fix: app scoped role assignment not properly linking to AZApp

SpecterOps · Apr 26, 2024 · 9f36bca · 9f36bca
2 parents 33ab1f3 + 3f31192
commit 9f36bca
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/cmd/list-role-assignments.go b/cmd/list-role-assignments.go
@@ -99,12 +99,17 @@ func listRoleAssignments(ctx context.Context, client client.AzureClient, roles <
 					count  = 0
 					filter = fmt.Sprintf("roleDefinitionId eq '%s'", id)
 				)
-				for item := range client.ListAzureADRoleAssignments(ctx, filter, "", "", "", nil) {
+				// We expand directoryScope in order to obtain the appId from app specific scoped role assignments
+				for item := range client.ListAzureADRoleAssignments(ctx, filter, "", "", "directoryScope", nil) {
 					if item.Error != nil {
 						log.Error(item.Error, "unable to continue processing role assignments for this role", "roleDefinitionId", id)
 					} else {
 						log.V(2).Info("found role assignment", "roleAssignments", item)
 						count++
+						// To ensure proper linking to AZApp nodes we want to supply the AppId instead when role assignments are app specific scoped
+						if item.Ok.DirectoryScopeId != "/" {
+							item.Ok.DirectoryScopeId = fmt.Sprintf("/%s", item.Ok.DirectoryScope.AppId)
+						}
 						roleAssignments.RoleAssignments = append(roleAssignments.RoleAssignments, item.Ok)
 					}
 				}

diff --git a/models/azure/unified_role_assignment.go b/models/azure/unified_role_assignment.go
@@ -67,7 +67,7 @@ type UnifiedRoleAssignment struct {
 	// The directory object that is the scope of the assignment.
 	// Read-only.
 	// Supports $expand.
-	DirectoryScope json.RawMessage
+	DirectoryScope Application `json:"directoryScope,omitempty"`
 
 	// Read-only property with details of the app specific scope when the assignment scope is app specific.
 	// Containment entity.