Merge remote-tracking branch 'origin/release/v11.0.2' into release/v11.0.2

mjabascal10 · mjabascal10 · commit 9f85c83b011d · 2025-11-25T15:00:48.000-06:00
diff --git a/plugins/modules-config/validations/o365.go b/plugins/modules-config/validations/o365.go
@@ -13,12 +13,51 @@ import (
 )
 
 const (
-	loginUrl      = "https://login.microsoftonline.com/"
 	grantType     = "client_credentials"
-	scope         = "https://manage.office.com/.default"
 	endPointLogin = "/oauth2/v2.0/token"
 )
 
+type CloudEnvironment string
+
+const (
+	CloudCommercial CloudEnvironment = "Commercial"
+	CloudGCC        CloudEnvironment = "GCC"
+	CloudGCCHigh    CloudEnvironment = "GCCHigh"
+	CloudDoD        CloudEnvironment = "DoD"
+)
+
+type CloudConfig struct {
+	LoginAuthority string
+	Scope          string
+}
+
+func getCloudConfig(env CloudEnvironment) CloudConfig {
+	configs := map[CloudEnvironment]CloudConfig{
+		CloudCommercial: {
+			LoginAuthority: "https://login.microsoftonline.com/",
+			Scope:          "https://manage.office.com/.default",
+		},
+		CloudGCC: {
+			LoginAuthority: "https://login.microsoftonline.com/",
+			Scope:          "https://manage-gcc.office.com/.default",
+		},
+		CloudGCCHigh: {
+			LoginAuthority: "https://login.microsoftonline.us/",
+			Scope:          "https://manage.office365.us/.default",
+		},
+		CloudDoD: {
+			LoginAuthority: "https://login.microsoftonline.us/",
+			Scope:          "https://manage.protection.apps.mil/.default",
+		},
+	}
+
+	cloudConfig, exists := configs[env]
+	if !exists {
+		return configs[CloudCommercial]
+	}
+	return cloudConfig
+}
+
 type MicrosoftLoginResponse struct {
 	TokenType   string `json:"token_type,omitempty"`
 	Expires     int    `json:"expires_in,omitempty"`
@@ -30,6 +69,7 @@ type MicrosoftLoginResponse struct {
 
 func ValidateO365Config(config *config.ModuleGroup) error {
 	var clientId, clientSecret, tenantId string
+	var cloudEnvironment CloudEnvironment = CloudCommercial
 
 	if config == nil {
 		return fmt.Errorf("O365 configuration is nil")
@@ -43,6 +83,10 @@ func ValidateO365Config(config *config.ModuleGroup) error {
 			clientSecret = cnf.ConfValue
 		case "office365_tenant_id":
 			tenantId = cnf.ConfValue
+		case "office365_cloud_environment":
+			if cnf.ConfValue != "" {
+				cloudEnvironment = CloudEnvironment(cnf.ConfValue)
+			}
 		}
 	}
 
@@ -56,14 +100,16 @@ func ValidateO365Config(config *config.ModuleGroup) error {
 		return fmt.Errorf("Tenant ID is required in O365 configuration")
 	}
 
+	cloudConfig := getCloudConfig(cloudEnvironment)
+
 	// Validate credentials by attempting to get an access token
-	requestUrl := fmt.Sprintf("%s%s%s", loginUrl, tenantId, endPointLogin)
+	requestUrl := fmt.Sprintf("%s%s%s", cloudConfig.LoginAuthority, tenantId, endPointLogin)
 
 	data := url.Values{}
 	data.Set("grant_type", grantType)
 	data.Set("client_id", clientId)
 	data.Set("client_secret", clientSecret)
-	data.Set("scope", scope)
+	data.Set("scope", cloudConfig.Scope)
 
 	client := &http.Client{
 		Timeout: 10 * time.Second,
diff --git a/plugins/o365/go.mod b/plugins/o365/go.mod
@@ -5,7 +5,8 @@ go 1.24.2
 require (
 	github.com/google/uuid v1.6.0
 	github.com/threatwinds/go-sdk v1.0.43
-	github.com/utmstack/config-client-go v1.2.7
+	google.golang.org/grpc v1.74.2
+	google.golang.org/protobuf v1.36.6
 )
 
 require (
@@ -45,8 +46,6 @@ require (
 	golang.org/x/text v0.27.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250721164621-a45f3dfb1074 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074 // indirect
-	google.golang.org/grpc v1.74.2 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.5.0 // indirect
 )
diff --git a/plugins/o365/go.sum b/plugins/o365/go.sum
@@ -93,8 +93,6 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/utmstack/config-client-go v1.2.7 h1:JeRdI5JjH1liNzMW3LmyevjuPd67J/yt9MAO3+oJAuM=
-github.com/utmstack/config-client-go v1.2.7/go.mod h1:kM0KoUizM9ZlcQp0qKviGTWn/+anT5Rfjx3zfZk79nM=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
diff --git a/plugins/o365/main.go b/plugins/o365/main.go
@@ -17,31 +17,56 @@ import (
 	"github.com/utmstack/UTMStack/plugins/o365/config"
 )
 
+type CloudEnvironment string
+
 const (
-	loginUrl                  = "https://login.microsoftonline.com/"
-	GRANTTYPE                 = "client_credentials"
-	SCOPE                     = "https://manage.office.com/.default"
-	endPointLogin             = "/oauth2/v2.0/token"
-	endPointStartSubscription = "/activity/feed/subscriptions/start"
-	endPointContent           = "/activity/feed/subscriptions/content"
-	BASEURL                   = "https://manage.office.com/api/v1.0/"
-	DefaultTenant             = "ce66672c-e36d-4761-a8c8-90058fee1a24"
+	GRANTTYPE                                  = "client_credentials"
+	endPointLogin                              = "/oauth2/v2.0/token"
+	endPointStartSubscription                  = "/activity/feed/subscriptions/start"
+	endPointContent                            = "/activity/feed/subscriptions/content"
+	DefaultTenant                              = "ce66672c-e36d-4761-a8c8-90058fee1a24"
+	apiVersion                                 = "api/v1.0/"
+	CloudCommercial           CloudEnvironment = "Commercial"
+	CloudGCC                  CloudEnvironment = "GCC"
+	CloudGCCHigh              CloudEnvironment = "GCCHigh"
+	CloudDoD                  CloudEnvironment = "DoD"
 )
 
-func GetMicrosoftLoginLink(tenant string) string {
-	return fmt.Sprintf("%s%s%s", loginUrl, tenant, endPointLogin)
-}
-
-func GetStartSubscriptionLink(tenant string) string {
-	return fmt.Sprintf("%s%s%s", BASEURL, tenant, endPointStartSubscription)
+type CloudConfig struct {
+	LoginAuthority     string
+	ManagementEndpoint string
+	Scope              string
 }
 
-func GetContentLink(tenant string) string {
-	return fmt.Sprintf("%s%s%s", BASEURL, tenant, endPointContent)
-}
+func GetCloudConfig(env CloudEnvironment) CloudConfig {
+	configs := map[CloudEnvironment]CloudConfig{
+		CloudCommercial: {
+			LoginAuthority:     "https://login.microsoftonline.com/",
+			ManagementEndpoint: "https://manage.office.com/",
+			Scope:              "https://manage.office.com/.default",
+		},
+		CloudGCC: {
+			LoginAuthority:     "https://login.microsoftonline.com/",
+			ManagementEndpoint: "https://manage-gcc.office.com/",
+			Scope:              "https://manage-gcc.office.com/.default",
+		},
+		CloudGCCHigh: {
+			LoginAuthority:     "https://login.microsoftonline.us/",
+			ManagementEndpoint: "https://manage.office365.us/",
+			Scope:              "https://manage.office365.us/.default",
+		},
+		CloudDoD: {
+			LoginAuthority:     "https://login.microsoftonline.us/",
+			ManagementEndpoint: "https://manage.protection.apps.mil/",
+			Scope:              "https://manage.protection.apps.mil/.default",
+		},
+	}
 
-func GetTenantId() string {
-	return DefaultTenant
+	config, exists := configs[env]
+	if !exists {
+		return configs[CloudCommercial]
+	}
+	return config
 }
 
 func main() {
@@ -65,29 +90,17 @@ func main() {
 	for range ticker.C {
 		endTime := time.Now().UTC()
 
-		if err := ConnectionChecker(loginUrl); err != nil {
-			_ = catcher.Error("External connection failure detected: %v", err, nil)
-		}
-
 		moduleConfig := config.GetConfig()
 		if moduleConfig != nil && moduleConfig.ModuleActive {
+			checkConfiguredEnvironments(moduleConfig.ModuleGroups)
+
 			var wg sync.WaitGroup
 			wg.Add(len(moduleConfig.ModuleGroups))
 
 			for _, grp := range moduleConfig.ModuleGroups {
 				go func(group *config.ModuleGroup) {
 					defer wg.Done()
-					var invalid bool
-					for _, c := range group.ModuleGroupConfigurations {
-						if strings.TrimSpace(c.ConfValue) == "" {
-							invalid = true
-							break
-						}
-					}
-
-					if !invalid {
-						pull(startTime, endTime, group)
-					}
+					pull(startTime, endTime, group)
 				}(grp)
 			}
 
@@ -98,6 +111,34 @@ func main() {
 	}
 }
 
+func checkConfiguredEnvironments(groups []*config.ModuleGroup) {
+	uniqueAuthorities := make(map[string]CloudEnvironment)
+
+	for _, group := range groups {
+		env := getGroupEnvironment(group)
+		cloudConfig := GetCloudConfig(env)
+		uniqueAuthorities[cloudConfig.LoginAuthority] = env
+	}
+
+	for authority, env := range uniqueAuthorities {
+		if err := ConnectionChecker(authority); err != nil {
+			_ = catcher.Error("External connection failure detected", err, map[string]any{
+				"environment": env,
+				"authority":   authority,
+			})
+		}
+	}
+}
+
+func getGroupEnvironment(group *config.ModuleGroup) CloudEnvironment {
+	for _, cnf := range group.ModuleGroupConfigurations {
+		if cnf.ConfKey == "office365_cloud_environment" && cnf.ConfValue != "" {
+			return CloudEnvironment(cnf.ConfValue)
+		}
+	}
+	return CloudCommercial
+}
+
 func pull(startTime time.Time, endTime time.Time, group *config.ModuleGroup) {
 	agent := GetOfficeProcessor(group)
 
@@ -117,7 +158,7 @@ func pull(startTime time.Time, endTime time.Time, group *config.ModuleGroup) {
 	for _, log := range logs {
 		plugins.EnqueueLog(&plugins.Log{
 			Id:         uuid.New().String(),
-			TenantId:   GetTenantId(),
+			TenantId:   agent.TenantId,
 			DataType:   "o365",
 			DataSource: group.GroupName,
 			Timestamp:  time.Now().UTC().Format(time.RFC3339Nano),
@@ -127,11 +168,13 @@ func pull(startTime time.Time, endTime time.Time, group *config.ModuleGroup) {
 }
 
 type OfficeProcessor struct {
-	Credentials   MicrosoftLoginResponse
-	TenantId      string
-	ClientId      string
-	ClientSecret  string
-	Subscriptions []string
+	Credentials      MicrosoftLoginResponse
+	TenantId         string
+	ClientId         string
+	ClientSecret     string
+	Subscriptions    []string
+	CloudEnvironment CloudEnvironment
+	CloudConfig      CloudConfig
 }
 
 type MicrosoftLoginResponse struct {
@@ -162,7 +205,10 @@ type ContentList struct {
 type ContentDetailsResponse []map[string]any
 
 func GetOfficeProcessor(group *config.ModuleGroup) OfficeProcessor {
-	offProc := OfficeProcessor{}
+	offProc := OfficeProcessor{
+		CloudEnvironment: CloudCommercial,
+	}
+
 	for _, cnf := range group.ModuleGroupConfigurations {
 		switch cnf.ConfKey {
 		case "office365_client_id":
@@ -171,27 +217,34 @@ func GetOfficeProcessor(group *config.ModuleGroup) OfficeProcessor {
 			offProc.ClientSecret = cnf.ConfValue
 		case "office365_tenant_id":
 			offProc.TenantId = cnf.ConfValue
+		case "office365_cloud_environment":
+			if cnf.ConfValue != "" {
+				offProc.CloudEnvironment = CloudEnvironment(cnf.ConfValue)
+			}
 		}
 	}
 
-	offProc.Subscriptions = append(offProc.Subscriptions, []string{
+	offProc.CloudConfig = GetCloudConfig(offProc.CloudEnvironment)
+
+	offProc.Subscriptions = []string{
 		"Audit.AzureActiveDirectory",
 		"Audit.Exchange",
 		"Audit.General",
 		"DLP.All",
-		"Audit.SharePoint"}...)
+		"Audit.SharePoint",
+	}
 
 	return offProc
 }
 
 func (o *OfficeProcessor) GetAuth() error {
-	requestUrl := GetMicrosoftLoginLink(o.TenantId)
+	requestUrl := fmt.Sprintf("%s%s%s", o.CloudConfig.LoginAuthority, o.TenantId, endPointLogin)
 
 	data := url.Values{}
 	data.Set("grant_type", GRANTTYPE)
 	data.Set("client_id", o.ClientId)
 	data.Set("client_secret", o.ClientSecret)
-	data.Set("scope", SCOPE)
+	data.Set("scope", o.CloudConfig.Scope)
 
 	headers := map[string]string{
 		"Content-Type": "application/x-www-form-urlencoded",
@@ -230,7 +283,12 @@ func (o *OfficeProcessor) GetAuth() error {
 
 func (o *OfficeProcessor) StartSubscriptions() error {
 	for _, subscription := range o.Subscriptions {
-		link := GetStartSubscriptionLink(o.TenantId) + "?contentType=" + subscription
+		link := fmt.Sprintf("%s%s%s%s?contentType=%s",
+			o.CloudConfig.ManagementEndpoint,
+			apiVersion,
+			o.TenantId,
+			endPointStartSubscription,
+			subscription)
 		headers := map[string]string{
 			"Content-Type":  "application/json",
 			"Authorization": fmt.Sprintf("%s %s", o.Credentials.TokenType, o.Credentials.AccessToken),
@@ -277,7 +335,11 @@ func (o *OfficeProcessor) StartSubscriptions() error {
 }
 
 func (o *OfficeProcessor) GetContentList(subscription string, startTime time.Time, endTime time.Time) ([]ContentList, error) {
-	link := GetContentLink(o.TenantId) + fmt.Sprintf("?startTime=%s&endTime=%s&contentType=%s",
+	link := fmt.Sprintf("%s%s%s%s?startTime=%s&endTime=%s&contentType=%s",
+		o.CloudConfig.ManagementEndpoint,
+		apiVersion,
+		o.TenantId,
+		endPointContent,
 		startTime.UTC().Format("2006-01-02T15:04:05"),
 		endTime.UTC().Format("2006-01-02T15:04:05"),
 		subscription)
