feat(pam): windows discovery base

[x032205]

Context

Adds Windows Discovery with:

• AD scanning for machines (resources) & AD user/service accounts

Not yet supported:

• Local machine account scanning & import (WinRM)
• Dependency scanning & import (WinRM)

Screenshots

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
• Tested locally
• Updated docs (if needed)
• Read the contributing guide

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
27411356	Triggered	Generic Database Assignment	3a65a82	backend/src/ee/services/pam-discovery/active-directory/active-directory-discovery-factory.ts	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[greptile-apps]

Greptile Summary

This PR implements Windows Discovery for PAM with Active Directory scanning capabilities. The implementation adds comprehensive backend infrastructure including database tables, DALs, services, queue handlers, and API endpoints for discovering AD machines (resources) and AD user/service accounts. The frontend includes new pages and forms for managing discovery sources and viewing discovered resources/accounts.

Key Changes:

• Added 6 new database tables for discovery sources, runs, and junction tables linking discovered resources/accounts to sources
• Implemented AD LDAP enumeration via gateway proxy for discovering Windows Servers and domain accounts
• Service accounts are auto-detected using SPN and naming patterns (svc-, -service, -svc)
• Scheduled discovery runs daily at 3:00 AM UTC, with manual trigger support
• Comprehensive permission system with Read, Create, Edit, Delete, and RunScan actions
• Full audit logging for all discovery operations

Issues Found:

• Critical: Migration has conflicting constraint - gatewayId is notNullable() but foreign key uses onDelete("SET NULL") (line 21)
• LDAP filter construction uses user-provided domainFQDN - verify validation prevents LDAP injection
• No documentation found in /docs folder for this new discovery feature

Not Yet Supported (per PR description):

• Local machine account scanning via WinRM
• Dependency scanning via WinRM

Confidence Score: 3/5

• This PR has one critical database constraint issue that will cause runtime failures, but otherwise implements a well-structured feature with proper security controls
• Score reflects the critical migration bug (gatewayId constraint conflict) that must be fixed before merging. The implementation is otherwise solid with proper permissions, audit logging, encryption, and error handling. The LDAP enumeration appears safe but needs validation confirmation. Missing documentation is a concern for feature discoverability.
• Pay close attention to backend/src/db/migrations/20260219070359_pam-discovery.ts (line 21) - the gatewayId constraint conflict must be resolved

Important Files Changed

Filename	Overview
backend/src/db/migrations/20260219070359_pam-discovery.ts	Creates 6 new PAM discovery tables with proper foreign keys, indices, and idempotency checks
backend/src/ee/services/pam-discovery/active-directory/active-directory-discovery-factory.ts	Active Directory LDAP discovery implementation with connection validation and auto-import of resources and accounts
backend/src/ee/services/pam-discovery/pam-discovery-source-service.ts	Service layer with proper permission checks for all PAM discovery operations including CRUD and scan triggering
backend/src/ee/services/permission/project-permission.ts	Adds PamDiscovery permission subject with Read, Create, Edit, Delete, and RunScan actions
backend/src/ee/routes/v1/pam-discovery-routers/pam-discovery-endpoints.ts	Generic endpoint factory for PAM discovery sources with comprehensive audit logging
frontend/src/pages/pam/PamDiscoveryPage/components/PamDiscoverySourceForm/ActiveDirectoryDiscoveryForm.tsx	Frontend form for AD discovery with proper validation and password handling using UNCHANGED_PASSWORD_SENTINEL
backend/src/ee/services/pam-discovery/pam-discovery-queue.ts	Queue handler for PAM discovery scans with manual and scheduled triggers, runs daily at 3 AM UTC

_{Last reviewed commit: 6b712df}

[greptile-apps]

_{71 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Column gatewayId is marked as notNullable() on line 20 but the foreign key uses onDelete("SET NULL"). This creates a constraint conflict - if the referenced gateway is deleted, the database will try to set this field to NULL but the NOT NULL constraint will prevent it, causing the delete operation to fail.

Suggested change

	t.foreign("gatewayId").references("id").inTable(TableName.GatewayV2).onDelete("SET NULL");
	t.foreign("gatewayId").references("id").inTable(TableName.GatewayV2).onDelete("CASCADE");

[sheensantoscapadngan]

valid ^^

we should make it so that deleting the gateway throws an error if it's selected in one of the discovery sources

[greptile-apps]

The regex patterns in toSlugName use simple character classes without nested quantifiers, so they're safe from ReDoS. However, consider using the re2 package for consistency with the codebase's security policy (Rule 1), even though these specific patterns are not vulnerable.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

[sheensantoscapadngan]

valid ^^

Redos!

[greptile-apps]

LDAP filters are hardcoded here, which is safe. User-controllable input (configuration.domainFQDN, credentials.username) is used in buildDomainDN and bind operations but not in the filter strings themselves. The baseDN is constructed from the domain FQDN, which could theoretically be manipulated. Verify that configuration.domainFQDN is validated on the frontend and backend to prevent LDAP injection (e.g., no special LDAP characters like *, (, ), \, etc.).

[sheensantoscapadngan]

IGNORE PLACEMENT OF COMMENT

we might not need the "New" and "Stale" columns altogether if you just do (+1) or (-1) beside the account/resource count?

[sheensantoscapadngan]

this should be PamDiscoverySourceRun right

[sheensantoscapadngan]

we might not need to track this since these are just values you can derive if needed

[sheensantoscapadngan]

for numeric columns, it would make more sense if it had count prefix or something better

[sheensantoscapadngan]

what does this refer to?

[sheensantoscapadngan]

nit - this can just be type

[sheensantoscapadngan]

maybe just use an enum for this

[sheensantoscapadngan]

let's make all audit logs for this have an identifier that's easily recognizable by users.. like discovery source name

[sheensantoscapadngan]

let's do discovery-sources?

[sheensantoscapadngan]

same here

[sheensantoscapadngan]

we should be doing this inside a transaction right because otherwise the read request might be served by a replica so it would be invalid

[sheensantoscapadngan]

don't we want to match against something more specific/definite like an active directory ID? Existing resources might clash with resources discovered so we could add a suffix to the name. Imagine if I had two domains each with a windows machine of the same name

[sheensantoscapadngan]

same concern here about matching and account name duplicates...

also shouldn't we be checking accountType as well?

[sheensantoscapadngan]

same concern about using transactions

[sheensantoscapadngan]

let's use enums for the status

[sheensantoscapadngan]

this should be in a txn right?

[sheensantoscapadngan]

same here.. it should likely be a txn per computer so that we don't hold up a txn for too long

[sheensantoscapadngan]

same remark here

[sheensantoscapadngan]

shouldn't we be updating the discovered resource count right away in case the account processing part fails?

[sheensantoscapadngan]

would it make sense to add a check to ensure that only one scan can happen at a time?

[sheensantoscapadngan]

nit - could just be added to the finally block

[sheensantoscapadngan]

enum

[sheensantoscapadngan]

what reason? is this for failure? let's be more specific

[sheensantoscapadngan]

nit - DiscoverySourceCredentials and same for configuration

[sheensantoscapadngan]

should we prefix these so that it's specific to windows? windows-scheduled-task as an example

[sheensantoscapadngan]

is this something we should to the user in the UI?

[sheensantoscapadngan]

nit but we can just combine this right?

[sheensantoscapadngan]

should we be using discriminatedUnion here or is that not a concern for this use-case?

[sheensantoscapadngan]

same Q here