traversals moved to common cue (#1067)

* traversals moved to common cue * remove contains from azure.InboundOutboundRelationshipKinds
SpecterOps · Jan 14, 2025 · 9b9f80c · 9b9f80c
1 parent 8d5bd4e
commit 9b9f80c
Show file tree

Hide file tree

Showing 11 changed files with 132 additions and 28 deletions.
diff --git a/packages/cue/bh/ad/ad.cue b/packages/cue/bh/ad/ad.cue
@@ -16,14 +16,19 @@
 
 package ad
 
-import "pkg.specterops.io/schemas/bh/types:types"
+import (
+	"list"
+	"pkg.specterops.io/schemas/bh/types:types"
+)
 
 // Exported requirements
 Properties: [...types.#StringEnum]
 NodeKinds: [...types.#Kind]
 RelationshipKinds: [...types.#Kind]
 ACLRelationships: [...types.#Kind]
 PathfindingRelationships: [...types.#Kind]
+InboundRelationshipKinds: [...types.#Kind]
+OutboundRelationshipKinds: [...types.#Kind] 
 EdgeCompositionRelationships: [...types.#Kind]
 
 // Property name enumerations
@@ -1412,8 +1417,8 @@ ACLRelationships: [
 	WritePKINameFlag,
 ]
 
-// Edges that are used in pathfinding
-PathfindingRelationships: [
+// these edges are common to inbound/outbound/pathfinding
+SharedRelationshipKinds: [
 	Owns,
 	GenericAll,
 	GenericWrite,
@@ -1424,11 +1429,9 @@ PathfindingRelationships: [
 	AllExtendedRights,
 	AddMember,
 	HasSession,
-	Contains,
 	GPLink,
 	AllowedToDelegate,
 	CoerceToTGT,
-	TrustedBy,
 	AllowedToAct,
 	AdminTo,
 	CanPSRemote,
@@ -1458,11 +1461,19 @@ PathfindingRelationships: [
 	ADCSESC10a,
 	ADCSESC10b,
 	ADCSESC13,
-	DCFor,
 	SyncedToEntraUser,
 	CoerceAndRelayNTLMToSMB,
 ]
 
+// Edges that are used during inbound traversal
+InboundRelationshipKinds: list.Concat([SharedRelationshipKinds,[Contains]])
+
+// Edges that are used during outbound traversal
+OutboundRelationshipKinds: list.Concat([SharedRelationshipKinds,[Contains, DCFor]])
+
+// Edges that are used in pathfinding
+PathfindingRelationships: list.Concat([SharedRelationshipKinds,[Contains, DCFor, TrustedBy]])
+
 EdgeCompositionRelationships: [
 	GoldenCert,
 	ADCSESC1,

diff --git a/packages/cue/bh/azure/azure.cue b/packages/cue/bh/azure/azure.cue
@@ -16,7 +16,10 @@
 
 package azure
 
-import "pkg.specterops.io/schemas/bh/types:types"
+import (
+	"list"
+	"pkg.specterops.io/schemas/bh/types:types"
+)
 
 // Exported requirements
 Properties: [...types.#StringEnum]
@@ -27,6 +30,7 @@ AbusableAppRoleRelationshipKinds: [... types.#Kind]
 ControlRelationshipKinds: [...types.#Kind]
 ExecutionPrivilegeKinds: [...types.#Kind]
 PathfindingRelationships: [...types.#Kind]
+InboundOutboundRelationshipKinds: [...types.#Kind]
 
 // Property name enumerations
 AppOwnerOrganizationID: types.#StringEnum & {
@@ -831,9 +835,9 @@ ExecutionPrivilegeKinds: [
 	ExecuteCommand,
 ]
 
-PathfindingRelationships: [
+// Edges that are used during inbound and outbound traversals
+InboundOutboundRelationshipKinds: [
 	AvereContributor,
-	Contains,
 	Contributor,
 	GetCertificates,
 	GetKeys,
@@ -872,3 +876,5 @@ PathfindingRelationships: [
 	AZMGGrantRole,
 	SyncedToADUser,
 ]
+
+PathfindingRelationships: list.Concat([InboundOutboundRelationshipKinds, [Contains]])
diff --git a/packages/cue/bh/bh.cue b/packages/cue/bh/bh.cue
@@ -28,6 +28,8 @@ import (
 	Properties: [...types.#StringEnum]
 	NodeKinds: [...types.#Kind]
 	RelationshipKinds: [...types.#Kind]
+	InboundRelationshipKinds: [...types.#Kind]
+	OutboundRelationshipKinds: [...types.#Kind]
 }
 
 #Azure: {
@@ -39,6 +41,7 @@ import (
 	ControlRelationshipKinds: [...types.#Kind]
 	ExecutionPrivilegeKinds: [...types.#Kind]
 	PathfindingRelationships: [...types.#Kind]
+	InboundOutboundRelationshipKinds: [...types.#Kind]
 }
 
 #ActiveDirectory: {
@@ -47,6 +50,8 @@ import (
 	RelationshipKinds: [...types.#Kind]
 	ACLRelationships: [...types.#Kind]
 	PathfindingRelationships: [...types.#Kind]
+	InboundRelationshipKinds: [...types.#Kind]
+	OutboundRelationshipKinds: [...types.#Kind]
 	EdgeCompositionRelationships: [...types.#Kind]
 }
 
@@ -55,6 +60,8 @@ Common: #Common & {
 	Properties:        common.Properties
 	NodeKinds:         common.NodeKinds
 	RelationshipKinds: common.RelationshipKinds
+	InboundRelationshipKinds: common.InboundRelationshipKinds
+	OutboundRelationshipKinds: common.OutboundRelationshipKinds
 }
 
 Azure: #Azure & {
@@ -66,6 +73,7 @@ Azure: #Azure & {
 	ControlRelationshipKinds:         azure.ControlRelationshipKinds
 	ExecutionPrivilegeKinds:          azure.ExecutionPrivilegeKinds
 	PathfindingRelationships:         azure.PathfindingRelationships
+	InboundOutboundRelationshipKinds: azure.InboundOutboundRelationshipKinds
 }
 
 ActiveDirectory: #ActiveDirectory & {
@@ -74,6 +82,7 @@ ActiveDirectory: #ActiveDirectory & {
 	RelationshipKinds:        		ad.RelationshipKinds
 	ACLRelationships:         		ad.ACLRelationships
 	PathfindingRelationships: 		ad.PathfindingRelationships
+	InboundRelationshipKinds:		ad.InboundRelationshipKinds
+	OutboundRelationshipKinds:		ad.OutboundRelationshipKinds
 	EdgeCompositionRelationships: 	ad.EdgeCompositionRelationships
-
 }
diff --git a/packages/cue/bh/common/common.cue b/packages/cue/bh/common/common.cue
@@ -16,12 +16,19 @@
 
 package common
 
-import "pkg.specterops.io/schemas/bh/types:types"
+import (
+	"pkg.specterops.io/schemas/bh/types:types"
+	"pkg.specterops.io/schemas/bh/ad:ad"
+	"pkg.specterops.io/schemas/bh/azure:azure"
+	"list"
+)
 
 // Exported requirements
 Properties: [...types.#StringEnum]
 NodeKinds: [...types.#Kind]
 RelationshipKinds: [...types.#Kind]
+InboundRelationshipKinds: [...types.#Kind]
+OutboundRelationshipKinds: [...types.#Kind]
 
 // Property name enumerations
 ObjectID: types.#StringEnum & {
@@ -168,3 +175,6 @@ NodeKinds: [
 
 RelationshipKinds: [
 ]
+
+InboundRelationshipKinds: list.Concat([ad.InboundRelationshipKinds, azure.InboundOutboundRelationshipKinds])
+OutboundRelationshipKinds: list.Concat([ad.OutboundRelationshipKinds, azure.InboundOutboundRelationshipKinds])
diff --git a/packages/go/graphschema/ad/ad.go b/packages/go/graphschema/ad/ad.go
diff --git a/packages/go/graphschema/azure/azure.go b/packages/go/graphschema/azure/azure.go
diff --git a/packages/go/graphschema/common/common.go b/packages/go/graphschema/common/common.go
diff --git a/packages/go/graphschema/graph.go b/packages/go/graphschema/graph.go
diff --git a/packages/go/schemagen/generator/golang.go b/packages/go/schemagen/generator/golang.go
@@ -25,9 +25,11 @@ import (
 )
 
 const (
-	GraphPackageName  = "github.com/specterops/bloodhound/dawgs/graph"
-	SchemaPackageName = "github.com/specterops/bloodhound/graphschema"
-	SchemaSourceName  = "github.com/specterops/bloodhound/-/tree/main/packages/cue/schemas"
+	GraphPackageName       = "github.com/specterops/bloodhound/dawgs/graph"
+	SchemaPackageName      = "github.com/specterops/bloodhound/graphschema"
+	ADSchemaPackageName    = "github.com/specterops/bloodhound/graphschema/ad"
+	AzureSchemaPackageName = "github.com/specterops/bloodhound/graphschema/azure"
+	SchemaSourceName       = "github.com/specterops/bloodhound/-/tree/main/packages/cue/schemas"
 )
 
 func WriteGolangKindDefinitions(root *jen.File, values []model.StringEnum) {
@@ -308,6 +310,34 @@ func GenerateGolangGraphModel(pkgName, dir string, graphSchema model.Graph) (*je
 		),
 	)
 
+	root.Func().Id("InboundRelationshipKinds").Params().Index().Qual(GraphPackageName, "Kind").Block(
+		jen.Return(
+			jen.Index().Qual(GraphPackageName, "Kind").ValuesFunc(func(group *jen.Group) {
+				for _, relKind := range graphSchema.InboundRelationshipKinds {
+					if relKind.Schema == "active_directory" {
+						group.Qual(ADSchemaPackageName, "").Id(relKind.Symbol)
+					} else if relKind.Schema == "azure" {
+						group.Qual(AzureSchemaPackageName, "").Id(relKind.Symbol)
+					}
+				}
+			}),
+		),
+	)
+
+	root.Func().Id("OutboundRelationshipKinds").Params().Index().Qual(GraphPackageName, "Kind").Block(
+		jen.Return(
+			jen.Index().Qual(GraphPackageName, "Kind").ValuesFunc(func(group *jen.Group) {
+				for _, relKind := range graphSchema.OutboundRelationshipKinds {
+					if relKind.Schema == "active_directory" {
+						group.Qual(ADSchemaPackageName, "").Id(relKind.Symbol)
+					} else if relKind.Schema == "azure" {
+						group.Qual(AzureSchemaPackageName, "").Id(relKind.Symbol)
+					}
+				}
+			}),
+		),
+	)
+
 	return root, filepath.Join(dir, pkgName+".go")
 }
 
@@ -362,6 +392,26 @@ func GenerateGolangActiveDirectory(pkgName, dir string, adSchema model.ActiveDir
 		),
 	)
 
+	root.Func().Id("InboundRelationshipKinds").Params().Index().Qual(GraphPackageName, "Kind").Block(
+		jen.Return(
+			jen.Index().Qual(GraphPackageName, "Kind").ValuesFunc(func(group *jen.Group) {
+				for _, pathRelationship := range adSchema.InboundRelationshipKinds {
+					group.Id(pathRelationship.Symbol)
+				}
+			}),
+		),
+	)
+
+	root.Func().Id("OutboundRelationshipKinds").Params().Index().Qual(GraphPackageName, "Kind").Block(
+		jen.Return(
+			jen.Index().Qual(GraphPackageName, "Kind").ValuesFunc(func(group *jen.Group) {
+				for _, pathRelationship := range adSchema.OutboundRelationshipKinds {
+					group.Id(pathRelationship.Symbol)
+				}
+			}),
+		),
+	)
+
 	root.Func().
 		Id("IsACLKind").
 		Params(jen.Id("s").Qual(GraphPackageName, "Kind")).

diff --git a/packages/go/schemagen/model/schema.go b/packages/go/schemagen/model/schema.go
@@ -40,9 +40,11 @@ func (s StringEnum) GetName() string {
 }
 
 type Graph struct {
-	Properties        []StringEnum
-	NodeKinds         []StringEnum
-	RelationshipKinds []StringEnum
+	Properties                []StringEnum
+	NodeKinds                 []StringEnum
+	RelationshipKinds         []StringEnum
+	InboundRelationshipKinds  []StringEnum
+	OutboundRelationshipKinds []StringEnum
 }
 
 type Azure struct {
@@ -62,5 +64,7 @@ type ActiveDirectory struct {
 	RelationshipKinds            []StringEnum
 	ACLRelationships             []StringEnum
 	PathfindingRelationships     []StringEnum
+	InboundRelationshipKinds     []StringEnum
+	OutboundRelationshipKinds    []StringEnum
 	EdgeCompositionRelationships []StringEnum
 }