ownerlens 0.1.0

package/src/core/azure/entra/types.ts

@@ -0,0 +1,56 @@
+import type { PermissionRiskLevel } from "../../risk/types";
+
+export type ServicePrincipalType = "Application" | "ManagedIdentity" | "SocialIdp" | "Legacy";
+
+export type ServicePrincipalAppRole = {
+  id: string;
+  value: string | null;
+  displayName: string | null;
+  description: string | null;
+  isEnabled: boolean | null;
+  allowedMemberTypes: string[];
+};
+
+export type ServicePrincipalOwner = {
+  id?: string | null;
+  displayName?: string | null;
+  userPrincipalName?: string | null;
+  mail?: string | null;
+  ownerType?: string | null;
+};
+
+export type EntraServicePrincipal = {
+  id: string;
+  appId: string;
+  displayName: string;
+  appDisplayName: string | null;
+  servicePrincipalType: ServicePrincipalType;
+  publisherName: string | null;
+  accountEnabled: boolean;
+  appOwnerOrganizationId: string | null;
+  homepage: string | null;
+  loginUrl: string | null;
+  replyUrls: string[];
+  servicePrincipalNames: string[];
+  tags: string[];
+  appRoles?: ServicePrincipalAppRole[];
+  owners?: ServicePrincipalOwner[];
+  appOwners?: ServicePrincipalOwner[];
+  servicePrincipalOwners?: ServicePrincipalOwner[];
+  applicationOwners?: ServicePrincipalOwner[];
+  metadata?: Record<string, unknown> | null;
+};
+
+export type EntraOAuth2PermissionGrant = {
+  id: string;
+  clientId: string;
+  consentType: "Principal" | "AllPrincipals" | string;
+  principalId: string | null;
+  resourceId: string;
+  risk: PermissionRiskLevel;
+  scope: string;
+};
+
+export type EntraAppRole = ServicePrincipalAppRole;
+export type EntraServicePrincipalType = ServicePrincipalType;
+export type EntraOwner = ServicePrincipalOwner;

package/src/core/azure/identityEnrichment.ts

@@ -0,0 +1,65 @@
+import type { PermissionRiskLevel } from "../risk/types";
+import type { AzureRoleAssignment, AzureUserAssignedIdentityAssignment } from "./resources";
+
+export type AzureManagedIdentityResourceAssignment = AzureUserAssignedIdentityAssignment & {
+  assignedResourceId: string;
+  assignedResourceName: string;
+  assignedResourceType: string;
+  assignedResourceGroup: string;
+  subscriptionId: string;
+  subscriptionName: string;
+};
+
+export type ManagedIdentityPermissionRiskLevel = PermissionRiskLevel;
+
+export type ManagedIdentityPermissionRiskAssignment = AzureRoleAssignment & {
+  riskLevel: ManagedIdentityPermissionRiskLevel;
+  reasons: string[];
+};
+
+export type ManagedIdentityPermissionRiskSummary = {
+  principalId: string;
+  riskLevel: ManagedIdentityPermissionRiskLevel;
+  assignmentCount: number;
+  highRiskAssignmentCount: number;
+  broadScopeAssignmentCount: number;
+  roleAssignments: ManagedIdentityPermissionRiskAssignment[];
+};
+
+export const AZURE_ACCESS_RISK_RANK: Record<ManagedIdentityPermissionRiskLevel, number> = {
+  none: 0,
+  low: 1,
+  medium: 2,
+  high: 3
+};
+
+export type AzureIdentityEnrichmentStatus = {
+  calculated: boolean;
+  latestRunId: string | null;
+  identityRoleAssignmentCount: number;
+  accessRiskIdentityCount: number;
+  managedIdentityAssignmentCount: number;
+  calculatedAt: string | null;
+};
+
+export type AzureRoleAssignmentEnrichment = {
+  principalId: string;
+  roleAssignments: AzureRoleAssignment[];
+  assignmentCount: number;
+};
+
+export type AzureManagedIdentityAssignmentEnrichment = {
+  servicePrincipalId: string;
+  principalId: string;
+  clientId: string;
+  managedIdentityAssignments: AzureManagedIdentityResourceAssignment[];
+  assignedResourceGroups: string[];
+  assignmentCount: number;
+};
+
+export type LatestAzureIdentityEnrichment = {
+  status: AzureIdentityEnrichmentStatus;
+  roleAssignmentsByPrincipalId: Map<string, AzureRoleAssignmentEnrichment>;
+  accessRiskByPrincipalId: Map<string, ManagedIdentityPermissionRiskSummary>;
+  managedIdentityAssignmentsByServicePrincipalId: Map<string, AzureManagedIdentityAssignmentEnrichment>;
+};

package/src/core/azure/resources.ts

@@ -0,0 +1,141 @@
+import type { OwnerConfidence, OwnerEvidence } from "../ownership/types";
+
+export type AzureResourceTags = Record<string, string>;
+
+export type AzureResourceGroup = {
+  subscriptionId: string;
+  subscriptionName: string;
+  resourceGroup: string;
+  location: string;
+  tags: AzureResourceTags | null;
+};
+
+export type AzureResource = {
+  subscriptionId: string;
+  subscriptionName: string;
+  resourceId: string;
+  resourceName: string;
+  resourceGroup: string;
+  resourceType: string;
+  kind: string | null;
+  location: string;
+  tags: AzureResourceTags | null;
+  identityType: string | null;
+  identityPrincipalId: string | null;
+  identityTenantId: string | null;
+  userAssignedIdentityResourceIds: string[];
+  userAssignedIdentities: unknown;
+};
+
+export type AzureSubscriptionState = "Enabled" | "Disabled" | "Warned" | "PastDue" | "Deleted";
+
+export type AzureSubscription = {
+  subscriptionId: string;
+  subscriptionName: string;
+  tenantId: string;
+  state: AzureSubscriptionState;
+  tags: AzureResourceTags | null;
+};
+
+export type AzureUserAssignedManagedIdentity = {
+  subscriptionId: string;
+  subscriptionName: string;
+  resourceId: string;
+  name: string;
+  resourceGroup: string;
+  location: string;
+  clientId: string;
+  principalId: string;
+  tenantId: string;
+  tags: AzureResourceTags | null;
+};
+
+export type AzureActivityLog = {
+  subscriptionId: string;
+  subscriptionName: string;
+  eventTimestamp: string;
+  submissionTimestamp: string | null;
+  caller: string | null;
+  callerUserPrincipalName?: string | null;
+  callerName?: string | null;
+  callerEmail?: string | null;
+  callerObjectId?: string | null;
+  callerIdentityType?: string | null;
+  callerAppId?: string | null;
+  callerIpAddress?: string | null;
+  callerTenantId?: string | null;
+  operationName: string | null;
+  operationNameValue: string | null;
+  status: string | null;
+  subStatus: string | null;
+  category: string | null;
+  resourceGroupName: string | null;
+  resourceId: string | null;
+  resourceProviderName: string | null;
+  resourceType: string | null;
+  authorizationAction: string | null;
+  authorizationScope: string | null;
+};
+
+export type AzureSnapshotMeta = {
+  provider: "azure";
+  snapshotVersion: string;
+  createdAt: string;
+  activityDays: number;
+  activityStartTime: string;
+  maxActivityRecords: number;
+  requestedSubscriptions: string[];
+  subscriptionCount: number;
+  resourceGroupCount: number;
+  resourceCount: number;
+  userAssignedManagedIdentityCount: number;
+  roleAssignmentCount?: number;
+  activityLogCount: number;
+};
+
+export type AzureSnapshot = {
+  meta: AzureSnapshotMeta;
+  subscriptions: AzureSubscription[];
+  resourceGroups: AzureResourceGroup[];
+  resources: AzureResource[];
+  userAssignedManagedIdentities: AzureUserAssignedManagedIdentity[];
+  roleAssignments?: AzureRoleAssignment[];
+  activityLogs: AzureActivityLog[];
+};
+
+export type ResourceGroupOwnershipRow = AzureResourceGroup & {
+  targetKey: string;
+  owner: string | null;
+  confidence: OwnerConfidence;
+  source: string;
+  evidence: OwnerEvidence[];
+};
+
+export type AzureUserAssignedIdentityAssignment = {
+  resourceId: string;
+  clientId: string | null;
+  principalId: string | null;
+};
+
+export type AzureRoleAssignment = {
+  subscriptionId: string;
+  subscriptionName: string;
+  roleAssignmentId: string | null;
+  scope: string;
+  scopeType?: "ManagementGroup" | "Subscription" | "ResourceGroup" | "Resource" | "Unknown" | null;
+  scopeSubscriptionId?: string | null;
+  scopeResourceGroup?: string | null;
+  scopeResourceProvider?: string | null;
+  scopeResourceType?: string | null;
+  scopeResourceName?: string | null;
+  scopeManagementGroup?: string | null;
+  principalId: string;
+  principalType: string | null;
+  principalDisplayName: string | null;
+  signInName: string | null;
+  roleDefinitionId: string | null;
+  roleDefinitionName: string | null;
+  canDelegate: boolean | null;
+  condition: string | null;
+  conditionVersion: string | null;
+};

package/src/core/azure/ztaReport.ts

@@ -0,0 +1,58 @@
+import type { PermissionRiskLevel } from "../risk/types";
+
+export type ZtaReport = {
+  Meta: ZtaReportMeta;
+  Tests: ZtaReportTest[];
+};
+
+export type ZtaRemediationSummary = {
+  ztaRemediationCountAll: number;
+  ztaRemediationFailedCount: number;
+  ztaMaxRisk: PermissionRiskLevel;
+};
+
+export type ZtaReportMeta = {
+  Account?: string | null;
+  CurrentVersion?: string | null;
+  Domain?: string | null;
+  EndOfJson?: boolean | null;
+  ExecutedAt?: string | null;
+  LatestVersion?: string | null;
+  TenantId?: string | null;
+  TenantInfo?: Record<string, unknown> | null;
+  TenantName?: string | null;
+  TestResultSummary?: Record<string, unknown> | null;
+  [key: string]: unknown;
+};
+
+export type ZtaRelatedObject = {
+  id?: string | null;
+  object_id?: string | null;
+  servicePrincipalId?: string | null;
+  tags?: string[] | null;
+  applicationId?: string | null;
+  displayName?: string | null;
+  servicePrincipalType?: string | null;
+  userPrincipalName?: string | null;
+};
+
+export type ZtaReportTest = {
+  TestId?: string | number | null;
+  TestTitle?: string | null;
+  TestPillar?: string | null;
+  SkippedReason?: string | null;
+  TestImpact?: string | null;
+  TestImplementationCost?: string | null;
+  TestMinimumLicense?: string | string[] | null;
+  TestStatus?: string | null;
+  TestResult?: string | null;
+  TestTags?: string[] | null;
+  TestSkipped?: string | null;
+  TestDescription?: string | null;
+  TestCategory?: string | null;
+  TestRisk?: string | null;
+  TestSfiPillar?: string | null;
+  TestAppliesTo?: string[] | null;
+  RelatedObjects?: ZtaRelatedObject[] | null;
+  [key: string]: unknown;
+};

package/src/core/config.ts

@@ -0,0 +1,39 @@
+import type { OwnerConfidence } from "./ownership/types";
+
+export type OwnerTagConfig = {
+  name: string;
+  confidence: Exclude<OwnerConfidence, "none">;
+};
+
+export type AppConfig = {
+  azure: {
+    ownership: {
+      /**
+       * Ordered by priority. The tag value is treated as the owner identity,
+       * so it can be a group name, security group alias, or user email.
+       */
+      ownerTags: OwnerTagConfig[];
+    };
+  };
+};
+
+export const appConfig: AppConfig = {
+  azure: {
+    ownership: {
+      ownerTags: [
+        {
+          name: "ownerGroup",
+          confidence: "high"
+        },
+        {
+          name: "costCenter",
+          confidence: "high"
+        },
+        {
+          name: "owner",
+          confidence: "medium"
+        }
+      ]
+    }
+  }
+};

package/src/core/ownership/OwnershipTarget.ts

@@ -0,0 +1,32 @@
+import type { OwnerResolution } from "./types";
+
+export type OwnershipSourceProvider = "azure" | "entra" | "zeroTrustAssessment";
+
+export type OwnershipTargetRiskLevel = "none" | "low" | "medium" | "high" | "critical";
+
+export type OwnershipTargetRef = {
+  type: string;
+  id: string;
+  label?: string;
+};
+
+export type OwnershipTarget = {
+  id: string;
+  kind: string;
+  displayName: string;
+  sourceProvider: OwnershipSourceProvider;
+  technicalId?: string | null;
+  ownership?: OwnerResolution;
+  riskLevel?: OwnershipTargetRiskLevel;
+  refs?: OwnershipTargetRef[];
+};
+
+export function buildZeroTrustAssessmentAuditFindingTarget(
+  target: Omit<OwnershipTarget, "kind" | "sourceProvider">
+): OwnershipTarget {
+  return {
+    ...target,
+    kind: "zta.auditFinding",
+    sourceProvider: "zeroTrustAssessment"
+  };
+}

package/src/core/ownership/resolveOwner.ts

@@ -0,0 +1,5 @@
+import type { OwnerResolution } from "./types";
+
+export type OwnerResolver<TTarget, TContext> = {
+  resolveOwner(target: TTarget, context: TContext): OwnerResolution;
+};

package/src/core/ownership/types.ts

@@ -0,0 +1,14 @@
+export type OwnerConfidence = "high" | "medium" | "low" | "none";
+
+export type OwnerEvidence = {
+  user: string;
+  date: string | null;
+  disabled?: boolean;
+};
+
+export type OwnerResolution = {
+  owner: string | null;
+  confidence: OwnerConfidence;
+  source: string;
+  evidence: OwnerEvidence[];
+};

package/src/core/risk/types.ts

@@ -0,0 +1 @@
+export type PermissionRiskLevel = "high" | "medium" | "low" | "none";

package/src/core/runtime/index.ts

@@ -0,0 +1 @@
+export {};

package/src/core/runtime/localSnapshotFiles.ts

@@ -0,0 +1,74 @@
+import { constants as fsConstants } from "node:fs";
+import { access, readdir, readFile, stat } from "node:fs/promises";
+import path from "node:path";
+
+export type LocalSnapshotFile = {
+  name: string;
+  size: number;
+  updatedAt: string;
+};
+
+export type LocalSnapshotData = {
+  meta?: {
+    provider?: string;
+    createdAt?: string;
+    [key: string]: unknown;
+  };
+  [key: string]: unknown;
+};
+
+export const snapshotNamePattern = /^[\w.-]*snapshot\.json$/i;
+
+export async function listLocalSnapshotFiles(dataDir: string): Promise<LocalSnapshotFile[]> {
+  const entries = await readdir(dataDir);
+  const files = await Promise.all(
+    entries
+      .filter((name) => snapshotNamePattern.test(name))
+      .map(async (name) => {
+        const filePath = path.join(dataDir, name);
+        const details = await stat(filePath);
+        return {
+          name,
+          size: details.size,
+          updatedAt: details.mtime.toISOString()
+        };
+      })
+  );
+
+  return files.sort((a, b) => a.name.localeCompare(b.name));
+}
+
+export async function readLocalSnapshotFile(dataDir: string, name: string): Promise<LocalSnapshotData> {
+  validateSnapshotFileName(name);
+
+  const filePath = path.join(dataDir, name);
+  if (!(await pathExists(filePath))) {
+    throw new RuntimeHttpError(`Snapshot file ./data/${name} was not found.`, 404);
+  }
+
+  return JSON.parse(await readFile(filePath, "utf8")) as LocalSnapshotData;
+}
+
+export function validateSnapshotFileName(name: string): void {
+  if (!snapshotNamePattern.test(name) || path.basename(name) !== name) {
+    throw new RuntimeHttpError("Invalid snapshot file name.", 400);
+  }
+}
+
+export async function pathExists(filePath: string): Promise<boolean> {
+  try {
+    await access(filePath, fsConstants.F_OK);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export class RuntimeHttpError extends Error {
+  readonly statusCode: number;
+
+  constructor(message: string, statusCode: number) {
+    super(message);
+    this.statusCode = statusCode;
+  }
+}

package/src/core/runtime/rest.ts

@@ -0,0 +1,61 @@
+export type RuntimeRequest = {
+  method?: string;
+  url?: string;
+};
+
+export type RuntimeResponse = {
+  statusCode: number;
+  setHeader(name: string, value: string): void;
+  end(body: string): void;
+};
+
+export type RuntimeNext = () => void;
+
+export type RuntimeRestEndpoint = {
+  method?: string;
+  path: string;
+  handle(input: { req: RuntimeRequest; url: URL }): Promise<unknown> | unknown;
+};
+
+export type RuntimeRestMiddlewareOptions = {
+  basePath: string;
+  endpoints: RuntimeRestEndpoint[];
+  getErrorStatusCode(error: unknown): number;
+};
+
+export function createRuntimeRestMiddleware(options: RuntimeRestMiddlewareOptions) {
+  return async (req: RuntimeRequest, res: RuntimeResponse, next: RuntimeNext): Promise<void> => {
+    if (!req.url?.startsWith(options.basePath)) {
+      next();
+      return;
+    }
+
+    try {
+      const url = new URL(req.url, "http://localhost");
+      const endpoint = options.endpoints.find(
+        (candidate) =>
+          candidate.path === url.pathname &&
+          (!candidate.method || candidate.method.toUpperCase() === (req.method ?? "GET").toUpperCase())
+      );
+
+      if (!endpoint) {
+        next();
+        return;
+      }
+
+      sendJson(res, await endpoint.handle({ req, url }));
+    } catch (error) {
+      sendJson(
+        res,
+        { error: error instanceof Error ? error.message : "Unknown error" },
+        options.getErrorStatusCode(error)
+      );
+    }
+  };
+}
+
+export function sendJson(res: RuntimeResponse, value: unknown, statusCode = 200): void {
+  res.statusCode = statusCode;
+  res.setHeader("Content-Type", "application/json; charset=utf-8");
+  res.end(JSON.stringify(value));
+}

package/src/lib/searchFilterUtils.ts

@@ -0,0 +1,17 @@
+export function hasSearchExpression(query: string): boolean {
+  return query.trim().length > 0;
+}
+
+export function matchesSearchExpression(searchText: string, query: string): boolean {
+  const expression = query.trim();
+
+  if (expression.length === 0) {
+    return true;
+  }
+
+  try {
+    return new RegExp(expression, "im").test(searchText);
+  } catch {
+    return false;
+  }
+}

package/src/lib/utils.ts

@@ -0,0 +1,48 @@
+import { clsx, type ClassValue } from "clsx";
+import { twMerge } from "tailwind-merge";
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs));
+}
+
+export function formatValue(value: unknown): string {
+  if (value === null || value === undefined || value === "") {
+    return "-";
+  }
+
+  if (Array.isArray(value)) {
+    return value.length > 0 ? value.map(formatValue).join(", ") : "[]";
+  }
+
+  if (typeof value === "object") {
+    return JSON.stringify(value);
+  }
+
+  return String(value);
+}
+
+export function formatDate(value: unknown): string {
+  if (typeof value !== "string") {
+    return "-";
+  }
+
+  const parsed = new Date(value);
+  return Number.isNaN(parsed.getTime()) ? value : parsed.toLocaleString();
+}
+
+export function formatBytes(bytes: number): string {
+  if (!Number.isFinite(bytes)) {
+    return "-";
+  }
+
+  const units = ["B", "KB", "MB", "GB"];
+  let value = bytes;
+  let unitIndex = 0;
+
+  while (value >= 1024 && unitIndex < units.length - 1) {
+    value /= 1024;
+    unitIndex += 1;
+  }
+
+  return `${value.toFixed(unitIndex === 0 ? 0 : 1)} ${units[unitIndex]}`;
+}

package/src/main.tsx

@@ -0,0 +1,10 @@
+import { StrictMode } from "react";
+import { createRoot } from "react-dom/client";
+import App from "./App";
+import "./styles.css";
+
+createRoot(document.getElementById("root")!).render(
+  <StrictMode>
+    <App />
+  </StrictMode>
+);

package/src/providers/azure/identities/azureIdentityTypes.ts

@@ -0,0 +1 @@
+export type { AzureManagedIdentityResourceAssignment } from "../../../core/azure/identityEnrichment";

package/src/providers/azure/identities/buildAzureManagedIdentityAssignmentIndex.test.ts

@@ -0,0 +1,32 @@
+import { normalizeUserAssignedIdentityAssignments } from "./userAssignedIdentityAssignments.ts";
+
+const firstIdentityResourceId =
+  "/subscriptions/sub-1/resourceGroups/rg-a/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-a";
+const secondIdentityResourceId =
+  "/subscriptions/sub-1/resourceGroups/rg-b/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-b";
+
+test("normalizes user-assigned identity assignments", () => {
+  const assignments = normalizeUserAssignedIdentityAssignments({
+    [firstIdentityResourceId]: {
+      clientId: "client-a",
+      principalId: "principal-a"
+    },
+    [secondIdentityResourceId]: {
+      ClientId: "client-b",
+      PrincipalId: "principal-b"
+    }
+  });
+
+  expect(assignments).toEqual([
+    {
+      resourceId: firstIdentityResourceId,
+      clientId: "client-a",
+      principalId: "principal-a"
+    },
+    {
+      resourceId: secondIdentityResourceId,
+      clientId: "client-b",
+      principalId: "principal-b"
+    }
+  ]);
+});