npm - ownerlens - Versions diffs - 0.1.0 - Mend

ownerlens 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/src/providers/azure/runtime/entra/applicationsTable.ts ADDED Viewed

@@ -0,0 +1,175 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+import type { EntraApplication } from "../../inputTransferObject/entra/EntraApplication";
+export async function insertEntraApplicationRows(
+  connection: DuckDBConnection,
+  applications: EntraApplication[] = []
+): Promise<void> {
+  for (const [ordinal, application] of applications.entries()) {
+    await connection.run(
+      `insert into entra_applications values (
+        $ordinal,
+        $id,
+        $appId,
+        $displayName,
+        $signInAudience,
+        $publisherDomain,
+        $identifierUris::json,
+        $tags::json,
+        $appRoles::json,
+        $oauth2PermissionScopes::json,
+        $requiredResourceAccess::json,
+        $web::json,
+        $spa::json,
+        $publicClient::json,
+        $passwordCredentials::json,
+        $keyCredentials::json,
+        $createdDateTime,
+        $deletedDateTime,
+        $disabledByMicrosoftStatus,
+        $info::json,
+        $notes,
+        $owners::json
+      )`,
+      {
+        ordinal,
+        id: application.id,
+        appId: application.appId,
+        displayName: application.displayName,
+        signInAudience: application.signInAudience,
+        publisherDomain: application.publisherDomain,
+        identifierUris: JSON.stringify(application.identifierUris ?? []),
+        tags: JSON.stringify(application.tags ?? []),
+        appRoles: JSON.stringify(application.appRoles ?? []),
+        oauth2PermissionScopes: JSON.stringify(application.oauth2PermissionScopes ?? []),
+        requiredResourceAccess: JSON.stringify(application.requiredResourceAccess ?? []),
+        web: JSON.stringify(application.web ?? null),
+        spa: JSON.stringify(application.spa ?? null),
+        publicClient: JSON.stringify(application.publicClient ?? null),
+        passwordCredentials: JSON.stringify(stripSecretText(application.passwordCredentials ?? [])),
+        keyCredentials: JSON.stringify(stripSecretText(application.keyCredentials ?? [])),
+        createdDateTime: application.createdDateTime,
+        deletedDateTime: application.deletedDateTime,
+        disabledByMicrosoftStatus: application.disabledByMicrosoftStatus,
+        info: JSON.stringify(application.info ?? null),
+        notes: application.notes,
+        owners: JSON.stringify(application.owners ?? [])
+      }
+    );
+  }
+}
+export async function readEntraApplicationRows(connection: DuckDBConnection): Promise<EntraApplication[]> {
+  const rows = await readRows<EntraApplicationRow>(
+    connection,
+    `select
+      id,
+      app_id,
+      display_name,
+      sign_in_audience,
+      publisher_domain,
+      identifier_uris,
+      tags,
+      app_roles,
+      oauth2_permission_scopes,
+      required_resource_access,
+      web,
+      spa,
+      public_client,
+      password_credentials,
+      key_credentials,
+      created_date_time,
+      deleted_date_time,
+      disabled_by_microsoft_status,
+      info,
+      notes,
+      owners
+    from entra_applications
+    order by ordinal`
+  );
+  return rows.map(mapApplicationRow);
+}
+type EntraApplicationRow = {
+  id: string;
+  app_id: string;
+  display_name: string;
+  sign_in_audience: string | null;
+  publisher_domain: string | null;
+  identifier_uris: string;
+  tags: string;
+  app_roles: string;
+  oauth2_permission_scopes: string;
+  required_resource_access: string;
+  web: string | null;
+  spa: string | null;
+  public_client: string | null;
+  password_credentials: string;
+  key_credentials: string;
+  created_date_time: string | null;
+  deleted_date_time: string | null;
+  disabled_by_microsoft_status: string | null;
+  info: string | null;
+  notes: string | null;
+  owners: string;
+};
+function mapApplicationRow(row: EntraApplicationRow): EntraApplication {
+  return {
+    id: row.id,
+    appId: row.app_id,
+    displayName: row.display_name,
+    signInAudience: row.sign_in_audience,
+    publisherDomain: row.publisher_domain,
+    identifierUris: parseJsonArray<string>(row.identifier_uris),
+    tags: parseJsonArray<string>(row.tags),
+    appRoles: parseJsonArray(row.app_roles),
+    oauth2PermissionScopes: parseJsonArray(row.oauth2_permission_scopes),
+    requiredResourceAccess: parseJsonArray(row.required_resource_access),
+    web: parseNullableJsonObject(row.web),
+    spa: parseNullableJsonObject(row.spa),
+    publicClient: parseNullableJsonObject(row.public_client),
+    passwordCredentials: parseJsonArray(row.password_credentials),
+    keyCredentials: parseJsonArray(row.key_credentials),
+    createdDateTime: row.created_date_time,
+    deletedDateTime: row.deleted_date_time,
+    disabledByMicrosoftStatus: row.disabled_by_microsoft_status,
+    info: parseNullableJsonObject(row.info),
+    notes: row.notes,
+    owners: parseJsonArray(row.owners)
+  };
+}
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql);
+  return reader.getRowObjectsJson() as Row[];
+}
+function parseJsonArray<T>(value: string | null | undefined): T[] {
+  return value ? JSON.parse(value) : [];
+}
+function parseNullableJsonObject(value: string | null | undefined): Record<string, unknown> | null {
+  return value ? JSON.parse(value) : null;
+}
+function stripSecretText(value: unknown): unknown {
+  if (Array.isArray(value)) {
+    return value.map(stripSecretText);
+  }
+  if (!value || typeof value !== "object") {
+    return value;
+  }
+  return Object.fromEntries(
+    Object.entries(value)
+      .filter(([key]) => key.toLowerCase() !== "secrettext")
+      .map(([key, entryValue]) => [key, stripSecretText(entryValue)])
+  );
+}

package/src/providers/azure/runtime/entra/entraServicePrincipalMapper.ts ADDED Viewed

@@ -0,0 +1,63 @@
+import type {
+  EntraAppRole as CoreEntraAppRole,
+  EntraOwner as CoreEntraOwner,
+  EntraServicePrincipal as CoreEntraServicePrincipal
+} from "../../../../core/azure/entra/types";
+import type {
+  EntraAppRole,
+  EntraOwner,
+  EntraServicePrincipal
+} from "../../inputTransferObject/entra/EntraServicePrincipal";
+export function mapEntraServicePrincipalToCore(
+  servicePrincipal: EntraServicePrincipal
+): CoreEntraServicePrincipal {
+  return {
+    id: servicePrincipal.id,
+    appId: servicePrincipal.appId,
+    displayName: servicePrincipal.displayName,
+    appDisplayName: servicePrincipal.appDisplayName,
+    servicePrincipalType: servicePrincipal.servicePrincipalType,
+    publisherName: servicePrincipal.publisherName,
+    accountEnabled: servicePrincipal.accountEnabled,
+    appOwnerOrganizationId: servicePrincipal.appOwnerOrganizationId,
+    homepage: servicePrincipal.homepage,
+    loginUrl: servicePrincipal.loginUrl,
+    replyUrls: [...servicePrincipal.replyUrls],
+    servicePrincipalNames: [...servicePrincipal.servicePrincipalNames],
+    tags: [...servicePrincipal.tags],
+    appRoles: servicePrincipal.appRoles?.map(mapEntraAppRoleToCore),
+    owners: servicePrincipal.owners?.map(mapEntraOwnerToCore),
+    appOwners: servicePrincipal.appOwners?.map(mapEntraOwnerToCore),
+    servicePrincipalOwners: servicePrincipal.servicePrincipalOwners?.map(mapEntraOwnerToCore),
+    applicationOwners: servicePrincipal.applicationOwners?.map(mapEntraOwnerToCore),
+    metadata: servicePrincipal.metadata ? { ...servicePrincipal.metadata } : servicePrincipal.metadata
+  };
+}
+export function mapEntraServicePrincipalsToCore(
+  servicePrincipals: EntraServicePrincipal[]
+): CoreEntraServicePrincipal[] {
+  return servicePrincipals.map(mapEntraServicePrincipalToCore);
+}
+function mapEntraAppRoleToCore(appRole: EntraAppRole): CoreEntraAppRole {
+  return {
+    id: appRole.id,
+    value: appRole.value,
+    displayName: appRole.displayName,
+    description: appRole.description,
+    isEnabled: appRole.isEnabled,
+    allowedMemberTypes: [...appRole.allowedMemberTypes]
+  };
+}
+function mapEntraOwnerToCore(owner: EntraOwner): CoreEntraOwner {
+  return {
+    id: owner.id,
+    displayName: owner.displayName,
+    userPrincipalName: owner.userPrincipalName,
+    mail: owner.mail,
+    ownerType: owner.ownerType
+  };
+}

package/src/providers/azure/runtime/entra/localReportRuntimeRest.ts ADDED Viewed

@@ -0,0 +1,41 @@
+import type { RuntimeRestEndpoint } from "../../../../core/runtime/rest";
+import { RuntimeHttpError } from "../../../../core/runtime/localSnapshotFiles";
+import type { LocalReportRuntime } from "../LocalReportRuntime";
+import { parseRuntimeCollectionQueryOptions } from "../runtimeRestQuery";
+export function defineEntraLocalReportRuntimeRestEndpoints(
+  runtime: LocalReportRuntime,
+  restBasePath: string
+): RuntimeRestEndpoint[] {
+  return [
+    {
+      path: `${restBasePath}/entra/servicePrincipals`,
+      handle: ({ url }) => runtime.queryEntraServicePrincipals(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/entra/managedIdentities`,
+      handle: ({ url }) => runtime.queryEntraManagedIdentities(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/entra/permissions`,
+      handle: ({ url }) => runtime.readEntraPrincipalPermissions(readRequiredSearchParam(url, "principalId"))
+    },
+    {
+      path: `${restBasePath}/entra/oauth2PermissionGrants`,
+      handle: ({ url }) => runtime.queryEntraOAuth2PermissionGrants(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/entra/appRoleAssignments`,
+      handle: ({ url }) => runtime.queryEntraAppRoleAssignments(parseRuntimeCollectionQueryOptions(url))
+    }
+  ];
+}
+function readRequiredSearchParam(url: URL, name: string): string {
+  const value = url.searchParams.get(name)?.trim();
+  if (!value) {
+    throw new RuntimeHttpError(`Missing required query parameter: ${name}`, 400);
+  }
+  return value;
+}

package/src/providers/azure/runtime/entra/oauth2PermissionGrantsTable.ts ADDED Viewed

@@ -0,0 +1,48 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+import type { EntraOAuth2PermissionGrant } from "../../inputTransferObject/entra/EntraOAuth2PermissionGrant";
+export async function insertEntraOAuth2PermissionGrantRows(
+  connection: DuckDBConnection,
+  oauth2PermissionGrants: EntraOAuth2PermissionGrant[] = []
+): Promise<void> {
+  for (const [ordinal, grant] of oauth2PermissionGrants.entries()) {
+    await connection.run(
+      `insert into entra_oauth2_permission_grants values (
+        $ordinal,
+        $id,
+        $clientId,
+        $consentType,
+        $principalId,
+        $resourceId,
+        $scope
+      )`,
+      { ordinal, ...grant }
+    );
+  }
+}
+export async function readEntraOAuth2PermissionGrantRows(
+  connection: DuckDBConnection
+): Promise<EntraOAuth2PermissionGrant[]> {
+  return readRows<EntraOAuth2PermissionGrant>(
+    connection,
+    `select
+      id,
+      client_id as clientId,
+      consent_type as consentType,
+      principal_id as principalId,
+      resource_id as resourceId,
+      scope
+    from entra_oauth2_permission_grants
+    order by ordinal`
+  );
+}
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql);
+  return reader.getRowObjectsJson() as Row[];
+}

package/src/providers/azure/runtime/entra/principalProjection.ts ADDED Viewed

@@ -0,0 +1,173 @@
+import type {
+  LatestAzureIdentityEnrichment,
+  ManagedIdentityPermissionRiskSummary
+} from "../../../../core/azure/identityEnrichment";
+import type { AzureRoleAssignment } from "../../../../core/azure/resources";
+import type { ZtaRemediationSummary } from "../../../../core/azure/ztaReport";
+import { isManagedIdentity, type ManagedIdentity } from "../../../../core/azure/entra/managedIdentity";
+import {
+  isServicePrincipal,
+  type AzureIdentityRuntimeEnrichment,
+  type EntraPrincipalPermissionSummary,
+  type EntraPrincipalRbacSummary,
+  type ServicePrincipal
+} from "../../../../core/azure/entra/servicePrincipal";
+import type { EntraServicePrincipal } from "../../../../core/azure/entra/types";
+export function toServicePrincipals(
+  servicePrincipals: EntraServicePrincipal[],
+  enrichment?: LatestAzureIdentityEnrichment,
+  permissionsByPrincipalId: Map<string, EntraPrincipalPermissionSummary> = new Map(),
+  ztaSummariesByPrincipalId: Map<string, ZtaRemediationSummary> = new Map()
+): ServicePrincipal[] {
+  return servicePrincipals.filter(isServicePrincipal).map((servicePrincipal) => ({
+    ...servicePrincipal,
+    ...getAzureIdentityRuntimeEnrichment(servicePrincipal, enrichment),
+    ...getEntraPrincipalPermissionSummary(servicePrincipal, permissionsByPrincipalId),
+    ...getZtaRemediationSummary(servicePrincipal, ztaSummariesByPrincipalId)
+  }));
+}
+export function toManagedIdentities(
+  servicePrincipals: EntraServicePrincipal[],
+  enrichment?: LatestAzureIdentityEnrichment,
+  permissionsByPrincipalId: Map<string, EntraPrincipalPermissionSummary> = new Map(),
+  ztaSummariesByPrincipalId: Map<string, ZtaRemediationSummary> = new Map()
+): ManagedIdentity[] {
+  return servicePrincipals.filter(isManagedIdentity).map((servicePrincipal) => {
+    const assignmentEnrichment = enrichment?.managedIdentityAssignmentsByServicePrincipalId.get(
+      servicePrincipal.id.toLowerCase()
+    );
+    return {
+      ...servicePrincipal,
+      ...getAzureIdentityRuntimeEnrichment(servicePrincipal, enrichment),
+      ...getEntraPrincipalPermissionSummary(servicePrincipal, permissionsByPrincipalId),
+      ...getZtaRemediationSummary(servicePrincipal, ztaSummariesByPrincipalId),
+      managedIdentityAssignments: assignmentEnrichment?.managedIdentityAssignments ?? [],
+      assignedResourceGroups: assignmentEnrichment?.assignedResourceGroups ?? []
+    };
+  });
+}
+function getZtaRemediationSummary(
+  servicePrincipal: EntraServicePrincipal,
+  ztaSummariesByPrincipalId: Map<string, ZtaRemediationSummary>
+): ZtaRemediationSummary {
+  return ztaSummariesByPrincipalId.get(servicePrincipal.id.toLowerCase()) ?? createEmptyZtaRemediationSummary();
+}
+function getEntraPrincipalPermissionSummary(
+  servicePrincipal: EntraServicePrincipal,
+  permissionsByPrincipalId: Map<string, EntraPrincipalPermissionSummary>
+): EntraPrincipalPermissionSummary {
+  return permissionsByPrincipalId.get(servicePrincipal.id.toLowerCase()) ?? createEmptyPermissionSummary();
+}
+function createEmptyPermissionSummary(): EntraPrincipalPermissionSummary {
+  return {
+    oauthPemrissionsCount: 0,
+    appRolesPermissionCount: 0,
+    entraPermissionRisk: "none"
+  };
+}
+function createEmptyZtaRemediationSummary(): ZtaRemediationSummary {
+  return {
+    ztaRemediationCountAll: 0,
+    ztaRemediationFailedCount: 0,
+    ztaMaxRisk: "none"
+  };
+}
+function getAzureIdentityRuntimeEnrichment(
+  servicePrincipal: EntraServicePrincipal,
+  enrichment?: LatestAzureIdentityEnrichment
+): AzureIdentityRuntimeEnrichment {
+  const roleAssignments =
+    enrichment?.roleAssignmentsByPrincipalId.get(servicePrincipal.id.toLowerCase())?.roleAssignments ?? [];
+  const permissionRisk =
+    enrichment?.accessRiskByPrincipalId.get(servicePrincipal.id.toLowerCase()) ?? createRiskSummary(servicePrincipal.id);
+  return {
+    permissionRisk: permissionRisk.riskLevel,
+    azureRbac: formatAzureRbac(permissionRisk, roleAssignments),
+    roleAssignments,
+    ...createRbacSummary(permissionRisk, roleAssignments)
+  };
+}
+function createRiskSummary(principalId: string): ManagedIdentityPermissionRiskSummary {
+  return {
+    principalId,
+    riskLevel: "none",
+    assignmentCount: 0,
+    highRiskAssignmentCount: 0,
+    broadScopeAssignmentCount: 0,
+    roleAssignments: []
+  };
+}
+function formatAzureRbac(
+  permissionRisk: ManagedIdentityPermissionRiskSummary,
+  roleAssignments: AzureRoleAssignment[]
+): string {
+  if (permissionRisk.assignmentCount > 0) {
+    return permissionRisk.roleAssignments
+      .map((assignment) => {
+        const reasons = assignment.reasons.length > 0 ? ` (${assignment.reasons.join(", ")})` : "";
+        return `${assignment.roleDefinitionName ?? "Role"} on ${formatScope(assignment.scope)}${reasons}`;
+      })
+      .join(", ");
+  }
+  if (roleAssignments.length > 0) {
+    return roleAssignments
+      .map((assignment) => `${assignment.roleDefinitionName ?? "Role"} on ${formatScope(assignment.scope)}`)
+      .join(", ");
+  }
+  return "No Azure RBAC assignments";
+}
+function formatScope(scope: string): string {
+  const resourceGroupMatch = scope.match(/\/resourceGroups\/([^/]+)/i);
+  if (resourceGroupMatch) {
+    return `rg/${resourceGroupMatch[1]}`;
+  }
+  const subscriptionMatch = scope.match(/^\/subscriptions\/([^/]+)$/i);
+  if (subscriptionMatch) {
+    return "subscription";
+  }
+  return scope.split("/").filter(Boolean).slice(-2).join("/") || scope;
+}
+function createRbacSummary(
+  permissionRisk: ManagedIdentityPermissionRiskSummary,
+  roleAssignments: AzureRoleAssignment[]
+): EntraPrincipalRbacSummary {
+  return {
+    rbacRoleAssignmentCount: roleAssignments.length,
+    rbacRoleLevel: permissionRisk.riskLevel,
+    rbacSubscriptionCount: countRbacSubscriptions(roleAssignments)
+  };
+}
+function countRbacSubscriptions(roleAssignments: AzureRoleAssignment[]): number {
+  const subscriptionIds = new Set<string>();
+  for (const assignment of roleAssignments) {
+    const subscriptionId = getRoleAssignmentSubscriptionId(assignment);
+    if (subscriptionId) {
+      subscriptionIds.add(subscriptionId.toLowerCase());
+    }
+  }
+  return subscriptionIds.size;
+}
+function getRoleAssignmentSubscriptionId(assignment: AzureRoleAssignment): string | null {
+  return assignment.scopeSubscriptionId ?? assignment.subscriptionId ?? assignment.scope.match(/\/subscriptions\/([^/]+)/i)?.[1] ?? null;
+}

package/src/providers/azure/runtime/entra/servicePrincipalsTable.ts ADDED Viewed

@@ -0,0 +1,149 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+import type { EntraServicePrincipal } from "../../inputTransferObject/entra/EntraServicePrincipal";
+export async function insertEntraServicePrincipalRows(
+  connection: DuckDBConnection,
+  servicePrincipals: EntraServicePrincipal[]
+): Promise<void> {
+  for (const [ordinal, servicePrincipal] of servicePrincipals.entries()) {
+    await connection.run(
+      `insert into entra_service_principals values (
+        $ordinal,
+        $id,
+        $appId,
+        $displayName,
+        $appDisplayName,
+        $servicePrincipalType,
+        $publisherName,
+        $accountEnabled,
+        $appOwnerOrganizationId,
+        $homepage,
+        $loginUrl,
+        $replyUrls::json,
+        $servicePrincipalNames::json,
+        $tags::json,
+        $appRoles::json,
+        $owners::json,
+        $appOwners::json,
+        $servicePrincipalOwners::json,
+        $applicationOwners::json,
+        $metadata::json
+      )`,
+      {
+        ordinal,
+        id: servicePrincipal.id,
+        appId: servicePrincipal.appId,
+        displayName: servicePrincipal.displayName,
+        appDisplayName: servicePrincipal.appDisplayName,
+        servicePrincipalType: servicePrincipal.servicePrincipalType,
+        publisherName: servicePrincipal.publisherName,
+        accountEnabled: servicePrincipal.accountEnabled,
+        appOwnerOrganizationId: servicePrincipal.appOwnerOrganizationId,
+        homepage: servicePrincipal.homepage,
+        loginUrl: servicePrincipal.loginUrl,
+        replyUrls: JSON.stringify(servicePrincipal.replyUrls),
+        servicePrincipalNames: JSON.stringify(servicePrincipal.servicePrincipalNames),
+        tags: JSON.stringify(servicePrincipal.tags),
+        appRoles: JSON.stringify(servicePrincipal.appRoles ?? []),
+        owners: JSON.stringify(servicePrincipal.owners ?? []),
+        appOwners: JSON.stringify(servicePrincipal.appOwners ?? []),
+        servicePrincipalOwners: JSON.stringify(servicePrincipal.servicePrincipalOwners ?? []),
+        applicationOwners: JSON.stringify(servicePrincipal.applicationOwners ?? []),
+        metadata: JSON.stringify(servicePrincipal.metadata ?? null)
+      }
+    );
+  }
+}
+export async function readEntraServicePrincipalRows(connection: DuckDBConnection): Promise<EntraServicePrincipal[]> {
+  const rows = await readRows<EntraServicePrincipalRow>(
+    connection,
+    `select
+      id,
+      app_id,
+      display_name,
+      app_display_name,
+      service_principal_type,
+      publisher_name,
+      account_enabled,
+      app_owner_organization_id,
+      homepage,
+      login_url,
+      reply_urls,
+      service_principal_names,
+      tags,
+      app_roles,
+      owners,
+      app_owners,
+      service_principal_owners,
+      application_owners,
+      metadata
+    from entra_service_principals
+    order by ordinal`
+  );
+  return rows.map(mapServicePrincipalRow);
+}
+type EntraServicePrincipalRow = {
+  id: string;
+  app_id: string;
+  display_name: string;
+  app_display_name: string | null;
+  service_principal_type: EntraServicePrincipal["servicePrincipalType"];
+  publisher_name: string | null;
+  account_enabled: boolean;
+  app_owner_organization_id: string | null;
+  homepage: string | null;
+  login_url: string | null;
+  reply_urls: string;
+  service_principal_names: string;
+  tags: string;
+  app_roles: string;
+  owners: string;
+  app_owners: string;
+  service_principal_owners: string;
+  application_owners: string;
+  metadata: string | null;
+};
+function mapServicePrincipalRow(row: EntraServicePrincipalRow): EntraServicePrincipal {
+  return {
+    id: row.id,
+    appId: row.app_id,
+    displayName: row.display_name,
+    appDisplayName: row.app_display_name,
+    servicePrincipalType: row.service_principal_type,
+    publisherName: row.publisher_name,
+    accountEnabled: row.account_enabled,
+    appOwnerOrganizationId: row.app_owner_organization_id,
+    homepage: row.homepage,
+    loginUrl: row.login_url,
+    replyUrls: parseJsonArray<string>(row.reply_urls),
+    servicePrincipalNames: parseJsonArray<string>(row.service_principal_names),
+    tags: parseJsonArray<string>(row.tags),
+    appRoles: parseJsonArray(row.app_roles),
+    owners: parseJsonArray(row.owners),
+    appOwners: parseJsonArray(row.app_owners),
+    servicePrincipalOwners: parseJsonArray(row.service_principal_owners),
+    applicationOwners: parseJsonArray(row.application_owners),
+    metadata: row.metadata ? parseJsonObject(row.metadata) : null
+  };
+}
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql);
+  return reader.getRowObjectsJson() as Row[];
+}
+function parseJsonArray<T>(value: string | null | undefined): T[] {
+  return value ? JSON.parse(value) : [];
+}
+function parseJsonObject(value: string | null | undefined): Record<string, unknown> {
+  return value ? JSON.parse(value) : {};
+}

package/src/providers/azure/runtime/entra/snapshotMetadataTable.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+import type { EntraSnapshot } from "../../inputTransferObject/entra/EntraSnapshot";
+import type { LocalSnapshotData } from "../../../../core/runtime/localSnapshotFiles";
+export async function importEntraSnapshotMetadata(
+  connection: DuckDBConnection,
+  snapshot: EntraSnapshot & LocalSnapshotData
+): Promise<void> {
+  const { meta, servicePrincipals, applications, oauth2PermissionGrants, appRoleAssignments, ...extra } = snapshot;
+  void servicePrincipals;
+  void applications;
+  void oauth2PermissionGrants;
+  void appRoleAssignments;
+  await connection.run("insert into entra_snapshot_meta values ($data::json)", { data: JSON.stringify(meta) });
+  await connection.run("insert into entra_snapshot_extra values ($data::json)", { data: JSON.stringify(extra) });
+}