer) FromAzure(az *armpostgresql.Server)
type PublicIP ¶
// PublicIP wraps the Azure public IP type: the actual address plus pertinent
// metadata. Azure also supplies an FQDN for the address, captured here.
type PublicIP struct {
	Meta ResourceID
	FQDN string
	// IP is kept as a string rather than an AzureIPv4.
	IP string
}
PublicIP wraps the Azure public IP type, which is the actual address and some pertinent metadata.
From the Azure structure we can actually get a FQDN.
func (*PublicIP) FromAzure ¶
func (p *PublicIP) FromAzure(ap *armnetwork.PublicIPAddress)
type QSArraySelT ¶
// QSArraySelT is an array selector in a query string. Non-negative values
// are presumably plain indexes; the named negative values below are the
// special selectors, with QSArraySelUk the "unknown/unset" marker.
type QSArraySelT int

const (
	QSArraySelUk  QSArraySelT = -4
	QSArraySelAny QSArraySelT = -3
	QSArraySelAll QSArraySelT = -2
	QSArraySelLen QSArraySelT = -1
)
func (QSArraySelT) String ¶
func (qsa QSArraySelT) String() string
type QSComparer ¶
// QSComparer is one comparison inside a query string condition: the field
// path being tested, the operator, and the value it is compared to.
type QSComparer struct {
	Fields QSField
	Op     QSOpT
	// To is the right-hand operand; its concrete type depends on the field.
	To interface{}
	// contains filtered or unexported fields
}
func (*QSComparer) String ¶
func (qsc *QSComparer) String() string
type QSCondition ¶
// QSCondition is the bracketed condition of a query string, kept as a chain
// of comparers joined by And/Or links (see PushAnd and PushOr). Raw is the
// original text of the condition.
type QSCondition struct {
	Raw string
	Cmp IQSComparer
	And *QSCondition
	Or  *QSCondition
}
func (*QSCondition) Equals ¶
func (qsc *QSCondition) Equals(o *QSCondition) bool
func (*QSCondition) FilterValue ¶
func (*QSCondition) PushAnd ¶
func (qsc *QSCondition) PushAnd(ic *QSCondition)
func (*QSCondition) PushOr ¶
func (qsc *QSCondition) PushOr(ic *QSCondition)
func (*QSCondition) String ¶
func (qsc *QSCondition) String() string
type QSField ¶
type QSSelector ¶
// QSSelector is the resource part of a query string together with its
// optional condition (nil when the selector has no "[...]" clause).
type QSSelector struct {
	Resource  string
	Condition *QSCondition
}
func (*QSSelector) Contains ¶
func (qss *QSSelector) Contains(o *QSSelector) bool
func (*QSSelector) Equals ¶
func (qss *QSSelector) Equals(o *QSSelector) bool
func (*QSSelector) String ¶
func (qss *QSSelector) String() string
type QueryString ¶
// QueryString is a parsed inzure query string (see Subscription.FromQueryString
// for the syntax). Raw is the text it was parsed from; Subresource chains to
// the next path element, if any. Use Parse to fill one and Validate to check
// it before use.
type QueryString struct {
	Raw           string
	Sel           QSSelector
	ResourceGroup string
	Name          string
	Subresource   *QueryString
	// contains filtered or unexported fields
}
func (*QueryString) BaseString ¶
func (qs *QueryString) BaseString() string
func (*QueryString) ContainsIQS ¶
func (p *QueryString) ContainsIQS(oqs *QueryString) bool
func (*QueryString) ContainsString ¶
func (p *QueryString) ContainsString(s string) bool
ContainsString checks if a query string is a superset of, or equal to, a given query string. Without context this can be difficult, so this function could potentially return a false negative.
func (*QueryString) GetReturnType ¶
func (qs *QueryString) GetReturnType() (reflect.Type, bool)
GetReturnType returns the reflect.Type that should be returned by this query string when used with a Subscription.
func (*QueryString) Parse ¶
func (qs *QueryString) Parse(s string) error
Parse takes an IQS and fills the given QueryString struct with the data it represents.
func (*QueryString) String ¶
func (qs *QueryString) String() string
func (*QueryString) Validate ¶ added in v0.1.0
func (qs *QueryString) Validate() error
Validate ensures that the query string is actually valid.
type RedisFirewall ¶
// RedisFirewall is the rule list of a Redis server. Unlike other rule-based
// firewalls here, an empty RedisFirewall allows traffic from everywhere (see
// AllowsIP and RespectsAllowlist), so "no rules" must be read as "open", not
// as "closed".
type RedisFirewall []FirewallRule
func (RedisFirewall) AllowsIP ¶
func (f RedisFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
AllowsIP for a RedisFirewall differs from the other firewalls in that, when no rules are present, traffic is allowed by default from everywhere.
func (RedisFirewall) AllowsIPString ¶
func (f RedisFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (RedisFirewall) AllowsIPToPort ¶
func (f RedisFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
func (RedisFirewall) AllowsIPToPortString ¶
func (f RedisFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
func (RedisFirewall) RespectsAllowlist ¶ added in v0.1.0
func (f RedisFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
RespectsAllowlist for a RedisFirewall is port agnostic, but it has a slight difference compared to FirewallRules: if it is empty it allows everything.
type RedisServer ¶
// RedisServer holds all of the information pertinent to Azure Redis servers.
// Port and SSLPort are -1 when they cannot be found.
type RedisServer struct {
	Meta    ResourceID
	Version string
	Host    string
	// Port and SSLPort are -1 if not found.
	Port    int
	SSLPort int
	// NonSSLPortEnabled is BoolUnknown when Azure did not report it.
	NonSSLPortEnabled UnknownBool
	StaticIP          string
	Configuration     map[string]string
	Firewall          RedisFirewall
	Subnet            ResourceID
	MinimumTLSVersion TLSVersion
}
RedisServer holds all of the information pertinent to Azure redis servers.
If the ports cannot be found their value is -1
func NewEmptyRedisServer ¶
func NewEmptyRedisServer() *RedisServer
func (*RedisServer) FromAzure ¶
func (r *RedisServer) FromAzure(az *armredis.ResourceInfo)
type ResourceGroup ¶
// ResourceGroup is a way of dividing up resources in a Subscription. Each
// Azure object belongs to a ResourceGroup, and ResourceGroups are retrieved
// from the Subscription by name. Every slice holds pointers, so values
// obtained through a query string alias the data stored here.
type ResourceGroup struct {
	Meta                      ResourceID
	StorageAccounts           []*StorageAccount
	NetworkSecurityGroups     []*NetworkSecurityGroup
	VirtualNetworks           []*VirtualNetwork
	VirtualMachines           []*VirtualMachine
	WebApps                   []*WebApp
	DataLakeStores            []*DataLakeStore
	DataLakeAnalytics         []*DataLakeAnalytics
	SQLServers                []*SQLServer
	RedisServers              []*RedisServer
	APIServices               []*APIService
	NetworkInterfaces         []*NetworkInterface
	ApplicationSecurityGroups []*ApplicationSecurityGroup
	KeyVaults                 []*KeyVault
	LoadBalancers             []*LoadBalancer
	CosmosDBs                 []*CosmosDB
	PostgresServers           []*PostgresServer
}
ResourceGroup is a way of dividing up resources in a Subscription. Each Azure object belongs to a ResourceGroup. ResourceGroups can be retrieved from the main Subscription struct via their name.
func NewEmptyResourceGroup ¶
func NewEmptyResourceGroup() *ResourceGroup
func (*ResourceGroup) FromAzure ¶
func (rg *ResourceGroup) FromAzure(res *armresources.ResourceGroup)
type ResourceID ¶
// ResourceID is a normalized version of the long-form resource string
// provided by Azure. Not every field is guaranteed to be populated; RawID
// keeps the original string so that ExtractValueForTag can still recover
// segments that were not normalized.
type ResourceID struct {
	RawID             string
	Subscription      string
	ResourceGroupName string
	//Parents []ParentResource
	Name string
	Tag  AzureResourceTag
}
ResourceID is a normalized version of the longform resource string provided by Azure. Not every field is guaranteed to be populated.
func (*ResourceID) Equals ¶
func (r *ResourceID) Equals(o *ResourceID) bool
Equals tests two ResourceIDs for equality
func (*ResourceID) ExtractValueForTag ¶
func (r *ResourceID) ExtractValueForTag(tag string, caseInsensitive bool) string
ExtractValueForTag parses the RawID for something like `.../tag/value...` and returns value. Matches case insensitively if case insensitive is true. Returns the empty string if the tag is not found.
func (*ResourceID) FromID ¶
func (r *ResourceID) FromID(id string)
func (*ResourceID) MarshalJSON ¶
func (r *ResourceID) MarshalJSON() ([]byte, error)
func (*ResourceID) QueryString ¶
func (r *ResourceID) QueryString() (string, error)
func (*ResourceID) SetupEmpty ¶
func (r *ResourceID) SetupEmpty()
func (*ResourceID) UnmarshalJSON ¶
func (r *ResourceID) UnmarshalJSON(b []byte) error
type SQLDatabase ¶
// SQLDatabase is a single database on a SQLServer. Encrypted reports the
// database's encryption state and is BoolUnknown when Azure did not say.
type SQLDatabase struct {
	Meta       ResourceID
	DatabaseID string
	Encrypted  UnknownBool
}
func NewEmptySQLDatabase ¶
func NewEmptySQLDatabase() *SQLDatabase
func (*SQLDatabase) FromAzure ¶
func (db *SQLDatabase) FromAzure(az *armsql.Database)
func (*SQLDatabase) QueryString ¶
func (db *SQLDatabase) QueryString() string
type SQLServer ¶
// SQLServer holds all information for a Microsoft SQL server: administrator
// login name, endpoint, version, its firewall rules, its databases and the
// subnets it is attached to.
type SQLServer struct {
	Meta ResourceID
	// AdminUser is the administrator login name only; no credential is
	// collected.
	AdminUser string
	FQDN      string
	Version   string
	Firewall  FirewallRules
	Databases []*SQLDatabase
	Subnets   []ResourceID
}
SQLServer holds all information for a Microsoft SQL server
func NewEmptySQLServer ¶
func NewEmptySQLServer() *SQLServer
type SSHPublicKey ¶
SSHPublicKey contains the key itself as a string and the location on the VM
type SearchTarget ¶
// SearchTarget is a target available for searching through this package; see
// the Target* constants and Subscription.AddTarget.
type SearchTarget uint
SearchTarget is a target available for searching through this package
// The Target* constants enumerate what Subscription.SearchAllTargets can
// collect. They are iota values, so their numeric form is positional.
const (
	// TargetSearchUnset is present to make the zero value of a SearchTarget
	// indicate it wasn't set
	TargetSearchUnset SearchTarget = iota
	TargetStorageAccounts
	TargetNetwork
	TargetAppService
	TargetDataLakes
	TargetSQL
	TargetRedis
	TargetAPIs
	TargetKeyVaults
	TargetCosmosDBs
	TargetLoadBalancers
	TargetPostgres
)
type SecurityRule ¶
// SecurityRule represents a single rule in a NetworkSecurityGroup. Allows
// and Inbound give the rule's action and direction; Priority is the Azure
// priority (SecurityRules sorts by it). Source and destination are kept as
// IP and port collections so that firewall checks can match against them.
type SecurityRule struct {
	Name        string
	Allows      bool
	Inbound     bool
	Priority    int32
	Description string
	Protocol    SecurityRuleProtocol
	SourceIPs   IPCollection
	DestIPs     IPCollection
	SourcePorts PortCollection
	DestPorts   PortCollection
}
SecurityRule represents a single rule in a NetworkSecurityGroup
func (*SecurityRule) FromAzure ¶
func (s *SecurityRule) FromAzure(az *armnetwork.SecurityRule)
type SecurityRuleProtocol ¶
// SecurityRuleProtocol is the protocol of a security rule (and, through the
// alias, of a load balancer rule). ProtocolUnknown is the zero value so an
// unparsed protocol never reads as a real one; ProtocolAll is the wildcard.
type SecurityRuleProtocol int

const (
	ProtocolUnknown SecurityRuleProtocol = 0
	ProtocolAll     SecurityRuleProtocol = 1
	ProtocolTCP     SecurityRuleProtocol = 2
	ProtocolUDP     SecurityRuleProtocol = 3
)
func (*SecurityRuleProtocol) FromAzure ¶
func (it *SecurityRuleProtocol) FromAzure(az *azpkg.SecurityRuleProtocol)
func (SecurityRuleProtocol) IsAll ¶ added in v0.1.0
func (it SecurityRuleProtocol) IsAll() UnknownBool
func (SecurityRuleProtocol) IsKnown ¶ added in v0.1.0
func (it SecurityRuleProtocol) IsKnown() bool
func (SecurityRuleProtocol) IsTCP ¶ added in v0.1.0
func (it SecurityRuleProtocol) IsTCP() UnknownBool
func (SecurityRuleProtocol) IsUDP ¶ added in v0.1.0
func (it SecurityRuleProtocol) IsUDP() UnknownBool
func (SecurityRuleProtocol) IsUnknown ¶ added in v0.1.0
func (it SecurityRuleProtocol) IsUnknown() bool
func (*SecurityRuleProtocol) MarshalJSON ¶
func (p *SecurityRuleProtocol) MarshalJSON() ([]byte, error)
func (SecurityRuleProtocol) String ¶
func (p SecurityRuleProtocol) String() string
func (*SecurityRuleProtocol) UnmarshalJSON ¶
func (p *SecurityRuleProtocol) UnmarshalJSON(b []byte) error
type SecurityRules ¶
// SecurityRules is a sortable slice of SecurityRule; Len/Less/Swap implement
// sort.Interface. The ordering key is defined in Less, not shown here.
type SecurityRules []SecurityRule
func (SecurityRules) Len ¶
func (s SecurityRules) Len() int
func (SecurityRules) Less ¶
func (s SecurityRules) Less(i, j int) bool
func (SecurityRules) Swap ¶
func (s SecurityRules) Swap(i, j int)
type StorageAccount ¶
// StorageAccount contains the Container, Queue, and File types associated
// with the given account. It covers both classic and managed accounts;
// classic accounts (IsClassic) may carry less information since they have
// been deprecated by Azure for a long time.
type StorageAccount struct {
	Meta      ResourceID
	Kind      StorageAccountKind
	IsClassic bool
	// CustomDomain is the custom domain name, if any.
	CustomDomain string
	// Encryption records which services are encrypted at rest and the key
	// source.
	Encryption StorageEncryption
	// Transport settings: whether only HTTPS is accepted and the minimum TLS
	// version. Both are "unknown" zero values when Azure did not report them.
	HTTPSOnly     UnknownBool
	MinTLSVersion TLSVersion
	Containers    []Container
	// contains filtered or unexported fields
}
StorageAccount contains the Container, Queue, and File types associated with the given account.
This type is intended to contain information about both classical and managed storage accounts. Classical storage accounts may have less information and they've been deprecated by Azure for a LONG time.
func NewEmptyStorageAccount ¶ added in v0.1.0
func NewEmptyStorageAccount() *StorageAccount
func (*StorageAccount) FromAzure ¶
func (sa *StorageAccount) FromAzure(acc *armstorage.Account)
func (*StorageAccount) FromAzureClassic ¶
func (sa *StorageAccount) FromAzureClassic(acc *storageservice.StorageServiceResponse)
TODO: I don't think classic has any way to check for encryption, we might
need to use the more recent service for this?
type StorageAccountKind ¶ added in v0.1.0
// StorageAccountKind is the kind of a storage account as converted from the
// Azure enum by FromAzure. StorageAccountKindUnknown is the zero value.
type StorageAccountKind int

const (
	StorageAccountKindUnknown          StorageAccountKind = 0
	StorageAccountKindBlobStorage      StorageAccountKind = 1
	StorageAccountKindBlockBlobStorage StorageAccountKind = 2
	StorageAccountKindFileStorage      StorageAccountKind = 3
	StorageAccountKindStorage          StorageAccountKind = 4
	StorageAccountKindStorageV2        StorageAccountKind = 5
)
func (*StorageAccountKind) FromAzure ¶ added in v0.1.0
func (it *StorageAccountKind) FromAzure(az *azpkg.Kind)
func (StorageAccountKind) IsBlobStorage ¶ added in v0.1.0
func (it StorageAccountKind) IsBlobStorage() UnknownBool
func (StorageAccountKind) IsBlockBlobStorage ¶ added in v0.1.0
func (it StorageAccountKind) IsBlockBlobStorage() UnknownBool
func (StorageAccountKind) IsFileStorage ¶ added in v0.1.0
func (it StorageAccountKind) IsFileStorage() UnknownBool
func (StorageAccountKind) IsKnown ¶ added in v0.1.0
func (it StorageAccountKind) IsKnown() bool
func (StorageAccountKind) IsStorage ¶ added in v0.1.0
func (it StorageAccountKind) IsStorage() UnknownBool
func (StorageAccountKind) IsStorageV2 ¶ added in v0.1.0
func (it StorageAccountKind) IsStorageV2() UnknownBool
func (StorageAccountKind) IsUnknown ¶ added in v0.1.0
func (it StorageAccountKind) IsUnknown() bool
func (StorageAccountKind) String ¶ added in v0.1.0
func (it StorageAccountKind) String() string
type StorageEncryption ¶
// StorageEncryption specifies which services are encrypted in the storage
// account and where the key comes from (KeySource). Each service flag is an
// UnknownBool so a service Azure did not report stays BoolUnknown.
type StorageEncryption struct {
	KeySource StorageKeySource
	Queue     UnknownBool
	File      UnknownBool
	Blob      UnknownBool
	Table     UnknownBool
}
StorageEncryption specifies which services are encrypted in the storage account
func (*StorageEncryption) FromAzure ¶
func (se *StorageEncryption) FromAzure(enc *armstorage.Encryption)
type StorageKeySource ¶ added in v0.1.0
// StorageKeySource is where a storage account's encryption key is held:
// managed by the storage service itself or by a Key Vault.
// StorageKeySourceUnknown is the zero value.
type StorageKeySource int

const (
	StorageKeySourceUnknown  StorageKeySource = 0
	StorageKeySourceStorage  StorageKeySource = 1
	StorageKeySourceKeyVault StorageKeySource = 2
)
func (*StorageKeySource) FromAzure ¶ added in v0.1.0
func (it *StorageKeySource) FromAzure(az *azpkg.KeySource)
func (StorageKeySource) IsKeyVault ¶ added in v0.1.0
func (it StorageKeySource) IsKeyVault() UnknownBool
func (StorageKeySource) IsKnown ¶ added in v0.1.0
func (it StorageKeySource) IsKnown() bool
func (StorageKeySource) IsStorage ¶ added in v0.1.0
func (it StorageKeySource) IsStorage() UnknownBool
func (StorageKeySource) IsUnknown ¶ added in v0.1.0
func (it StorageKeySource) IsUnknown() bool
func (StorageKeySource) String ¶ added in v0.1.0
func (it StorageKeySource) String() string
type Subnet ¶
// Subnet is one subnet of a VirtualNetwork: its address range and references
// to the IP configurations placed in it.
type Subnet struct {
	Meta         ResourceID
	AddressRange string
	//VirtualNetwork string
	IPConfigurationRefs []ResourceID
}
func (*Subnet) FromAzure ¶
func (s *Subnet) FromAzure(as *armnetwork.Subnet)
type Subscription ¶
// Subscription is an entire Azure subscription and the entry point for the
// analysis. Do not instantiate it directly; use NewSubscription (or one of
// the NewSubscription*/SubscriptionFrom* functions) so the unexported state
// is set up. AuditDate records when the data was collected.
type Subscription struct {
	ID             string
	Alias          string
	ResourceGroups map[string]*ResourceGroup
	AuditDate      time.Time
	// ClassicStorageAccounts are only populated when a classic key was
	// provided via SetClassicKey.
	ClassicStorageAccounts []*StorageAccount
	// contains filtered or unexported fields
}
Subscription is an entire Azure subscription. This struct can be used as the entrypoint for the entire analysis.
Subscriptions should not be instantiated directly, use the NewSubscription function.
func BatchSubscriptionsFromEnv ¶
func BatchSubscriptionsFromEnv(pw []byte) ([]*Subscription, error)
BatchSubscriptionsFromEnv will use the EnvSubscriptionBatchFiles environment variable to load subscriptions into a slice. The passed password can be nil if the files are unencrypted or the password can be pulled from the environment.
func NewSubscription ¶
func NewSubscription(id string) Subscription
NewSubscription is used to create a Subscription that is ready to be used.
func NewSubscriptionFromID ¶
func NewSubscriptionFromID(id SubscriptionID) Subscription
NewSubscriptionFromID creates a usable new Subscription from a SubscriptionID.
func NewSubscriptionWithAlias ¶
func NewSubscriptionWithAlias(id, alias string) Subscription
NewSubscriptionWithAlias creates a usable new Subscription with an alias.
func SubscriptionFromEncryptedJSON ¶
func SubscriptionFromEncryptedJSON(pw []byte, r io.Reader) (*Subscription, error)
SubscriptionFromEncryptedJSON is the counterpart decryption function.
If pw is nil, this function reads the password from the KeyEnvironmentalVariableName environment variable instead.
func SubscriptionFromFile ¶
func SubscriptionFromFile(fname string) (sub *Subscription, err error)
SubscriptionFromFile will load a subscription from a file. This handles both encrypted and unencrypted files.
func SubscriptionFromFilePassword ¶
func SubscriptionFromFilePassword(fname string, pw []byte) (sub *Subscription, err error)
SubscriptionFromFilePassword will load a Subscription from the given encrypted JSON (must have the .enc extension)
func (*Subscription) AddTarget ¶
func (s *Subscription) AddTarget(tag SearchTarget) *Subscription
AddTarget sets the given SearchTarget to be searched.
func (*Subscription) Diff ¶
func (s *Subscription) Diff(o *Subscription) (*SubscriptionDiff, error)
Diff will diff two subscriptions
func (*Subscription) FromQueryString ¶
func (s *Subscription) FromQueryString(qs string, into interface{}) error
FromQueryString loads the item[s] identified by the query string into the passed interface.
`into` needs to be a pointer to the expected type. For instance, if `/SQLServers` is given, `into` needs to be `*[]*SQLServer`. Note that you are given the actual pointers, so modifying what you get modifies the Subscription as well.
Query strings are really just Go struct field selectors with a little more functionality. Everything starts on a ResourceGroup struct, so for VMs you'd start with `/VirtualMachines`, for example. You can add conditions onto a query string type by putting them in brackets `[]`. For example, to get all virtual machines that might allow password auth, you'd use `/VirtualMachines[.DisablePasswordAuth != BoolTrue]`. You can also specify this on sub resources. To get all Containers in the subscription with public read access you could use `/StorageAccounts/*/*/Containers[.Access == 3]`
This makes dealing with inzure data significantly easier, and the accompanying `inzure search` command can be used to access this interface.
func (*Subscription) GetAttackSurface ¶
func (s *Subscription) GetAttackSurface() AttackSurface
func (*Subscription) ReflectFromParsedQueryString ¶
func (s *Subscription) ReflectFromParsedQueryString(p *QueryString) (reflect.Value, error)
func (*Subscription) ReflectFromQueryString ¶
func (s *Subscription) ReflectFromQueryString(qs string) (reflect.Value, error)
func (*Subscription) SearchAllTargets ¶
func (s *Subscription) SearchAllTargets(ctx context.Context, ec chan<- error)
SearchAllTargets searches all targets that are set with the AddTarget method. The passed error channel is closed when this method is complete. If a classic key was given to this Subscription then this function also searches for classic items (StorageAccounts, VirtualMachines, NSGs, etc.).
The returned errors are not guaranteed to be AzureAPIError pointers.
Note: At the moment the passed context is only useful for Azure SDK methods and has no direct effect on this method.
func (*Subscription) SetClassicKey ¶
func (s *Subscription) SetClassicKey(key []byte)
SetClassicKey sets the key to use for classic accounts. If this is non-nil, classic accounts will also be searched.
func (*Subscription) SetProxy ¶ added in v0.1.0
func (s *Subscription) SetProxy(dialer proxy.Dialer)
func (*Subscription) SetQuiet ¶
func (s *Subscription) SetQuiet(quiet bool)
SetQuiet sets whether to log progress or not. Typically the SearchAllTargets method will give you some info that it is actually doing some work. To disable this use SetQuiet(true).
func (*Subscription) String ¶
func (s *Subscription) String() string
func (*Subscription) UnsetTarget ¶
func (s *Subscription) UnsetTarget(tag SearchTarget) *Subscription
UnsetTarget removes a SearchTarget
func (*Subscription) ValueFromQueryString ¶
func (s *Subscription) ValueFromQueryString(qs string, v reflect.Value) error
ValueFromQueryString is the same as FromQueryString except it accepts a reflect.Value
type SubscriptionDiff ¶
SubscriptionDiff holds the diff of two subscriptions as slices of inzure query strings.
type SubscriptionID ¶
SubscriptionID is just a combined UUID and optional Alias for a subscription. Aliases can be useful for human readable contexts.
func SubIDFromString ¶
func SubIDFromString(s string) SubscriptionID
SubIDFromString is a helper function for getting SubscriptionIDs from plain strings. This allows for optional aliasing with the `{UUID}={ALIAS}` syntax.
func SubIDsFromStrings ¶
func SubIDsFromStrings(ss []string) []SubscriptionID
SubIDsFromStrings just wraps SubIDFromString over multiple strings.
func SubscriptionIDsFromEnv ¶
func SubscriptionIDsFromEnv() ([]SubscriptionID, error)
SubscriptionIDsFromEnv will read the EnvSubscriptionFile and return a slice of SubscriptionIDs
type TLSVersion ¶
// TLSVersion is a minimum TLS version as reported for Redis, storage or web
// resources (see the FromAzure* methods). The constants are ascending, so a
// check can compare a reported minimum against TLSVersionOneTwo; but
// TLSVersionUnknown (0) sorts below every real version and must be handled
// separately rather than treated as "too low".
type TLSVersion int

const (
	TLSVersionUnknown TLSVersion = 0
	TLSVersionOneZero TLSVersion = 1
	TLSVersionOneOne  TLSVersion = 2
	TLSVersionOneTwo  TLSVersion = 3
)
func TLSVersionFromString ¶
func TLSVersionFromString(s string) TLSVersion
func (*TLSVersion) FromAzureRedis ¶
func (t *TLSVersion) FromAzureRedis(az *armredis.TLSVersion)
func (*TLSVersion) FromAzureStorage ¶ added in v0.1.0
func (t *TLSVersion) FromAzureStorage(az *armstorage.MinimumTLSVersion)
func (*TLSVersion) FromAzureWeb ¶
func (t *TLSVersion) FromAzureWeb(az *armappservice.SupportedTLSVersions)
func (TLSVersion) IsKnown ¶ added in v0.1.0
func (it TLSVersion) IsKnown() bool
func (TLSVersion) IsOneOne ¶ added in v0.1.0
func (it TLSVersion) IsOneOne() UnknownBool
func (TLSVersion) IsOneTwo ¶ added in v0.1.0
func (it TLSVersion) IsOneTwo() UnknownBool
func (TLSVersion) IsOneZero ¶ added in v0.1.0
func (it TLSVersion) IsOneZero() UnknownBool
func (TLSVersion) IsUnknown ¶ added in v0.1.0
func (it TLSVersion) IsUnknown() bool
func (TLSVersion) String ¶
func (t TLSVersion) String() string
type UnknownBool ¶
// UnknownBool is a true or false value that also includes an unknown or N/A
// state. In integer form: BoolUnknown == 0, BoolTrue == 1, BoolFalse == -1,
// BoolNotApplicable == -2. The zero value is therefore "unknown", so a field
// that was never filled never reads as a definite answer. Use the True(),
// False(), Known() etc. helpers rather than comparing directly.
type UnknownBool int8
UnknownBool is a true or false value that also includes an unknown or N/A state.
In integer forms these are:
- BoolUnknown == 0
- BoolTrue == 1
- BoolFalse == -1
- BoolNotApplicable == -2
There are some convenience methods defined on this type to make it easier to use in if statements directly, ie use `val.True()` where you'd just use `val` for a normal bool.
func IPContains ¶
func IPContains(in AzureIPv4, find AzureIPv4) UnknownBool
IPContains is a convenience wrapper around checking for an IP containing another one using only the known methods.
func IPInList ¶
func IPInList(chk AzureIPv4, list []AzureIPv4) UnknownBool
func IPsEqual ¶
func IPsEqual(a AzureIPv4, b AzureIPv4) UnknownBool
IPsEqual compares two AzureIPv4 types. If the IPs are very large noncontinuous ranges this function will actually take a fairly long time since it doesn't want to allocate large slices.
func UnknownFromBool ¶
func UnknownFromBool(b bool) UnknownBool
UnknownFromBool is a convenience function for turning a bool into an UnknownBool.
func (UnknownBool) Applicable ¶
func (ub UnknownBool) Applicable() bool
Applicable returns true if the UnknownBool is anything other than NotApplicable
func (UnknownBool) False ¶
func (ub UnknownBool) False() bool
False returns true if the UnknownBool is BoolFalse
func (UnknownBool) FalseOrUnknown ¶ added in v0.1.0
func (ub UnknownBool) FalseOrUnknown() bool
func (*UnknownBool) FromBool ¶
func (ub *UnknownBool) FromBool(b bool)
FromBool loads a bool into an UnknownBool
func (*UnknownBool) FromBoolPtr ¶
func (ub *UnknownBool) FromBoolPtr(b *bool)
FromBoolPtr creates an UnknownBool from the 3 potential states of the pointer:
- p == nil -> BoolUnknown
- *p == true -> BoolTrue
- *p == false -> BoolFalse
func (*UnknownBool) FromStringPtrEq ¶ added in v0.1.0
func (ub *UnknownBool) FromStringPtrEq(lhs string, rhs *string)
func (UnknownBool) Known ¶
func (ub UnknownBool) Known() bool
Known returns true if the UnknownBool is anything other than Unknown
func (UnknownBool) NA ¶
func (ub UnknownBool) NA() bool
NA returns true if the UnknownBool is BoolNotApplicable
func (UnknownBool) String ¶
func (ub UnknownBool) String() string
func (UnknownBool) True ¶
func (ub UnknownBool) True() bool
True returns true if the UnknownBool is BoolTrue
func (UnknownBool) TrueOrUnknown ¶ added in v0.1.0
func (ub UnknownBool) TrueOrUnknown() bool
func (UnknownBool) Unknown ¶
func (ub UnknownBool) Unknown() bool
Unknown returns true if the UnknownBool is BoolUnknown
type VMDisk ¶
// VMDisk contains the name and encryption information for a VM disk.
type VMDisk struct {
	Name               string
	EncryptionSettings []DiskEncryption
}
VMDisk contains the name and encryption information for the disk
func NewEmptyVMDisk ¶
func NewEmptyVMDisk() VMDisk
type VirtualMachine ¶
// VirtualMachine holds the data for a given Virtual Machine. It is intended
// to collect information about both new and classic VMs (IsClassic).
type VirtualMachine struct {
	Meta         ResourceID
	ComputerName string
	IsClassic    bool
	// AdminUser is the administrator login name only; no credential is
	// collected.
	AdminUser string
	// DisablePasswordAuth is BoolUnknown when Azure did not report it, which
	// the query string example in FromQueryString's doc treats as "might
	// allow password auth".
	DisablePasswordAuth UnknownBool
	SSHKeys             []SSHPublicKey
	AutomaticUpdates    UnknownBool
	WindowsRMListeners  []WindowsRMListener
	NetworkInterfaces   []NetworkInterface
	PrimaryNetworkInterface ResourceID
	OsName    string
	OsVersion string
	// CustomData is the VM's custom data field as returned by Azure; it may
	// contain bootstrap material, so a serialized subscription carries it too.
	CustomData string
	OsType     OsType
	Disks      []VMDisk
}
VirtualMachine holds the data for a given Virtual Machine. Note that this type is intended to collect information about both new and classic VMs.
func NewEmptyVirtualMachine ¶
func NewEmptyVirtualMachine() *VirtualMachine
func (*VirtualMachine) FromAzure ¶
func (vm *VirtualMachine) FromAzure(az *armcompute.VirtualMachine)
type VirtualNetwork ¶
type VirtualNetwork struct { Meta ResourceID AddressSpaces IPCollection VMProtectionEnabled UnknownBool DDoSProtectionEnabled UnknownBool Subnets []Subnet }
A VirtualNetwork holds the networking information gathered for a single virtual network in the subscription: its address spaces, its subnets, and whether VM protection and DDoS protection are enabled.
func NewEmptyVirtualNetwork ¶
func NewEmptyVirtualNetwork() *VirtualNetwork
func (*VirtualNetwork) FromAzure ¶
func (v *VirtualNetwork) FromAzure(az *armnetwork.VirtualNetwork)
func (*VirtualNetwork) UnmarshalJSON ¶
func (v *VirtualNetwork) UnmarshalJSON(b []byte) error
UnmarshalJSON is used to deal with AzureIPv4s
type WebApp ¶
type WebApp struct { Meta ResourceID Slot string Enabled UnknownBool RemoteDebuggingEnabled UnknownBool HasLocalSQL UnknownBool RemoteDebuggingVersion string FTPState FTPState HTTPLogging UnknownBool HostnamesDisabled UnknownBool HTTP2Enabled UnknownBool HTTPSOnly UnknownBool MinTLSVersion TLSVersion SCMMinTLSVersion TLSVersion Language WebAppLanguage CommandLine string VirtualNetworkName string APIDefinitionURL string UsesLocalSQL UnknownBool DocumentRoot string DefaultHostname string ClientCertEnabled UnknownBool ClientCertMode WebAppClientCertMode ClientCertExclusionPaths []string OutboundIPAddresses IPCollection HandlerMappings []WebAppHandlerMapping EnabledHosts []WebHost Functions []Function Firewall WebAppIPFirewall SCMFirewall WebAppIPFirewall }
WebApp holds all of the required information for an Azure managed web app, including the settings most relevant to an assessment (HTTPS-only, minimum TLS versions, FTP state, remote debugging, client certificate handling, and the IP firewalls for the app and its SCM/Kudu endpoint).
func NewEmptyWebApp ¶
func NewEmptyWebApp() *WebApp
func (*WebApp) FromAzure ¶
func (w *WebApp) FromAzure(aw *armappservice.Site)
type WebAppClientCertMode ¶ added in v0.1.0
type WebAppClientCertMode int
const ( WebAppClientCertModeUnknown WebAppClientCertMode = 0 WebAppClientCertModeRequired WebAppClientCertMode = 1 WebAppClientCertModeOptional WebAppClientCertMode = 2 WebAppClientCertModeOptionalInteractiveUser WebAppClientCertMode = 3 )
func (*WebAppClientCertMode) FromAzure ¶ added in v0.1.0
func (it *WebAppClientCertMode) FromAzure(az *azpkg.ClientCertMode)
func (WebAppClientCertMode) IsKnown ¶ added in v0.1.0
func (it WebAppClientCertMode) IsKnown() bool
func (WebAppClientCertMode) IsOptional ¶ added in v0.1.0
func (it WebAppClientCertMode) IsOptional() UnknownBool
func (WebAppClientCertMode) IsOptionalInteractiveUser ¶ added in v0.1.0
func (it WebAppClientCertMode) IsOptionalInteractiveUser() UnknownBool
func (WebAppClientCertMode) IsRequired ¶ added in v0.1.0
func (it WebAppClientCertMode) IsRequired() UnknownBool
func (WebAppClientCertMode) IsUnknown ¶ added in v0.1.0
func (it WebAppClientCertMode) IsUnknown() bool
func (WebAppClientCertMode) String ¶ added in v0.1.0
func (it WebAppClientCertMode) String() string
type WebAppHandlerMapping ¶ added in v0.1.0
func (*WebAppHandlerMapping) FromAzure ¶ added in v0.1.0
func (m *WebAppHandlerMapping) FromAzure(az *armappservice.HandlerMapping)
type WebAppIPFirewall ¶
type WebAppIPFirewall []WebAppIPRestriction
WebAppIPFirewall is a collection of WebAppIPRestrictions that fulfills the Firewall interface.
func (WebAppIPFirewall) AllowsIP ¶
func (waf WebAppIPFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)
AllowsIP in this case needs to take rule priority into account. This means that every rule has to be searched before a valid decision can be made, rather than stopping at the first match. If any uncertainty is discovered in this process (for example a rule whose address could not be parsed), it is returned as Unknown immediately instead of being guessed at.
The returned []PacketRoute is not too helpful in this instance either, since it will just be a single */* element. This is a little deceptive because in reality this firewall is only protecting a single web app, which usually has a well-defined IP space.
TODO: Maybe the Web App IP space can actually be put into the firewall here
func (WebAppIPFirewall) AllowsIPString ¶
func (waf WebAppIPFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)
func (WebAppIPFirewall) AllowsIPToPort ¶
func (waf WebAppIPFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)
AllowsIPToPort in this case is just AllowsIP, because Web App IP restrictions carry no port specification; the port argument is ignored.
func (WebAppIPFirewall) AllowsIPToPortString ¶
func (waf WebAppIPFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)
func (WebAppIPFirewall) Len ¶
func (s WebAppIPFirewall) Len() int
func (WebAppIPFirewall) Less ¶
func (s WebAppIPFirewall) Less(i, j int) bool
func (WebAppIPFirewall) RespectsAllowlist ¶ added in v0.1.0
func (waf WebAppIPFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)
func (WebAppIPFirewall) Swap ¶
func (s WebAppIPFirewall) Swap(i, j int)
type WebAppIPRestriction ¶
type WebAppIPRestriction struct { FirewallRule Priority int32 Allow UnknownBool }
func (*WebAppIPRestriction) FromAzure ¶
func (ipr *WebAppIPRestriction) FromAzure(az *armappservice.IPSecurityRestriction)
func (*WebAppIPRestriction) UnmarshalJSON ¶
func (ipr *WebAppIPRestriction) UnmarshalJSON(b []byte) error
type WebAppLanguage ¶
type WebAppLanguage struct { Language AppLanguage Version string }
WebAppLanguage defines the language and version the web application backend is using.
func (*WebAppLanguage) FromAzureSiteConfig ¶
func (w *WebAppLanguage) FromAzureSiteConfig(az *armappservice.SiteConfig)
A few caveats on this:
- A Python app could not be created for verification, so Python detection is untested
- The SiteConfig struct doesn't mention Ruby at all, so Ruby apps cannot be identified from it
func (WebAppLanguage) String ¶
func (w WebAppLanguage) String() string
type WebHost ¶
type WebHost struct { Name string SSLEnabled UnknownBool }
WebHost is a hostname bound to a web app along with its SSL status.
type WindowsRMListener ¶
type WindowsRMListener struct { IsHTTPS UnknownBool CertificateURL string }
WindowsRMListener is a WinRM listener configured on a Windows VM; IsHTTPS records whether the listener uses HTTPS and CertificateURL the certificate it was configured with.
Source Files ¶
- api.go
- attack_surface.go
- azureapi.go
- azureresourcetag_string.go
- bytebuffer.go
- cosmosdb.go
- crypt.go
- datalake.go
- diff.go
- doc.go
- enum_apiservice_vnet_type.go
- enum_apiuser_activation_state.go
- enum_app_language.go
- enum_container_permission.go
- enum_file_share_protocol.go
- enum_ftpstate.go
- enum_os_type.go
- enum_security_rule_protocol.go
- enum_storage_account_kind.go
- enum_storage_key_source.go
- enum_tlsversion.go
- enum_web_app_client_cert_mode.go
- env.go
- error.go
- file_helpers.go
- firewall.go
- firewallrule.go
- ips.go
- keyvault.go
- line_reader.go
- load_balancers.go
- network.go
- ports.go
- postgres.go
- qs.y
- qs_comparisons.go
- qs_conditions.go
- qs_enums.go
- qs_lexer.go
- qs_selector.go
- query_string.go
- redis.go
- reflect_utils.go
- resourcegroup.go
- resourceid.go
- sql.go
- storageaccount.go
- subscription.go
- subscription_query_strings.go
- tls_version.go
- unknownbool.go
- utils.go
- version.go
- virtualmachine.go
- webapps.go