Handle Entra ID federated identities

[tr4l]

One of the way a workflow can be authenticated on EntraID/Azure is by using OIDC and federated identities.

This make sense for GitHound and BloodHound to make this connection, as a Service Principal on Entra can be linked to a GitHub repositories.

Reference:

• https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure-openid-connect

[jaredcatkinson]

This has been added in both AzureHound via the AZFederatedIdentityCredential object. There is currently a PowerShell function that can be run across an AzureHound output file to draw edges from the relevant GH_Repository, GH_Branch, or GH_Environment to the AZFederatedIdentityCredential. The resulting edge is considered traversable and is called GH_CanAssumeIdentity. The current plan is to determine where it makes the most sense to automate the script (in AzureHound or GitHound) and include it directly.

$fidc = Get-Content './output/azurehound.json' -Raw | ConvertFrom-Json
$nodes = @($fidc.graph.nodes | Where-Object { $_.kind -contains 'AZFederatedIdentityCredential' })
$result = Parse-GitHoundOIDCSubject -FederatedIdentityCredentials $nodes

[pscustomobject]@{
    graph = [pscustomobject]@{
        nodes = @()
        edges = @($result.Edges)
    }
} | ConvertTo-Json -Depth 10 | Out-File './output/githound_oidc_manual.json'