Skip to content

Implement cross-domain group membership handling and validation#341

Open
Ne0nd0g wants to merge 1 commit into
dreadnode:mainfrom
Ne0nd0g:fix/cross-forest-laps-bridge
Open

Implement cross-domain group membership handling and validation#341
Ne0nd0g wants to merge 1 commit into
dreadnode:mainfrom
Ne0nd0g:fix/cross-forest-laps-bridge

Conversation

@Ne0nd0g

@Ne0nd0g Ne0nd0g commented Jul 10, 2026

Copy link
Copy Markdown

Summary

Fixes provisioning and validation of cross-domain group memberships, enabling reliable creation and verification of cross-forest access relationships used by GOAD.

This change improves provisioning reliability for cross-domain group membership creation, corrects the Microsoft LAPS permission cmdlet parameter, and extends the CLI validation logic to recognize and validate cross-domain memberships represented by Foreign Security Principals (FSPs).

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would change existing behavior)
  • New lab, lab variant, or extension
  • New / updated provider support
  • Refactor / internal cleanup (no functional change)
  • Documentation
  • CI / build / release tooling
  • Dependency update

Area

  • CLI (cli/)
  • Ansible collection (ansible/)
  • Terraform / Terragrunt (infra/, modules/)
  • Packer / Warpgate (packer/, warpgate-templates/)
  • Lab definitions (ad/)
  • Extensions (extensions/)
  • Variant generator / tools (tools/)
  • Documentation (docs/, README.md, etc.)
  • CI workflows (.github/)

Related issues

N/A

How was this tested?

  • Added a unit test verifying that multi_domain_groups_member entries are parsed into the lab model.

  • Verified the new validation logic correctly resolves and validates cross-domain memberships, including memberships represented as Foreign Security Principals.

  • Verified provisioning retries transient replication and membership failures during cross-domain group creation.

  • Provider(s) tested: Hyper-V

  • Lab(s) tested: GOAD

  • Operator OS: Linux

Screenshots / logs (optional)

N/A

Checklist

  • I have read CONTRIBUTING.md.
  • My changes follow the existing code style of the area I touched.
  • I have added or updated tests where it makes sense (Go tests under cli/, Ansible syntax checks, etc.).
  • I have updated documentation (README, docs/, role README, command help text) where relevant.
  • I have checked that I am not committing real secrets, personal credentials, or internal hostnames. (Intentional lab credentials inside ad/, ansible/, and extensions/ are expected and fine.)
  • If this PR changes user-facing CLI behavior, I have updated the relevant --help text and any docs that reference it.
  • If this PR introduces a breaking change, I have called it out in the Summary above.

@dreadnode-renovate-bot dreadnode-renovate-bot Bot added the area/roles Changes made to Ansible roles label Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/roles Changes made to Ansible roles

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant