npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/utils/graph.util.ts ADDED Viewed

@@ -0,0 +1,609 @@
+/**
+ * Graph Utilities for Attack Path Analysis
+ *
+ * Provides graph data structures and algorithms for analyzing
+ * privilege escalation paths in Active Directory.
+ *
+ * Phase 2: Attack Paths Detection
+ */
+import { ADUser, ADGroup, ADComputer } from '../types/ad.types';
+import { AclEntry } from '../types/ad.types';
+/**
+ * Node types in the attack graph
+ */
+export type NodeType = 'user' | 'group' | 'computer' | 'gpo' | 'ou' | 'domain';
+/**
+ * Edge types representing relationships
+ */
+export type EdgeType =
+  | 'memberOf' // Group membership
+  | 'hasMember' // Inverse of memberOf
+  | 'canModify' // ACL-based write access
+  | 'canRead' // ACL-based read access
+  | 'delegateTo' // Constrained delegation target
+  | 'rbcdFrom' // RBCD - can act on behalf of
+  | 'adminTo' // Local admin rights
+  | 'owns' // Object ownership
+  | 'gpLink' // GPO linked to OU/Domain
+  | 'contains'; // OU contains object
+/**
+ * Graph node representing an AD object
+ */
+export interface GraphNode {
+  dn: string;
+  type: NodeType;
+  name: string;
+  isPrivileged?: boolean;
+  isEnabled?: boolean;
+  attributes?: Record<string, unknown>;
+}
+/**
+ * Graph edge representing a relationship
+ */
+export interface GraphEdge {
+  source: string; // Source DN
+  target: string; // Target DN
+  type: EdgeType;
+  accessMask?: number; // For ACL edges
+  isInherited?: boolean;
+}
+/**
+ * Attack path from source to target
+ */
+export interface AttackPath {
+  source: GraphNode;
+  target: GraphNode;
+  edges: GraphEdge[];
+  length: number;
+  riskScore: number;
+}
+/**
+ * Dangerous ACL rights that enable privilege escalation
+ */
+export const DANGEROUS_RIGHTS = {
+  GENERIC_ALL: 0x10000000,
+  GENERIC_WRITE: 0x40000000,
+  WRITE_DACL: 0x00040000,
+  WRITE_OWNER: 0x00080000,
+  WRITE_PROPERTY: 0x00000020,
+  SELF: 0x00000008,
+  EXTENDED_RIGHT: 0x00000100,
+};
+/**
+ * Well-known privileged group names
+ */
+export const PRIVILEGED_GROUPS = [
+  'Domain Admins',
+  'Enterprise Admins',
+  'Administrators',
+  'Schema Admins',
+  'Account Operators',
+  'Backup Operators',
+  'Server Operators',
+  'Print Operators',
+  'DnsAdmins',
+  'Domain Controllers',
+  'Group Policy Creator Owners',
+];
+/**
+ * Attack Graph for analyzing privilege escalation paths
+ */
+export class AttackGraph {
+  private nodes: Map<string, GraphNode> = new Map();
+  private outEdges: Map<string, GraphEdge[]> = new Map();
+  private inEdges: Map<string, GraphEdge[]> = new Map();
+  private privilegedDNs: Set<string> = new Set();
+  /**
+   * Add a node to the graph
+   */
+  addNode(node: GraphNode): void {
+    const normalizedDn = node.dn.toLowerCase();
+    this.nodes.set(normalizedDn, { ...node, dn: normalizedDn });
+    if (!this.outEdges.has(normalizedDn)) {
+      this.outEdges.set(normalizedDn, []);
+    }
+    if (!this.inEdges.has(normalizedDn)) {
+      this.inEdges.set(normalizedDn, []);
+    }
+    if (node.isPrivileged) {
+      this.privilegedDNs.add(normalizedDn);
+    }
+  }
+  /**
+   * Add an edge to the graph
+   */
+  addEdge(edge: GraphEdge): void {
+    const normalizedEdge: GraphEdge = {
+      ...edge,
+      source: edge.source.toLowerCase(),
+      target: edge.target.toLowerCase(),
+    };
+    // Add to outgoing edges
+    const outList = this.outEdges.get(normalizedEdge.source);
+    if (outList) {
+      outList.push(normalizedEdge);
+    } else {
+      this.outEdges.set(normalizedEdge.source, [normalizedEdge]);
+    }
+    // Add to incoming edges
+    const inList = this.inEdges.get(normalizedEdge.target);
+    if (inList) {
+      inList.push(normalizedEdge);
+    } else {
+      this.inEdges.set(normalizedEdge.target, [normalizedEdge]);
+    }
+  }
+  /**
+   * Get a node by DN
+   */
+  getNode(dn: string): GraphNode | undefined {
+    return this.nodes.get(dn.toLowerCase());
+  }
+  /**
+   * Get all outgoing edges from a node
+   */
+  getOutEdges(dn: string): GraphEdge[] {
+    return this.outEdges.get(dn.toLowerCase()) || [];
+  }
+  /**
+   * Get all incoming edges to a node
+   */
+  getInEdges(dn: string): GraphEdge[] {
+    return this.inEdges.get(dn.toLowerCase()) || [];
+  }
+  /**
+   * Get all privileged nodes
+   */
+  getPrivilegedNodes(): GraphNode[] {
+    return Array.from(this.privilegedDNs)
+      .map((dn) => this.nodes.get(dn))
+      .filter((n): n is GraphNode => n !== undefined);
+  }
+  /**
+   * Mark a node as privileged
+   */
+  markAsPrivileged(dn: string): void {
+    const normalizedDn = dn.toLowerCase();
+    this.privilegedDNs.add(normalizedDn);
+    const node = this.nodes.get(normalizedDn);
+    if (node) {
+      node.isPrivileged = true;
+    }
+  }
+  /**
+   * Check if a node is privileged
+   */
+  isPrivileged(dn: string): boolean {
+    return this.privilegedDNs.has(dn.toLowerCase());
+  }
+  /**
+   * Find shortest path from source to any privileged node using BFS
+   */
+  findShortestPathToPrivileged(sourceDn: string, maxDepth = 5): AttackPath | null {
+    const source = this.getNode(sourceDn);
+    if (!source) return null;
+    // BFS queue: [currentDN, path of edges]
+    const queue: [string, GraphEdge[]][] = [[sourceDn.toLowerCase(), []]];
+    const visited = new Set<string>([sourceDn.toLowerCase()]);
+    while (queue.length > 0) {
+      const item = queue.shift();
+      if (!item) break;
+      const [currentDn, path] = item;
+      // Check depth limit
+      if (path.length >= maxDepth) continue;
+      // Explore neighbors
+      const edges = this.getOutEdges(currentDn);
+      for (const edge of edges) {
+        if (visited.has(edge.target)) continue;
+        visited.add(edge.target);
+        const newPath = [...path, edge];
+        const targetNode = this.getNode(edge.target);
+        // Found a privileged target
+        if (targetNode && this.isPrivileged(edge.target)) {
+          return {
+            source,
+            target: targetNode,
+            edges: newPath,
+            length: newPath.length,
+            riskScore: this.calculatePathRisk(newPath),
+          };
+        }
+        queue.push([edge.target, newPath]);
+      }
+    }
+    return null;
+  }
+  /**
+   * Find all paths to privileged nodes up to maxDepth
+   */
+  findAllPathsToPrivileged(sourceDn: string, maxDepth = 5, maxPaths = 10): AttackPath[] {
+    const source = this.getNode(sourceDn);
+    if (!source) return [];
+    const paths: AttackPath[] = [];
+    const visited = new Set<string>();
+    const dfs = (currentDn: string, currentPath: GraphEdge[]): void => {
+      if (currentPath.length >= maxDepth || paths.length >= maxPaths) return;
+      visited.add(currentDn);
+      const edges = this.getOutEdges(currentDn);
+      for (const edge of edges) {
+        if (visited.has(edge.target)) continue;
+        const newPath = [...currentPath, edge];
+        const targetNode = this.getNode(edge.target);
+        if (targetNode && this.isPrivileged(edge.target)) {
+          paths.push({
+            source,
+            target: targetNode,
+            edges: newPath,
+            length: newPath.length,
+            riskScore: this.calculatePathRisk(newPath),
+          });
+        }
+        if (paths.length < maxPaths) {
+          dfs(edge.target, newPath);
+        }
+      }
+      visited.delete(currentDn);
+    };
+    dfs(sourceDn.toLowerCase(), []);
+    return paths.sort((a, b) => a.length - b.length);
+  }
+  /**
+   * Get all nodes reachable from source within maxDepth
+   */
+  getReachable(sourceDn: string, maxDepth = 5): Set<string> {
+    const reachable = new Set<string>();
+    const queue: [string, number][] = [[sourceDn.toLowerCase(), 0]];
+    const visited = new Set<string>([sourceDn.toLowerCase()]);
+    while (queue.length > 0) {
+      const item = queue.shift();
+      if (!item) break;
+      const [currentDn, depth] = item;
+      reachable.add(currentDn);
+      if (depth >= maxDepth) continue;
+      const edges = this.getOutEdges(currentDn);
+      for (const edge of edges) {
+        if (!visited.has(edge.target)) {
+          visited.add(edge.target);
+          queue.push([edge.target, depth + 1]);
+        }
+      }
+    }
+    return reachable;
+  }
+  /**
+   * Get recursive group members (including nested)
+   */
+  getRecursiveMembers(groupDn: string, maxDepth = 10): Set<string> {
+    const members = new Set<string>();
+    const visited = new Set<string>();
+    const collectMembers = (dn: string, depth: number): void => {
+      if (depth > maxDepth || visited.has(dn)) return;
+      visited.add(dn);
+      const edges = this.getInEdges(dn);
+      for (const edge of edges) {
+        if (edge.type === 'memberOf') {
+          members.add(edge.source);
+          // Recursively get members of nested groups
+          const sourceNode = this.getNode(edge.source);
+          if (sourceNode?.type === 'group') {
+            collectMembers(edge.source, depth + 1);
+          }
+        }
+      }
+    };
+    collectMembers(groupDn.toLowerCase(), 0);
+    return members;
+  }
+  /**
+   * Calculate risk score for an attack path
+   */
+  private calculatePathRisk(edges: GraphEdge[]): number {
+    let score = 100 - edges.length * 10; // Shorter paths are riskier
+    for (const edge of edges) {
+      // ACL-based edges are high risk
+      if (edge.type === 'canModify' || edge.type === 'owns') {
+        score += 20;
+      }
+      // Delegation is medium risk
+      if (edge.type === 'delegateTo' || edge.type === 'rbcdFrom') {
+        score += 15;
+      }
+    }
+    return Math.max(0, Math.min(100, score));
+  }
+  /**
+   * Get graph statistics
+   */
+  getStats(): { nodes: number; edges: number; privileged: number } {
+    let edgeCount = 0;
+    this.outEdges.forEach((edges) => (edgeCount += edges.length));
+    return {
+      nodes: this.nodes.size,
+      edges: edgeCount,
+      privileged: this.privilegedDNs.size,
+    };
+  }
+}
+/**
+ * Build a group membership graph from AD data
+ */
+export function buildGroupMembershipGraph(
+  users: ADUser[],
+  groups: ADGroup[],
+  computers: ADComputer[]
+): AttackGraph {
+  const graph = new AttackGraph();
+  // Add groups as nodes
+  for (const group of groups) {
+    const isPrivileged = PRIVILEGED_GROUPS.some((pg) =>
+      group.sAMAccountName?.toLowerCase().includes(pg.toLowerCase()) ||
+      group.dn.toLowerCase().includes(`cn=${pg.toLowerCase()}`)
+    );
+    graph.addNode({
+      dn: group.dn,
+      type: 'group',
+      name: group.sAMAccountName || group.displayName || group.dn,
+      isPrivileged,
+      isEnabled: true,
+    });
+  }
+  // Add users as nodes
+  for (const user of users) {
+    graph.addNode({
+      dn: user.dn,
+      type: 'user',
+      name: user.sAMAccountName || user.displayName || user.dn,
+      isPrivileged: user.adminCount === 1,
+      isEnabled: user.enabled,
+      attributes: {
+        hasSPN: (() => {
+          const spn = user['servicePrincipalName'];
+          return spn && Array.isArray(spn) && spn.length > 0;
+        })(),
+        hasNoPreauth: user.userAccountControl ? (user.userAccountControl & 0x400000) !== 0 : false,
+      },
+    });
+    // Add membership edges
+    if (user.memberOf) {
+      for (const groupDn of user.memberOf) {
+        graph.addEdge({
+          source: user.dn,
+          target: groupDn,
+          type: 'memberOf',
+        });
+      }
+    }
+  }
+  // Add computers as nodes
+  for (const computer of computers) {
+    graph.addNode({
+      dn: computer.dn,
+      type: 'computer',
+      name: computer.sAMAccountName || computer.dNSHostName || computer.dn,
+      isPrivileged: false,
+      isEnabled: computer.enabled,
+    });
+    // Add membership edges
+    const computerMemberOf = computer['memberOf'];
+    if (computerMemberOf && Array.isArray(computerMemberOf)) {
+      for (const groupDn of computerMemberOf) {
+        graph.addEdge({
+          source: computer.dn,
+          target: groupDn,
+          type: 'memberOf',
+        });
+      }
+    }
+  }
+  // Add group nesting (group memberOf group)
+  for (const group of groups) {
+    if (group.memberOf) {
+      for (const parentDn of group.memberOf) {
+        graph.addEdge({
+          source: group.dn,
+          target: parentDn,
+          type: 'memberOf',
+        });
+      }
+    }
+  }
+  return graph;
+}
+/**
+ * Build ACL-based attack graph
+ */
+export function buildAclGraph(
+  aclEntries: AclEntry[],
+  baseGraph: AttackGraph
+): AttackGraph {
+  for (const acl of aclEntries) {
+    // Skip inherited ACEs (less interesting for attack paths)
+    // Skip ALLOW-only (we're looking at dangerous permissions)
+    const hasDangerousRight =
+      (acl.accessMask & DANGEROUS_RIGHTS.GENERIC_ALL) !== 0 ||
+      (acl.accessMask & DANGEROUS_RIGHTS.GENERIC_WRITE) !== 0 ||
+      (acl.accessMask & DANGEROUS_RIGHTS.WRITE_DACL) !== 0 ||
+      (acl.accessMask & DANGEROUS_RIGHTS.WRITE_OWNER) !== 0;
+    // aceType is string '0' for ACCESS_ALLOWED_ACE_TYPE
+    if (hasDangerousRight && String(acl.aceType) === '0') {
+      baseGraph.addEdge({
+        source: acl.trustee,
+        target: acl.objectDn,
+        type: 'canModify',
+        accessMask: acl.accessMask,
+        isInherited: false,
+      });
+    }
+  }
+  return baseGraph;
+}
+/**
+ * Add delegation relationships to graph
+ */
+export function addDelegationEdges(
+  users: ADUser[],
+  computers: ADComputer[],
+  graph: AttackGraph
+): void {
+  // Constrained delegation (users)
+  for (const user of users) {
+    const allowedToDelegateTo = (user as any)['msDS-AllowedToDelegateTo'];
+    if (allowedToDelegateTo && Array.isArray(allowedToDelegateTo)) {
+      for (const target of allowedToDelegateTo) {
+        graph.addEdge({
+          source: user.dn,
+          target: target, // This is an SPN, need to resolve
+          type: 'delegateTo',
+        });
+      }
+    }
+  }
+  // Constrained delegation (computers)
+  for (const computer of computers) {
+    const allowedToDelegateTo = (computer as any)['msDS-AllowedToDelegateTo'];
+    if (allowedToDelegateTo && Array.isArray(allowedToDelegateTo)) {
+      for (const target of allowedToDelegateTo) {
+        graph.addEdge({
+          source: computer.dn,
+          target: target,
+          type: 'delegateTo',
+        });
+      }
+    }
+    // RBCD
+    const rbcdAttr = (computer as any)['msDS-AllowedToActOnBehalfOfOtherIdentity'];
+    if (rbcdAttr) {
+      // RBCD allows the computer to accept delegation FROM the principals in this attribute
+      // The edge direction is: principal -> computer (can act on behalf)
+      graph.addEdge({
+        source: computer.dn,
+        target: computer.dn, // Self-reference to indicate RBCD is configured
+        type: 'rbcdFrom',
+      });
+    }
+  }
+}
+/**
+ * Detect group nesting depth
+ */
+export function detectNestingDepth(
+  groupDn: string,
+  groups: ADGroup[],
+  maxDepth = 10
+): number {
+  const groupMap = new Map<string, ADGroup>();
+  for (const g of groups) {
+    groupMap.set(g.dn.toLowerCase(), g);
+  }
+  const visited = new Set<string>();
+  let maxFound = 0;
+  const traverse = (dn: string, depth: number): void => {
+    if (depth > maxDepth || visited.has(dn.toLowerCase())) return;
+    visited.add(dn.toLowerCase());
+    maxFound = Math.max(maxFound, depth);
+    const group = groupMap.get(dn.toLowerCase());
+    if (group?.memberOf) {
+      for (const parentDn of group.memberOf) {
+        traverse(parentDn, depth + 1);
+      }
+    }
+  };
+  traverse(groupDn, 0);
+  return maxFound;
+}
+/**
+ * Check if a DN is a member of privileged groups (recursive)
+ */
+export function isPrivilegedMember(
+  dn: string,
+  graph: AttackGraph,
+  maxDepth = 10
+): boolean {
+  const reachable = graph.getReachable(dn, maxDepth);
+  for (const targetDn of reachable) {
+    if (graph.isPrivileged(targetDn)) {
+      return true;
+    }
+  }
+  return false;
+}

package/src/utils/logger.ts ADDED Viewed

@@ -0,0 +1,111 @@
+import winston from 'winston';
+import DailyRotateFile from 'winston-daily-rotate-file';
+/**
+ * Winston Logger Configuration
+ * Structured JSON logging with file rotation
+ */
+const isDevelopment = process.env['NODE_ENV'] === 'development';
+const logLevel = process.env['LOG_LEVEL'] ?? 'info';
+// Custom format to redact sensitive data
+const redactSensitiveData = winston.format((info) => {
+  const sensitiveFields = [
+    'password',
+    'bindPassword',
+    'clientSecret',
+    'token',
+    'privateKey',
+    'secret',
+  ];
+  const visited = new WeakSet();
+  const redact = (obj: Record<string, unknown>): void => {
+    // Prevent circular reference infinite loops
+    if (visited.has(obj)) return;
+    visited.add(obj);
+    for (const key in obj) {
+      if (sensitiveFields.some((field) => key.toLowerCase().includes(field.toLowerCase()))) {
+        obj[key] = '[REDACTED]';
+      } else if (typeof obj[key] === 'object' && obj[key] !== null && !Array.isArray(obj[key])) {
+        redact(obj[key] as Record<string, unknown>);
+      }
+    }
+  };
+  redact(info);
+  return info;
+});
+// Transport configuration
+const transports: winston.transport[] = [
+  // Console transport
+  new winston.transports.Console({
+    format: isDevelopment
+      ? winston.format.combine(
+          winston.format.colorize(),
+          winston.format.simple()
+        )
+      : winston.format.json(),
+  }),
+];
+// File transports for production
+if (!isDevelopment) {
+  transports.push(
+    // Error log
+    new DailyRotateFile({
+      filename: 'logs/error-%DATE%.log',
+      datePattern: 'YYYY-MM-DD',
+      level: 'error',
+      maxSize: '20m',
+      maxFiles: '14d',
+      zippedArchive: true,
+    }),
+    // Combined log
+    new DailyRotateFile({
+      filename: 'logs/combined-%DATE%.log',
+      datePattern: 'YYYY-MM-DD',
+      maxSize: '20m',
+      maxFiles: '14d',
+      zippedArchive: true,
+    })
+  );
+}
+// Create logger instance
+export const logger = winston.createLogger({
+  level: logLevel,
+  format: winston.format.combine(
+    winston.format.timestamp(),
+    redactSensitiveData(),
+    winston.format.errors({ stack: true }),
+    winston.format.json()
+  ),
+  transports,
+  exitOnError: false,
+});
+// Helper methods for structured logging
+export const logInfo = (message: string, metadata?: Record<string, unknown>): void => {
+  logger.info(message, metadata);
+};
+export const logError = (message: string, error?: Error, metadata?: Record<string, unknown>): void => {
+  logger.error(message, {
+    ...metadata,
+    error: error?.message,
+    stack: error?.stack,
+  });
+};
+export const logWarn = (message: string, metadata?: Record<string, unknown>): void => {
+  logger.warn(message, metadata);
+};
+export const logDebug = (message: string, metadata?: Record<string, unknown>): void => {
+  logger.debug(message, metadata);
+};