@etcsec-com/etc-collector 1.4.0

package/src/utils/type-name-normalizer.ts

@@ -0,0 +1,302 @@
+/**
+ * Type Name Normalizer
+ *
+ * Maps alternative vulnerability type names to their canonical form.
+ * This handles naming variations between different tools/scripts.
+ */
+
+/**
+ * Mapping of alternative names to canonical detection type names
+ * Key: Alternative name (from injection scripts, external tools, etc.)
+ * Value: Canonical name (used in our detectors)
+ */
+export const TYPE_NAME_ALIASES: Record<string, string> = {
+  // ==================== PASSWORD VARIATIONS ====================
+  PASSWORDNEVEREXPIRES: 'PASSWORD_NEVER_EXPIRES',
+  PASSWORD_NEVER_EXPIRES_FLAG: 'PASSWORD_NEVER_EXPIRES',
+  PASSWORDNOTREQUIRED: 'PASSWORD_NOT_REQUIRED',
+  PASSWORD_NOT_REQUIRED_FLAG: 'PASSWORD_NOT_REQUIRED',
+  REVERSIBLEENCRYPTION: 'REVERSIBLE_ENCRYPTION',
+  REVERSIBLE_ENCRYPTION_FLAG: 'REVERSIBLE_ENCRYPTION',
+  PASSWORDINDESCRIPTION: 'PASSWORD_IN_DESCRIPTION',
+  PASSWORD_IN_DESC: 'PASSWORD_IN_DESCRIPTION',
+  EMPTY_PASSWORD: 'PASSWORD_NOT_REQUIRED',
+  UNIXUSERPASSWORD_CLEAR: 'UNIX_USER_PASSWORD',
+  PASSWORD_COMMON_PATTERNS: 'PASSWORD_DICT_ATTACK_RISK',
+
+  // ==================== KERBEROS VARIATIONS ====================
+  KERBEROASTABLE: 'KERBEROASTING_RISK',
+  KERBEROASTABLE_WEAKPASSWORD: 'KERBEROASTING_RISK',
+  KERBEROASTABLE_WEAK: 'KERBEROASTING_RISK',
+  ASREPROASTABLE: 'ASREP_ROASTING_RISK',
+  ASREP_ROASTABLE: 'ASREP_ROASTING_RISK',
+  ADMIN_ASREP: 'ADMIN_ASREP_ROASTABLE',
+  PRIVILEGED_ASREP: 'ADMIN_ASREP_ROASTABLE',
+  ADMIN_ASREP_ROASTING: 'ADMIN_ASREP_ROASTABLE',
+  DES_ENABLED: 'WEAK_ENCRYPTION_DES',
+  DES_ENCRYPTION: 'WEAK_ENCRYPTION_DES',
+  USE_DES_KEY_ONLY: 'WEAK_ENCRYPTION_DES',
+  UNCONSTRAINEDDELEGATION: 'UNCONSTRAINED_DELEGATION',
+  UNCONSTRAINED_DELEG: 'UNCONSTRAINED_DELEGATION',
+  CONSTRAINEDDELEGATION: 'CONSTRAINED_DELEGATION',
+  CONSTRAINED_DELEG: 'CONSTRAINED_DELEGATION',
+  KERBEROS_TICKET_LIFETIME_LONG: 'KERBEROS_WEAK_CONFIG',
+
+  // ==================== COMPUTER VARIATIONS ====================
+  // Stale/Inactive computers
+  COMPUTER_STALE_INACTIVE: 'COMPUTER_STALE_INACTIVE',
+  COMPUTER_STALE: 'COMPUTER_STALE_INACTIVE',
+  STALE_COMPUTER: 'COMPUTER_STALE_INACTIVE',
+
+  // Password age
+  COMPUTER_OLD_PASSWORD: 'COMPUTER_PASSWORD_OLD',
+  COMPUTER_PASSWORD_NOT_CHANGED: 'COMPUTER_PASSWORD_OLD',
+
+  // LAPS
+  COMPUTER_NO_LAPS: 'COMPUTER_NO_LAPS',
+  NO_LAPS: 'COMPUTER_NO_LAPS',
+  LAPS_NOT_DEPLOYED: 'COMPUTER_NO_LAPS',
+
+  // Pre-created (disabled + never logged on) - different from never logged on (enabled)
+  COMPUTER_PRECREATED: 'COMPUTER_PRE_CREATED',
+  COMPUTER_STAGED: 'COMPUTER_PRE_CREATED',
+
+  // Legacy protocols
+  COMPUTER_LEGACY_PROTOCOL_SMBV1: 'COMPUTER_LEGACY_PROTOCOL',
+  COMPUTER_SMBV1: 'COMPUTER_LEGACY_PROTOCOL',
+  SMB1_ENABLED: 'COMPUTER_LEGACY_PROTOCOL',
+  SMBV1_ENABLED: 'COMPUTER_LEGACY_PROTOCOL',
+
+  // SMB Signing
+  COMPUTER_SMB_SIGNING_DISABLED: 'COMPUTER_SMB_SIGNING_DISABLED',
+  SMB_SIGNING_DISABLED: 'COMPUTER_SMB_SIGNING_DISABLED',
+  SMB_SIGNING_NOT_REQUIRED: 'COMPUTER_SMB_SIGNING_DISABLED',
+
+  // Disabled not deleted
+  COMPUTER_DISABLED_NOT_DELETED: 'COMPUTER_DISABLED_NOT_DELETED',
+  DISABLED_COMPUTER_NOT_DELETED: 'COMPUTER_DISABLED_NOT_DELETED',
+
+  // Pre-Windows 2000
+  COMPUTER_PRE_WIN2000: 'COMPUTER_PRE_WINDOWS_2000',
+  COMPUTER_PRE_2000: 'COMPUTER_PRE_WINDOWS_2000',
+  PRE_WINDOWS_2000_COMPUTER: 'COMPUTER_PRE_WINDOWS_2000',
+
+  // Description sensitive
+  COMPUTER_SENSITIVE_DESCRIPTION: 'COMPUTER_DESCRIPTION_SENSITIVE',
+  COMPUTER_DESC_SENSITIVE: 'COMPUTER_DESCRIPTION_SENSITIVE',
+
+  // RBCD
+  COMPUTER_RBCD: 'COMPUTER_RBCD',
+  RBCD: 'COMPUTER_RBCD',
+  RESOURCE_BASED_CONSTRAINED_DELEGATION: 'COMPUTER_RBCD',
+
+  // Duplicate SPN
+  COMPUTER_DUPLICATE_SPN: 'COMPUTER_DUPLICATE_SPN',
+  DUPLICATE_SPN: 'COMPUTER_DUPLICATE_SPN',
+
+  // ==================== ACCOUNT VARIATIONS ====================
+  SIDHISTORY: 'SID_HISTORY',
+  SID_HISTORY_PRESENT: 'SID_HISTORY',
+  NOTINPROTECTEDUSERS: 'NOT_IN_PROTECTED_USERS',
+  NOT_PROTECTED_USERS: 'NOT_IN_PROTECTED_USERS',
+  ADMINCOUNT_ORPHANED: 'ADMIN_COUNT_ORPHANED',
+  ORPHANED_ADMINCOUNT: 'ADMIN_COUNT_ORPHANED',
+  DISABLEDACCOUNTINPRIVGROUP: 'DISABLED_ACCOUNT_IN_ADMIN_GROUP',
+  DISABLED_ADMIN: 'DISABLED_ACCOUNT_IN_ADMIN_GROUP',
+  STALEACCOUNT: 'STALE_ACCOUNT',
+  STALE_USER: 'STALE_ACCOUNT',
+  INACTIVE_180: 'STALE_ACCOUNT',
+  INACTIVE_ACCOUNT: 'INACTIVE_365_DAYS',
+  INACTIVE_USER: 'INACTIVE_365_DAYS',
+  TEST_ACCOUNT: 'TEST_ACCOUNT',
+  TESTACCOUNT: 'TEST_ACCOUNT',
+  SHARED_ACCOUNT: 'SHARED_ACCOUNT',
+  SHAREDACCOUNT: 'SHARED_ACCOUNT',
+  SMARTCARD_NOT_REQUIRED: 'SMARTCARD_NOT_REQUIRED',
+  NO_SMARTCARD: 'SMARTCARD_NOT_REQUIRED',
+  SHADOW_CREDENTIALS: 'SHADOW_CREDENTIALS',
+  MSDS_KEYCREDENTIALLINK: 'SHADOW_CREDENTIALS',
+  FOREIGN_SECURITY_PRINCIPALS: 'FOREIGN_SECURITY_PRINCIPAL',
+
+  // ==================== SERVICE ACCOUNT VARIATIONS ====================
+  SERVICE_ACCOUNT_NAMING: 'SERVICE_ACCOUNT_NAMING',
+  SVC_ACCOUNT: 'SERVICE_ACCOUNT_NAMING',
+  SERVICE_ACCOUNT_OLD_PASSWORD: 'SERVICE_ACCOUNT_OLD_PASSWORD',
+  SVC_OLD_PASSWORD: 'SERVICE_ACCOUNT_OLD_PASSWORD',
+  SERVICE_ACCOUNT_PRIVILEGED: 'SERVICE_ACCOUNT_PRIVILEGED',
+  SVC_PRIVILEGED: 'SERVICE_ACCOUNT_PRIVILEGED',
+  SERVICE_ACCOUNT_NO_PREAUTH: 'SERVICE_ACCOUNT_NO_PREAUTH',
+  SVC_NO_PREAUTH: 'SERVICE_ACCOUNT_NO_PREAUTH',
+  SERVICE_ACCOUNT_INTERACTIVE: 'SERVICE_ACCOUNT_INTERACTIVE',
+  SVC_INTERACTIVE: 'SERVICE_ACCOUNT_INTERACTIVE',
+
+  // ==================== ACL VARIATIONS ====================
+  ACL_GENERICALL_DA: 'ACL_GENERICALL',
+  ACL_GENERICALL_DOMAIN_ADMINS: 'ACL_GENERICALL',
+  ACL_GENERICWRITE_SENSITIVEGROUP: 'ACL_GENERICWRITE',
+  ACL_GENERICWRITE_USER: 'ACL_GENERICWRITE',
+  ACL_WRITEDACL_OU: 'ACL_WRITEDACL',
+  ACL_WRITEDACL_SENSITIVEGROUP: 'ACL_WRITEDACL',
+  ACL_WRITEOWNER_SENSITIVEGROUP: 'ACL_WRITEOWNER',
+  ACL_ADDMEMBER: 'ACL_ADD_MEMBER',
+  ACL_ADD_MEMBER_GROUP: 'ACL_ADD_MEMBER',
+  ACL_DCSYNC: 'ACL_DS_REPLICATION_GET_CHANGES',
+  DCSYNC: 'ACL_DS_REPLICATION_GET_CHANGES',
+  DCSYNC_RIGHTS: 'ACL_DS_REPLICATION_GET_CHANGES',
+  ORPHANED_ACES: 'ORPHANED_ACL_ENTRIES',
+  NESTEDGROUPPATH: 'DANGEROUS_GROUP_NESTING',
+  NESTED_GROUP_PATH: 'DANGEROUS_GROUP_NESTING',
+
+  // ==================== ADCS VARIATIONS ====================
+  ESC1_VULNERABLE_CERTIFICATE_TEMPLATE: 'ESC1_VULNERABLE_TEMPLATE',
+  ESC1: 'ESC1_VULNERABLE_TEMPLATE',
+  ESC2_ANY_PURPOSE_EKU: 'ESC2_ANY_PURPOSE',
+  ESC2: 'ESC2_ANY_PURPOSE',
+  ESC3: 'ESC3_ENROLLMENT_AGENT',
+  ESC4: 'ESC4_VULNERABLE_TEMPLATE_ACL',
+  ESC5: 'ESC5_PKI_OBJECT_ACL',
+  ESC6_EDITF_ATTRIBUTESUBJECTALTNAME2: 'ESC6_EDITF_FLAG',
+  ESC6: 'ESC6_EDITF_FLAG',
+  ESC7: 'ESC7_CA_VULNERABLE_ACL',
+  ESC8: 'ESC8_HTTP_ENROLLMENT',
+  ESC9: 'ESC9_NO_SECURITY_EXTENSION',
+  ESC10: 'ESC10_WEAK_CERTIFICATE_MAPPING',
+  ESC11: 'ESC11_ICERT_REQUEST_ENFORCEMENT',
+
+  // ==================== GPO VARIATIONS ====================
+  GPO_LINKPOISONING: 'GPO_LINK_POISONING',
+  GPO_LINK_POISON: 'GPO_LINK_POISONING',
+  GPO_AUTHENTICATED_USERS_APPLY: 'GPO_WEAK_PERMISSIONS',
+  GPO_NO_SECURITY_FILTERING: 'GPO_WEAK_PERMISSIONS',
+  GPO_PASSWORD_IN_SYSVOL: 'GPO_PASSWORD_IN_SYSVOL',
+  GPO_SYSVOL_PASSWORD: 'GPO_PASSWORD_IN_SYSVOL',
+  CPASSWORD: 'GPO_PASSWORD_IN_SYSVOL',
+  GPO_CREATOR_OWNERS_MEMBER: 'GPO_MODIFY_RIGHTS',
+  GPO_DANGEROUS_PERMISSIONS: 'GPO_MODIFY_RIGHTS',
+  // Note: GPO_LAPS_NOT_DEPLOYED is distinct from COMPUTER_NO_LAPS
+  // - GPO_LAPS_NOT_DEPLOYED: No GPO found deploying LAPS
+  // - COMPUTER_NO_LAPS: Individual computers without LAPS attributes
+
+  // ==================== EXCESSIVE PRIVILEGES ====================
+  EXCESSIVEPRIVILEGES_DA: 'NOT_IN_PROTECTED_USERS',
+  EXCESSIVE_PRIVILEGES_DA: 'NOT_IN_PROTECTED_USERS',
+  EXCESSIVEPRIVILEGES_ENTERPRISEADMIN: 'NOT_IN_PROTECTED_USERS',
+  EXCESSIVE_PRIVILEGES_EA: 'NOT_IN_PROTECTED_USERS',
+  EXCESSIVEPRIVILEGES_AO: 'ACCOUNT_OPERATORS_MEMBER',
+  EXCESSIVE_PRIVILEGES_AO: 'ACCOUNT_OPERATORS_MEMBER',
+  EXCESSIVEPRIVILEGES_BO: 'BACKUP_OPERATORS_MEMBER',
+  EXCESSIVE_PRIVILEGES_BO: 'BACKUP_OPERATORS_MEMBER',
+  EXCESSIVEPRIVILEGES_PRINTOPS: 'PRINT_OPERATORS_MEMBER',
+  EXCESSIVE_PRIVILEGES_PRINTOPS: 'PRINT_OPERATORS_MEMBER',
+  EXCESSIVEPRIVILEGES_DNS: 'DNS_ADMINS_MEMBER',
+  EXCESSIVE_PRIVILEGES_DNS: 'DNS_ADMINS_MEMBER',
+  EXCESSIVEPRIVILEGES_SCHEMAADMIN: 'NOT_IN_PROTECTED_USERS',
+  EXCESSIVE_PRIVILEGES_SCHEMA: 'NOT_IN_PROTECTED_USERS',
+  EXCESSIVEPRIVILEGES_RDP: 'DANGEROUS_BUILTIN_MEMBERSHIP',
+  EXCESSIVE_PRIVILEGES_RDP: 'DANGEROUS_BUILTIN_MEMBERSHIP',
+
+  // ==================== ATTACK PATHS ====================
+  PATH_GPO_TO_DA: 'PATH_GPO_TO_DA',
+  PATH_SERVICE_TO_DA: 'PATH_SERVICE_TO_DA',
+  PATH_ASREP_TO_ADMIN: 'PATH_ASREP_TO_ADMIN',
+  PATH_NESTED_ADMIN: 'PATH_NESTED_ADMIN',
+  PATH_DELEGATION_CHAIN: 'PATH_DELEGATION_CHAIN',
+  PATH_CERTIFICATE_ESC: 'PATH_CERTIFICATE_ESC',
+  PATH_TRUST_LATERAL: 'PATH_TRUST_LATERAL',
+  PATH_KERBEROASTING_TO_DA: 'PATH_KERBEROASTING_TO_DA',
+  PATH_COMPUTER_TAKEOVER: 'PATH_COMPUTER_TAKEOVER',
+
+  // ==================== GROUP VARIATIONS ====================
+  OVERSIZED_GROUP_CRITICAL: 'OVERSIZED_GROUP_HIGH',
+  OVERSIZED_GROUP: 'GROUP_EXCESSIVE_MEMBERS',
+  AUTHENTICATED_USERS_IN_ACLS: 'EVERYONE_IN_ACL',
+  EVERYONE_IN_ACLS: 'EVERYONE_IN_ACL',
+  EXCESSIVE_ADMINS: 'EXCESSIVE_PRIVILEGED_ACCOUNTS',
+  TOO_MANY_ADMINS: 'EXCESSIVE_PRIVILEGED_ACCOUNTS',
+  EXCESSIVE_DOMAIN_ADMINS: 'EXCESSIVE_PRIVILEGED_ACCOUNTS',
+
+  // ==================== ADVANCED/CONFIG VARIATIONS ====================
+  ADMIN_SD_HOLDER_MODIFIED: 'ADMINSDHOLDER_BACKDOOR',
+  ADMINSD_HOLDER_MODIFIED: 'ADMINSDHOLDER_BACKDOOR',
+  LAPS_PASSWORDREAD: 'LAPS_PASSWORD_READABLE',
+  LAPS_READ: 'LAPS_PASSWORD_READABLE',
+  LAPS_PASSWORD_LEAKED: 'LAPS_PASSWORD_LEAKED',
+  SMB_V1_ENABLED: 'COMPUTER_LEGACY_PROTOCOL',
+  ANONYMOUS_LDAP_ACCESS: 'ANONYMOUS_LDAP_ACCESS',
+  ANONYMOUS_BIND: 'ANONYMOUS_LDAP_ACCESS',
+  AUDIT_POLICY_WEAK: 'AUDIT_POLICY_WEAK',
+  AUDIT_NOT_CONFIGURED: 'AUDIT_POLICY_WEAK',
+  LDAP_CHANNEL_BINDING_DISABLED: 'LDAP_CHANNEL_BINDING_DISABLED',
+  LDAP_SIGNING_DISABLED: 'LDAP_SIGNING_NOT_REQUIRED',
+  POWERSHELL_LOGGING_DISABLED: 'POWERSHELL_LOGGING_DISABLED',
+  PS_LOGGING_DISABLED: 'POWERSHELL_LOGGING_DISABLED',
+  DANGEROUS_LOGON_SCRIPT: 'DANGEROUS_LOGON_SCRIPT',
+  LOGON_SCRIPT_VULNERABLE: 'DANGEROUS_LOGON_SCRIPT',
+  SERVER_NO_ADMIN_GROUP: 'SERVER_NO_ADMIN_GROUP',
+  RECYCLE_BIN_DISABLED: 'RECYCLE_BIN_DISABLED',
+  AD_RECYCLE_BIN_DISABLED: 'RECYCLE_BIN_DISABLED',
+
+  // ==================== USER ACCOUNT VARIATIONS ====================
+  USER_CANNOT_CHANGE_PASSWORD: 'USER_CANNOT_CHANGE_PASSWORD',
+  CANNOT_CHANGE_PASSWORD: 'USER_CANNOT_CHANGE_PASSWORD',
+  SEENABLEDELEGATIONPRIVILEGE: 'DELEGATION_PRIVILEGE',
+  SE_ENABLE_DELEGATION: 'DELEGATION_PRIVILEGE',
+  SUSPICIOUSACCOUNTNAME: 'TEST_ACCOUNT',
+  SUSPICIOUS_ACCOUNT: 'TEST_ACCOUNT',
+  SUSPICIOUSSIDPROPERTIES: 'PRIMARYGROUPID_SPOOFING',
+  PRIMARYGROUPID_MODIFIED: 'PRIMARYGROUPID_SPOOFING',
+
+  // ==================== COMPUTER ACL ====================
+  COMPUTER_ACL_GENERICALL: 'COMPUTER_ACL_ABUSE',
+  COMPUTER_LOCAL_ADMIN_MAPPING: 'COMPUTER_IN_ADMIN_GROUP',
+  LOCAL_ADMIN_MAPPING: 'COMPUTER_IN_ADMIN_GROUP',
+
+  // ==================== LAPS VARIATIONS ====================
+  COMPUTER_WEAK_LAPS: 'LAPS_LEGACY_ATTRIBUTE',
+  WEAK_LAPS: 'LAPS_LEGACY_ATTRIBUTE',
+
+  // ==================== TRUST VARIATIONS ====================
+  TRUST_LATERAL: 'PATH_TRUST_LATERAL',
+  FOREST_TRUST_VULNERABLE: 'TRUST_MISCONFIGURED',
+  EXTERNAL_TRUST: 'TRUST_EXTERNAL',
+
+  // ==================== ULTRA VULNERABLE (TEST) ====================
+  ULTRA_VULNERABLE_USER: 'CRITICAL_VULNERABLE_USER',
+};
+
+/**
+ * Normalize a vulnerability type name to its canonical form
+ * @param typeName The type name to normalize
+ * @returns The canonical type name
+ */
+export function normalizeTypeName(typeName: string): string {
+  // First, uppercase and remove extra whitespace
+  const normalized = typeName.toUpperCase().trim();
+
+  // Check if there's an alias
+  if (TYPE_NAME_ALIASES[normalized]) {
+    return TYPE_NAME_ALIASES[normalized];
+  }
+
+  // Return as-is if no alias found
+  return normalized;
+}
+
+/**
+ * Check if two type names are equivalent (same canonical form)
+ * @param type1 First type name
+ * @param type2 Second type name
+ * @returns true if they map to the same canonical type
+ */
+export function areTypesEquivalent(type1: string, type2: string): boolean {
+  return normalizeTypeName(type1) === normalizeTypeName(type2);
+}
+
+/**
+ * Get all known type names (canonical + aliases)
+ */
+export function getAllKnownTypes(): string[] {
+  const aliases = Object.keys(TYPE_NAME_ALIASES);
+  const canonical = Object.values(TYPE_NAME_ALIASES);
+  return [...new Set([...aliases, ...canonical])];
+}

package/tests/integration/README.md

@@ -0,0 +1,156 @@
+# Tests d'Intégration
+
+## Configuration
+
+Les tests d'intégration nécessitent:
+- Un serveur Active Directory réel (pour tests LDAP)
+- Un tenant Azure AD avec une application configurée (pour tests Azure)
+
+### 1. Créer le fichier de configuration
+
+Copier `.env.test.example` vers `.env.test.local` à la racine du projet :
+
+```bash
+cp .env.test.example .env.test.local
+```
+
+### 2. Configurer les credentials
+
+Éditer `.env.test.local` avec vos credentials :
+
+```env
+# LDAP / Active Directory
+TEST_LDAP_URL=ldaps://your-dc:636
+TEST_LDAP_BIND_DN=CN=service-user,CN=Users,DC=domain,DC=com
+TEST_LDAP_BIND_PASSWORD=your-password
+TEST_LDAP_BASE_DN=DC=domain,DC=com
+TEST_LDAP_TLS_VERIFY=false
+
+# Azure AD / Microsoft Graph
+TEST_AZURE_TENANT_ID=your-tenant-id
+TEST_AZURE_CLIENT_ID=your-client-id
+TEST_AZURE_CLIENT_SECRET=your-client-secret
+```
+
+⚠️ **Sécurité** : `.env.test.local` est gitignored et ne sera jamais commité.
+
+## Lancer les Tests
+
+### Tests Unitaires LDAP (127 tests)
+
+```bash
+npm test -- tests/unit/providers/ldap/
+```
+
+✅ Ne nécessitent pas d'AD, toujours disponibles
+
+### Tests d'Intégration (10 tests)
+
+Sans configuration (tests skippés) :
+```bash
+npm test -- tests/integration/providers/
+```
+
+Avec configuration (tests exécutés) :
+```bash
+# Charger les variables d'environnement
+export $(cat .env.test.local | xargs)
+
+# Lancer les tests
+npm test -- tests/integration/providers/ldap-basic.integration.test.ts
+```
+
+### Tests d'Intégration Azure (10 tests)
+
+Sans configuration (tests skippés) :
+```bash
+npm test -- tests/integration/providers/azure-basic.integration.test.ts
+```
+
+Avec configuration (tests exécutés) :
+```bash
+# Charger les variables d'environnement
+export $(cat .env.test.local | xargs)
+
+# Lancer les tests
+npm test -- tests/integration/providers/azure-basic.integration.test.ts
+```
+
+### Tests Complets
+
+```bash
+# Tous les tests LDAP
+npm test -- ldap
+
+# Tous les tests Azure
+npm test -- azure
+
+# Tous les tests d'intégration
+npm test -- tests/integration
+```
+
+## Tests Disponibles
+
+### ldap-connectivity.test.ts
+- Test de connexion basique
+- Vérifie bind/unbind
+- ~100ms
+
+### ldap-basic.integration.test.ts (10 tests)
+- IT1: Connexion LDAPS
+- IT2: Test connection
+- IT3: Search users
+- IT4: Search user by CN
+- IT5: Search groups
+- IT6: Search Domain Users
+- IT7: Search OUs
+- IT8: Generic search
+- IT9: Injection prevention
+- IT10: Invalid credentials
+
+### ldap-provider.integration.test.ts (30+ tests)
+- Tests exhaustifs
+- Tous les types de recherches
+- Filtres complexes
+- Gestion d'erreurs
+- Performance
+
+### azure-basic.integration.test.ts (10 tests)
+- AZ1: Authentication with Microsoft Graph
+- AZ2: Test connection
+- AZ3: Get Azure AD users
+- AZ4: Get users with filter
+- AZ5: Get users with select
+- AZ6: Get Azure AD groups
+- AZ7: Get security groups only
+- AZ8: Get Azure AD applications
+- AZ9: Handle pagination
+- AZ10: Handle invalid credentials
+
+## Résultats Attendus
+
+```
+PASS tests/integration/providers/ldap-basic.integration.test.ts
+  ✓ IT1: should connect to LDAPS server (29 ms)
+  ✓ IT2: should test connection successfully
+  ✓ IT3: should search for users (1372 ms)
+  ...
+
+Tests: 10 passed, 10 total
+```
+
+## Troubleshooting
+
+### Tests skippés
+→ Vérifier que `.env.test.local` existe et contient `TEST_LDAP_URL`
+
+### Connection failed
+→ Vérifier firewall / connectivité réseau vers le DC
+→ Vérifier que le port 636 (LDAPS) est ouvert
+
+### Invalid credentials
+→ Vérifier `TEST_LDAP_BIND_DN` et `TEST_LDAP_BIND_PASSWORD`
+→ Le compte de service doit avoir les permissions de lecture AD
+
+### Certificate errors
+→ Mettre `TEST_LDAP_TLS_VERIFY=false` pour dev/test

package/tests/integration/ad-audit.integration.test.ts

@@ -0,0 +1,216 @@
+/**
+ * AD Audit Service Integration Tests
+ *
+ * Tests the full AD audit flow with real LDAP connectivity
+ * Story 1.7: AD Vulnerability Detection Engine
+ *
+ * Prerequisites:
+ * - .env.test.local configured with valid LDAP credentials
+ * - LDAP server accessible
+ */
+
+import { ADAuditService } from '../../src/services/audit/ad-audit.service';
+import { LDAPProvider } from '../../src/providers/ldap/ldap.provider';
+import { LDAPConfig } from '../../src/types/config.types';
+import dotenv from 'dotenv';
+import path from 'path';
+
+// Load test environment variables
+dotenv.config({ path: path.resolve(__dirname, '../../.env.test.local') });
+
+describe('AD Audit Service - Integration Tests', () => {
+  let auditService: ADAuditService;
+  let ldapProvider: LDAPProvider;
+
+  const ldapConfig: LDAPConfig = {
+    url: process.env['TEST_LDAP_URL'] || '',
+    bindDN: process.env['TEST_LDAP_BIND_DN'] || '',
+    bindPassword: process.env['TEST_LDAP_BIND_PASSWORD'] || '',
+    baseDN: process.env['TEST_LDAP_BASE_DN'] || '',
+    tlsVerify: process.env['TEST_LDAP_TLS_VERIFY'] === 'true',
+    timeout: 30000,
+  };
+
+  beforeAll(async () => {
+    // Skip tests if LDAP not configured
+    if (!ldapConfig.url || !ldapConfig.bindDN || !ldapConfig.bindPassword) {
+      console.warn('LDAP credentials not configured in .env.test.local - skipping integration tests');
+      return;
+    }
+
+    // Create provider and service
+    ldapProvider = new LDAPProvider(ldapConfig);
+    auditService = new ADAuditService(ldapProvider);
+
+    // Connect to LDAP
+    await ldapProvider.connect();
+  }, 60000);
+
+  afterAll(async () => {
+    if (ldapProvider) {
+      await ldapProvider.disconnect();
+    }
+  });
+
+  describe('Connection Tests', () => {
+    it('should connect to LDAP server', async () => {
+      const result = await auditService.testConnection();
+      expect(result.success).toBe(true);
+      expect(result.message).toContain('Connection successful');
+    }, 30000);
+
+    it('should connect to LDAP server', async () => {
+      await expect(ldapProvider.connect()).resolves.not.toThrow();
+    }, 30000);
+  });
+
+  describe('AD Audit Execution', () => {
+    it('should run full AD audit', async () => {
+      const result = await auditService.runAudit({
+        includeDetails: false,
+        maxUsers: 2000,
+        maxGroups: 200,
+        maxComputers: 200,
+      });
+
+      // Verify result structure
+      expect(result).toHaveProperty('score');
+      expect(result).toHaveProperty('findings');
+      expect(result).toHaveProperty('stats');
+      expect(result).toHaveProperty('timestamp');
+
+      // Verify score structure
+      expect(result.score).toHaveProperty('score');
+      expect(result.score).toHaveProperty('rating');
+      expect(result.score).toHaveProperty('weightedPoints');
+      expect(result.score).toHaveProperty('findings');
+      expect(result.score).toHaveProperty('categories');
+
+      // Score should be between 0 and 100
+      expect(result.score.score).toBeGreaterThanOrEqual(0);
+      expect(result.score.score).toBeLessThanOrEqual(100);
+
+      // Verify stats
+      expect(result.stats.totalUsers).toBeGreaterThan(0);
+      expect(result.stats.executionTimeMs).toBeGreaterThan(0);
+
+      // Log results
+      console.log('\n=== AD Audit Results ===');
+      console.log(`Security Score: ${result.score.score}/100 (${result.score.rating})`);
+      console.log(`Total Users: ${result.stats.totalUsers}`);
+      console.log(`Total Groups: ${result.stats.totalGroups}`);
+      console.log(`Total Computers: ${result.stats.totalComputers}`);
+      console.log(`Total Findings: ${result.stats.totalFindings}`);
+      console.log(`Execution Time: ${result.stats.executionTimeMs}ms`);
+      console.log('\nFindings by Severity:');
+      console.log(`  Critical: ${result.score.findings.critical}`);
+      console.log(`  High: ${result.score.findings.high}`);
+      console.log(`  Medium: ${result.score.findings.medium}`);
+      console.log(`  Low: ${result.score.findings.low}`);
+
+      if (result.findings.length > 0) {
+        console.log('\nTop 5 Findings:');
+        result.findings.slice(0, 5).forEach((finding, i) => {
+          console.log(`  ${i + 1}. [${finding.severity.toUpperCase()}] ${finding.title}: ${finding.count} affected`);
+        });
+      }
+    }, 120000);
+
+    it('should include details when requested', async () => {
+      const result = await auditService.runAudit({
+        includeDetails: true,
+        maxUsers: 10,
+      });
+
+      // Find a finding with affected entities
+      const findingWithDetails = result.findings.find((f) => f.affectedEntities && f.affectedEntities.length > 0);
+
+      if (findingWithDetails) {
+        expect(findingWithDetails.affectedEntities).toBeDefined();
+        expect(Array.isArray(findingWithDetails.affectedEntities)).toBe(true);
+        expect(findingWithDetails.affectedEntities!.length).toBeGreaterThan(0);
+        console.log(`\nSample finding with details: ${findingWithDetails.title}`);
+        console.log(`Affected entities: ${findingWithDetails.affectedEntities!.slice(0, 3).join(', ')}`);
+      }
+    }, 120000);
+
+    it('should detect password vulnerabilities', async () => {
+      const result = await auditService.runAudit({
+        maxUsers: 2000,
+      });
+
+      const passwordFindings = result.findings.filter((f) => f.category === 'passwords');
+      console.log(`\nPassword vulnerabilities found: ${passwordFindings.length}`);
+      passwordFindings.forEach((f) => {
+        console.log(`  - ${f.title}: ${f.count} (${f.severity})`);
+      });
+
+      // Just verify we got results, not specific counts (depends on AD state)
+      expect(result.findings.length).toBeGreaterThanOrEqual(0);
+    }, 120000);
+
+    it('should detect kerberos vulnerabilities', async () => {
+      const result = await auditService.runAudit({
+        maxUsers: 2000,
+      });
+
+      const kerberosFindings = result.findings.filter((f) => f.category === 'kerberos');
+      console.log(`\nKerberos vulnerabilities found: ${kerberosFindings.length}`);
+      kerberosFindings.forEach((f) => {
+        console.log(`  - ${f.title}: ${f.count} (${f.severity})`);
+      });
+    }, 120000);
+
+    it('should detect account vulnerabilities', async () => {
+      const result = await auditService.runAudit({
+        maxUsers: 2000,
+      });
+
+      const accountFindings = result.findings.filter((f) => f.category === 'accounts');
+      console.log(`\nAccount vulnerabilities found: ${accountFindings.length}`);
+      accountFindings.forEach((f) => {
+        console.log(`  - ${f.title}: ${f.count} (${f.severity})`);
+      });
+    }, 120000);
+
+    it('should show ALL vulnerabilities by category', async () => {
+      const result = await auditService.runAudit({
+        maxUsers: 2000,
+      });
+
+      console.log(`\n\n=== COMPLETE VULNERABILITY BREAKDOWN ===`);
+      console.log(`Total Findings: ${result.findings.length}`);
+
+      const byCategory = result.findings.reduce((acc: any, f) => {
+        if (!acc[f.category]) acc[f.category] = [];
+        acc[f.category].push(f);
+        return acc;
+      }, {});
+
+      Object.keys(byCategory).sort().forEach(category => {
+        console.log(`\n${category.toUpperCase()} (${byCategory[category].length} types):`);
+        byCategory[category]
+          .sort((a: any, b: any) => b.count - a.count)
+          .forEach((f: any) => {
+            console.log(`  - [${f.severity.toUpperCase()}] ${f.title}: ${f.count}`);
+          });
+      });
+    }, 120000);
+  });
+
+  describe('Error Handling', () => {
+    it('should handle invalid LDAP credentials gracefully', async () => {
+      const badConfig: LDAPConfig = {
+        ...ldapConfig,
+        bindPassword: 'invalid_password',
+      };
+
+      const badProvider = new LDAPProvider(badConfig);
+      const badService = new ADAuditService(badProvider);
+
+      await expect(badService.testConnection()).resolves.toMatchObject({
+        success: false,
+      });
+    }, 30000);
+  });
+});