ownerlens 0.1.0

package/src/providers/azure/runtime/entra/EntraCollectionQueryService.ts

@@ -0,0 +1,307 @@
+import { RuntimeHttpError } from "../../../../core/runtime/localSnapshotFiles";
+import type { ManagedIdentity } from "../../../../core/azure/entra/managedIdentity";
+import type { ServicePrincipal } from "../../../../core/azure/entra/servicePrincipal";
+import type {
+  AzureRoleAssignment,
+  AzureUserAssignedManagedIdentity,
+  ResourceGroupOwnershipRow
+} from "../../../../core/azure/resources";
+import type { OwnerConfidence } from "../../../../core/ownership/types";
+
+import {
+  buildPaginatedCollection,
+  type LocalReportCollectionQueryOptions,
+  type LocalReportPaginatedCollection
+} from "../localReportCollections";
+import type { AzureResourcesCollectionQueryService } from "../resources/AzureResourcesCollectionQueryService";
+import type { LocalAzureResourcesReportRuntime } from "../resources/LocalAzureResourcesReportRuntime";
+import type { ZeroTrustAssessmentQueryService } from "../zta/ZeroTrustAssessmentQueryService";
+import type { LocalEntraReportRuntime } from "./LocalEntraReportRuntime";
+
+export type EntraCollectionQueryServiceOptions = {
+  entra: LocalEntraReportRuntime;
+  azureResources: LocalAzureResourcesReportRuntime;
+  azureResourcesQueries: AzureResourcesCollectionQueryService;
+  zeroTrustAssessmentQueries: ZeroTrustAssessmentQueryService;
+};
+
+export class EntraCollectionQueryService {
+  private readonly entra: LocalEntraReportRuntime;
+  private readonly azureResources: LocalAzureResourcesReportRuntime;
+  private readonly azureResourcesQueries: AzureResourcesCollectionQueryService;
+  private readonly zeroTrustAssessmentQueries: ZeroTrustAssessmentQueryService;
+
+  constructor(options: EntraCollectionQueryServiceOptions) {
+    this.entra = options.entra;
+    this.azureResources = options.azureResources;
+    this.azureResourcesQueries = options.azureResourcesQueries;
+    this.zeroTrustAssessmentQueries = options.zeroTrustAssessmentQueries;
+  }
+
+  async queryServicePrincipals(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"entra.servicePrincipals">> {
+    return buildPaginatedCollection("entra.servicePrincipals", await this.readServicePrincipalRows(), options);
+  }
+
+  async queryManagedIdentities(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"entra.managedIdentities">> {
+    return buildPaginatedCollection("entra.managedIdentities", await this.readManagedIdentityRows(), options);
+  }
+
+  async queryOAuth2PermissionGrants(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"entra.oauth2PermissionGrants">> {
+    return buildPaginatedCollection(
+      "entra.oauth2PermissionGrants",
+      (await this.entra.readEntraOAuth2PermissionGrants()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async queryAppRoleAssignments(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"entra.appRoleAssignments">> {
+    return buildPaginatedCollection(
+      "entra.appRoleAssignments",
+      (await this.entra.readEntraAppRoleAssignments()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  private async readManagedIdentityRows(): Promise<Record<string, unknown>[]> {
+    const managedIdentities = await this.enrichWithZtaRemediationSummaries(await this.entra.readManagedIdentities());
+
+    try {
+      const [resourceGroupOwnershipRows, userAssignedManagedIdentities] = await Promise.all([
+        this.azureResourcesQueries.readResourceGroupOwnershipRows(),
+        this.azureResources.readAzureUserAssignedManagedIdentities()
+      ]);
+
+      return enrichManagedIdentitiesWithResourceGroupOwners(
+        managedIdentities,
+        resourceGroupOwnershipRows,
+        userAssignedManagedIdentities
+      ) as unknown as Record<string, unknown>[];
+    } catch (error) {
+      if (error instanceof RuntimeHttpError && error.statusCode === 404) {
+        return managedIdentities as unknown as Record<string, unknown>[];
+      }
+
+      throw error;
+    }
+  }
+
+  private async readServicePrincipalRows(): Promise<Record<string, unknown>[]> {
+    const servicePrincipals = await this.enrichWithZtaRemediationSummaries(await this.entra.readServicePrincipals());
+
+    try {
+      return enrichServicePrincipalsWithResourceGroupOwners(
+        servicePrincipals,
+        await this.azureResourcesQueries.readResourceGroupOwnershipRows()
+      ) as unknown as Record<string, unknown>[];
+    } catch (error) {
+      if (error instanceof RuntimeHttpError && error.statusCode === 404) {
+        return servicePrincipals as unknown as Record<string, unknown>[];
+      }
+
+      throw error;
+    }
+  }
+
+  private async enrichWithZtaRemediationSummaries<Row extends ServicePrincipal | ManagedIdentity>(rows: Row[]): Promise<Row[]> {
+    const summariesByPrincipalId = await this.zeroTrustAssessmentQueries.readRemediationSummaries();
+
+    return rows.map((row) => ({
+      ...row,
+      ...(summariesByPrincipalId.get(row.id.toLowerCase()) ?? {})
+    }));
+  }
+}
+
+type ManagedIdentityOwnerProjection = {
+  potentialOwners: string[];
+  ownerConfidence: OwnerConfidence;
+};
+
+type ServicePrincipalOwnerProjection = {
+  potentialOwners: string[];
+  ownerConfidence: OwnerConfidence;
+};
+
+type ResourceGroupOwnershipIndex = {
+  byResourceGroup: Map<string, ResourceGroupOwnershipRow>;
+  bySubscription: Map<string, ResourceGroupOwnershipRow[]>;
+};
+
+function enrichManagedIdentitiesWithResourceGroupOwners(
+  managedIdentities: ManagedIdentity[],
+  resourceGroupOwnershipRows: ResourceGroupOwnershipRow[],
+  userAssignedManagedIdentities: AzureUserAssignedManagedIdentity[]
+): ManagedIdentity[] {
+  const ownershipByResourceGroup = buildResourceGroupOwnershipIndex(resourceGroupOwnershipRows).byResourceGroup;
+  const locationsByPrincipal = buildManagedIdentityLocationIndex(userAssignedManagedIdentities);
+
+  return managedIdentities.map((identity) => {
+    const userAssignedIdentity =
+      locationsByPrincipal.get(identity.id.toLowerCase()) ?? locationsByPrincipal.get(identity.appId.toLowerCase());
+    const projection = projectManagedIdentityOwner(userAssignedIdentity, ownershipByResourceGroup);
+
+    return {
+      ...identity,
+      ...projection
+    };
+  });
+}
+
+function enrichServicePrincipalsWithResourceGroupOwners(
+  servicePrincipals: ServicePrincipal[],
+  resourceGroupOwnershipRows: ResourceGroupOwnershipRow[]
+): ServicePrincipal[] {
+  const ownershipIndex = buildResourceGroupOwnershipIndex(resourceGroupOwnershipRows);
+
+  return servicePrincipals.map((servicePrincipal) => ({
+    ...servicePrincipal,
+    ...projectServicePrincipalOwners(servicePrincipal.roleAssignments, ownershipIndex)
+  }));
+}
+
+function buildResourceGroupOwnershipIndex(rows: ResourceGroupOwnershipRow[]): ResourceGroupOwnershipIndex {
+  const byResourceGroup = new Map<string, ResourceGroupOwnershipRow>();
+  const bySubscription = new Map<string, ResourceGroupOwnershipRow[]>();
+
+  for (const row of rows) {
+    byResourceGroup.set(getResourceGroupKey(row.subscriptionId, row.resourceGroup), row);
+
+    const subscriptionKey = row.subscriptionId.toLowerCase();
+    const subscriptionRows = bySubscription.get(subscriptionKey) ?? [];
+    subscriptionRows.push(row);
+    bySubscription.set(subscriptionKey, subscriptionRows);
+  }
+
+  return { byResourceGroup, bySubscription };
+}
+
+function buildManagedIdentityLocationIndex(
+  userAssignedManagedIdentities: AzureUserAssignedManagedIdentity[]
+): Map<string, AzureUserAssignedManagedIdentity> {
+  const index = new Map<string, AzureUserAssignedManagedIdentity>();
+
+  for (const identity of userAssignedManagedIdentities) {
+    addManagedIdentityLocation(index, identity.principalId, identity);
+    addManagedIdentityLocation(index, identity.clientId, identity);
+  }
+
+  return index;
+}
+
+function addManagedIdentityLocation(
+  index: Map<string, AzureUserAssignedManagedIdentity>,
+  key: string,
+  identity: AzureUserAssignedManagedIdentity
+): void {
+  const normalizedKey = key.trim().toLowerCase();
+  if (!normalizedKey) {
+    return;
+  }
+
+  index.set(normalizedKey, identity);
+}
+
+function projectManagedIdentityOwner(
+  identity: AzureUserAssignedManagedIdentity | undefined,
+  ownershipByResourceGroup: Map<string, ResourceGroupOwnershipRow>
+): ManagedIdentityOwnerProjection {
+  if (!identity) {
+    return {
+      potentialOwners: [],
+      ownerConfidence: "none"
+    };
+  }
+
+  const ownership = ownershipByResourceGroup.get(getResourceGroupKey(identity.subscriptionId, identity.resourceGroup));
+
+  return {
+    potentialOwners: ownership?.owner ? [ownership.owner] : [],
+    ownerConfidence: ownership?.confidence ?? "none"
+  };
+}
+
+function projectServicePrincipalOwners(
+  roleAssignments: AzureRoleAssignment[],
+  ownershipIndex: ResourceGroupOwnershipIndex
+): ServicePrincipalOwnerProjection {
+  const resourceGroups = new Map<string, ResourceGroupOwnershipRow>();
+
+  for (const assignment of roleAssignments) {
+    for (const row of getRoleAssignmentResourceGroupOwners(assignment, ownershipIndex)) {
+      resourceGroups.set(getResourceGroupKey(row.subscriptionId, row.resourceGroup), row);
+    }
+  }
+
+  const ownerRows = [...resourceGroups.values()].filter((row) => row.owner);
+
+  return {
+    potentialOwners: uniqueSorted(ownerRows.map((row) => row.owner).filter(isString)),
+    ownerConfidence: ownerRows.reduce<OwnerConfidence>(
+      (confidence, row) => maxOwnerConfidence(confidence, row.confidence),
+      "none"
+    )
+  };
+}
+
+function getRoleAssignmentResourceGroupOwners(
+  assignment: AzureRoleAssignment,
+  ownershipIndex: ResourceGroupOwnershipIndex
+): ResourceGroupOwnershipRow[] {
+  const scope = assignment.scope;
+  const subscriptionId = getScopeSubscriptionId(scope) ?? assignment.subscriptionId;
+  const resourceGroup = getScopeResourceGroup(scope);
+
+  if (subscriptionId && resourceGroup) {
+    const row = ownershipIndex.byResourceGroup.get(getResourceGroupKey(subscriptionId, resourceGroup));
+    return row ? [row] : [];
+  }
+
+  if (isSubscriptionScope(scope) && subscriptionId) {
+    return ownershipIndex.bySubscription.get(subscriptionId.toLowerCase()) ?? [];
+  }
+
+  return [];
+}
+
+function getScopeSubscriptionId(scope: string): string | null {
+  return scope.match(/\/subscriptions\/([^/]+)/i)?.[1] ?? null;
+}
+
+function getScopeResourceGroup(scope: string): string | null {
+  return scope.match(/\/resourceGroups\/([^/]+)/i)?.[1] ?? null;
+}
+
+function isSubscriptionScope(scope: string): boolean {
+  return /^\/subscriptions\/[^/]+\/?$/i.test(scope);
+}
+
+function getResourceGroupKey(subscriptionId: string, resourceGroup: string): string {
+  return `${subscriptionId.toLowerCase()}:${resourceGroup.toLowerCase()}`;
+}
+
+function uniqueSorted(values: string[]): string[] {
+  return [...new Set(values)].sort((left, right) => left.localeCompare(right, undefined, { sensitivity: "base" }));
+}
+
+function isString(value: string | null): value is string {
+  return typeof value === "string" && value.trim().length > 0;
+}
+
+function maxOwnerConfidence(left: OwnerConfidence, right: OwnerConfidence): OwnerConfidence {
+  return OWNER_CONFIDENCE_RANK[left] >= OWNER_CONFIDENCE_RANK[right] ? left : right;
+}
+
+const OWNER_CONFIDENCE_RANK: Record<OwnerConfidence, number> = {
+  none: 0,
+  low: 1,
+  medium: 2,
+  high: 3
+};

package/src/providers/azure/runtime/entra/LocalEntraReportRuntime.ts

@@ -0,0 +1,227 @@
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+
+import type { DuckDBConnection } from "@duckdb/node-api";
+
+import { pathExists, RuntimeHttpError, type LocalSnapshotData } from "../../../../core/runtime/localSnapshotFiles";
+import type { ManagedIdentity } from "../../../../core/azure/entra/managedIdentity";
+import type { EntraPrincipalPermissionSummary, ServicePrincipal } from "../../../../core/azure/entra/servicePrincipal";
+import type { EntraOAuth2PermissionGrant } from "../../../../core/azure/entra/types";
+import type { PermissionRiskLevel } from "../../../../core/risk/types";
+import type { EntraAppRoleAssignment } from "../../inputTransferObject/entra/EntraAppRoleAssignment";
+import type { EntraOAuth2PermissionGrant as InputEntraOAuth2PermissionGrant } from "../../inputTransferObject/entra/EntraOAuth2PermissionGrant";
+import type { EntraServicePrincipal } from "../../inputTransferObject/entra/EntraServicePrincipal";
+import type { EntraSnapshot } from "../../inputTransferObject/entra/EntraSnapshot";
+import { readEntraAppRoleAssignmentRows } from "./appRoleAssignmentsTable";
+import { readEntraOAuth2PermissionGrantRows } from "./oauth2PermissionGrantsTable";
+import { readLatestAzureIdentityEnrichment } from "../enrichment/azureIdentityEnrichment";
+import { readEntraServicePrincipalRows } from "./servicePrincipalsTable";
+import {
+  createEmptyEntraImportStatus,
+  entraSnapshotFileName,
+  importEntraSnapshotToDuckDb,
+  readEntraSnapshotFromDuckDb,
+  type EntraDuckDbImportStatus
+} from "./snapshotStore";
+import { mapEntraServicePrincipalsToCore } from "./entraServicePrincipalMapper";
+import { toManagedIdentities, toServicePrincipals } from "./principalProjection";
+
+export type LocalEntraReportCollectionId =
+  | "entra.servicePrincipals"
+  | "entra.managedIdentities"
+  | "entra.oauth2PermissionGrants"
+  | "entra.appRoleAssignments";
+
+export type EntraPrincipalPermissions = {
+  principalId: string;
+  oauth2PermissionGrants: EntraOAuth2PermissionGrant[];
+  appRoleAssignments: EntraAppRoleAssignment[];
+};
+
+export type LocalEntraReportRuntimeOptions = {
+  dataDir: string;
+  getConnection: () => DuckDBConnection;
+};
+
+export class LocalEntraReportRuntime {
+  private readonly dataDir: string;
+  private readonly getConnection: () => DuckDBConnection;
+  private status = createEmptyEntraImportStatus();
+
+  constructor(options: LocalEntraReportRuntimeOptions) {
+    this.dataDir = options.dataDir;
+    this.getConnection = options.getConnection;
+  }
+
+  getStatus(): EntraDuckDbImportStatus {
+    return this.status;
+  }
+
+  canReadSnapshot(name: string): boolean {
+    return name === entraSnapshotFileName;
+  }
+
+  async importSnapshot(): Promise<void> {
+    const entraSnapshotPath = path.join(this.dataDir, entraSnapshotFileName);
+    if (!(await pathExists(entraSnapshotPath))) {
+      return;
+    }
+
+    const snapshot = JSON.parse(await readFile(entraSnapshotPath, "utf8")) as EntraSnapshot & LocalSnapshotData;
+    this.status = await importEntraSnapshotToDuckDb(this.getConnection(), snapshot);
+  }
+
+  async readSnapshot(): Promise<EntraSnapshot & LocalSnapshotData> {
+    this.assertImported();
+    return readEntraSnapshotFromDuckDb(this.getConnection());
+  }
+
+  async readEntraServicePrincipals(): Promise<EntraServicePrincipal[]> {
+    this.assertImported();
+    return readEntraServicePrincipalRows(this.getConnection());
+  }
+
+  async readServicePrincipals(): Promise<ServicePrincipal[]> {
+    this.assertImported();
+    const connection = this.getConnection();
+    const permissionsByPrincipalId = await this.readPrincipalPermissionSummary(connection);
+
+    return toServicePrincipals(
+      mapEntraServicePrincipalsToCore(await readEntraServicePrincipalRows(connection)),
+      await readLatestAzureIdentityEnrichment(connection),
+      permissionsByPrincipalId
+    );
+  }
+
+  async readManagedIdentities(): Promise<ManagedIdentity[]> {
+    this.assertImported();
+    const connection = this.getConnection();
+    const permissionsByPrincipalId = await this.readPrincipalPermissionSummary(connection);
+
+    return toManagedIdentities(
+      mapEntraServicePrincipalsToCore(await readEntraServicePrincipalRows(connection)),
+      await readLatestAzureIdentityEnrichment(connection),
+      permissionsByPrincipalId
+    );
+  }
+
+  async readEntraOAuth2PermissionGrants(): Promise<EntraOAuth2PermissionGrant[]> {
+    this.assertImported();
+    return (await readEntraOAuth2PermissionGrantRows(this.getConnection())).map(toCoreEntraOAuth2PermissionGrant);
+  }
+
+  async readEntraAppRoleAssignments(): Promise<EntraAppRoleAssignment[]> {
+    this.assertImported();
+    return readEntraAppRoleAssignmentRows(this.getConnection());
+  }
+
+  async readEntraPrincipalPermissions(principalId: string): Promise<EntraPrincipalPermissions> {
+    this.assertImported();
+    const normalizedPrincipalId = principalId.toLowerCase();
+    const [oauth2PermissionGrants, appRoleAssignments] = await Promise.all([
+      readEntraOAuth2PermissionGrantRows(this.getConnection()),
+      readEntraAppRoleAssignmentRows(this.getConnection())
+    ]);
+
+    return {
+      principalId,
+      oauth2PermissionGrants: oauth2PermissionGrants.filter(
+        (grant) => grant.clientId.toLowerCase() === normalizedPrincipalId
+      ).map(toCoreEntraOAuth2PermissionGrant),
+      appRoleAssignments: appRoleAssignments.filter(
+        (assignment) => assignment.principalId.toLowerCase() === normalizedPrincipalId
+      )
+    };
+  }
+
+  private assertImported(): void {
+    if (!this.status.imported) {
+      throw new RuntimeHttpError(`Snapshot file ./data/${entraSnapshotFileName} was not found.`, 404);
+    }
+  }
+
+  private async readPrincipalPermissionSummary(
+    connection: DuckDBConnection
+  ): Promise<Map<string, EntraPrincipalPermissionSummary>> {
+    const [oauth2PermissionGrants, appRoleAssignments] = await Promise.all([
+      readEntraOAuth2PermissionGrantRows(connection),
+      readEntraAppRoleAssignmentRows(connection)
+    ]);
+    const permissionsByPrincipalId = new Map<string, EntraPrincipalPermissionSummary>();
+
+    for (const grant of oauth2PermissionGrants) {
+      const summary = getOrCreatePrincipalPermissionSummary(permissionsByPrincipalId, grant.clientId);
+      const scopeCount = countOAuthPermissionScopes(grant.scope);
+      summary.oauthPemrissionsCount += scopeCount;
+      if (scopeCount > 0) {
+        summary.entraPermissionRisk = maxPermissionRisk(
+          summary.entraPermissionRisk,
+          grant.consentType === "AllPrincipals" ? "high" : "medium"
+        );
+      }
+    }
+
+    for (const assignment of appRoleAssignments) {
+      const summary = getOrCreatePrincipalPermissionSummary(permissionsByPrincipalId, assignment.principalId);
+      summary.appRolesPermissionCount += 1;
+      summary.entraPermissionRisk = maxPermissionRisk(summary.entraPermissionRisk, "medium");
+    }
+
+    return permissionsByPrincipalId;
+  }
+}
+
+function getOrCreatePrincipalPermissionSummary(
+  permissionsByPrincipalId: Map<string, EntraPrincipalPermissionSummary>,
+  principalId: string
+): EntraPrincipalPermissionSummary {
+  const normalizedPrincipalId = principalId.toLowerCase();
+  const existing = permissionsByPrincipalId.get(normalizedPrincipalId);
+
+  if (existing) {
+    return existing;
+  }
+
+  const summary = {
+    oauthPemrissionsCount: 0,
+    appRolesPermissionCount: 0,
+    entraPermissionRisk: "none" as PermissionRiskLevel
+  };
+
+  permissionsByPrincipalId.set(normalizedPrincipalId, summary);
+  return summary;
+}
+
+function countOAuthPermissionScopes(scope: string): number {
+  return scope.split(/\s+/).filter(Boolean).length;
+}
+
+function toCoreEntraOAuth2PermissionGrant(grant: InputEntraOAuth2PermissionGrant): EntraOAuth2PermissionGrant {
+  return {
+    ...grant,
+    risk: getOAuth2PermissionGrantRisk(grant)
+  };
+}
+
+function getOAuth2PermissionGrantRisk(grant: Pick<InputEntraOAuth2PermissionGrant, "consentType">): PermissionRiskLevel {
+  if (grant.consentType === "AllPrincipals") {
+    return "high";
+  }
+
+  if (grant.consentType === "Principal") {
+    return "low";
+  }
+
+  return "medium";
+}
+
+const permissionRiskRank: Record<PermissionRiskLevel, number> = {
+  none: 0,
+  low: 1,
+  medium: 2,
+  high: 3
+};
+
+function maxPermissionRisk(left: PermissionRiskLevel, right: PermissionRiskLevel): PermissionRiskLevel {
+  return permissionRiskRank[left] >= permissionRiskRank[right] ? left : right;
+}

package/src/providers/azure/runtime/entra/appRoleAssignmentsTable.ts

@@ -0,0 +1,52 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+
+import type { EntraAppRoleAssignment } from "../../inputTransferObject/entra/EntraAppRoleAssignment";
+
+export async function insertEntraAppRoleAssignmentRows(
+  connection: DuckDBConnection,
+  appRoleAssignments: EntraAppRoleAssignment[] = []
+): Promise<void> {
+  for (const [ordinal, assignment] of appRoleAssignments.entries()) {
+    await connection.run(
+      `insert into entra_app_role_assignments values (
+        $ordinal,
+        $id,
+        $appRoleId,
+        $appRoleDisplayName,
+        $appRoleValue,
+        $principalId,
+        $principalDisplayName,
+        $resourceId,
+        $resourceDisplayName
+      )`,
+      { ordinal, ...assignment }
+    );
+  }
+}
+
+export async function readEntraAppRoleAssignmentRows(
+  connection: DuckDBConnection
+): Promise<EntraAppRoleAssignment[]> {
+  return readRows<EntraAppRoleAssignment>(
+    connection,
+    `select
+      id,
+      app_role_id as appRoleId,
+      app_role_display_name as appRoleDisplayName,
+      app_role_value as appRoleValue,
+      principal_id as principalId,
+      principal_display_name as principalDisplayName,
+      resource_id as resourceId,
+      resource_display_name as resourceDisplayName
+    from entra_app_role_assignments
+    order by ordinal`
+  );
+}
+
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql);
+  return reader.getRowObjectsJson() as Row[];
+}