inzure

package module
Published: Sep 28, 2022 License: GPL-3.0 Imports: 50 Imported by: 0

Documentation

Overview

Package inzure provides the tools for an automated assessment of Azure subscriptions.

This package does not implement any tests! It only gathers data and defines data structures; the tests need to be built on top of those tools.

If you are editing the generated .go source file, note that it will be overwritten the next time the code is generated — make sure you are editing qs.y instead.

Index

Constants

const (
	// PBKDF2Rounds is the default number of PBKDF2 iterations. It can be
	// raised (but never lowered) through the environment variable named by
	// RoundsEnvironmentalVariableName. NOTE(review): 10000 is well below
	// current guidance for PBKDF2 work factors; in practice set the override.
	PBKDF2Rounds int = 10000

	// RoundsEnvironmentalVariableName is the name of the environment variable
	// that can be set to override the default PBKDF2Rounds. If the value is
	// not greater than the default, the default is used.
	RoundsEnvironmentalVariableName = "INZURE_PBKDF2_ROUNDS"
	// KeyEnvironmentalVariableName is the environment variable read for the
	// user's encryption/decryption password when none is passed explicitly.
	// Anything in the environment is readable by other processes of the same
	// user and easily leaks into shell history, crash dumps and CI logs, so
	// prefer passing the password directly where possible.
	KeyEnvironmentalVariableName = "INZURE_ENCRYPT_PASSWORD"
	// EncryptedFileExtension is the extension that should be appended to a
	// file encrypted by this package. If an input file carries this extension
	// it is reasonable to assume it is encrypted and that the environment
	// variable named by KeyEnvironmentalVariableName is set.
	EncryptedFileExtension = ".enc"
)
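// KeyVaultKeysPermission flags. Each constant is a single bit assigned in
// declaration order (Backup = 1<<0 ... WrapKey = 1<<15), so a set of key
// permissions is the bitwise OR of these values. The implicit-repetition form
// keeps every constant typed as KeyVaultKeysPermission; repeating
// `= 1 << iota` on the lines after the first would leave those constants as
// untyped ints that do not carry the flag type.
const (
	KeyVaultKeyPermissionsBackup KeyVaultKeysPermission = 1 << iota
	KeyVaultKeyPermissionsCreate
	KeyVaultKeyPermissionsDecrypt
	KeyVaultKeyPermissionsDelete
	KeyVaultKeyPermissionsEncrypt
	KeyVaultKeyPermissionsGet
	KeyVaultKeyPermissionsImport
	KeyVaultKeyPermissionsList
	KeyVaultKeyPermissionsPurge
	KeyVaultKeyPermissionsRecover
	KeyVaultKeyPermissionsRestore
	KeyVaultKeyPermissionsSign
	KeyVaultKeyPermissionsUnwrapKey
	KeyVaultKeyPermissionsUpdate
	KeyVaultKeyPermissionsVerify
	KeyVaultKeyPermissionsWrapKey
)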
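// KeyVaultSecretsPermission flags. Each constant is a single bit assigned in
// declaration order (Backup = 1<<0 ... Set = 1<<7), so a set of secret
// permissions is the bitwise OR of these values. The implicit-repetition form
// keeps every constant typed as KeyVaultSecretsPermission; repeating
// `= 1 << iota` on the lines after the first would leave those constants as
// untyped ints that do not carry the flag type.
const (
	KeyVaultSecretPermissionsBackup KeyVaultSecretsPermission = 1 << iota
	KeyVaultSecretPermissionsDelete
	KeyVaultSecretPermissionsGet
	KeyVaultSecretPermissionsList
	KeyVaultSecretPermissionsPurge
	KeyVaultSecretPermissionsRecover
	KeyVaultSecretPermissionsRestore
	KeyVaultSecretPermissionsSet
)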
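// KeyVaultCertificatesPermission flags. Each constant is a single bit
// assigned in declaration order (Backup = 1<<0 ... Update = 1<<15), so a set
// of certificate permissions is the bitwise OR of these values. The
// implicit-repetition form keeps every constant typed as
// KeyVaultCertificatesPermission; repeating `= 1 << iota` on the lines after
// the first would leave those constants as untyped ints.
const (
	KeyVaultCertificateBackup KeyVaultCertificatesPermission = 1 << iota
	KeyVaultCertificateCreate
	KeyVaultCertificateDelete
	KeyVaultCertificateDeleteissuers
	KeyVaultCertificateGet
	KeyVaultCertificateGetissuers
	KeyVaultCertificateImport
	KeyVaultCertificateList
	KeyVaultCertificateListissuers
	KeyVaultCertificateManagecontacts
	KeyVaultCertificateManageissuers
	KeyVaultCertificatePurge
	KeyVaultCertificateRecover
	KeyVaultCertificateRestore
	KeyVaultCertificateSetissuers
	KeyVaultCertificateUpdate
)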
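// KeyVaultStoragePermission flags. Each constant is a single bit assigned in
// declaration order (Backup = 1<<0 ... Update = 1<<13), so a set of storage
// permissions is the bitwise OR of these values. The implicit-repetition form
// keeps every constant typed as KeyVaultStoragePermission; repeating
// `= 1 << iota` on the lines after the first would leave those constants as
// untyped ints that do not carry the flag type.
const (
	KeyVaultStoragePermissionBackup KeyVaultStoragePermission = 1 << iota
	KeyVaultStoragePermissionDelete
	KeyVaultStoragePermissionDeletesas
	KeyVaultStoragePermissionGet
	KeyVaultStoragePermissionGetsas
	KeyVaultStoragePermissionList
	KeyVaultStoragePermissionListsas
	KeyVaultStoragePermissionPurge
	KeyVaultStoragePermissionRecover
	KeyVaultStoragePermissionRegeneratekey
	KeyVaultStoragePermissionRestore
	KeyVaultStoragePermissionSet
	KeyVaultStoragePermissionSetsas
	KeyVaultStoragePermissionUpdate
)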
const (
	// TargetSearchUnsetString is the string value for TargetSearchUnset
	TargetSearchUnsetString = "TargetSearchUnset"
	// The remaining values are the short names of the resource classes that
	// can be selected as collection targets (presumably the keys of
	// AvailableTargets). They are exposed to users, so treat them as stable.
	TargetStorageAccountsString = "storage"
	TargetNetworkString         = "network"
	TargetAppServiceString      = "apps"
	TargetDataLakesString       = "datalakes"
	TargetSQLString             = "sql"
	TargetRedisString           = "redis"
	TargetAPIsString            = "apis"
	TargetKeyVaultsString       = "keyvaults"
	TargetCosmosDBsString       = "cosmosdbs"
	TargetLoadBalancersString   = "loadbalancers"
	TargetPostgresString        = "postgres"
)
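// UnknownBool values. Every constant is explicitly typed so that they cannot
// be silently mixed with plain ints; a bare `= 1` after a typed first entry
// would otherwise make the later constants untyped.
const (
	// BoolUnknown is a "boolean" parameter whose actual state was never
	// determined. It is the zero value and therefore the default for an
	// UnknownBool, which means an unset field reads as "unknown" rather than
	// silently as false.
	BoolUnknown UnknownBool = 0
	// BoolTrue means the parameter was positively determined to be true.
	BoolTrue UnknownBool = 1
	// BoolFalse means the parameter was positively determined to be false.
	BoolFalse UnknownBool = -1
	// BoolNotApplicable is for when the parameter is not applicable to the
	// specific instance. In some cases we need this state because resources
	// can have other configuration options that make a different
	// configuration option not applicable anymore.
	BoolNotApplicable UnknownBool = -2
)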
// AND is a parser token identifier, apparently emitted by goyacc from qs.y
// (the numbering starts at goyacc's default token base); do not edit by hand.
const AND = 57347
// BOOL is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const BOOL = 57350
// CBRA is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const CBRA = 57355
// CHARS is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const CHARS = 57351
// CPAR is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const CPAR = 57353
// FIELD is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const FIELD = 57349
// LibVersion is the current inzure library version as a string.
// NOTE(review): this does not match the module's published tag (v0.1.0);
// keep the two in sync or document which one consumers should rely on.
const LibVersion = "1.0.0"

LibVersion is the current inzure library version as a string

// NUMBER is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const NUMBER = 57354
// OBRA is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const OBRA = 57356
// OP is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const OP = 57346
// OPAR is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const OPAR = 57352
// OR is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const OR = 57348
// STR is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const STR = 57357
// UNKNOWN_BOOL is a goyacc-generated parser token identifier (see qs.y); do not edit by hand.
const UNKNOWN_BOOL = 57358

Variables

var (
	// EnvSubscriptionJSON names an environment variable that can hold a
	// single filename referring to an inzure JSON file (possibly encrypted;
	// see EncryptedFileExtension).
	EnvSubscriptionJSON = "INZURE_JSON_FILE"
	// EnvSubscription names an environment variable that can hold a single
	// inzure subscription UUID and optional alias. To specify an alias, put
	// an = after the UUID (UUID=alias).
	EnvSubscription = "INZURE_SUBSCRIPTION"
	// EnvSubscriptionFile names an environment variable that can hold a
	// file containing a newline separated list of subscription UUIDs and
	// optional aliases.
	EnvSubscriptionFile = "INZURE_SUBSCRIPTION_FILE"

	// EnvSubscriptionBatchFiles names an environment variable holding a list
	// of files to use when multiple subscriptions are possible. Use the
	// associated BatchSubscriptionsFromEnv or BatchSubscriptionsFromEnvChan
	// functions to get these subscriptions.
	//
	// NOTE(review): these names are declared with var rather than const, so
	// any importer can reassign them at runtime; const would be safer unless
	// something relies on overriding them.
	EnvSubscriptionBatchFiles = "INZURE_SUBSCRIPTION_BATCH_FILES"
)

AvailableTargets is a map containing all available targets for easy lookup

var (
	// BadAllowlist is returned for a malformed allowlist. Compare with
	// errors.Is rather than == in case it has been wrapped. (Go convention
	// would name this ErrBadAllowlist, as ErrDifferentSubscriptions is; it is
	// left unchanged because renaming an exported identifier breaks importers.)
	BadAllowlist = errors.New("allowlist was malformed")
)
// ErrDifferentSubscriptions is presumably returned when a diff is attempted
// between Subscription values that do not refer to the same subscription;
// compare with errors.Is.
var ErrDifferentSubscriptions = errors.New("diff subscriptions are not the same")

Functions

func BatchSubscriptionsFromEnvChan

func BatchSubscriptionsFromEnvChan(
	ctx context.Context, pw []byte, ec chan<- error,
) <-chan *Subscription

BatchSubscriptionsFromEnvChan pulls every subscription from the files listed in the EnvSubscriptionBatchFiles environment variable. Errors are sent on the provided channel and the context can be used to cancel the whole operation. pw is only needed when the files are encrypted and the password is not available in the environment; otherwise it may be nil. Be aware that a password taken from the environment is readable by any process running as the same user and tends to end up in shell history, crash dumps and CI logs, so prefer passing pw explicitly where you can.

func EncryptSubscriptionAsJSON

func EncryptSubscriptionAsJSON(sub *Subscription, pw []byte, w io.Writer) error

EncryptSubscriptionAsJSON writes the given Subscription as encrypted JSON to the given writer, using inzure's encryption format, defined as follows:

1. PBKDF2 is run on the given password with inzure.PBKDF2Rounds iterations (raisable via INZURE_PBKDF2_ROUNDS) and an 8-byte salt from crypto/rand. The salt is written to the writer as the first 8 bytes; it is not secret. Reviewer note: 10,000 iterations and a 64-bit salt are below current guidance (NIST SP 800-132 asks for a salt of at least 128 bits, and current OWASP iteration recommendations for PBKDF2 are in the hundreds of thousands), and this description does not say which PRF PBKDF2 uses or whether separate keys are derived for AES and for the HMAC — check the implementation before trusting the format with sensitive data.

2. The marshaled JSON is encrypted with AES-256 in CBC mode; the IV is emitted as the first block of the ciphertext.

3. An HMAC-SHA256 over the entire ciphertext (including the IV) is written immediately after the salt. This is encrypt-then-MAC, which is the correct order; a decrypting reader must verify the HMAC (with a constant-time comparison such as hmac.Equal) before passing anything to AES-CBC, so that padding or parse failures cannot be turned into an oracle.

This format exists to get people to encrypt this data at all; it is not meant to be the strongest possible construction. If you have a better tool, use it instead.

If pw is nil the password is read from the environment variable named by KeyEnvironmentalVariableName. Environment variables are readable by other processes of the same user and easily leak into logs, so prefer passing pw explicitly.

func FirewallAllowsIPFromString

func FirewallAllowsIPFromString(f Firewall, ip string) (UnknownBool, []PacketRoute, error)

FirewallAllowsIPFromString is a convenience function for calling a Firewall's AllowsIP method with a string IP. It can be used to trivially implement the AllowsIPString method of the Firewall interface.

func FirewallAllowsIPToIP

func FirewallAllowsIPToIP(f Firewall, src, dst AzureIPv4) (UnknownBool, []PacketRoute, error)

FirewallAllowsIPToIP is a convenience function for filtering the results of the Firewall's AllowsIP method down to a specific destination. Each returned PacketRoute is narrowed to dst; consult the source for exactly which of its fields are populated.

func FirewallAllowsIPToIPPort

func FirewallAllowsIPToIPPort(f Firewall, src, dst AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)

FirewallAllowsIPToIPPort is a convenience wrapper for checking if a given IP is allowed to a given IP:Port combination.

func FirewallAllowsIPToPortFromString

func FirewallAllowsIPToPortFromString(f Firewall, ip, port string) (UnknownBool, []PacketRoute, error)

FirewallAllowsIPToPortFromString is a convenience function for calling a Firewall's AllowsIPToPort method with string inputs. It can be used to trivially implement the AllowsIPToPortString method of the Firewall interface.

func GetQSFillableValue

func GetQSFillableValue(qs *QueryString) reflect.Value

func GetQSFillableValueForString

func GetQSFillableValueForString(qs string) reflect.Value

GetQSFillableValueForString returns a reflect.Value that can be filled by the *QueryString methods on a Subscription. You can either give this a full QueryString or the name of a field in a ResourceGroup.

func IPIsRFC1918Private

func IPIsRFC1918Private(ip AzureIPv4) bool

func NewError

func NewError(msg string, ty ErrorType) error

func NewGenericError

func NewGenericError(err error) error

func NewLineCommentScanner

func NewLineCommentScanner(r io.Reader) *bufio.Scanner

NewLineCommentScanner returns a bufio.Scanner that reads one line at a time and skips lines that begin with # after optional leading whitespace (\s*#).

func NewMalformedIPv4Error

func NewMalformedIPv4Error(ip string) error

func PortContains

func PortContains(in AzurePort, find AzurePort) bool

func PortsEqual

func PortsEqual(a AzurePort, b AzurePort) bool

PortsEqual compares two ports. If the underlying types are the same then reflect.DeepEqual is used; otherwise it compares via the interface methods. For a long non-contiguous port range this can be a very slow function.

func StringLooksLikeResourceID

func StringLooksLikeResourceID(s string) bool

StringLooksLikeResourceID is a cheap heuristic for whether s looks like an Azure resource ID; it is not a validator and should not be used to accept untrusted input. TODO: this could be better.

func ToQueryString

func ToQueryString(i interface{}) (string, error)

ToQueryString accepts a struct (as an interface value) and attempts to turn it into a valid query string. This is not always successful, and failure is not always detectable, so a nil error is not a guarantee that the result is valid.

Types

type API

// API is an Azure managed API as collected from API Management. Meta
// identifies the Azure resource; the remaining fields mirror what FromAzure
// copies out of the APIContract. Online is an UnknownBool rather than a bool
// because the collector may not be able to determine it.
type API struct {
	Meta         ResourceID
	ServiceURL   string
	Path         string
	Revision     string
	Online       UnknownBool
	SubKeyHeader string // presumably the header carrying the subscription key; confirm in FromAzure
	SubKeyQuery  string // presumably the query parameter carrying the subscription key; confirm in FromAzure
	Schemas      []*APISchema
	Protocols    []string
	Operations   []*APIOperation
}

API is an Azure managed API

func NewEmptyAPI

func NewEmptyAPI() *API

func (*API) FromAzure

func (a *API) FromAzure(az *armapimanagement.APIContract)

type APIBackend

// APIBackend describes a backend that an API Management service forwards
// requests to, as populated by FromAzure from a BackendContract.
//
// NOTE(review): AuthQuery, AuthHeader, ProxyUser and ProxyPass are credential
// material when populated, so any Subscription containing this struct must be
// treated as sensitive (see EncryptSubscriptionAsJSON). ValidateCertChain and
// ValidateCertName presumably report whether the gateway verifies the
// backend's TLS certificate; a BoolFalse there is worth flagging in a test.
type APIBackend struct {
	Meta                  ResourceID
	Protocol              string
	URL                   string
	ClientCertThumbprints []string
	AuthQuery             map[string][]string
	AuthHeader            map[string][]string
	AuthHeaderScheme      string
	AuthHeaderParam       string
	ValidateCertChain     UnknownBool
	ValidateCertName      UnknownBool
	ProxyURL              string
	ProxyUser             string
	ProxyPass             string
}

func NewEmptyAPIBackend

func NewEmptyAPIBackend() *APIBackend

func (*APIBackend) FromAzure

func (b *APIBackend) FromAzure(az *armapimanagement.BackendContract)

type APIOpParameter

// APIOpParameter describes one parameter of an API operation; whether it is
// a URL segment, query parameter, header or form field depends on which
// APIOperation or APIRepresentation slice it appears in. Required is an
// UnknownBool because the collector may not be able to determine it.
type APIOpParameter struct {
	Name         string
	Required     UnknownBool
	Desc         string
	Type         string
	DefaultValue string
	Values       []string // presumably the enumerated allowed values; confirm in FromAzure
}

func (*APIOpParameter) FromAzure

type APIOperation

// APIOperation is a single operation (Method + URL) exposed by an API,
// together with the parameters it accepts and the body representations it
// understands. The exported field name URLParamaters is misspelled, but it is
// part of the public API and of the JSON output, so it is left unchanged.
type APIOperation struct {
	Meta            ResourceID
	Method          string
	URL             string
	URLParamaters   []APIOpParameter
	QueryParameters []APIOpParameter
	Headers         []APIOpParameter
	Representations []APIRepresentation
}

func NewEmptyAPIOperation

func NewEmptyAPIOperation() *APIOperation

func (*APIOperation) FromAzure

func (op *APIOperation) FromAzure(az *armapimanagement.OperationContract)

type APIRepresentation

// APIRepresentation is one body format an operation accepts, keyed by
// ContentType. Either a schema reference or explicit form parameters is
// present, depending on the content type.
type APIRepresentation struct {
	ContentType string
	// SchemaID is not set when the content type isn't form data
	SchemaID string
	// TypeName is presumably the schema type name this representation uses;
	// confirm in FromAzure.
	TypeName string
	// FormParameters is required if we have form data as the content type
	FormParameters []APIOpParameter
}

APIRepresentation is an example of legitimate body data that can be sent to the API.

func (*APIRepresentation) FromAzure

type APISchema

// APISchema is a schema document attached to an API, as populated by
// FromAzure from a SchemaContract. JSON holds the raw schema text.
type APISchema struct {
	Meta        ResourceID
	ContentType string
	JSON        string
}

func NewEmptyAPISchema

func NewEmptyAPISchema() *APISchema

func (*APISchema) FromAzure

func (s *APISchema) FromAzure(az *armapimanagement.SchemaContract)

type APIService

// APIService is an API Management service instance together with the APIs,
// users, backends and products collected from it. The various *URL fields and
// StaticIPs are what make up its externally reachable surface (see
// APIServiceAttackSurface). PrimaryKey and SecondaryKey are commented out
// below and therefore not collected, so a serialized Subscription does not
// carry the service's access keys.
type APIService struct {
	Meta               ResourceID
	GatewayURL         string
	DeveloperPortalURL string
	PortalURL          string
	ManagementAPIURL   string
	SCMURL             string
	StaticIPs          []AzureIPv4
	CustomProperties   map[string]string
	HostnameConfigs    []APIServiceHostnameConfig
	VNetType           APIServiceVNetType
	SubnetRef          ResourceID
	APIs               []*API
	Users              []*APIServiceUser
	//PrimaryKey         string
	//SecondaryKey       string
	//AccessEnabled      UnknownBool
	SignupEnabled UnknownBool
	Backends      []*APIBackend
	Products      []*APIServiceProduct
}

func NewEmptyAPIService

func NewEmptyAPIService() *APIService

func (*APIService) FromAzure

func (as *APIService) FromAzure(az *armapimanagement.ServiceResource)

type APIServiceAttackSurface

// APIServiceAttackSurface lists the endpoints an API Management service
// exposes. ManagedEndpoints are reached through the gateway; BackendEndpoints
// are direct backend URLs that should normally be hidden behind it, so they
// are both sensitive and a natural place to test for gateway bypass.
type APIServiceAttackSurface struct {
	ManagedEndpoints []string
	BackendEndpoints []string
}

APIServiceAttackSurface is the attack surface presented by managed APIs. Because the collector has read access to the API Management service, it can sometimes recover direct backend URLs that are not meant to be reachable except through the gateway; treat BackendEndpoints as sensitive and as a good place to check for gateway bypass.

type APIServiceHostnameConfig

// APIServiceHostnameConfig is a custom hostname configured on an API
// Management service; only the hostname itself is collected.
type APIServiceHostnameConfig struct {
	Hostname string
}

func (*APIServiceHostnameConfig) FromAzure

type APIServiceProduct

// APIServiceProduct is a product (a bundle of APIs offered to subscribers)
// on an API Management service. A product that is published but requires
// neither a subscription nor approval is presumably usable by anyone who can
// reach the gateway — a combination worth flagging in tests.
type APIServiceProduct struct {
	Meta                 ResourceID
	DisplayName          string
	SubscriptionRequired UnknownBool
	ApprovalRequired     UnknownBool
	IsPublished          UnknownBool
}

func NewEmptyAPIServiceProduct

func NewEmptyAPIServiceProduct() *APIServiceProduct

func (*APIServiceProduct) FromAzure

type APIServiceUser

// APIServiceUser is a user account on an API Management service, as
// populated by FromAzure from a UserContract. FirstName, LastName and Email
// are personal data: a serialized Subscription containing these needs the
// same handling as any other PII.
type APIServiceUser struct {
	FirstName    string
	LastName     string
	Email        string
	RegisteredAt time.Time
	State        APIUserActivationState
	Groups       []string
	Identities   []APIServiceUserIdentity
}

func NewAPIServiceUser

func NewAPIServiceUser() *APIServiceUser

func (*APIServiceUser) FromAzure

func (asu *APIServiceUser) FromAzure(az *armapimanagement.UserContract)

type APIServiceUserIdentity

// APIServiceUserIdentity is one external identity linked to an API
// Management user: the identity Provider and the user's ID at that provider.
type APIServiceUserIdentity struct {
	Provider string
	ID       string
}

type APIServiceVNetType added in v0.1.0

// APIServiceVNetType records how an API Management service is attached to a
// virtual network: None (zero value, not attached), External or Internal.
// The External/Internal distinction follows Azure's VirtualNetworkType (see
// FromAzure); in Azure terms External presumably means the gateway is still
// reachable from the internet while Internal means it is only reachable from
// inside the VNet — confirm against the Azure documentation.
type APIServiceVNetType int
const (
	APIServiceVNetTypeNone     APIServiceVNetType = 0
	APIServiceVNetTypeExternal APIServiceVNetType = 1
	APIServiceVNetTypeInternal APIServiceVNetType = 2
)

func (*APIServiceVNetType) FromAzure added in v0.1.0

func (it *APIServiceVNetType) FromAzure(az *azpkg.VirtualNetworkType)

func (APIServiceVNetType) IsExternal added in v0.1.0

func (it APIServiceVNetType) IsExternal() bool

func (APIServiceVNetType) IsInternal added in v0.1.0

func (it APIServiceVNetType) IsInternal() bool

func (APIServiceVNetType) IsNone added in v0.1.0

func (it APIServiceVNetType) IsNone() bool

func (APIServiceVNetType) String added in v0.1.0

func (it APIServiceVNetType) String() string

type APIUserActivationState

// APIUserActivationState is the activation state of an API Management user.
// Unknown is the zero value, so a state the collector could not determine
// is never mistaken for Active.
type APIUserActivationState int
const (
	APIUserStateUnknown APIUserActivationState = 0
	APIUserStateActive  APIUserActivationState = 1
	APIUserStatePending APIUserActivationState = 2
	APIUserStateBlocked APIUserActivationState = 3
	APIUserStateDeleted APIUserActivationState = 4
)

func (*APIUserActivationState) FromAzure

func (it *APIUserActivationState) FromAzure(az *azpkg.UserState)

func (APIUserActivationState) IsActive added in v0.1.0

func (it APIUserActivationState) IsActive() UnknownBool

func (APIUserActivationState) IsBlocked added in v0.1.0

func (it APIUserActivationState) IsBlocked() UnknownBool

func (APIUserActivationState) IsDeleted added in v0.1.0

func (it APIUserActivationState) IsDeleted() UnknownBool

func (APIUserActivationState) IsKnown added in v0.1.0

func (it APIUserActivationState) IsKnown() bool

func (APIUserActivationState) IsPending added in v0.1.0

func (it APIUserActivationState) IsPending() UnknownBool

func (APIUserActivationState) IsUnknown added in v0.1.0

func (it APIUserActivationState) IsUnknown() bool

func (APIUserActivationState) String added in v0.1.0

func (it APIUserActivationState) String() string

type AppLanguage

// AppLanguage identifies the runtime stack of a web app. Unknown is the zero
// value so an undetected stack never reads as a specific language. The
// numeric values are part of the serialized form, so new entries should be
// appended rather than inserted.
type AppLanguage int
const (
	LanguageUnknown    AppLanguage = 0
	LanguageNode       AppLanguage = 1
	LanguagePHP        AppLanguage = 2
	LanguageJava       AppLanguage = 3
	LanguageDotNet     AppLanguage = 4
	LanguageRuby       AppLanguage = 5
	LanguagePython     AppLanguage = 6
	LanguageDocker     AppLanguage = 7
	LanguagePowerShell AppLanguage = 8
	LanguageFSharp     AppLanguage = 9
	LanguageCSharp     AppLanguage = 10
)

func (AppLanguage) IsCSharp added in v0.1.0

func (it AppLanguage) IsCSharp() UnknownBool

func (AppLanguage) IsDocker added in v0.1.0

func (it AppLanguage) IsDocker() UnknownBool

func (AppLanguage) IsDotNet added in v0.1.0

func (it AppLanguage) IsDotNet() UnknownBool

func (AppLanguage) IsFSharp added in v0.1.0

func (it AppLanguage) IsFSharp() UnknownBool

func (AppLanguage) IsJava added in v0.1.0

func (it AppLanguage) IsJava() UnknownBool

func (AppLanguage) IsKnown added in v0.1.0

func (it AppLanguage) IsKnown() bool

func (AppLanguage) IsNode added in v0.1.0

func (it AppLanguage) IsNode() UnknownBool

func (AppLanguage) IsPHP added in v0.1.0

func (it AppLanguage) IsPHP() UnknownBool

func (AppLanguage) IsPowerShell added in v0.1.0

func (it AppLanguage) IsPowerShell() UnknownBool

func (AppLanguage) IsPython added in v0.1.0

func (it AppLanguage) IsPython() UnknownBool

func (AppLanguage) IsRuby added in v0.1.0

func (it AppLanguage) IsRuby() UnknownBool

func (AppLanguage) IsUnknown added in v0.1.0

func (it AppLanguage) IsUnknown() bool

func (AppLanguage) String

func (it AppLanguage) String() string

type AppServiceEnvironment

// AppServiceEnvironment is an App Service Environment; currently only its
// identifying ResourceID is collected.
type AppServiceEnvironment struct {
	Meta ResourceID
}

type ApplicationSecurityGroup

// ApplicationSecurityGroup is an Azure Application Security Group; currently
// only its identifying ResourceID is collected, so membership has to be
// resolved from the resources that reference it.
type ApplicationSecurityGroup struct {
	Meta ResourceID
}

func NewEmptyASG

func NewEmptyASG() *ApplicationSecurityGroup

func (*ApplicationSecurityGroup) FromAzure

type AttackSurface

// AttackSurface collects the IP addresses and hostnames that MAY be exposed
// from a subscription, grouped by resource kind. It is a candidate list only:
// no firewall or NSG evaluation is applied when it is built. The field name
// MSQL is presumably a typo for MSSQL; it is exported (and part of the JSON
// output) so it is left as-is.
type AttackSurface struct {
	WebApps           []string
	Functions         []string
	LoadBalancers     []LoadBalancerAttackSurface
	VirtualMachines   []string
	MSQL              []string
	Redis             []string
	PostgreSQL        []string
	CosmosDBs         []string
	DataLakeAnalytics []string
	DataLakeStores    []string
	KeyVaults         []string
	PublicContainers  []string
	APIServices       []APIServiceAttackSurface
}

AttackSurface is a collection of IP addresses and domain names that may POTENTIALLY be exposed. It is a candidate list, not a confirmed one: no firewall or NSG evaluation has been applied at this point!

func NewEmptyAttackSurface

func NewEmptyAttackSurface() AttackSurface

type AzureAPI

type AzureAPI interface {
	// SetProxy sets a custom proxy.Dialer for the client. By default the
	// HTTP_PROXY and HTTPS_PROXY environment variables should be honored.
	// proxy.Direct{} can be passed to bypass the proxy completely for some
	// calls.
	//
	// Note that this can't be used in combination with `SetClient`.
	SetProxy(proxy proxy.Dialer)

	// ClearProxy resets the proxy to the default configuration, which honors
	// the HTTP_PROXY and HTTPS_PROXY environment variables.
	ClearProxy()

	// SetClient allows the http.Client in use to be customized completely
	// (timeouts, TLS configuration, transport). Note that this can't be used
	// in combination with `SetProxy`.
	SetClient(client *http.Client)

	// GetResourceGroups gets all resource groups for the given subscription.
	// ResourceGroups are streamed on the returned channel. They are empty
	// except for basic identifying data; pass them to other methods to get
	// the resources for that group.
	//
	// Note that, even though other methods take a pointer to the ResourceGroup,
	// no method modifies the resource group itself.
	GetResourceGroups(ctx context.Context, sub string, ec chan<- error) <-chan *ResourceGroup
	// GetNetworks gets the virtual networks in the subscription. VirtualNetwork
	// objects returned from this are not fully populated: information about
	// VirtualMachines and NetworkInterfaces has to come from the
	// GetVirtualMachines method.
	GetNetworks(ctx context.Context, sub string, ec chan<- error) <-chan *VirtualNetwork
	// GetVirtualMachines gets the virtual machines in the subscription. The
	// VirtualMachine struct contains VM configuration as well as references to
	// NetworkInterfaces. Those NetworkInterface structs only carry the
	// ResourceID and need to be fully populated from other API calls.
	GetVirtualMachines(ctx context.Context, sub string, ec chan<- error) <-chan *VirtualMachine
	// GetLoadBalancers gets all LoadBalancers in a given resource group. If rg
	// is an empty string, it gets all of them regardless of resource group.
	GetLoadBalancers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *LoadBalancer
	// The following rg-taking getters presumably follow the GetLoadBalancers
	// convention (an empty rg means every resource group) — confirm against
	// the implementation before relying on it.
	GetDataLakeStores(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *DataLakeStore
	GetDataLakeAnalytics(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *DataLakeAnalytics
	GetPostgresServers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *PostgresServer
	GetSQLServers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *SQLServer
	GetCosmosDBs(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *CosmosDB
	// GetNetworkInterfaces streams every NetworkInterface in the subscription.
	GetNetworkInterfaces(ctx context.Context, sub string, ec chan<- error) <-chan *NetworkInterface
	// GetNetworkSecurityGroups gets all of the NetworkSecurityGroups in the
	// subscription. This gathers firewall rules and the ResourceIDs of the
	// associated subnets and interfaces. It does not gather information about
	// those network interfaces and subnets themselves; that comes from the
	// VirtualNetwork structs.
	GetNetworkSecurityGroups(ctx context.Context, sub string, ec chan<- error) <-chan *NetworkSecurityGroup
	// GetApplicationSecurityGroups streams every ApplicationSecurityGroup in
	// the subscription (identifying data only; see that type).
	GetApplicationSecurityGroups(ctx context.Context, sub string, ec chan<- error) <-chan *ApplicationSecurityGroup
	// The remaining rg-taking getters presumably share the empty-rg-means-all
	// convention noted above.
	GetWebApps(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *WebApp
	GetAPIs(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *APIService
	GetStorageAccounts(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *StorageAccount
	GetRedisServers(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *RedisServer
	GetKeyVaults(ctx context.Context, sub string, rg string, ec chan<- error) <-chan *KeyVault

	// EnableClassic enables the classic management API using the passed
	// management certificate; the string is presumably the subscription it
	// applies to (GetClassicStorageAccounts reads "the subscription set with
	// EnableClassic"). The management certificate is a full credential for the
	// classic API and should be handled like a private key. For more
	// information see the README.
	EnableClassic([]byte, string) error
	// GetClassicStorageAccounts gets all classic storage accounts from the
	// subscription set with EnableClassic. If EnableClassic wasn't called
	// beforehand this returns an immediately closed channel.
	GetClassicStorageAccounts(context.Context, chan<- error) <-chan *StorageAccount
}

AzureAPI is an interface wrapper for the Azure API itself. Interaction with the API only happens through this interface.

The interface is intended to act solely based on channels and streaming. The goal is to have all requests essentially be async since we don't actually care about the order of responses for _most_ cases.

Errors are only handled where necessary; otherwise they are simply reported on the passed error channel. The errors _should_ be *AzureAPIError values, but that isn't currently guaranteed, so use errors.As rather than a direct type assertion.

To avoid using the API directly, set up a Subscription describing the data you want and then pass it an AzureAPI.

func NewAzureAPI

func NewAzureAPI() (AzureAPI, error)

NewAzureAPI returns an AzureAPI instance taking the credentials it needs from the environment.

If you are using the provided tool, setup is as described in its documentation. That is, the following environment variables need to be set:

  • AZURE_TENANT_ID - This always needs to be set.

Then you can either log in as the previously created application with:

  • AZURE_CLIENT_ID - the client ID of the application registered for the Inzure tool
  • AZURE_CLIENT_SECRET - that application's secret. This is a long-lived credential: keep it out of shell history, CI logs and crash dumps, and grant the application read-only roles only, since this package just gathers data.

Or log in interactively as yourself with just:

  • AZURE_CLIENT_ID

This triggers the device login flow familiar from the Azure CLI; your username and password are entered there, not read from the environment.

Note that AZURE_ENVIRONMENT can also be set to change the environment. Valid values are:

  • AZURECHINACLOUD
  • AZUREGERMANCLOUD
  • AZUREPUBLICCLOUD
  • AZUREUSGOVERNMENTCLOUD

type AzureAPIError

// AzureAPIError is an error associated with an Action on the Azure API
// against ResourceID. It wraps the underlying Err (see Unwrap), so callers
// can use errors.Is/errors.As on it. In many cases only the Subscription and
// Tag fields of ResourceID are populated.
type AzureAPIError struct {
	Err        error
	Action     string
	ResourceID ResourceID
}

AzureAPIError is an error associated with an action on the Azure API.

In many cases only the Subscription and Tag fields of the ResourceID will be populated.

func (*AzureAPIError) Error

func (e *AzureAPIError) Error() string

func (*AzureAPIError) Unwrap added in v0.1.0

func (e *AzureAPIError) Unwrap() error

type AzureAbstractIPType

// AzureAbstractIPType classifies an AzureIPv4 (see AzureIPv4.GetType). The
// VirtualNetwork, AzureLoadBalancer and Internet values presumably correspond
// to Azure's special rule source/destination keywords of the same names;
// Normal is a concrete address or range, Empty is an unset value, and
// Unknown is the zero value.
type AzureAbstractIPType uint8
const (
	AzureAbstractIPUnknown AzureAbstractIPType = iota
	AzureAbstractIPVirtualNetwork
	AzureAbstractIPAzureLoadBalancer
	AzureAbstractIPInternet
	AzureAbstractIPNormal
	AzureAbstractIPEmpty
)

type AzureIPv4

type AzureIPv4 interface {
	// IsSpecial returns whether or not this is a special definition within
	// Azure (a keyword rather than an address). If it is, there isn't much we
	// can do with it without other information.
	IsSpecial() bool
	// GetType returns the abstract IP type. This is typically useful only
	// when IsSpecial returns true.
	GetType() AzureAbstractIPType
	// AsUint32 returns the single IP as a uint32. This function is
	// undefined if Size() != 1.
	AsUint32() uint32
	// FromAzure loads an Azure IP string into this instance. There are no
	// guarantees about continuity of state before and after this call: after
	// calling it, treat the underlying value as completely unrelated to its
	// previous value.
	FromAzure(string)
	// Contains reports whether this rule contains the given dot-notation
	// IPv4 address. Behavior is undefined if the string is not a dot notation
	// IPv4 address, so validate untrusted input before calling it.
	Contains(string) UnknownBool
	// ContainsUint32 is the same as Contains except for a uint32 representation
	// of the IPv4 address.
	ContainsUint32(uint32) UnknownBool
	// ContainsRange is the same as Contains except with a range.
	ContainsRange(string, string) UnknownBool
	// ContainsRangeUint32 is the same as ContainsUint32 except with a range.
	ContainsRangeUint32(uint32, uint32) UnknownBool
	// ContinuousRange returns whether or not the IP address is a continuous
	// range. If it is, the beginning and end of that range are returned as
	// strings. Note that a single IP address is a continuous range ending
	// and beginning with itself.
	ContinuousRange() (UnknownBool, string, string)
	// ContinuousRangeUint32 does the same as ContinuousRange but instead
	// returns uint32 values of the IPv4 addresses.
	ContinuousRangeUint32() (UnknownBool, uint32, uint32)
	// Size returns how many IPs this AzureIPv4 contains. If this cannot be
	// determined 0 is returned. Note that this is a uint64 because the range
	// [0, ^uint32(0)] is "*" and its size overflows a uint32.
	Size() uint64
	// AllIPsGen is a generator function that returns all of the IPs on the
	// returned channel. If the passed buffer parameter is <=0 then there is
	// no buffering on the returned channel. Prefer this over AllIPs for
	// large ranges.
	AllIPsGen(ctx context.Context, buffer int) <-chan string
	// AllIPsUint32Gen is the uint32 equivalent of AllIPsGen.
	AllIPsUint32Gen(ctx context.Context, buffer int) <-chan uint32
	// AllIPs returns string representations of every IP contained in this
	// AzureIPv4. Note that this could be a lot of IPs: for "*" it is the whole
	// IPv4 space, so check Size() first.
	AllIPs() []string
	// AllIPsUint32 is the same as AllIPs except it returns uint32
	// representations.
	AllIPsUint32() []uint32
	String() string
	json.Marshaler
	json.Unmarshaler
}

AzureIPv4 manages the complex type that is a security rule IP. Azure allows CIDR notation, single IPs, IP ranges, and a "*" (every address) type. We need to encapsulate all of those in one type to work with them accurately, and this interface ensures that these types are not misused.

Allowed formats: a single dotted-quad IPv4 address, CIDR notation, an explicit begin–end range, and "*" for all addresses.

func NewAzureIPv4FromAzure

func NewAzureIPv4FromAzure(s string) AzureIPv4

NewAzureIPv4FromAzure makes a default implementation AzureIPv4 from an Azure string

func NewAzureIPv4FromRange

func NewAzureIPv4FromRange(begin string, end string) AzureIPv4

NewAzureIPv4FromRange creates a new AzureIPv4 from a range of IPs

func NewCheckedAzureIPv4FromAzure

func NewCheckedAzureIPv4FromAzure(s string) (AzureIPv4, error)

func NewEmptyAzureIPv4

func NewEmptyAzureIPv4() AzureIPv4

type AzurePort

// AzurePort manages the complex type that is a security rule port. Azure
// allows "*" for all ports, single ports, ranges of ports, and a combination
// of single ports and ranges.
type AzurePort interface {
	// FromAzure loads an Azure port into the instance of this interface type.
	// There are no guarantees about continuity of state before and after this
	// call. If you call this you should view the given underlying value to
	// be completely unrelated to its previous value.
	FromAzure(string)
	// AsUint16 should return the port as a uint16. The behavior of this
	// function is undefined if Size() != 1.
	AsUint16() uint16
	// Contains reports whether this rule contains the given port.
	Contains(uint16) bool
	// ContainsRange takes a (begin, end) pair. Whether the bounds are
	// inclusive is not stated here — confirm against the implementation.
	ContainsRange(uint16, uint16) bool
	// ContinuousRange mirrors AzureIPv4.ContinuousRange, with a plain bool
	// and uint16 bounds instead of UnknownBool and strings.
	ContinuousRange() (bool, uint16, uint16)
	// Size returns a uint32, presumably because "*" (all ports) does not
	// fit in a uint16 — confirm against the implementation.
	Size() uint32
	// AllPorts materializes every port this AzurePort contains; AllPortsGen
	// streams them on a channel and takes the same ctx/buffer parameters as
	// AzureIPv4.AllIPsGen.
	AllPorts() []uint16
	AllPortsGen(ctx context.Context, buffer int) <-chan uint16
	// IsStar reports whether this is the "*" (all ports) form.
	IsStar() bool
	String() string
	UnmarshalJSON(b []byte) error
	MarshalJSON() ([]byte, error)
}

AzurePort manages the complex type that is a security rule port. Azure allows "*" for all ports, single ports, ranges of ports, and a combination of single and ranges

func NewCheckedPortFromAzure

func NewCheckedPortFromAzure(az string) (AzurePort, error)

func NewEmptyPort

func NewEmptyPort() AzurePort

func NewPortFromAzure

func NewPortFromAzure(az string) AzurePort

NewPortFromAzure builds a default AzurePort implementation from the given Azure port string.

func NewPortFromUint16

func NewPortFromUint16(p uint16) AzurePort

type AzureResourceTag

// AzureResourceTag is a tag given to a known Azure resource type for quick
// identification. See the Resource*T constants for the known values.
type AzureResourceTag uint

AzureResourceTag is a tag given to a known Azure resource type for quick identification

// Known AzureResourceTag values. They are assigned with iota, so the numeric
// value of each tag depends on its position in this list; ResourceUnsetT is
// the zero value, which is what a zero-initialized ResourceID carries.
const (
	// ResourceUnsetT indicates that the resource was never set. If you see this
	// tag on any ResourceID struct, it means that any data in it should not be
	// trusted.
	ResourceUnsetT AzureResourceTag = iota
	// ResourceUnknownT is a resource whose type was not recognised.
	ResourceUnknownT
	ResourceGroupT
	StorageAccountT
	ContainerT
	QueueT
	FileShareT
	TableT
	ProviderT
	NetworkSecurityGroupT
	VirtualNetworkT
	VirtualMachineT
	SubnetT
	NetworkInterfaceT
	IPConfigurationT
	PublicIPT
	WebAppT
	FunctionT
	DataLakeT
	DataLakeStoreT
	DataLakeAnalyticsT
	SQLServerT
	WebAppSlotT
	RedisServerT
	RecommendationT
	SQLDatabaseT
	VirtualMachineScaleSetT
	ApiT
	ApiServiceT
	ApiOperationT
	ApiBackendT
	ApiServiceProductT
	ServiceBusT
	ServiceFabricT
	ApiSchemaT
	LoadBalancerT
	FrontendIPConfigurationT
	ApplicationSecurityGroupT
	KeyVaultT
	CosmosDBT
	PostgresServerT
	PostgresDBT
)

func (AzureResourceTag) String

func (i AzureResourceTag) String() string

type Container

// Container is a blob container inside a storage account.
type Container struct {
	// Name is the container's name within its storage account.
	Name string
	// StorageAccount identifies the owning storage account.
	StorageAccount ResourceID
	// URL is derived from Name and StorageAccount by SetURL.
	URL string
	// Access is the container's public access level as loaded from Azure.
	Access ContainerPermission
}

func (*Container) FromAzure

func (c *Container) FromAzure(az *armstorage.ListContainerItem)

func (*Container) QueryString

func (c *Container) QueryString() string

func (*Container) SetURL

func (c *Container) SetURL(sa *StorageAccount)

SetURL sets the URL using the Container's name and the StorageAccount.

type ContainerPermission

// ContainerPermission is a blob container's public access level, loaded from
// an Azure PublicAccess value by FromAzure. ContainerPermissionUnknown is the
// zero value, so an unpopulated container reports IsUnknown rather than
// Private.
type ContainerPermission int

const (
	ContainerPermissionUnknown   ContainerPermission = 0
	ContainerPermissionPrivate   ContainerPermission = 1
	ContainerPermissionBlob      ContainerPermission = 2
	ContainerPermissionContainer ContainerPermission = 3
)

func (*ContainerPermission) FromAzure added in v0.1.0

func (it *ContainerPermission) FromAzure(az *azpkg.PublicAccess)

func (ContainerPermission) IsBlob added in v0.1.0

func (it ContainerPermission) IsBlob() UnknownBool

func (ContainerPermission) IsContainer added in v0.1.0

func (it ContainerPermission) IsContainer() UnknownBool

func (ContainerPermission) IsKnown added in v0.1.0

func (it ContainerPermission) IsKnown() bool

func (ContainerPermission) IsPrivate added in v0.1.0

func (it ContainerPermission) IsPrivate() UnknownBool

func (ContainerPermission) IsUnknown added in v0.1.0

func (it ContainerPermission) IsUnknown() bool

func (ContainerPermission) String

func (it ContainerPermission) String() string

type CosmosDB

// CosmosDB holds the information gathered about a Cosmos DB account.
type CosmosDB struct {
	// Meta identifies the account.
	Meta ResourceID
	// Endpoint is the account's endpoint as reported by Azure.
	Endpoint string
	// Firewall is the account's network access configuration.
	Firewall CosmosDBFirewall
}

func NewEmptyCosmosDB

func NewEmptyCosmosDB() *CosmosDB

func (*CosmosDB) FromAzure

func (c *CosmosDB) FromAzure(az *armcosmos.DatabaseAccountGetResults)

type CosmosDBFirewall

// CosmosDBFirewall is the network access configuration of a Cosmos DB account.
// It implements the Allows*/RespectsAllowlist methods of Firewall.
type CosmosDBFirewall struct {
	// IPs are the explicitly allowed IP ranges.
	IPs IPCollection

	// PublicNetworkAllowed records whether public network access is enabled.
	PublicNetworkAllowed UnknownBool

	// AzureCanBypass and AllowedResources describe access granted to Azure
	// services/resources rather than to IPs — presumably the "allow Azure
	// services" style settings; confirm against FromAzure.
	AzureCanBypass   UnknownBool
	AllowedResources []ResourceID

	// VNetEnabled and VNetRules describe virtual network based access.
	VNetEnabled UnknownBool
	VNetRules   []ResourceID
}

func (CosmosDBFirewall) AllowsIP

func (CosmosDBFirewall) AllowsIPString

func (f CosmosDBFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (CosmosDBFirewall) AllowsIPToPort

func (f CosmosDBFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)

func (CosmosDBFirewall) AllowsIPToPortString

func (f CosmosDBFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)

func (CosmosDBFirewall) RespectsAllowlist added in v0.1.0

func (f CosmosDBFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)

type DataLakeAnalytics

// DataLakeAnalytics holds the important information for a Data Lake
// Analytics account.
type DataLakeAnalytics struct {
	Meta     ResourceID
	Endpoint string
	// Firewall is the account's firewall; see DataLakeFirewall.
	Firewall DataLakeFirewall
}

DataLakeAnalytics holds the important information for a Data Lake Analytics account

func NewEmptyDataLakeAnalytics

func NewEmptyDataLakeAnalytics() *DataLakeAnalytics

func (*DataLakeAnalytics) FromAzure

func (dl *DataLakeAnalytics) FromAzure(az *armdatalakeanalytics.Account)

type DataLakeFirewall added in v0.1.0

// DataLakeFirewall is the firewall shared by Data Lake Store and Data Lake
// Analytics accounts. It implements the Allows*/RespectsAllowlist methods of
// Firewall.
type DataLakeFirewall struct {
	// Enabled records whether the firewall is turned on at all.
	Enabled UnknownBool
	// AllowAzure records whether Azure-originated traffic is allowed through.
	AllowAzure UnknownBool
	// Rules are the individual IP-range rules.
	Rules FirewallRules
}

func (*DataLakeFirewall) AllowsIP added in v0.1.0

func (fw *DataLakeFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)

func (*DataLakeFirewall) AllowsIPString added in v0.1.0

func (fw *DataLakeFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (*DataLakeFirewall) AllowsIPToPort added in v0.1.0

func (fw *DataLakeFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)

func (*DataLakeFirewall) AllowsIPToPortString added in v0.1.0

func (fw *DataLakeFirewall) AllowsIPToPortString(ip string, port string) (UnknownBool, []PacketRoute, error)

func (*DataLakeFirewall) RespectsAllowlist added in v0.1.0

func (fw *DataLakeFirewall) RespectsAllowlist(allowlist FirewallAllowlist) (UnknownBool, []IPPort, error)

type DataLakeStore

// DataLakeStore holds the important information for a Data Lake Store account.
type DataLakeStore struct {
	Meta     ResourceID
	Endpoint string
	// Encrypted records whether the store reports encryption as enabled.
	Encrypted UnknownBool
	Firewall  DataLakeFirewall
	// TrustedIDProviders lists the configured identity providers;
	// TrustIDProviders records whether that list is enforced.
	TrustedIDProviders []string
	TrustIDProviders   UnknownBool
}

DataLakeStore holds the important information for a Data Lake store account

func NewEmptyDataLakeStore

func NewEmptyDataLakeStore() *DataLakeStore

func (*DataLakeStore) FromAzure

func (dl *DataLakeStore) FromAzure(az *armdatalakestore.Account)

type DiskEncryption

// DiskEncryption holds the location of an encryption key and whether that key
// is enabled for the given disk. The string fields are key locations
// (references), not key material.
type DiskEncryption struct {
	Enabled          UnknownBool
	EncryptionKey    string
	KeyEncryptionKey string
}

DiskEncryption holds the location of an encryption key and whether that key is enabled for the given disk

type Error

// Error is inzure's generic error type. These should give slightly more
// information specific to inzure functionality, but in some cases they may
// just be wrapping a generic error.
type Error struct {
	// Wrapped is the underlying error, if any. No Unwrap method is listed
	// for Error on this page, so errors.Is/errors.As may not reach it —
	// confirm against the implementation.
	Wrapped error
	Msg     string
	Type    ErrorType
}

Error is inzure's generic error type. These should give slightly more information specific to inzure functionality, but in some cases they may just be wrapping a generic error.

func (*Error) Error

func (e *Error) Error() string

type ErrorType

// ErrorType classifies an Error. UnknownError is the zero value.
type ErrorType uint32

const (
	UnknownError ErrorType = iota
	// MalformedIPv4Error is used for IP strings that could not be parsed.
	MalformedIPv4Error
	// NilFirewall is used when a firewall operation is attempted on nil.
	NilFirewall
)

type FTPState

// FTPState is a web app's FTP/FTPS setting, loaded from an Azure FtpsState
// value by FromAzure. FTPStateUnknown is the zero value.
type FTPState int

const (
	FTPStateUnknown  FTPState = 0
	FTPStateDisabled FTPState = 1
	FTPStateFTPSOnly FTPState = 2
	// FTPStateAll presumably means plain FTP is accepted as well as FTPS —
	// confirm against FromAzure.
	FTPStateAll FTPState = 3
)

func (*FTPState) FromAzure added in v0.1.0

func (it *FTPState) FromAzure(az *azpkg.FtpsState)

func (FTPState) IsAll added in v0.1.0

func (it FTPState) IsAll() UnknownBool

func (FTPState) IsDisabled added in v0.1.0

func (it FTPState) IsDisabled() UnknownBool

func (FTPState) IsFTPSOnly added in v0.1.0

func (it FTPState) IsFTPSOnly() UnknownBool

func (FTPState) IsKnown added in v0.1.0

func (it FTPState) IsKnown() bool

func (FTPState) IsUnknown added in v0.1.0

func (it FTPState) IsUnknown() bool

func (FTPState) String

func (f FTPState) String() string

type FileShare added in v0.1.0

// FileShare is a file share inside a storage account.
type FileShare struct {
	Name           string
	StorageAccount ResourceID
	Type           string
	Protocol       FileShareProtocol
	Deleted        UnknownBool
	// AccessPolicies are the share's stored access policies.
	AccessPolicies []FileShareAccessPolicy
}

func (*FileShare) FromAzure added in v0.1.0

func (f *FileShare) FromAzure(az *armstorage.FileShareItem)

func (*FileShare) QueryString added in v0.1.0

func (f *FileShare) QueryString() string

type FileShareAccessPolicy added in v0.1.0

// FileShareAccessPolicy is a stored access policy on a file share, loaded
// from an Azure SignedIdentifier by FromAzure.
type FileShareAccessPolicy struct {
	ID         string
	StartTime  time.Time
	ExpiryTime time.Time
	// Permissions is the raw permission string as given by Azure.
	Permissions string
}

func (*FileShareAccessPolicy) FromAzure added in v0.1.0

func (fsap *FileShareAccessPolicy) FromAzure(az *armstorage.SignedIdentifier)

type FileShareProtocol added in v0.1.0

// FileShareProtocol is the protocol enabled on a file share, loaded from an
// Azure EnabledProtocols value by FromAzure. FileShareProtocolUnknown is the
// zero value.
type FileShareProtocol int

const (
	FileShareProtocolUnknown FileShareProtocol = 0
	FileShareProtocolNFS     FileShareProtocol = 1
	FileShareProtocolSMB     FileShareProtocol = 2
)

func (*FileShareProtocol) FromAzure added in v0.1.0

func (it *FileShareProtocol) FromAzure(az *azpkg.EnabledProtocols)

func (FileShareProtocol) IsKnown added in v0.1.0

func (it FileShareProtocol) IsKnown() bool

func (FileShareProtocol) IsNFS added in v0.1.0

func (it FileShareProtocol) IsNFS() UnknownBool

func (FileShareProtocol) IsSMB added in v0.1.0

func (it FileShareProtocol) IsSMB() UnknownBool

func (FileShareProtocol) IsUnknown added in v0.1.0

func (it FileShareProtocol) IsUnknown() bool

func (FileShareProtocol) String added in v0.1.0

func (it FileShareProtocol) String() string

type Firewall

// Firewall represents anything that has rules to allow or disallow specific
// IPs to communicate with specific ports.
//
// If any functions return BoolNotApplicable, the firewall is considered to
// have "no opinion" on the connection. In most cases, this will probably be
// treated as if it were BoolTrue.
type Firewall interface {
	// AllowsIP checks if the given IP is allowed through the firewall for any
	// potential source. If BoolTrue is returned, the PacketRoute slice gives
	// all of the known firewall protected targets that this IP is allowed to
	// access. If that can't be determined, it should be a single */* for
	// caution's sake.
	AllowsIP(AzureIPv4) (UnknownBool, []PacketRoute, error)
	// AllowsIPString is AllowsIP for an IP given as an Azure string.
	AllowsIPString(string) (UnknownBool, []PacketRoute, error)
	// AllowsIPToPort checks if an IP can access the given port on any server
	// protected by the firewall. If BoolTrue is returned, the PacketRoute
	// slice gives IPs that can be reached at that port.
	AllowsIPToPort(AzureIPv4, AzurePort) (UnknownBool, []PacketRoute, error)
	// AllowsIPToPortString is AllowsIPToPort for an IP and port given as
	// Azure strings.
	AllowsIPToPortString(string, string) (UnknownBool, []PacketRoute, error)
	// RespectsAllowlist checks if the firewall respects a given allowlist.
	//
	// Note that blocking all traffic is considered respecting the allowlist
	// in this method. This keeps the complexity of implementation functions
	// lower. You can use the other Allows* methods to verify that it is
	// respecting an allowlist in a positive sense (ie it allows everything
	// in the allowlist through).
	//
	// An allowlist that is empty (this is dependent on the implementation's
	// definition of "empty") should cause this to return the BadAllowlist
	// error with a BoolUnknown.
	//
	// If this given firewall is port agnostic (SQL and Redis servers for
	// example) then this can return BoolNotApplicable for all ports that
	// are not supported by the service.
	//
	// On return, if BoolTrue/Unknown the []IPPort should specify which IPs
	// failed on which Ports. If port agnostic, the port should simply be "*"
	RespectsAllowlist(FirewallAllowlist) (UnknownBool, []IPPort, error)
}

Firewall represents anything that has rules to allow or disallow specific IPs to communicate with specific ports.

If any functions return BoolNotApplicable, the firewall is considered to have "no opinion" on the connection. In most cases, this will probably be treated as if it were BoolTrue.

type FirewallAllowlist added in v0.1.0

// FirewallAllowlist defines an allowlist for inzure. These are intended to be
// ingested by Firewalls for validation.
type FirewallAllowlist struct {
	// AllPorts lists IPs that are allowed regardless of port; IPPassesStar
	// checks only this list.
	AllPorts []AzureIPv4

	// PortMap lists IPs allowed for specific ports, keyed by port string;
	// IPPassesPort checks only this map. Use AddPortEntry/RemovePortEntry to
	// maintain it.
	PortMap map[string][]AzureIPv4
	// contains filtered or unexported fields
}

FirewallAllowlist defines an allowlist for inzure. These are intended to be ingested by Firewalls for validation.

func (FirewallAllowlist) AddPortEntry added in v0.1.0

func (fw FirewallAllowlist) AddPortEntry(port string, ips []AzureIPv4)

func (*FirewallAllowlist) IPPassesAny added in v0.1.0

func (fwl *FirewallAllowlist) IPPassesAny(port AzurePort, ip AzureIPv4) UnknownBool

IPPassesAny checks if the port/ip combo passes.

func (*FirewallAllowlist) IPPassesPort added in v0.1.0

func (fwl *FirewallAllowlist) IPPassesPort(port AzurePort, ip AzureIPv4) UnknownBool

IPPassesPort does not check if the IP is in AllPorts, for that behavior use IPPassesAny.

func (*FirewallAllowlist) IPPassesStar added in v0.1.0

func (fwl *FirewallAllowlist) IPPassesStar(ip AzureIPv4) UnknownBool

IPPassesStar ONLY checks AllPorts. If you need to also check for ports, use IPPassesAny

func (FirewallAllowlist) RemovePortEntry added in v0.1.0

func (fw FirewallAllowlist) RemovePortEntry(port string)

func (*FirewallAllowlist) Reset added in v0.1.0

func (fwl *FirewallAllowlist) Reset()

func (*FirewallAllowlist) UnmarshalJSON added in v0.1.0

func (fwl *FirewallAllowlist) UnmarshalJSON(b []byte) error

type FirewallRule

// FirewallRule holds the information for a simple firewall rule that allows a
// range of IP addresses. It does not specify ports.
type FirewallRule struct {
	Name    string
	IPRange AzureIPv4
	// AllowsAllAzure is a special case when the start and end IP are both
	// 0.0.0.0 for certain resources. This means that _any_ Azure resource
	// has access to this service -- including other people's VMs.
	//
	// This is a very useful flag: such a rule is a security finding in and
	// of itself.
	AllowsAllAzure UnknownBool
}

FirewallRule holds the information for a simple firewall rule that allows a range of IP addresses. It does not specify ports.

func (*FirewallRule) FromAzureDataLakeAnalytics

func (fw *FirewallRule) FromAzureDataLakeAnalytics(az *armdatalakeanalytics.FirewallRule)

func (*FirewallRule) FromAzureDataLakeStore

func (fw *FirewallRule) FromAzureDataLakeStore(az *armdatalakestore.FirewallRule)

func (*FirewallRule) FromAzurePostgres

func (fw *FirewallRule) FromAzurePostgres(az *armpostgresql.FirewallRule)

func (*FirewallRule) FromAzureRedis

func (fw *FirewallRule) FromAzureRedis(az *armredis.FirewallRule)

func (*FirewallRule) FromAzureSQL

func (fw *FirewallRule) FromAzureSQL(az *armsql.FirewallRule)

func (FirewallRule) SetupEmpty

func (f FirewallRule) SetupEmpty()

SetupEmpty initializes a FirewallRule to not contain nulls. Note that it is declared with a value receiver, so as written it can only initialize the copy it receives, not the caller's value; compare the pointer receiver on LoadBalancerFrontendIPConfiguration.SetupEmpty.

func (*FirewallRule) UnmarshalJSON

func (fw *FirewallRule) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for the IP

type FirewallRules

// FirewallRules is a port-agnostic list of FirewallRule that implements
// Firewall; see RespectsAllowlist for the port-agnostic semantics.
type FirewallRules []FirewallRule

func (FirewallRules) AllowsIP

func (f FirewallRules) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)

func (FirewallRules) AllowsIPString

func (f FirewallRules) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (FirewallRules) AllowsIPToPort

func (f FirewallRules) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)

func (FirewallRules) AllowsIPToPortString

func (f FirewallRules) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)

func (FirewallRules) RespectsAllowlist added in v0.1.0

func (f FirewallRules) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)

RespectsAllowlist for the general FirewallRules type is port agnostic. This means that if the given list has a PortMap specified, this immediately returns BoolNotApplicable. This also means that an allowlist without AllPorts defined is an error.

type FromAzurer added in v0.1.0

// FromAzurer is implemented by types that can populate themselves from an
// Azure SDK value of type T.
type FromAzurer[T any] interface {
	FromAzure(T)
}

type Function

// Function holds important information about a function associated with a
// webapp.
type Function struct {
	Meta       ResourceID
	Config     FunctionConfig
	IsDisabled UnknownBool
	Language   AppLanguage
	// ScriptRootPath, ScriptURL, ConfigURL and SecretsURL are locations of
	// the function's artifacts as reported by Azure; SecretsURL is a
	// location, not secret material.
	ScriptRootPath string
	ScriptURL      string
	ConfigURL      string
	SecretsURL     string
	URL            string
}

Function holds important information about a function associated with a webapp

func NewEmptyFunction

func NewEmptyFunction() *Function

func (*Function) CanHttpTrigger added in v0.1.0

func (f *Function) CanHttpTrigger() UnknownBool

func (*Function) FromAzure

func (f *Function) FromAzure(fe *armappservice.FunctionEnvelope)

type FunctionConfig

// FunctionConfig is the subset of a function's configuration that inzure
// extracts; in the Azure API the configuration is an untyped value, so
// extraction is best effort.
type FunctionConfig struct {
	Bindings []FunctionConfigBinding
}

FunctionConfig is just an `interface{}` type in the Azure API. There is some information we might want out of it, though. When we try to get it, we just ignore the error, since it cannot be guaranteed to always return the same data.

func NewEmtpyFunctionConfig

func NewEmtpyFunctionConfig() FunctionConfig

type FunctionConfigBinding

// FunctionConfigBinding is one binding from a function's configuration.
type FunctionConfigBinding struct {
	// AuthLevel, Type and Methods are copied as strings from the binding;
	// presumably Type and Methods are what Function.CanHttpTrigger inspects —
	// confirm against the implementation.
	AuthLevel string
	Type      string
	Methods   []string
}

func NewEmptyFunctionConfigBinding

func NewEmptyFunctionConfigBinding() FunctionConfigBinding

type IPCollection

// IPCollection is a list of AzureIPv4 that implements Firewall without any
// knowledge of ports; see AllowsIP and RespectsAllowlist for its semantics on
// an empty collection.
type IPCollection []AzureIPv4

func (IPCollection) AllowsIP

func (ipc IPCollection) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)

AllowsIP in the context of an IPCollection will return true if the collection is empty or the ip is in the list.

func (IPCollection) AllowsIPString

func (ipc IPCollection) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (IPCollection) AllowsIPToPort

func (ipc IPCollection) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)

AllowsIPToPort is equivalent to AllowsIP in this case as there is no knowledge of ports.

func (IPCollection) AllowsIPToPortString

func (ipc IPCollection) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)

func (*IPCollection) MarshalJSON

func (ipc *IPCollection) MarshalJSON() ([]byte, error)

func (IPCollection) RespectsAllowlist added in v0.1.0

func (ipc IPCollection) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)

RespectsAllowlist in the context of an IPCollection will return false if the collection is empty. Otherwise it checks if the list it has is a subset of the given list. If it is given a nil list it returns the same as it would for an empty list, which is BoolTrue.

func (IPCollection) String

func (ipc IPCollection) String() string

func (*IPCollection) UnmarshalJSON

func (ipc *IPCollection) UnmarshalJSON(b []byte) error

type IPConfiguration

// IPConfiguration is the IPConfiguration of a NetworkInterface.
type IPConfiguration struct {
	Meta      ResourceID
	PublicIP  PublicIP
	PrivateIP string
	// SubnetRef and ASGRefs reference the subnet and application security
	// groups this configuration belongs to.
	SubnetRef ResourceID
	ASGRefs   []ResourceID
}

IPConfiguration is the IPConfiguration of a NetworkInterface.

func (*IPConfiguration) FromAzure

func (ipc *IPConfiguration) FromAzure(azipc *armnetwork.InterfaceIPConfiguration)

type IPPort

// IPPort pairs an IP range with a port range; RespectsAllowlist implementations
// return these to name the IP/port combinations that failed.
type IPPort struct {
	IP   AzureIPv4
	Port AzurePort
}

func AllIPPort added in v0.1.0

func AllIPPort() IPPort

func AllIPPorts added in v0.1.0

func AllIPPorts() []IPPort

func (IPPort) String

func (ipp IPPort) String() string

type IPPortCollection

// IPPortCollection is a list of IPPort; its Len/Less/Swap methods let it be
// sorted with the sort package.
type IPPortCollection []IPPort

func (IPPortCollection) Len

func (ippc IPPortCollection) Len() int

func (IPPortCollection) Less

func (ippc IPPortCollection) Less(i, j int) bool

func (IPPortCollection) Swap

func (ippc IPPortCollection) Swap(i, j int)

type IQSComparer

// IQSComparer is implemented by query string comparers that can evaluate
// themselves against a reflected value.
type IQSComparer interface {
	Compare(reflect.Value) (bool, error)
}

type KeyVault

// KeyVault holds the information gathered about a Key Vault.
type KeyVault struct {
	Meta ResourceID
	URL  string
	// EnabledFor* mirror the vault's enabledForDeployment,
	// enabledForDiskEncryption and enabledForTemplateDeployment settings.
	EnabledForDeployment         UnknownBool
	EnabledForDiskEncryption     UnknownBool
	EnabledForTemplateDeployment UnknownBool
	// AccessPolicies are the vault's access policies (who may do what).
	AccessPolicies []KeyVaultAccessPolicy
	// Firewall is the vault's network rule set.
	Firewall KeyVaultFirewall
}

func NewEmptyKeyVault

func NewEmptyKeyVault() *KeyVault

func (*KeyVault) FromAzure

func (kv *KeyVault) FromAzure(az *armkeyvault.Vault)

type KeyVaultAccessPolicy

// KeyVaultAccessPolicy is one access policy entry of a KeyVault: the principal
// it applies to and the permissions it grants per object kind.
type KeyVaultAccessPolicy struct {
	// TenantID, ObjectID and ApplicationID identify the principal.
	TenantID      string
	ObjectID      string
	ApplicationID string
	// Storage, Secret, Cert and Key are the granted permission sets.
	Storage KeyVaultStoragePermission
	Secret  KeyVaultSecretsPermission
	Cert    KeyVaultCertificatesPermission
	Key     KeyVaultKeysPermission
}

func (*KeyVaultAccessPolicy) FromAzure

type KeyVaultCertificatesPermission

// KeyVaultCertificatesPermission is the set of certificate permissions in a
// KeyVaultAccessPolicy; None is the empty set. Presumably a bit set like
// KeyVaultKeysPermission — confirm against the constants.
type KeyVaultCertificatesPermission uint64

const KeyVaultCertificatesPermissionNone KeyVaultCertificatesPermission = 0

func (*KeyVaultCertificatesPermission) FromAzure

type KeyVaultFirewall

// KeyVaultFirewall is a Key Vault's network rule set, loaded from an Azure
// NetworkRuleSet by FromAzure. It implements Firewall; AllowsIPToPort ignores
// its port argument.
type KeyVaultFirewall struct {
	// IPRules are the explicitly allowed IP ranges.
	IPRules IPCollection
	// DefaultAllow presumably records the rule set's default action when no
	// rule matches — confirm against FromAzure.
	DefaultAllow UnknownBool
	// VNetRules reference the allowed virtual network subnets.
	VNetRules []ResourceID
}

func (KeyVaultFirewall) AllowsIP

func (kvf KeyVaultFirewall) AllowsIP(chk AzureIPv4) (UnknownBool, []PacketRoute, error)

func (KeyVaultFirewall) AllowsIPString

func (kvf KeyVaultFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (KeyVaultFirewall) AllowsIPToPort

func (kvf KeyVaultFirewall) AllowsIPToPort(ip AzureIPv4, _ AzurePort) (UnknownBool, []PacketRoute, error)

func (KeyVaultFirewall) AllowsIPToPortString

func (kvf KeyVaultFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)

func (*KeyVaultFirewall) FromAzure

func (kvf *KeyVaultFirewall) FromAzure(az *armkeyvault.NetworkRuleSet)

func (KeyVaultFirewall) RespectsAllowlist added in v0.1.0

func (kvf KeyVaultFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)

type KeyVaultKeysPermission

// KeyVaultKeysPermission is a bit set of key permissions in a
// KeyVaultAccessPolicy (see the KeyVaultKeyPermissions* constants); None is
// the empty set.
type KeyVaultKeysPermission uint64

const KeyVaultKeyPermissionsNone KeyVaultKeysPermission = 0

func (*KeyVaultKeysPermission) FromAzure

type KeyVaultSecretsPermission

// KeyVaultSecretsPermission is the set of secret permissions in a
// KeyVaultAccessPolicy; None is the empty set. Presumably a bit set like
// KeyVaultKeysPermission — confirm against the constants.
type KeyVaultSecretsPermission uint64

const KeyVaultSecretPermissionsNone KeyVaultSecretsPermission = 0

func (*KeyVaultSecretsPermission) FromAzure

type KeyVaultStoragePermission

// KeyVaultStoragePermission is the set of storage permissions in a
// KeyVaultAccessPolicy; None is the empty set. Presumably a bit set like
// KeyVaultKeysPermission — confirm against the constants.
type KeyVaultStoragePermission uint32

const KeyVaultStoragePermissionNone KeyVaultStoragePermission = 0

func (*KeyVaultStoragePermission) FromAzure

type LexError

// LexError reports a lexing failure in a query string. Error gives the plain
// message; ErrorWithHint additionally points at Location within Source.
type LexError struct {
	Source   string
	Location int
	Message  string
}

func (LexError) Error

func (le LexError) Error() string

func (LexError) ErrorWithHint

func (le LexError) ErrorWithHint() string

type LoadBalancer

// LoadBalancer holds a load balancer's frontends, backends and the rules that
// connect them.
type LoadBalancer struct {
	Meta        ResourceID
	FrontendIPs []LoadBalancerFrontendIPConfiguration
	Backends    []LoadBalancerBackend
	Rules       []LoadBalancerRule
}

func NewEmptyLoadBalancer

func NewEmptyLoadBalancer() *LoadBalancer

func (*LoadBalancer) AddAzureBackendConfiguration

func (lb *LoadBalancer) AddAzureBackendConfiguration(azConf *armnetwork.BackendAddressPool)

func (*LoadBalancer) AddAzureFrontendIPConfiguration

func (lb *LoadBalancer) AddAzureFrontendIPConfiguration(azConf *armnetwork.FrontendIPConfiguration)

func (*LoadBalancer) AddLoadBalancerRule

func (lb *LoadBalancer) AddLoadBalancerRule(azRule *armnetwork.LoadBalancingRule)

func (*LoadBalancer) FromAzure

func (lb *LoadBalancer) FromAzure(az *armnetwork.LoadBalancer)

type LoadBalancerAttackSurface

// LoadBalancerAttackSurface provides a list of frontend IPs, a list of backend
// IPs, and a mapping from frontend IPs to backend IPs.
type LoadBalancerAttackSurface struct {
	Frontends []string
	Backends  []string
	// Paths maps a frontend IP to the backend IP it reaches.
	Paths map[string]string
}

LoadBalancerAttackSurface provides a list of frontend IPs, a list of backend IPs, and a mapping from frontend IPs to backend IPs

type LoadBalancerBackend

// LoadBalancerBackend is a backend address pool and the IP configurations in
// it.
type LoadBalancerBackend struct {
	Meta             ResourceID
	IPConfigurations []IPConfiguration
}

func (*LoadBalancerBackend) FromAzure

type LoadBalancerFrontendIPConfiguration

// LoadBalancerFrontendIPConfiguration is a load balancer frontend. Its
// PrivateIP is an interface value, so SetupEmpty/UnmarshalJSON exist to keep
// it from being nil.
type LoadBalancerFrontendIPConfiguration struct {
	Meta      ResourceID
	PublicIP  PublicIP
	Subnet    ResourceID
	PrivateIP AzureIPv4
}

func (*LoadBalancerFrontendIPConfiguration) FromAzure

func (*LoadBalancerFrontendIPConfiguration) SetupEmpty

func (lbf *LoadBalancerFrontendIPConfiguration) SetupEmpty()

func (*LoadBalancerFrontendIPConfiguration) UnmarshalJSON

func (lbf *LoadBalancerFrontendIPConfiguration) UnmarshalJSON(b []byte) error

type LoadBalancerProtocol

// LoadBalancerProtocol is an alias of SecurityRuleProtocol, so load balancer
// rules and security rules share one protocol type.
type LoadBalancerProtocol = SecurityRuleProtocol

type LoadBalancerRule

// LoadBalancerRule maps a frontend IP/port to a backend IP/port for one
// protocol. Its IP and port fields are interface values, so SetupEmpty and
// UnmarshalJSON exist to keep them from being nil.
type LoadBalancerRule struct {
	Meta         ResourceID
	FrontendIP   AzureIPv4
	FrontendPort AzurePort
	BackendIP    AzureIPv4
	BackendPort  AzurePort
	Protocol     LoadBalancerProtocol
}

func (*LoadBalancerRule) SetupEmpty

func (lbr *LoadBalancerRule) SetupEmpty()

func (*LoadBalancerRule) UnmarshalJSON

func (lbr *LoadBalancerRule) UnmarshalJSON(js []byte) error

type NetworkInterface

// A NetworkInterface enables virtual machines to communicate with the
// internet. They are a link between NSGs and VMs. They also optionally have a
// public IP address (see IPConfiguration.PublicIP).
type NetworkInterface struct {
	Meta             ResourceID
	IPConfigurations []IPConfiguration
}

A NetworkInterface enables Virtual Machines to communicate with the internet. They are a link between NSGs and VMs. They also optionally have a public IP address.

func NewEmptyNetworkInterface

func NewEmptyNetworkInterface() *NetworkInterface

func (*NetworkInterface) FromAzure

func (n *NetworkInterface) FromAzure(az *armnetwork.Interface)

type NetworkSecurityGroup

// NetworkSecurityGroup holds all necessary information for an automatic
// analysis of network security groups. It implements Firewall; its
// RespectsAllowlist is NOT port agnostic.
//
// NetworkSecurityGroups do belong to a resource group, but they can be applied
// to resources in different resource groups.
type NetworkSecurityGroup struct {
	Meta ResourceID
	// InboundRules and OutboundRules are the NSG's firewall rules.
	InboundRules  []SecurityRule
	OutboundRules []SecurityRule
	// Subnets and NetworkInterfaces reference what the NSG is applied to.
	Subnets           []ResourceID
	NetworkInterfaces []ResourceID
}

NetworkSecurityGroup holds all necessary information for an automatic analysis of network security groups.

NetworkSecurityGroups are big. They have inbound/outbound firewall rules and are associated with both subnets and network interfaces. Network interfaces and subnets can be used to associate them with virtual machines. The data contained here needs to be complemented with the data in a VirtualNetwork to get a full picture of the subscription's compute networking.

NetworkSecurityGroups do belong to a resource group, but they can be applied to resources in different resource groups.

func NewEmptyNSG

func NewEmptyNSG() *NetworkSecurityGroup

func (*NetworkSecurityGroup) AllowsIP

func (nsg *NetworkSecurityGroup) AllowsIP(checkIP AzureIPv4) (UnknownBool, []PacketRoute, error)

AllowsIP is implementing Firewall for NetworkSecurityGroup

func (*NetworkSecurityGroup) AllowsIPString

func (nsg *NetworkSecurityGroup) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (*NetworkSecurityGroup) AllowsIPToPort

func (nsg *NetworkSecurityGroup) AllowsIPToPort(checkIP AzureIPv4, checkPort AzurePort) (UnknownBool, []PacketRoute, error)

AllowsIPToPort is implementing Firewall for NetworkSecurityGroup

func (*NetworkSecurityGroup) AllowsIPToPortString

func (nsg *NetworkSecurityGroup) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)

func (*NetworkSecurityGroup) DeepCopySetVNet

func (nsg *NetworkSecurityGroup) DeepCopySetVNet(vnet string) (*NetworkSecurityGroup, error)

DeepCopySetVNet returns a deep copy of the NetworkSecurityGroup with the VirtualNetwork set. This can be very helpful when trying to get good results from firewall tests. Note that the original NSG is unchanged.

Note that "DeepCopy" is currently implemented as a JSON conversion.

func (*NetworkSecurityGroup) FromAzure

func (nsg *NetworkSecurityGroup) FromAzure(aznsg *armnetwork.SecurityGroup)

func (*NetworkSecurityGroup) RespectsAllowlist added in v0.1.0

func (nsg *NetworkSecurityGroup) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)

RespectsAllowlist for a NetworkSecurityGroup is NOT port agnostic. This means you'll never get a BoolNotApplicable from this and the only time an error is returned is when both AllPorts and PortMap are not defined.

type OsType

// OsType is a virtual machine's operating system type, loaded from an Azure
// OperatingSystemTypes value by FromAzure. OsTypeUnknown is the zero value.
type OsType int

const (
	OsTypeUnknown OsType = 0
	OsTypeLinux   OsType = 1
	OsTypeWindows OsType = 2
)

func (*OsType) FromAzure added in v0.1.0

func (it *OsType) FromAzure(az *azpkg.OperatingSystemTypes)

func (OsType) IsKnown added in v0.1.0

func (it OsType) IsKnown() bool

func (OsType) IsLinux added in v0.1.0

func (it OsType) IsLinux() UnknownBool

func (OsType) IsUnknown added in v0.1.0

func (it OsType) IsUnknown() bool

func (OsType) IsWindows added in v0.1.0

func (it OsType) IsWindows() UnknownBool

func (OsType) String added in v0.1.0

func (it OsType) String() string

type PacketRoute

// PacketRoute holds a potential inbound route on a firewall: the IPs and ports
// reachable over Protocol. See Equals for the equality definition.
type PacketRoute struct {
	IPs      IPCollection
	Ports    PortCollection
	Protocol SecurityRuleProtocol
}

PacketRoute holds a potential inbound route on a firewall.

func AllowsAllPacketRoute

func AllowsAllPacketRoute() PacketRoute

func AllowsAllPacketRoutes added in v0.1.0

func AllowsAllPacketRoutes() []PacketRoute

func PacketRouteFromSecurityRuleDests

func PacketRouteFromSecurityRuleDests(s SecurityRule) PacketRoute

PacketRouteFromSecurityRuleDests creates a PacketRoute from the destination portions of a security rule. It safely copies the IPv4 and Port interfaces.

func (*PacketRoute) Equals

func (p *PacketRoute) Equals(o *PacketRoute) bool

Equals tests for equality of two packet routes. Equality is defined as:

  1. Same protocol
  2. Same IPs
  3. Same ports

Note that one PacketRoute can be a subset of another PacketRoute, but that is different from equality.

type ParentResource

// ParentResource is an intermediate piece of a resource ID string (for example
// the resource group or an NSG that a resource belongs to): its name and
// resource tag.
type ParentResource struct {
	Name string
	Tag  AzureResourceTag
}

ParentResource is an intermediate piece of the resource ID string. For example, almost everything has a subscription and resource group, but some resources also have another resource, such as an NSG, as a parent. This is some basic metadata about that item.

func (*ParentResource) Equals

func (r *ParentResource) Equals(o *ParentResource) bool

Equals tests two ParentResources for equality

type PortCollection

// PortCollection is a list of AzurePort with custom JSON (un)marshaling, since
// AzurePort is an interface type.
type PortCollection []AzurePort

func (*PortCollection) MarshalJSON

func (pc *PortCollection) MarshalJSON() ([]byte, error)

func (*PortCollection) UnmarshalJSON

func (pc *PortCollection) UnmarshalJSON(b []byte) error

type PostgresDB

// PostgresDB is a database on a PostgresServer.
type PostgresDB struct {
	Meta ResourceID
}

func (*PostgresDB) FromAzure

func (psd *PostgresDB) FromAzure(az *armpostgresql.Database)

type PostgresServer

// PostgresServer holds the information gathered about an Azure Database for
// PostgreSQL server.
type PostgresServer struct {
	Meta    ResourceID
	Version string
	FQDN    string
	// AdminUser is the administrator login name only; no credential is stored.
	AdminUser string
	Databases []PostgresDB
	// SSLEnforced records whether the server requires TLS connections.
	SSLEnforced UnknownBool
	// Firewall is port agnostic; see FirewallRules.
	Firewall FirewallRules
	Subnets  []ResourceID
}

func NewEmptyPostgresServer

func NewEmptyPostgresServer() *PostgresServer

func (*PostgresServer) FromAzure

func (ps *PostgresServer) FromAzure(az *armpostgresql.Server)

type PublicIP

// PublicIP wraps the Azure public IP type, which is the actual address and
// some pertinent metadata. From the Azure structure we can also get a FQDN.
type PublicIP struct {
	Meta ResourceID
	FQDN string
	IP   string
}

PublicIP wraps the Azure public IP type, which is the actual address and some pertinent metadata.

From the Azure structure we can actually get a FQDN.

func (*PublicIP) FromAzure

func (p *PublicIP) FromAzure(ap *armnetwork.PublicIPAddress)

type QSArraySelT

// QSArraySelT is an array selector in a query string. The named selectors are
// negative, presumably so that non-negative values can act as plain indices —
// confirm against the parser.
type QSArraySelT int

const (
	QSArraySelUk  QSArraySelT = -4
	QSArraySelAny QSArraySelT = -3
	QSArraySelAll QSArraySelT = -2
	QSArraySelLen QSArraySelT = -1
)

func (QSArraySelT) String

func (qsa QSArraySelT) String() string

type QSComparer

// QSComparer is a single comparison in a query string: Fields selects the
// value, Op is the comparison, To is what it is compared against.
type QSComparer struct {
	Fields QSField
	Op     QSOpT
	To     interface{}
	// contains filtered or unexported fields
}

func (*QSComparer) Compare

func (qsc *QSComparer) Compare(base reflect.Value) (bool, error)

func (*QSComparer) String

func (qsc *QSComparer) String() string

type QSCondition

// QSCondition is a boolean condition in a query string: one comparer, plus
// optional And/Or continuations that PushAnd/PushOr attach.
type QSCondition struct {
	// Raw is the original source text of the condition.
	Raw string
	Cmp IQSComparer
	And *QSCondition
	Or  *QSCondition
}

func (*QSCondition) Compare

func (qsc *QSCondition) Compare(v reflect.Value) (bool, error)

func (*QSCondition) Equals

func (qsc *QSCondition) Equals(o *QSCondition) bool

func (*QSCondition) FilterValue

func (qsc *QSCondition) FilterValue(v reflect.Value) (reflect.Value, error)

func (*QSCondition) PushAnd

func (qsc *QSCondition) PushAnd(ic *QSCondition)

func (*QSCondition) PushOr

func (qsc *QSCondition) PushOr(ic *QSCondition)

func (*QSCondition) String

func (qsc *QSCondition) String() string

type QSField

// QSField is one step of a field path in a query string, linked to the next
// step through Next.
type QSField struct {
	Name string

	// IsArray/ArraySel describe indexing into an array-valued field.
	IsArray  bool
	ArraySel QSArraySelT

	// IsMethod and the Method* fields describe a method call on the value:
	// whether a pointer receiver is needed, which return value is used and
	// the reflected arguments to pass.
	IsMethod          bool
	MethodNeedsPtr    bool
	MethodReturnIndex int
	MethodArgs        []reflect.Value

	Next *QSField
}

func (*QSField) String

func (f *QSField) String() string

type QSOpT

// QSOpT is an operation for a query string; see the QSOp* constants.
type QSOpT uint8

QSOpT is an operation for a query string

const (
	// QSOpUk is the zero value: operator not recognized / not set.
	QSOpUk QSOpT = iota
	QSOpEq      // == (as in `[.Access == 3]`)
	QSOpNe      // != (as in `[.DisablePasswordAuth != BoolTrue]`)
	QSOpGt      // >
	QSOpGte     // >=
	QSOpLt      // <
	QSOpLte     // <=
	QSOpLike    // LIKE-style match; the matching rules are defined in Compare, not here
	QSOpNotLike // negation of QSOpLike
)

func (QSOpT) String

func (op QSOpT) String() string

type QSSelector

// QSSelector is the head of a query string: the resource collection to
// walk (e.g. "VirtualMachines", i.e. a ResourceGroup field name) plus an
// optional Condition that filters its elements. Presumably a nil Condition
// selects every element.
type QSSelector struct {
	Resource  string
	Condition *QSCondition
}

func (*QSSelector) Contains

func (qss *QSSelector) Contains(o *QSSelector) bool

func (*QSSelector) Equals

func (qss *QSSelector) Equals(o *QSSelector) bool

func (*QSSelector) String

func (qss *QSSelector) String() string

type QueryString

// QueryString is the parsed form of an inzure query string (see
// Subscription.FromQueryString for the syntax). Sel is the top-level
// resource selector; ResourceGroup and Name narrow the match to one group
// and one resource (the `*` segments in the documented examples suggest
// either may be a wildcard — TODO confirm); Subresource continues the path
// below the selected resource. Raw is the original text.
type QueryString struct {
	Raw           string
	Sel           QSSelector
	ResourceGroup string
	Name          string
	Subresource   *QueryString
	// contains filtered or unexported fields
}

func (*QueryString) BaseString

func (qs *QueryString) BaseString() string

func (*QueryString) ContainsIQS

func (p *QueryString) ContainsIQS(oqs *QueryString) bool

func (*QueryString) ContainsString

func (p *QueryString) ContainsString(s string) bool

ContainsString reports whether this query string is a superset of, or equal to, the query string s. Without context this can be difficult to decide, so this function may return a false negative.

func (*QueryString) GetReturnType

func (qs *QueryString) GetReturnType() (reflect.Type, bool)

GetReturnType returns the reflect.Type that should be returned by this query string when used with a Subscription.

func (*QueryString) Parse

func (qs *QueryString) Parse(s string) error

Parse takes an inzure query string (IQS) and fills the given QueryString struct with the data it represents.

func (*QueryString) String

func (qs *QueryString) String() string

func (*QueryString) Validate added in v0.1.0

func (qs *QueryString) Validate() error

Validate checks that the parsed query string is well-formed and returns a non-nil error if it is not.

type RedisFirewall

// RedisFirewall is the rule set attached to a RedisServer. Unlike
// FirewallRules, an empty RedisFirewall is not a deny-all: AllowsIP* and
// RespectsAllowlist report traffic as allowed from everywhere when no rules
// are present, so a test must treat len(f) == 0 as "open to the internet".
type RedisFirewall []FirewallRule

func (RedisFirewall) AllowsIP

func (f RedisFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)

AllowsIP for RedisFirewalls differs from FirewallRules in that, when no rules are present, traffic is allowed by default from everywhere. An empty RedisFirewall therefore means the cache is reachable from any address; tests must treat an empty rule set as open, not as closed.

func (RedisFirewall) AllowsIPString

func (f RedisFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (RedisFirewall) AllowsIPToPort

func (f RedisFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)

func (RedisFirewall) AllowsIPToPortString

func (f RedisFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)

func (RedisFirewall) RespectsAllowlist added in v0.1.0

func (f RedisFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)

RespectsAllowlist for a RedisFirewall is port agnostic, and it has one important difference from FirewallRules: if the firewall is empty it allows everything, so an empty RedisFirewall never respects a non-empty allowlist.

type RedisServer

// RedisServer is the normalized view of an Azure Redis cache instance.
type RedisServer struct {
	Meta              ResourceID
	Version           string
	// Host is the server's hostname; Port and SSLPort are the plaintext and
	// TLS listeners respectively, -1 when they could not be determined.
	Host              string
	Port              int
	SSLPort           int
	// NonSSLPortEnabled is the finding most tests care about: BoolTrue means
	// the plaintext port is reachable (subject to Firewall). BoolUnknown
	// must not be read as "disabled".
	NonSSLPortEnabled UnknownBool
	StaticIP          string
	Configuration     map[string]string
	// Firewall is empty-means-open; see RedisFirewall.
	Firewall          RedisFirewall
	// Subnet presumably identifies the VNet subnet the cache is injected
	// into; an empty ResourceID would then mean it is not VNet-injected.
	Subnet            ResourceID
	// MinimumTLSVersion applies to SSLPort. TLSVersionUnknown (0) is the
	// zero value, so check IsKnown() before comparing.
	MinimumTLSVersion TLSVersion
}

RedisServer holds all of the information pertinent to Azure redis servers.

If Port or SSLPort cannot be determined from the Azure response, its value is -1; check for -1 before treating a port as listening.

func NewEmptyRedisServer

func NewEmptyRedisServer() *RedisServer

func (*RedisServer) FromAzure

func (r *RedisServer) FromAzure(az *armredis.ResourceInfo)

type ResourceGroup

// ResourceGroup holds every resource inzure collected for one Azure
// resource group, one slice per resource kind. Each slice name is the root
// of the corresponding query-string path (e.g. `/VirtualMachines`). The
// slices hold pointers, and FromQueryString hands those same pointers out,
// so anything obtained through a query aliases this struct.
type ResourceGroup struct {
	Meta                      ResourceID
	StorageAccounts           []*StorageAccount
	NetworkSecurityGroups     []*NetworkSecurityGroup
	VirtualNetworks           []*VirtualNetwork
	VirtualMachines           []*VirtualMachine
	WebApps                   []*WebApp
	DataLakeStores            []*DataLakeStore
	DataLakeAnalytics         []*DataLakeAnalytics
	SQLServers                []*SQLServer
	RedisServers              []*RedisServer
	APIServices               []*APIService
	NetworkInterfaces         []*NetworkInterface
	ApplicationSecurityGroups []*ApplicationSecurityGroup
	KeyVaults                 []*KeyVault
	LoadBalancers             []*LoadBalancer
	CosmosDBs                 []*CosmosDB
	PostgresServers           []*PostgresServer
}

ResourceGroup is a way of dividing up resources in a Subscription. Each Azure object belongs to a ResourceGroup. ResourceGroups can be retrieved from the main Subscription struct via their name.

func NewEmptyResourceGroup

func NewEmptyResourceGroup() *ResourceGroup

func (*ResourceGroup) FromAzure

func (rg *ResourceGroup) FromAzure(res *armresources.ResourceGroup)

type ResourceID

// ResourceID is the parsed form of an Azure ARM resource ID string. RawID
// is kept verbatim; the remaining fields are extracted from it and any of
// them may be empty when the ID does not carry that segment. Tag is the
// resource type tag. NOTE(review): Azure treats resource IDs
// case-insensitively; confirm that Equals does too before using it to
// de-duplicate or correlate resources (ExtractValueForTag has an explicit
// caseInsensitive flag, Equals does not).
type ResourceID struct {
	RawID             string
	Subscription      string
	ResourceGroupName string
	//Parents           []ParentResource
	Name string
	Tag  AzureResourceTag
}

ResourceID is a normalized version of the longform resource string provided by Azure. Not every field is guaranteed to be populated.

func (*ResourceID) Equals

func (r *ResourceID) Equals(o *ResourceID) bool

Equals tests two ResourceIDs for equality

func (*ResourceID) ExtractValueForTag

func (r *ResourceID) ExtractValueForTag(tag string, caseInsensitive bool) string

ExtractValueForTag parses the RawID for a segment pair like `.../tag/value...` and returns value. Matches case-insensitively if caseInsensitive is true. Returns the empty string if the tag is not found.

func (*ResourceID) FromID

func (r *ResourceID) FromID(id string)

func (*ResourceID) MarshalJSON

func (r *ResourceID) MarshalJSON() ([]byte, error)

func (*ResourceID) QueryString

func (r *ResourceID) QueryString() (string, error)

func (*ResourceID) SetupEmpty

func (r *ResourceID) SetupEmpty()

func (*ResourceID) UnmarshalJSON

func (r *ResourceID) UnmarshalJSON(b []byte) error

type SQLDatabase

// SQLDatabase is one database hosted on a SQLServer. Encrypted reports the
// database's at-rest encryption state (presumably transparent data
// encryption) as an UnknownBool — treat BoolUnknown as "not verified",
// never as encrypted.
type SQLDatabase struct {
	Meta       ResourceID
	DatabaseID string
	Encrypted  UnknownBool
}

func NewEmptySQLDatabase

func NewEmptySQLDatabase() *SQLDatabase

func (*SQLDatabase) FromAzure

func (db *SQLDatabase) FromAzure(az *armsql.Database)

func (*SQLDatabase) QueryString

func (db *SQLDatabase) QueryString() string

type SQLServer

// SQLServer is the normalized view of an Azure SQL logical server.
// AdminUser is the administrator login name only; no secret material is
// stored here. FQDN is the public endpoint, and Firewall (IP rules) together
// with Subnets (virtual network rules) decide who can reach it.
type SQLServer struct {
	Meta      ResourceID
	AdminUser string
	FQDN      string
	Version   string
	Firewall  FirewallRules
	Databases []*SQLDatabase
	Subnets   []ResourceID
}

SQLServer holds all information for a Microsoft SQL server

func NewEmptySQLServer

func NewEmptySQLServer() *SQLServer

func (*SQLServer) FromAzure

func (s *SQLServer) FromAzure(az *armsql.Server)

type SSHPublicKey

// SSHPublicKey is an authorized public key provisioned on a VM: PublicKey
// is the key text and Path is where it is placed on the VM (presumably the
// target user's authorized_keys file — confirm against the SDK). Only
// public material is stored, so it is safe to serialize.
type SSHPublicKey struct {
	Path      string
	PublicKey string
}

SSHPublicKey contains the key itself as a string and the location on the VM

type SearchTarget

// SearchTarget selects which Azure resource families SearchAllTargets
// collects; enable them with Subscription.AddTarget. TargetSearchUnset is
// the zero value, so an uninitialized SearchTarget is detectably unset.
type SearchTarget uint

SearchTarget is a target available for searching through this package

const (
	// TargetSearchUnset is present to make the zero value of a SearchTarget
	// indicate it wasn't set
	TargetSearchUnset SearchTarget = iota
	// Each remaining target corresponds to one or more ResourceGroup slices.
	// Which slices TargetNetwork covers (VirtualNetworks, NSGs,
	// NetworkInterfaces, ...) is not visible here — confirm in
	// SearchAllTargets. There is no dedicated target for VirtualMachines or
	// ApplicationSecurityGroups, so presumably one of the listed targets
	// populates them; verify before assuming a scan included VMs.
	TargetStorageAccounts
	TargetNetwork
	TargetAppService
	TargetDataLakes
	TargetSQL
	TargetRedis
	TargetAPIs
	TargetKeyVaults
	TargetCosmosDBs
	TargetLoadBalancers
	TargetPostgres
)

type SecurityRule

// SecurityRule is one rule of a NetworkSecurityGroup. In Azure, rules of a
// given direction are evaluated in ascending Priority order and the first
// match wins; Allows says whether that match permits or denies the traffic.
// Protocol, SourceIPs, DestIPs, SourcePorts and DestPorts are the match
// criteria. SecurityRules implements sort.Interface so a rule set can be
// put into evaluation order (presumably by Priority — confirm in Less).
type SecurityRule struct {
	Name        string
	Allows      bool
	Inbound     bool
	Priority    int32
	Description string
	Protocol    SecurityRuleProtocol
	SourceIPs   IPCollection
	DestIPs     IPCollection
	SourcePorts PortCollection
	DestPorts   PortCollection
}

SecurityRule represents a single rule in a NetworkSecurityGroup

func (*SecurityRule) FromAzure

func (s *SecurityRule) FromAzure(az *armnetwork.SecurityRule)

type SecurityRuleProtocol

// SecurityRuleProtocol is the protocol an NSG rule matches. ProtocolUnknown
// is the zero value (check IsKnown() before interpreting it). ProtocolAll
// corresponds to Azure's "*" wildcard and matches every protocol, so a rule
// with ProtocolAll plus a wide port range is the broadest kind of rule.
type SecurityRuleProtocol int
const (
	ProtocolUnknown SecurityRuleProtocol = 0
	ProtocolAll     SecurityRuleProtocol = 1
	ProtocolTCP     SecurityRuleProtocol = 2
	ProtocolUDP     SecurityRuleProtocol = 3
)

func (*SecurityRuleProtocol) FromAzure

func (it *SecurityRuleProtocol) FromAzure(az *azpkg.SecurityRuleProtocol)

func (SecurityRuleProtocol) IsAll added in v0.1.0

func (it SecurityRuleProtocol) IsAll() UnknownBool

func (SecurityRuleProtocol) IsKnown added in v0.1.0

func (it SecurityRuleProtocol) IsKnown() bool

func (SecurityRuleProtocol) IsTCP added in v0.1.0

func (it SecurityRuleProtocol) IsTCP() UnknownBool

func (SecurityRuleProtocol) IsUDP added in v0.1.0

func (it SecurityRuleProtocol) IsUDP() UnknownBool

func (SecurityRuleProtocol) IsUnknown added in v0.1.0

func (it SecurityRuleProtocol) IsUnknown() bool

func (*SecurityRuleProtocol) MarshalJSON

func (p *SecurityRuleProtocol) MarshalJSON() ([]byte, error)

func (SecurityRuleProtocol) String

func (p SecurityRuleProtocol) String() string

func (*SecurityRuleProtocol) UnmarshalJSON

func (p *SecurityRuleProtocol) UnmarshalJSON(b []byte) error

type SecurityRules

// SecurityRules is a sortable slice of SecurityRule (Len/Less/Swap satisfy
// sort.Interface) so NSG rules can be ordered for evaluation.
type SecurityRules []SecurityRule

func (SecurityRules) Len

func (s SecurityRules) Len() int

func (SecurityRules) Less

func (s SecurityRules) Less(i, j int) bool

func (SecurityRules) Swap

func (s SecurityRules) Swap(i, j int)

type StorageAccount

// StorageAccount is the normalized view of a storage account, classic or
// ARM (IsClassic). The security-relevant fields are HTTPSOnly (secure
// transfer required), MinTLSVersion, Encryption (which services are
// encrypted and where the key comes from), and the access level of each
// Container. Classic accounts may leave several of these Unknown — see
// FromAzureClassic — so tests should check IsKnown()/Known() rather than
// treating Unknown as a pass.
type StorageAccount struct {
	Meta          ResourceID
	Kind          StorageAccountKind
	IsClassic     bool
	CustomDomain  string
	Encryption    StorageEncryption
	HTTPSOnly     UnknownBool
	MinTLSVersion TLSVersion

	Containers []Container
	FileShares []FileShare
	// contains filtered or unexported fields
}

StorageAccount contains the Containers and FileShares associated with the given account; the queue and table services are represented only by their encryption flags in StorageEncryption.

This type is intended to contain information about both classic and managed storage accounts. Classic storage accounts may expose less information (several fields may remain Unknown), and Azure deprecated them a long time ago.

func NewEmptyStorageAccount added in v0.1.0

func NewEmptyStorageAccount() *StorageAccount

func (*StorageAccount) FromAzure

func (sa *StorageAccount) FromAzure(acc *armstorage.Account)

func (*StorageAccount) FromAzureClassic

func (sa *StorageAccount) FromAzureClassic(acc *storageservice.StorageServiceResponse)

TODO: classic storage accounts do not appear to offer any way to check for encryption; the more recent service API may be needed for this. Until then, Encryption on a classic account should be expected to remain Unknown.

type StorageAccountKind added in v0.1.0

// StorageAccountKind mirrors the Azure account kind (BlobStorage,
// BlockBlobStorage, FileStorage, Storage (general-purpose v1), StorageV2).
// StorageAccountKindUnknown is the zero value; check IsKnown() first.
type StorageAccountKind int
const (
	StorageAccountKindUnknown          StorageAccountKind = 0
	StorageAccountKindBlobStorage      StorageAccountKind = 1
	StorageAccountKindBlockBlobStorage StorageAccountKind = 2
	StorageAccountKindFileStorage      StorageAccountKind = 3
	StorageAccountKindStorage          StorageAccountKind = 4
	StorageAccountKindStorageV2        StorageAccountKind = 5
)

func (*StorageAccountKind) FromAzure added in v0.1.0

func (it *StorageAccountKind) FromAzure(az *azpkg.Kind)

func (StorageAccountKind) IsBlobStorage added in v0.1.0

func (it StorageAccountKind) IsBlobStorage() UnknownBool

func (StorageAccountKind) IsBlockBlobStorage added in v0.1.0

func (it StorageAccountKind) IsBlockBlobStorage() UnknownBool

func (StorageAccountKind) IsFileStorage added in v0.1.0

func (it StorageAccountKind) IsFileStorage() UnknownBool

func (StorageAccountKind) IsKnown added in v0.1.0

func (it StorageAccountKind) IsKnown() bool

func (StorageAccountKind) IsStorage added in v0.1.0

func (it StorageAccountKind) IsStorage() UnknownBool

func (StorageAccountKind) IsStorageV2 added in v0.1.0

func (it StorageAccountKind) IsStorageV2() UnknownBool

func (StorageAccountKind) IsUnknown added in v0.1.0

func (it StorageAccountKind) IsUnknown() bool

func (StorageAccountKind) String added in v0.1.0

func (it StorageAccountKind) String() string

type StorageEncryption

// StorageEncryption records, per storage service, whether at-rest
// encryption is enabled, plus where the key comes from (KeySource). Each
// service flag is an UnknownBool; BoolUnknown is plausible for services an
// account kind does not offer, so do not read it as "disabled".
type StorageEncryption struct {
	KeySource StorageKeySource
	Queue     UnknownBool
	File      UnknownBool
	Blob      UnknownBool
	Table     UnknownBool
}

StorageEncryption specifies which services are encrypted in the storage account

func (*StorageEncryption) FromAzure

func (se *StorageEncryption) FromAzure(enc *armstorage.Encryption)

type StorageKeySource added in v0.1.0

// StorageKeySource says who holds the encryption key for a storage
// account: the storage service itself (Microsoft-managed) or a Key Vault
// (customer-managed key). StorageKeySourceUnknown is the zero value.
type StorageKeySource int
const (
	StorageKeySourceUnknown  StorageKeySource = 0
	StorageKeySourceStorage  StorageKeySource = 1
	StorageKeySourceKeyVault StorageKeySource = 2
)

func (*StorageKeySource) FromAzure added in v0.1.0

func (it *StorageKeySource) FromAzure(az *azpkg.KeySource)

func (StorageKeySource) IsKeyVault added in v0.1.0

func (it StorageKeySource) IsKeyVault() UnknownBool

func (StorageKeySource) IsKnown added in v0.1.0

func (it StorageKeySource) IsKnown() bool

func (StorageKeySource) IsStorage added in v0.1.0

func (it StorageKeySource) IsStorage() UnknownBool

func (StorageKeySource) IsUnknown added in v0.1.0

func (it StorageKeySource) IsUnknown() bool

func (StorageKeySource) String added in v0.1.0

func (it StorageKeySource) String() string

type Subnet

// Subnet is one subnet of a VirtualNetwork. AddressRange is its CIDR as
// reported by Azure, and IPConfigurationRefs lists the IDs of the IP
// configurations (presumably NIC IP configurations — confirm) attached to
// it; only references are kept, the NetworkInterface objects themselves
// live on the ResourceGroup.
type Subnet struct {
	Meta         ResourceID
	AddressRange string
	//VirtualNetwork string
	IPConfigurationRefs []ResourceID
}

func (*Subnet) FromAzure

func (s *Subnet) FromAzure(as *armnetwork.Subnet)

type Subscription

// Subscription is the root of an inzure data set: everything gathered for
// one Azure subscription, keyed by resource group name. Create it with one
// of the NewSubscription* functions, fill it with SearchAllTargets, and
// persist/load it with the (encrypted) JSON helpers. AuditDate records when
// the data was collected — any finding is only as current as that
// timestamp. ClassicStorageAccounts sits outside ResourceGroups, presumably
// because classic accounts are not tied to a resource group.
// NOTE(review): the classic management key set via SetClassicKey and the
// proxy from SetProxy are held in unexported fields; encoding/json does not
// emit unexported fields, so they should not reach a saved file — confirm
// no custom MarshalJSON on this type changes that.
type Subscription struct {
	ID             string
	Alias          string
	ResourceGroups map[string]*ResourceGroup
	AuditDate      time.Time

	ClassicStorageAccounts []*StorageAccount
	// contains filtered or unexported fields
}

Subscription is an entire Azure subscription. This struct can be used as the entrypoint for the entire analysis.

Subscriptions should not be instantiated directly, use the NewSubscription function.

func BatchSubscriptionsFromEnv

func BatchSubscriptionsFromEnv(pw []byte) ([]*Subscription, error)

BatchSubscriptionsFromEnv will use the EnvSubscriptionBatchFiles environmental variable to load subscriptions into a slice. The passed password can be nil if the files are unencrypted or if the password can be pulled from the environment.

func NewSubscription

func NewSubscription(id string) Subscription

NewSubscription is used to create a Subscription that is ready to be used.

func NewSubscriptionFromID

func NewSubscriptionFromID(id SubscriptionID) Subscription

NewSubscriptionFromID creates a usable new Subscription from a SubscriptionID.

func NewSubscriptionWithAlias

func NewSubscriptionWithAlias(id, alias string) Subscription

NewSubscriptionWithAlias creates a usable new Subscription with an alias.

func SubscriptionFromEncryptedJSON

func SubscriptionFromEncryptedJSON(pw []byte, r io.Reader) (*Subscription, error)

SubscriptionFromEncryptedJSON is the counterpart decryption function: it decrypts the data read from r and unmarshals it into a Subscription.

If pw is nil, this function reads the password from the environment variable named by KeyEnvironmentalVariableName. Keep in mind that environment variables are readable by other processes running as the same user and are routinely captured in CI logs, so prefer passing pw explicitly where possible.

func SubscriptionFromFile

func SubscriptionFromFile(fname string) (sub *Subscription, err error)

SubscriptionFromFile will load a subscription from a file. This handles both encrypted and unencrypted files; a file is treated as encrypted when it carries the .enc extension (see SubscriptionFromFilePassword), so an encrypted file that has been renamed will presumably be parsed as plaintext JSON and fail rather than be decrypted.

func SubscriptionFromFilePassword

func SubscriptionFromFilePassword(fname string, pw []byte) (sub *Subscription, err error)

SubscriptionFromFilePassword will load a Subscription from the given encrypted JSON file using pw as the password. The file must have the .enc extension.

func (*Subscription) AddTarget

func (s *Subscription) AddTarget(tag SearchTarget) *Subscription

AddTarget sets the given SearchTarget to be searched.

func (*Subscription) Diff

Diff compares this Subscription with another one and reports what was added, removed and modified, presumably as a SubscriptionDiff (slices of inzure query strings); the signature is not shown on this page.

func (*Subscription) FromQueryString

func (s *Subscription) FromQueryString(qs string, into interface{}) error

FromQueryString loads the item[s] identified by the query string into the passed interface.

`into` needs to be a pointer to the expected type. For instance, if `/SQLServers` is given, `into` needs to be `*[]*SQLServer`. Note that you are given the actual pointers, so modifying what you get modifies the Subscription as well.

Query strings are really just Go struct field selectors with a little more functionality. Everything starts on a ResourceGroup struct, so for VMs you'd start with `/VirtualMachines` for example. You can add conditions onto a query string type by putting them in brackets `[]`. For example, to get all virtual machines that might allow password auth, you'd use `/VirtualMachines[.DisablePasswordAuth != BoolTrue]` — note that `!= BoolTrue` deliberately matches BoolUnknown and BoolNotApplicable as well as BoolFalse, which is the conservative choice for a security test (a VM whose setting could not be determined is not assumed safe). You can also specify conditions on sub resources. To get all Containers in the subscription with public read access you could use `/StorageAccounts/*/*/Containers[.Access == 3]`.

This makes dealing with inzure data significantly easier, and the accompanying `inzure search` command can be used to access this interface.

func (*Subscription) GetAttackSurface

func (s *Subscription) GetAttackSurface() AttackSurface

func (*Subscription) ReflectFromParsedQueryString

func (s *Subscription) ReflectFromParsedQueryString(p *QueryString) (reflect.Value, error)

func (*Subscription) ReflectFromQueryString

func (s *Subscription) ReflectFromQueryString(qs string) (reflect.Value, error)

func (*Subscription) SearchAllTargets

func (s *Subscription) SearchAllTargets(ctx context.Context, ec chan<- error)

SearchAllTargets searches all targets that were set with the AddTarget method. The passed error channel is closed when this method is complete. If a classic key was given to this Subscription (see SetClassicKey), this function also searches for classic items (StorageAccounts, VirtualMachines, NSGs, etc.).

The returned errors are not guaranteed to be AzureAPIError pointers.

Note: At the moment the passed context is only useful for Azure SDK methods and has no direct effect on this method.

func (*Subscription) SetClassicKey

func (s *Subscription) SetClassicKey(key []byte)

SetClassicKey sets the management key to use for classic resources. If key is non-nil, classic accounts will also be searched by SearchAllTargets.

func (*Subscription) SetProxy added in v0.1.0

func (s *Subscription) SetProxy(dialer proxy.Dialer)

func (*Subscription) SetQuiet

func (s *Subscription) SetQuiet(quiet bool)

SetQuiet sets whether to log progress or not. Typically the SearchAllTargets method will give you some info that it is actually doing some work. To disable this use SetQuiet(true).

func (*Subscription) String

func (s *Subscription) String() string

func (*Subscription) UnsetTarget

func (s *Subscription) UnsetTarget(tag SearchTarget) *Subscription

UnsetTarget removes a SearchTarget

func (*Subscription) ValueFromQueryString

func (s *Subscription) ValueFromQueryString(qs string, v reflect.Value) error

ValueFromQueryString is the same as FromQueryString except it accepts a reflect.Value

type SubscriptionDiff

// SubscriptionDiff is the result of comparing two Subscriptions. Each slice
// holds inzure query strings identifying the resources that were added,
// removed, or changed. Modified names the resource only; which field
// changed is not recorded here, so re-query both sides to see the detail.
type SubscriptionDiff struct {
	Added    []string
	Removed  []string
	Modified []string
}

SubscriptionDiff holds the diff of two subscriptions as slices of inzure query strings.

type SubscriptionID

// SubscriptionID pairs a subscription UUID with an optional human-readable
// Alias. SubIDFromString builds one from the `{UUID}={ALIAS}` syntax.
type SubscriptionID struct {
	ID    string
	Alias string
}

SubscriptionID is just a combined UUID and optional Alias for a subscription. Aliases can be useful for human readable contexts.

func SubIDFromString

func SubIDFromString(s string) SubscriptionID

SubIDFromString is a helper function for getting SubscriptionIDs from plain strings. This allows for optional aliasing with the `{UUID}={ALIAS}` syntax.

func SubIDsFromStrings

func SubIDsFromStrings(ss []string) []SubscriptionID

SubIDsFromStrings just wraps SubIDFromString over multiple strings.

func SubscriptionIDsFromEnv

func SubscriptionIDsFromEnv() ([]SubscriptionID, error)

SubscriptionIDsFromEnv will read the EnvSubscriptionFile and return a slice of SubscriptionIDs

type TLSVersion

// TLSVersion is the minimum TLS version a service accepts, as reported by
// Azure. The values are ordered, so `v >= TLSVersionOneTwo` is a meaningful
// check — but only after IsKnown(): TLSVersionUnknown is 0 and is also the
// zero value, so an unpopulated field compares as "below everything".
// There is no TLS 1.3 value; a service reporting 1.3 would presumably
// decode as Unknown — TODO confirm in the FromAzure* converters. TLS 1.0
// and 1.1 (IsOneZero/IsOneOne) are deprecated and should be flagged.
type TLSVersion int
const (
	TLSVersionUnknown TLSVersion = 0
	TLSVersionOneZero TLSVersion = 1
	TLSVersionOneOne  TLSVersion = 2
	TLSVersionOneTwo  TLSVersion = 3
)

func TLSVersionFromString

func TLSVersionFromString(s string) TLSVersion

func (*TLSVersion) FromAzureRedis

func (t *TLSVersion) FromAzureRedis(az *armredis.TLSVersion)

func (*TLSVersion) FromAzureStorage added in v0.1.0

func (t *TLSVersion) FromAzureStorage(az *armstorage.MinimumTLSVersion)

func (*TLSVersion) FromAzureWeb

func (t *TLSVersion) FromAzureWeb(az *armappservice.SupportedTLSVersions)

func (TLSVersion) IsKnown added in v0.1.0

func (it TLSVersion) IsKnown() bool

func (TLSVersion) IsOneOne added in v0.1.0

func (it TLSVersion) IsOneOne() UnknownBool

func (TLSVersion) IsOneTwo added in v0.1.0

func (it TLSVersion) IsOneTwo() UnknownBool

func (TLSVersion) IsOneZero added in v0.1.0

func (it TLSVersion) IsOneZero() UnknownBool

func (TLSVersion) IsUnknown added in v0.1.0

func (it TLSVersion) IsUnknown() bool

func (TLSVersion) String

func (t TLSVersion) String() string

type UnknownBool

// UnknownBool is a tri-state (plus not-applicable) boolean. BoolUnknown is
// the zero value, so a field that was never populated reads as Unknown
// rather than false; prefer the True()/False()/Known() accessors over
// comparing against constants, and remember that `!= BoolTrue` also
// matches Unknown and NotApplicable.
type UnknownBool int8

UnknownBool is a true or false value that also includes an unknown or N/A state.

In integer forms these are:

BoolUnknown == 0
BoolTrue == 1
BoolFalse == -1
BoolNotApplicable == -2

There are some convenience methods defined on this type to make it easier to use in if statements directly, i.e. use `val.True()` where you'd just use `val` for a normal bool. Be aware that a negated comparison such as `!= BoolTrue` matches BoolUnknown and BoolNotApplicable as well as BoolFalse.

func IPContains

func IPContains(in AzureIPv4, find AzureIPv4) UnknownBool

IPContains is a convenience wrapper around checking whether one IP range contains another, using only the known methods.

func IPInList

func IPInList(chk AzureIPv4, list []AzureIPv4) UnknownBool

func IPsEqual

func IPsEqual(a AzureIPv4, b AzureIPv4) UnknownBool

IPsEqual compares two AzureIPv4 types. If the IPs are very large noncontinuous ranges this function will actually take a fairly long time since it doesn't want to allocate large slices.

func UnknownFromBool

func UnknownFromBool(b bool) UnknownBool

UnknownFromBool is a convenience function for turning a bool into an UnknownBool.

func (UnknownBool) Applicable

func (ub UnknownBool) Applicable() bool

Applicable returns true if the UnknownBool is anything other than NotApplicable

func (UnknownBool) False

func (ub UnknownBool) False() bool

False returns true if the UnknownBool is BoolFalse

func (UnknownBool) FalseOrUnknown added in v0.1.0

func (ub UnknownBool) FalseOrUnknown() bool

func (*UnknownBool) FromBool

func (ub *UnknownBool) FromBool(b bool)

FromBool loads a bool into an UnknownBool.

func (*UnknownBool) FromBoolPtr

func (ub *UnknownBool) FromBoolPtr(b *bool)

FromBoolPtr creates an UnknownBool from the 3 potential states of the pointer:

 p == nil -> BoolUnknown
 *p == true -> BoolTrue
 *p == false -> BoolFalse

func (*UnknownBool) FromStringPtrEq added in v0.1.0

func (ub *UnknownBool) FromStringPtrEq(lhs string, rhs *string)

func (UnknownBool) Known

func (ub UnknownBool) Known() bool

Known returns true if the UnknownBool is anything other than Unknown

func (UnknownBool) NA

func (ub UnknownBool) NA() bool

NA returns true if the UnknownBool is BoolNotApplicable

func (UnknownBool) String

func (ub UnknownBool) String() string

func (UnknownBool) True

func (ub UnknownBool) True() bool

True returns true if the UnknownBool is BoolTrue

func (UnknownBool) TrueOrUnknown added in v0.1.0

func (ub UnknownBool) TrueOrUnknown() bool

func (UnknownBool) Unknown

func (ub UnknownBool) Unknown() bool

Unknown returns true if the UnknownBool is BoolUnknown

type VMDisk

// VMDisk is one disk attached to a VirtualMachine, with its encryption
// settings. An empty EncryptionSettings slice means Azure reported no
// encryption settings for the disk; treat that as "not shown to be
// encrypted" rather than as encrypted.
type VMDisk struct {
	Name               string
	EncryptionSettings []DiskEncryption
}

VMDisk contains the name and encryption information for the disk

func NewEmptyVMDisk

func NewEmptyVMDisk() VMDisk

type VirtualMachine

// VirtualMachine is the normalized view of an Azure VM, ARM or classic
// (IsClassic). Fields a security test will typically look at:
//   - AdminUser: the administrator login name only; no password is stored.
//   - DisablePasswordAuth: BoolTrue means key-only SSH; Unknown is not a pass.
//   - SSHKeys: the provisioned public keys (public material only).
//   - AutomaticUpdates: Windows automatic updates state.
//   - WindowsRMListeners: WinRM listeners, each with its IsHTTPS flag.
//   - CustomData: the VM's custom data (cloud-init / bootstrap input).
//     NOTE(review): custom data commonly carries bootstrap scripts and
//     occasionally credentials, so treat serialized inzure output as
//     sensitive; whether this holds the decoded or base64 form is not
//     visible here — confirm in FromAzure.
//   - Disks: per-disk encryption settings (see VMDisk).
// NetworkInterfaces / PrimaryNetworkInterface tie the VM to its NICs and,
// through them, to NSGs and public IPs.
type VirtualMachine struct {
	Meta                    ResourceID
	ComputerName            string
	IsClassic               bool
	AdminUser               string
	DisablePasswordAuth     UnknownBool
	SSHKeys                 []SSHPublicKey
	AutomaticUpdates        UnknownBool
	WindowsRMListeners      []WindowsRMListener
	NetworkInterfaces       []NetworkInterface
	PrimaryNetworkInterface ResourceID
	OsName                  string
	OsVersion               string
	CustomData              string
	OsType                  OsType
	Disks                   []VMDisk
}

VirtualMachine holds the data for a given Virtual Machine. Note that this type is intended to collect information about both new (ARM) and classic VMs.

func NewEmptyVirtualMachine

func NewEmptyVirtualMachine() *VirtualMachine

func (*VirtualMachine) FromAzure

func (vm *VirtualMachine) FromAzure(az *armcompute.VirtualMachine)

type VirtualNetwork

// VirtualNetwork is one Azure virtual network: its address spaces, its
// subnets, and whether VM protection and DDoS protection are enabled (both
// UnknownBool — Unknown means the setting was not returned, not that it is
// off). AddressSpaces is an IPCollection, which is why this type carries a
// custom UnmarshalJSON.
type VirtualNetwork struct {
	Meta                  ResourceID
	AddressSpaces         IPCollection
	VMProtectionEnabled   UnknownBool
	DDoSProtectionEnabled UnknownBool
	Subnets               []Subnet
}

A VirtualNetwork holds the address spaces, subnets and protection settings of one Azure virtual network.

func NewEmptyVirtualNetwork

func NewEmptyVirtualNetwork() *VirtualNetwork

func (*VirtualNetwork) FromAzure

func (v *VirtualNetwork) FromAzure(az *armnetwork.VirtualNetwork)

func (*VirtualNetwork) UnmarshalJSON

func (v *VirtualNetwork) UnmarshalJSON(b []byte) error

UnmarshalJSON is used to deal with AzureIPv4s

type WebApp

// WebApp is the normalized view of an App Service site (one Slot of it).
// Every UnknownBool here may be BoolUnknown when Azure did not return the
// setting, so tests should check Known() before drawing conclusions.
// Fields most tests will want:
//   - RemoteDebuggingEnabled / RemoteDebuggingVersion: a debugger endpoint
//     exposed on the site.
//   - FTPState: Azure's FTP/FTPS deployment state (plain FTP allowed,
//     FTPS only, or disabled — see the FTPState type).
//   - HTTPSOnly, MinTLSVersion, SCMMinTLSVersion: transport security of
//     the site and of its SCM (Kudu/deployment) endpoint respectively.
//   - ClientCertEnabled / ClientCertMode / ClientCertExclusionPaths: mTLS
//     enforcement; paths listed in ClientCertExclusionPaths are served
//     without a client certificate, so review them.
//   - Firewall / SCMFirewall: IP restrictions on the site and on the SCM
//     endpoint. The SCM endpoint is easy to leave unrestricted when the
//     main site is locked down, so check both.
//   - HandlerMappings: file extension -> ScriptProcessor executable; an
//     unexpected interpreter here deserves a look.
//   - CommandLine, APIDefinitionURL, DocumentRoot: startup command and
//     exposed metadata, useful for reconnaissance-style checks.
// HasLocalSQL and UsesLocalSQL are both present — TODO confirm they are
// populated from different Azure settings and are not duplicates.
type WebApp struct {
	Meta                     ResourceID
	Slot                     string
	Enabled                  UnknownBool
	RemoteDebuggingEnabled   UnknownBool
	HasLocalSQL              UnknownBool
	RemoteDebuggingVersion   string
	FTPState                 FTPState
	HTTPLogging              UnknownBool
	HostnamesDisabled        UnknownBool
	HTTP2Enabled             UnknownBool
	HTTPSOnly                UnknownBool
	MinTLSVersion            TLSVersion
	SCMMinTLSVersion         TLSVersion
	Language                 WebAppLanguage
	CommandLine              string
	VirtualNetworkName       string
	APIDefinitionURL         string
	UsesLocalSQL             UnknownBool
	DocumentRoot             string
	DefaultHostname          string
	ClientCertEnabled        UnknownBool
	ClientCertMode           WebAppClientCertMode
	ClientCertExclusionPaths []string
	OutboundIPAddresses      IPCollection
	HandlerMappings          []WebAppHandlerMapping
	EnabledHosts             []WebHost
	Functions                []Function
	Firewall                 WebAppIPFirewall
	SCMFirewall              WebAppIPFirewall
}

WebApp holds all of the required information for an Azure managed web app.

func NewEmptyWebApp

func NewEmptyWebApp() *WebApp

func (*WebApp) FromAzure

func (w *WebApp) FromAzure(aw *armappservice.Site)

type WebAppClientCertMode added in v0.1.0

// WebAppClientCertMode mirrors the App Service client certificate mode.
// Only Required actually enforces mutual TLS; the two Optional modes accept
// requests without a certificate, and even with Required the paths in
// WebApp.ClientCertExclusionPaths are exempt. WebAppClientCertModeUnknown
// is the zero value. Presumably the mode is only meaningful when
// WebApp.ClientCertEnabled is true — confirm in FromAzure.
type WebAppClientCertMode int
const (
	WebAppClientCertModeUnknown                 WebAppClientCertMode = 0
	WebAppClientCertModeRequired                WebAppClientCertMode = 1
	WebAppClientCertModeOptional                WebAppClientCertMode = 2
	WebAppClientCertModeOptionalInteractiveUser WebAppClientCertMode = 3
)

func (*WebAppClientCertMode) FromAzure added in v0.1.0

func (it *WebAppClientCertMode) FromAzure(az *azpkg.ClientCertMode)

func (WebAppClientCertMode) IsKnown added in v0.1.0

func (it WebAppClientCertMode) IsKnown() bool

func (WebAppClientCertMode) IsOptional added in v0.1.0

func (it WebAppClientCertMode) IsOptional() UnknownBool

func (WebAppClientCertMode) IsOptionalInteractiveUser added in v0.1.0

func (it WebAppClientCertMode) IsOptionalInteractiveUser() UnknownBool

func (WebAppClientCertMode) IsRequired added in v0.1.0

func (it WebAppClientCertMode) IsRequired() UnknownBool

func (WebAppClientCertMode) IsUnknown added in v0.1.0

func (it WebAppClientCertMode) IsUnknown() bool

func (WebAppClientCertMode) String added in v0.1.0

func (it WebAppClientCertMode) String() string

type WebAppHandlerMapping added in v0.1.0

// WebAppHandlerMapping is one IIS-style handler mapping on a WebApp:
// requests for files with Extension are passed to the ScriptProcessor
// executable with Arguments. A mapping to an unexpected interpreter or
// shell is worth flagging, since it decides what code runs for a request.
type WebAppHandlerMapping struct {
	Extension       string
	Arguments       string
	ScriptProcessor string
}

func (*WebAppHandlerMapping) FromAzure added in v0.1.0

type WebAppIPFirewall

// WebAppIPFirewall is the ordered set of IP restrictions on a WebApp (or on
// its SCM endpoint). Unlike FirewallRules, rules carry a Priority and can
// be Allow or Deny, so AllowsIP must consider every rule before deciding.
// The behaviour of an empty WebAppIPFirewall is not documented here; Azure
// applies no restrictions in that case, so presumably it reads as
// allow-all like RedisFirewall — TODO confirm in AllowsIP.
type WebAppIPFirewall []WebAppIPRestriction

WebAppIPFirewall is a collection of WebAppIPRestrictions that fulfills the Firewall interface.

func (WebAppIPFirewall) AllowsIP

func (waf WebAppIPFirewall) AllowsIP(ip AzureIPv4) (UnknownBool, []PacketRoute, error)

AllowsIP in this case needs to take rule priority into account, which means every rule has to be examined before a valid decision can be made. If any uncertainty is encountered along the way, it is returned as Unknown immediately rather than being resolved in either direction.

The returned []PacketRoute is not too helpful in this instance either since it will just be a single */* element. This is a little deceptive because in reality this is just protecting a single web app which has a well defined IP space usually.

TODO: Maybe the Web App IP space can actually be put into the firewall here

func (WebAppIPFirewall) AllowsIPString

func (waf WebAppIPFirewall) AllowsIPString(ip string) (UnknownBool, []PacketRoute, error)

func (WebAppIPFirewall) AllowsIPToPort

func (waf WebAppIPFirewall) AllowsIPToPort(ip AzureIPv4, port AzurePort) (UnknownBool, []PacketRoute, error)

AllowsIPToPort in this case is just AllowsIP because we don't have port specifications.

func (WebAppIPFirewall) AllowsIPToPortString

func (waf WebAppIPFirewall) AllowsIPToPortString(ip, port string) (UnknownBool, []PacketRoute, error)

func (WebAppIPFirewall) Len

func (s WebAppIPFirewall) Len() int

func (WebAppIPFirewall) Less

func (s WebAppIPFirewall) Less(i, j int) bool

func (WebAppIPFirewall) RespectsAllowlist added in v0.1.0

func (waf WebAppIPFirewall) RespectsAllowlist(wl FirewallAllowlist) (UnknownBool, []IPPort, error)

func (WebAppIPFirewall) Swap

func (s WebAppIPFirewall) Swap(i, j int)

type WebAppIPRestriction

// WebAppIPRestriction is one App Service IP restriction: the embedded
// FirewallRule gives the address match, Priority orders it against the
// other rules (lower evaluated first, per AllowsIP), and Allow says whether
// a match permits or denies — Unknown here propagates to an Unknown
// decision for the whole firewall.
type WebAppIPRestriction struct {
	FirewallRule
	Priority int32
	Allow    UnknownBool
}

func (*WebAppIPRestriction) FromAzure

func (*WebAppIPRestriction) UnmarshalJSON

func (ipr *WebAppIPRestriction) UnmarshalJSON(b []byte) error

type WebAppLanguage

// WebAppLanguage is the runtime stack of a WebApp: the AppLanguage plus the
// version string Azure reports, as read from the site configuration by
// FromAzureSiteConfig. Useful for flagging end-of-life runtime versions.
type WebAppLanguage struct {
	Language AppLanguage
	Version  string
}

WebAppLanguage defines the language and version the web application backend is using.

func (*WebAppLanguage) FromAzureSiteConfig

func (w *WebAppLanguage) FromAzureSiteConfig(az *armappservice.SiteConfig)

A few things on this:

  1. I couldn't make a Python app
  2. The SiteConfig struct doesn't mention Ruby at all

func (WebAppLanguage) String

func (w WebAppLanguage) String() string

type WebHost

// WebHost is one hostname bound to a WebApp together with whether TLS is
// configured for it. A host with SSLEnabled false is served without a
// certificate binding; whether it is still reachable over plain HTTP also
// depends on WebApp.HTTPSOnly.
type WebHost struct {
	Name       string
	SSLEnabled UnknownBool
}

WebHost is one hostname bound to a web app, together with whether TLS (SSLEnabled) is configured for it.

type WindowsRMListener

// WindowsRMListener is a WinRM (Windows Remote Management) listener
// configured on a Windows VM. IsHTTPS reports whether the listener is
// TLS-protected; a listener with IsHTTPS false accepts management traffic
// without transport encryption and should be flagged. CertificateURL is
// presumably the URL of the certificate used by an HTTPS listener (empty
// otherwise) — confirm against the SDK.
type WindowsRMListener struct {
	IsHTTPS        UnknownBool
	CertificateURL string
}

WindowsRMListener is a WinRM (Windows Remote Management) listener configured on a Windows VM; IsHTTPS reports whether it is TLS-protected and CertificateURL identifies the certificate it uses.
