SpecterOps · irshadaj · Feb 5, 2024 · Jan 5, 2024 · Jan 8, 2024 · Jan 9, 2024
diff --git a/.github/config/integration.config.json b/.github/config/integration.config.json
@@ -7,6 +7,8 @@
     "collectors_base_path": "/tmp/collectors",
     "log_level": "ERROR",
     "log_path": "bhapi.log",
+    "enable_startup_wait_period": false,
+    "datapipe_interval": 1,
     "features": {
         "enable_auth": true
     },

diff --git a/cmd/api/src/api/middleware/auth.go b/cmd/api/src/api/middleware/auth.go
@@ -22,10 +22,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/specterops/bloodhound/src/ctx"
-
 	"github.com/gofrs/uuid"
 	"github.com/gorilla/mux"
+	"github.com/specterops/bloodhound/src/ctx"
 
 	"github.com/specterops/bloodhound/src/api"
 	"github.com/specterops/bloodhound/src/auth"
@@ -107,6 +106,7 @@ func PermissionsCheckAll(authorizer auth.Authorizer, permissions ...model.Permis
 			if bhCtx := ctx.FromRequest(request); !bhCtx.AuthCtx.Authenticated() {
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusUnauthorized, "not authenticated", request), response)
 			} else if !authorizer.AllowsAllPermissions(bhCtx.AuthCtx, permissions) {
+				authorizer.AuditLogUnauthorizedAccess(request)
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusForbidden, "not authorized", request), response)
 			} else {
 				next.ServeHTTP(response, request)
@@ -123,6 +123,7 @@ func PermissionsCheckAtLeastOne(authorizer auth.Authorizer, permissions ...model
 			if bhCtx := ctx.FromRequest(request); !bhCtx.AuthCtx.Authenticated() {
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusUnauthorized, "not authenticated", request), response)
 			} else if !authorizer.AllowsAtLeastOnePermission(bhCtx.AuthCtx, permissions) {
+				authorizer.AuditLogUnauthorizedAccess(request)
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusForbidden, "not authorized", request), response)
 			} else {
 				next.ServeHTTP(response, request)
@@ -188,6 +189,7 @@ func AuthorizeAuthManagementAccess(permissions auth.PermissionSet, authorizer au
 				}
 
 				if !authorized {
+					authorizer.AuditLogUnauthorizedAccess(request)
 					api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusUnauthorized, fmt.Sprintf("not authorized for %s", userID), request), response)
 				} else {
 					next.ServeHTTP(response, request)

diff --git a/cmd/api/src/api/middleware/auth_test.go b/cmd/api/src/api/middleware/auth_test.go
@@ -25,18 +25,20 @@ import (
 	"github.com/specterops/bloodhound/src/api"
 	"github.com/specterops/bloodhound/src/auth"
 	"github.com/specterops/bloodhound/src/ctx"
+	dbmocks "github.com/specterops/bloodhound/src/database/mocks"
 	"github.com/specterops/bloodhound/src/model"
 	"github.com/specterops/bloodhound/src/test/must"
 	"github.com/specterops/bloodhound/src/utils/test"
 	"github.com/stretchr/testify/require"
+	"go.uber.org/mock/gomock"
 )
 
-func permissionsCheckAllHandler(internalHandler http.HandlerFunc, permissions ...model.Permission) http.Handler {
-	return PermissionsCheckAll(auth.NewAuthorizer(), permissions...)(internalHandler)
+func permissionsCheckAllHandler(db *dbmocks.MockDatabase, internalHandler http.HandlerFunc, permissions ...model.Permission) http.Handler {
+	return PermissionsCheckAll(auth.NewAuthorizer(db), permissions...)(internalHandler)
 }
 
-func permissionsCheckAtLeastOneHandler(internalHandler http.HandlerFunc, permissions ...model.Permission) http.Handler {
-	return PermissionsCheckAtLeastOne(auth.NewAuthorizer(), permissions...)(internalHandler)
+func permissionsCheckAtLeastOneHandler(db *dbmocks.MockDatabase, internalHandler http.HandlerFunc, permissions ...model.Permission) http.Handler {
+	return PermissionsCheckAtLeastOne(auth.NewAuthorizer(db), permissions...)(internalHandler)
 }
 
 func Test_parseAuthorizationHeader(t *testing.T) {
@@ -61,13 +63,17 @@ func TestPermissionsCheckAll(t *testing.T) {
 		handlerReturn200 = func(response http.ResponseWriter, request *http.Request) {
 			response.WriteHeader(http.StatusOK)
 		}
+		mockCtrl = gomock.NewController(t)
+		mockDB   = dbmocks.NewMockDatabase(mockCtrl)
 	)
+	defer mockCtrl.Finish()
 
+	mockDB.EXPECT().AppendAuditLog(gomock.Any(), gomock.Any()).Return(nil).AnyTimes()
 	test.Request(t).
 		WithURL("http//example.com").
 		WithHeader(headers.RequestID.String(), "requestID").
 		WithContext(&ctx.Context{}).
-		OnHandler(permissionsCheckAllHandler(handlerReturn200, auth.Permissions().AuthManageSelf)).
+		OnHandler(permissionsCheckAllHandler(mockDB, handlerReturn200, auth.Permissions().AuthManageSelf)).
 		Require().
 		ResponseStatusCode(http.StatusUnauthorized)
 
@@ -87,10 +93,11 @@ func TestPermissionsCheckAll(t *testing.T) {
 				Session: model.UserSession{},
 			},
 		}).
-		OnHandler(permissionsCheckAllHandler(handlerReturn200, auth.Permissions().AuthManageSelf)).
+		OnHandler(permissionsCheckAllHandler(mockDB, handlerReturn200, auth.Permissions().AuthManageSelf)).
 		Require().
 		ResponseStatusCode(http.StatusForbidden)
 
+	mockDB.EXPECT().AppendAuditLog(gomock.Any(), gomock.Any()).Return(nil).Times(0) // No audit logs should be created on successful login
 	test.Request(t).
 		WithURL("http//example.com").
 		WithHeader(headers.RequestID.String(), "requestID").
@@ -109,7 +116,7 @@ func TestPermissionsCheckAll(t *testing.T) {
 				Session: model.UserSession{},
 			},
 		}).
-		OnHandler(permissionsCheckAllHandler(handlerReturn200, auth.Permissions().AuthManageSelf)).
+		OnHandler(permissionsCheckAllHandler(mockDB, handlerReturn200, auth.Permissions().AuthManageSelf)).
 		Require().
 		ResponseStatusCode(http.StatusOK)
 }
@@ -119,8 +126,12 @@ func TestPermissionsCheckAtLeastOne(t *testing.T) {
 		handlerReturn200 = func(response http.ResponseWriter, request *http.Request) {
 			response.WriteHeader(http.StatusOK)
 		}
+		mockCtrl = gomock.NewController(t)
+		mockDB   = dbmocks.NewMockDatabase(mockCtrl)
 	)
+	defer mockCtrl.Finish()
 
+	mockDB.EXPECT().AppendAuditLog(gomock.Any(), gomock.Any()).Return(nil).Times(0)
 	test.Request(t).
 		WithURL("http//example.com").
 		WithContext(&ctx.Context{
@@ -138,7 +149,7 @@ func TestPermissionsCheckAtLeastOne(t *testing.T) {
 				Session: model.UserSession{},
 			},
 		}).
-		OnHandler(permissionsCheckAtLeastOneHandler(handlerReturn200, auth.Permissions().AuthManageSelf)).
+		OnHandler(permissionsCheckAtLeastOneHandler(mockDB, handlerReturn200, auth.Permissions().AuthManageSelf)).
 		Require().
 		ResponseStatusCode(http.StatusOK)
 
@@ -159,7 +170,7 @@ func TestPermissionsCheckAtLeastOne(t *testing.T) {
 				Session: model.UserSession{},
 			},
 		}).
-		OnHandler(permissionsCheckAtLeastOneHandler(handlerReturn200, auth.Permissions().AuthManageSelf)).
+		OnHandler(permissionsCheckAtLeastOneHandler(mockDB, handlerReturn200, auth.Permissions().AuthManageSelf)).
 		Require().
 		ResponseStatusCode(http.StatusOK)
 
@@ -180,12 +191,13 @@ func TestPermissionsCheckAtLeastOne(t *testing.T) {
 				Session: model.UserSession{},
 			},
 		}).
-		OnHandler(permissionsCheckAtLeastOneHandler(handlerReturn200, auth.Permissions().GraphDBRead)).
+		OnHandler(permissionsCheckAtLeastOneHandler(mockDB, handlerReturn200, auth.Permissions().GraphDBRead)).
 		Require().
 		ResponseStatusCode(http.StatusOK)
 
 	test.Request(t).
 		WithURL("http//example.com").
+		WithHeader(headers.RequestID.String(), "requestID").
 		WithContext(&ctx.Context{
 			AuthCtx: auth.Context{
 				PermissionOverrides: auth.PermissionOverrides{},
@@ -194,20 +206,20 @@ func TestPermissionsCheckAtLeastOne(t *testing.T) {
 						{
 							Name:        "Big Boy",
 							Description: "The big boy.",
-							Permissions: model.Permissions{auth.Permissions().AuthManageSelf, auth.Permissions().GraphDBRead},
+							Permissions: auth.Permissions().All(),
 						},
 					},
 				},
 				Session: model.UserSession{},
 			},
 		}).
-		OnHandler(permissionsCheckAtLeastOneHandler(handlerReturn200, auth.Permissions().GraphDBWrite)).
+		OnHandler(permissionsCheckAtLeastOneHandler(mockDB, handlerReturn200, auth.Permissions().AuthManageSelf)).
 		Require().
-		ResponseStatusCode(http.StatusForbidden)
+		ResponseStatusCode(http.StatusOK)
 
+	mockDB.EXPECT().AppendAuditLog(gomock.Any(), gomock.Any()).Return(nil).Times(1)
 	test.Request(t).
 		WithURL("http//example.com").
-		WithHeader(headers.RequestID.String(), "requestID").
 		WithContext(&ctx.Context{
 			AuthCtx: auth.Context{
 				PermissionOverrides: auth.PermissionOverrides{},
@@ -216,14 +228,14 @@ func TestPermissionsCheckAtLeastOne(t *testing.T) {
 						{
 							Name:        "Big Boy",
 							Description: "The big boy.",
-							Permissions: auth.Permissions().All(),
+							Permissions: model.Permissions{auth.Permissions().AuthManageSelf, auth.Permissions().GraphDBRead},
 						},
 					},
 				},
 				Session: model.UserSession{},
 			},
 		}).
-		OnHandler(permissionsCheckAtLeastOneHandler(handlerReturn200, auth.Permissions().AuthManageSelf)).
+		OnHandler(permissionsCheckAtLeastOneHandler(mockDB, handlerReturn200, auth.Permissions().GraphDBWrite)).
 		Require().
-		ResponseStatusCode(http.StatusOK)
+		ResponseStatusCode(http.StatusForbidden)
 }
diff --git a/cmd/api/src/api/middleware/logging.go b/cmd/api/src/api/middleware/logging.go
@@ -29,6 +29,7 @@ import (
 	"github.com/specterops/bloodhound/src/auth"
 	"github.com/specterops/bloodhound/src/config"
 	"github.com/specterops/bloodhound/src/ctx"
+	"github.com/specterops/bloodhound/src/database"
 )
 
 // PanicHandler is a middleware func that sets up a defer-recovery trap to capture any unhandled panics that bubble
@@ -114,7 +115,7 @@ func setSignedRequestFields(request *http.Request, logEvent log.Event) {
 
 // LoggingMiddleware is a middleware func that outputs a log for each request-response lifecycle. It includes timestamped
 // information organized into fields suitable for searching or parsing.
-func LoggingMiddleware(cfg config.Configuration, idResolver auth.IdentityResolver) func(http.Handler) http.Handler {
+func LoggingMiddleware(cfg config.Configuration, idResolver auth.IdentityResolver, db *database.BloodhoundDB) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(response http.ResponseWriter, request *http.Request) {
 			var (

diff --git a/cmd/api/src/api/middleware/middleware.go b/cmd/api/src/api/middleware/middleware.go
@@ -129,8 +129,8 @@ func ContextMiddleware(next http.Handler) http.Handler {
 			// Create a new context with the timeout
 			requestCtx, cancel := context.WithTimeout(request.Context(), requestedWaitDuration.Value)
 			defer cancel()
-
 			// Insert the bh context
+
 			requestCtx = ctx.Set(requestCtx, &ctx.Context{
 				StartTime: startTime,
 				Timeout:   requestedWaitDuration,
@@ -139,6 +139,7 @@ func ContextMiddleware(next http.Handler) http.Handler {
 					Scheme: getScheme(request),
 					Host:   request.Host,
 				},
+				RequestIP: parseUserIP(request),
 			})
 
 			// Route the request with the embedded context
@@ -147,6 +148,16 @@ func ContextMiddleware(next http.Handler) http.Handler {
 	})
 }
 
+func parseUserIP(r *http.Request) string {
+	if result := r.Header.Get("X-Forwarded-For"); result == "" {
+		log.Warnf("No data found in X-Forwarded-For header")
+		return r.RemoteAddr
+	} else {
+		result += "," + r.RemoteAddr
+		return result
+	}
+}
+
 func ParseHeaderValues(values string) map[string]string {
 	parsed := map[string]string{}
 

diff --git a/cmd/api/src/api/middleware/middleware_internal_test.go b/cmd/api/src/api/middleware/middleware_internal_test.go
@@ -21,6 +21,7 @@ import (
 	"crypto/tls"
 	"net/http"
 	"net/url"
+	"strings"
 	"testing"
 	"time"
 
@@ -79,6 +80,27 @@ func TestRequestWaitDuration(t *testing.T) {
 	require.True(t, requestedWaitDuration.UserSet)
 }
 
+func TestParseUserIP_XForwardedFor_RemoteAddr(t *testing.T) {
+	req, err := http.NewRequest("GET", "/teapot", nil)
+	require.Nil(t, err)
+
+	ip1 := "192.168.1.1:8080"
+	ip2 := "192.168.1.2"
+	ip3 := "192.168.1.3"
+
+	req.Header.Set("X-Forwarded-For", strings.Join([]string{ip1, ip2, ip3}, ","))
+	req.RemoteAddr = "0.0.0.0:3000"
+
+	require.Equal(t, parseUserIP(req), strings.Join([]string{ip1, ip2, ip3, req.RemoteAddr}, ","))
+}
+
+func TestParseUserIP_RemoteAddrOnly(t *testing.T) {
+	req, err := http.NewRequest("GET", "/teapot", nil)
+	require.Nil(t, err)
+	req.RemoteAddr = "0.0.0.0:3000"
+	require.Equal(t, parseUserIP(req), req.RemoteAddr)
+}
+
 func TestParsePreferHeaderWait(t *testing.T) {
 	_, err := parsePreferHeaderWait("wait=1.5", 30*time.Second)
 	require.NotNil(t, err)

diff --git a/cmd/api/src/api/registration/registration.go b/cmd/api/src/api/registration/registration.go
@@ -33,14 +33,14 @@ import (
 	"github.com/specterops/bloodhound/src/queries"
 )
 
-func RegisterFossGlobalMiddleware(routerInst *router.Router, cfg config.Configuration, identityResolver auth.IdentityResolver, authenticator api.Authenticator) {
+func RegisterFossGlobalMiddleware(routerInst *router.Router, cfg config.Configuration, db *database.BloodhoundDB, identityResolver auth.IdentityResolver, authenticator api.Authenticator) {
 	// Set up the middleware stack
 	routerInst.UsePrerouting(middleware.ContextMiddleware)
 	routerInst.UsePrerouting(middleware.CORSMiddleware())
 
 	// Set up logging. This must be done after ContextMiddleware is initialized so the context can be accessed in the log logic
 	if cfg.EnableAPILogging {
-		routerInst.UsePrerouting(middleware.LoggingMiddleware(cfg, identityResolver))
+		routerInst.UsePrerouting(middleware.LoggingMiddleware(cfg, identityResolver, db))
 	}
 
 	routerInst.UsePostrouting(

diff --git a/cmd/api/src/api/registration/v2.go b/cmd/api/src/api/registration/v2.go
@@ -40,7 +40,7 @@ func samlWriteAPIErrorResponse(request *http.Request, response http.ResponseWrit
 func registerV2Auth(cfg config.Configuration, db database.Database, permissions auth.PermissionSet, routerInst *router.Router, authenticator api.Authenticator) {
 	var (
 		loginResource      = authapi.NewLoginResource(cfg, authenticator, db)
-		managementResource = authapi.NewManagementResource(cfg, db, auth.NewAuthorizer())
+		managementResource = authapi.NewManagementResource(cfg, db, auth.NewAuthorizer(db))
 		samlResource       = saml.NewSAMLRootResource(cfg, db, samlWriteAPIErrorResponse)
 	)
 

diff --git a/cmd/api/src/api/v2/agi.go b/cmd/api/src/api/v2/agi.go
@@ -175,20 +175,19 @@ func (s Resources) UpdateAssetGroup(response http.ResponseWriter, request *http.
 		pathVars                = mux.Vars(request)
 		rawAssetGroupID         = pathVars[api.URIPathVariableAssetGroupID]
 		updateAssetGroupRequest UpdateAssetGroupRequest
+		assetGroup              model.AssetGroup
 	)
 
 	if assetGroupID, err := strconv.Atoi(rawAssetGroupID); err != nil {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, api.ErrorResponseDetailsIDMalformed, request), response)
 	} else if err := api.ReadJSONRequestPayloadLimited(&updateAssetGroupRequest, request); err != nil {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, err.Error(), request), response)
-	} else if err := s.DB.AppendAuditLog(*ctx.FromRequest(request), "UpdateAssetGroup", updateAssetGroupRequest); err != nil {
-		api.HandleDatabaseError(request, response, err)
-	} else if assetGroup, err := s.DB.GetAssetGroup(int32(assetGroupID)); err != nil {
+	} else if assetGroup, err = s.DB.GetAssetGroup(int32(assetGroupID)); err != nil {
 		api.HandleDatabaseError(request, response, err)
 	} else {
 		assetGroup.Name = updateAssetGroupRequest.Name
 
-		if err := s.DB.UpdateAssetGroup(assetGroup); err != nil {
+		if err := s.DB.UpdateAssetGroup(request.Context(), assetGroup); err != nil {
 			api.HandleDatabaseError(request, response, err)
 		} else {
 			api.WriteBasicResponse(request.Context(), assetGroup, http.StatusOK, response)
@@ -201,9 +200,7 @@ func (s Resources) CreateAssetGroup(response http.ResponseWriter, request *http.
 
 	if err := api.ReadJSONRequestPayloadLimited(&createRequest, request); err != nil {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, err.Error(), request), response)
-	} else if err := s.DB.AppendAuditLog(*ctx.FromRequest(request), "CreateAssetGroup", createRequest); err != nil {
-		api.HandleDatabaseError(request, response, err)
-	} else if newAssetGroup, err := s.DB.CreateAssetGroup(createRequest.Name, createRequest.Tag, false); err != nil {
+	} else if newAssetGroup, err := s.DB.CreateAssetGroup(request.Context(), createRequest.Name, createRequest.Tag, false); err != nil {
 		api.HandleDatabaseError(request, response, err)
 	} else {
 		assetGroupURL := *ctx.Get(request.Context()).Host
@@ -218,17 +215,16 @@ func (s Resources) DeleteAssetGroup(response http.ResponseWriter, request *http.
 	var (
 		pathVars        = mux.Vars(request)
 		rawAssetGroupID = pathVars[api.URIPathVariableAssetGroupID]
+		assetGroup      model.AssetGroup
 	)
 
 	if assetGroupID, err := strconv.Atoi(rawAssetGroupID); err != nil {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, api.ErrorResponseDetailsIDMalformed, request), response)
-	} else if assetGroup, err := s.DB.GetAssetGroup(int32(assetGroupID)); err != nil {
+	} else if assetGroup, err = s.DB.GetAssetGroup(int32(assetGroupID)); err != nil {
 		api.HandleDatabaseError(request, response, err)
 	} else if assetGroup.SystemGroup {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusConflict, "Cannot delete a system defined asset group.", request), response)
-	} else if err := s.DB.AppendAuditLog(*ctx.FromRequest(request), "DeleteAssetGroup", assetGroup); err != nil {
-		api.HandleDatabaseError(request, response, err)
-	} else if err := s.DB.DeleteAssetGroup(assetGroup); err != nil {
+	} else if err := s.DB.DeleteAssetGroup(request.Context(), assetGroup); err != nil {
 		api.HandleDatabaseError(request, response, err)
 	} else {
 		response.WriteHeader(http.StatusOK)
@@ -274,6 +270,7 @@ func (s Resources) UpdateAssetGroupSelectors(response http.ResponseWriter, reque
 
 func (s Resources) DeleteAssetGroupSelector(response http.ResponseWriter, request *http.Request) {
 	var (
+		assetGroupSelector      model.AssetGroupSelector
 		pathVars                = mux.Vars(request)
 		rawAssetGroupID         = pathVars[api.URIPathVariableAssetGroupID]
 		rawAssetGroupSelectorID = pathVars[api.URIPathVariableAssetGroupSelectorID]
@@ -285,13 +282,11 @@ func (s Resources) DeleteAssetGroupSelector(response http.ResponseWriter, reques
 		api.HandleDatabaseError(request, response, err)
 	} else if assetGroupSelectorID, err := strconv.Atoi(rawAssetGroupSelectorID); err != nil {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, api.ErrorResponseDetailsIDMalformed, request), response)
-	} else if assetGroupSelector, err := s.DB.GetAssetGroupSelector(int32(assetGroupSelectorID)); err != nil {
+	} else if assetGroupSelector, err = s.DB.GetAssetGroupSelector(int32(assetGroupSelectorID)); err != nil {
 		api.HandleDatabaseError(request, response, err)
 	} else if assetGroupSelector.SystemSelector {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusConflict, "Cannot delete a system defined asset group selector.", request), response)
-	} else if err := s.DB.AppendAuditLog(*ctx.FromRequest(request), "DeleteAssetGroupSelector", assetGroupSelector); err != nil {
-		api.HandleDatabaseError(request, response, err)
-	} else if err := s.DB.DeleteAssetGroupSelector(assetGroupSelector); err != nil {
+	} else if err := s.DB.DeleteAssetGroupSelector(request.Context(), assetGroupSelector); err != nil {
 		api.HandleDatabaseError(request, response, err)
 	} else {
 		response.WriteHeader(http.StatusOK)