ownerlens 0.1.0

package/src/providers/azure/runtime/entra/snapshotStore.ts

@@ -0,0 +1,102 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+
+import type { EntraSnapshot } from "../../inputTransferObject/entra/EntraSnapshot";
+import type { LocalSnapshotData } from "../../../../core/runtime/localSnapshotFiles";
+import { insertEntraApplicationRows, readEntraApplicationRows } from "./applicationsTable";
+import { insertEntraAppRoleAssignmentRows, readEntraAppRoleAssignmentRows } from "./appRoleAssignmentsTable";
+import { insertEntraOAuth2PermissionGrantRows, readEntraOAuth2PermissionGrantRows } from "./oauth2PermissionGrantsTable";
+import { insertEntraServicePrincipalRows, readEntraServicePrincipalRows } from "./servicePrincipalsTable";
+import { importEntraSnapshotMetadata } from "./snapshotMetadataTable";
+
+export const entraSnapshotFileName = "entra-snapshot.json";
+
+export type EntraDuckDbImportStatus = {
+  imported: boolean;
+  fileName: string;
+  servicePrincipalCount: number;
+  applicationCount: number;
+  oauth2PermissionGrantCount: number;
+  appRoleAssignmentCount: number;
+  importedAt: string | null;
+};
+
+export function createEmptyEntraImportStatus(): EntraDuckDbImportStatus {
+  return {
+    imported: false,
+    fileName: entraSnapshotFileName,
+    servicePrincipalCount: 0,
+    applicationCount: 0,
+    oauth2PermissionGrantCount: 0,
+    appRoleAssignmentCount: 0,
+    importedAt: null
+  };
+}
+
+export async function importEntraSnapshotToDuckDb(
+  connection: DuckDBConnection,
+  snapshot: EntraSnapshot & LocalSnapshotData
+): Promise<EntraDuckDbImportStatus> {
+  await connection.run("begin transaction");
+  try {
+    await connection.run("delete from entra_snapshot_meta");
+    await connection.run("delete from entra_snapshot_extra");
+    await connection.run("delete from entra_service_principals");
+    await connection.run("delete from entra_applications");
+    await connection.run("delete from entra_oauth2_permission_grants");
+    await connection.run("delete from entra_app_role_assignments");
+
+    const { servicePrincipals, applications, oauth2PermissionGrants, appRoleAssignments } = snapshot;
+    await importEntraSnapshotMetadata(connection, snapshot);
+
+    await insertEntraServicePrincipalRows(connection, servicePrincipals);
+    await insertEntraApplicationRows(connection, applications);
+    await insertEntraOAuth2PermissionGrantRows(connection, oauth2PermissionGrants);
+    await insertEntraAppRoleAssignmentRows(connection, appRoleAssignments);
+
+    await connection.run("commit");
+    return {
+      imported: true,
+      fileName: entraSnapshotFileName,
+      servicePrincipalCount: servicePrincipals.length,
+      applicationCount: applications?.length ?? 0,
+      oauth2PermissionGrantCount: oauth2PermissionGrants?.length ?? 0,
+      appRoleAssignmentCount: appRoleAssignments?.length ?? 0,
+      importedAt: new Date().toISOString()
+    };
+  } catch (error) {
+    await connection.run("rollback");
+    throw error;
+  }
+}
+
+export async function readEntraSnapshotFromDuckDb(
+  connection: DuckDBConnection
+): Promise<EntraSnapshot & LocalSnapshotData> {
+  const metaRows = await readRows<{ data: string }>(connection, "select data from entra_snapshot_meta limit 1");
+  const extraRows = await readRows<{ data: string }>(connection, "select data from entra_snapshot_extra limit 1");
+  const servicePrincipals = await readEntraServicePrincipalRows(connection);
+  const applications = await readEntraApplicationRows(connection);
+  const oauth2PermissionGrants = await readEntraOAuth2PermissionGrantRows(connection);
+  const appRoleAssignments = await readEntraAppRoleAssignmentRows(connection);
+
+  return {
+    ...parseJsonObject(extraRows[0]?.data),
+    meta: parseJsonObject(metaRows[0]?.data) as EntraSnapshot["meta"],
+    servicePrincipals,
+    applications,
+    oauth2PermissionGrants,
+    appRoleAssignments
+  };
+}
+
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql);
+  return reader.getRowObjectsJson() as Row[];
+}
+
+function parseJsonObject(value: string | null | undefined): Record<string, unknown> {
+  return value ? JSON.parse(value) : {};
+}

package/src/providers/azure/runtime/localReportCollections.ts

@@ -0,0 +1,101 @@
+import { RuntimeHttpError } from "../../../core/runtime/localSnapshotFiles";
+
+export type LocalReportCollectionQueryOptions = {
+  page?: number;
+  pageSize?: number;
+  filters?: LocalReportCollectionFilter[];
+};
+
+export type LocalReportCollectionFilter = {
+  column: string;
+  values: string[];
+};
+
+export type LocalReportPaginatedCollection<CollectionId extends string = string> = {
+  collectionId: CollectionId;
+  rows: Record<string, unknown>[];
+  columns: string[];
+  page: number;
+  pageSize: number;
+  count: number;
+};
+
+export function buildPaginatedCollection<CollectionId extends string>(
+  collectionId: CollectionId,
+  rows: Record<string, unknown>[],
+  query: LocalReportCollectionQueryOptions
+): LocalReportPaginatedCollection<CollectionId> {
+  const columns = buildCollectionColumns(rows);
+  const filteredRows = applyRuntimeCollectionFilters(rows, columns, query.filters ?? []);
+  const pageSize = clampInteger(query.pageSize ?? 50, 1, 500);
+  const page = clampInteger(query.page ?? 1, 1, Math.max(1, Math.ceil(filteredRows.length / pageSize)));
+  const pageRows = filteredRows.slice((page - 1) * pageSize, page * pageSize);
+
+  return {
+    collectionId,
+    rows: pageRows,
+    columns,
+    page,
+    pageSize,
+    count: filteredRows.length
+  };
+}
+
+function buildCollectionColumns(rows: Record<string, unknown>[]): string[] {
+  const columns = new Set<string>();
+
+  for (const row of rows) {
+    for (const column of Object.keys(row)) {
+      columns.add(column);
+    }
+  }
+
+  return [...columns];
+}
+
+function applyRuntimeCollectionFilters(
+  rows: Record<string, unknown>[],
+  columns: string[],
+  filters: LocalReportCollectionFilter[]
+): Record<string, unknown>[] {
+  const activeFilters = filters
+    .map((filter) => ({
+      column: filter.column,
+      values: filter.values.map((value) => value.trim()).filter(Boolean)
+    }))
+    .filter((filter) => filter.column && filter.values.length > 0);
+
+  if (activeFilters.length === 0) {
+    return rows;
+  }
+
+  for (const filter of activeFilters) {
+    if (!columns.includes(filter.column)) {
+      throw new RuntimeHttpError(`Unknown collection column: ${filter.column}`, 400);
+    }
+  }
+
+  return rows.filter((row) =>
+    activeFilters.every((filter) => {
+      const fieldValue = formatRuntimeFilterValue(row[filter.column]).toLocaleLowerCase();
+      return filter.values.some((value) => fieldValue.includes(value.toLocaleLowerCase()));
+    })
+  );
+}
+
+function formatRuntimeFilterValue(value: unknown): string {
+  if (value === null || value === undefined) {
+    return "";
+  }
+
+  if (typeof value === "string") {
+    return value;
+  }
+
+  return JSON.stringify(value);
+}
+
+function clampInteger(value: number, min: number, max: number): number {
+  const integer = Number.isFinite(value) ? Math.trunc(value) : min;
+  return Math.min(Math.max(integer, min), max);
+}

package/src/providers/azure/runtime/localReportRuntimeRest.ts

@@ -0,0 +1,71 @@
+import path from "node:path";
+
+import { RuntimeHttpError } from "../../../core/runtime/localSnapshotFiles";
+import { createRuntimeRestMiddleware, type RuntimeRestEndpoint } from "../../../core/runtime/rest";
+import { defineEntraLocalReportRuntimeRestEndpoints } from "./entra/localReportRuntimeRest";
+import { LocalReportRuntime } from "./LocalReportRuntime";
+import { defineAzureResourcesLocalReportRuntimeRestEndpoints } from "./resources/localReportRuntimeRest";
+import { defineZeroTrustAssessmentLocalReportRuntimeRestEndpoints } from "./zta/localReportRuntimeRest";
+
+const restBasePath = "/api/data";
+
+export type LocalReportRuntimePluginHost = {
+  httpServer?: {
+    once(event: "listening" | "close", listener: () => void): void;
+  } | null;
+  middlewares: {
+    use(middleware: ReturnType<typeof createRuntimeRestMiddleware>): void;
+  };
+};
+
+export function createLocalReportRuntime(dataDir: string): LocalReportRuntime {
+  return new LocalReportRuntime({ dataDir, databasePath: path.join(dataDir, "runtime.duckdb") });
+}
+
+export function defineLocalReportRuntimeRestEndpoints(runtime: LocalReportRuntime): RuntimeRestEndpoint[] {
+  return [
+    {
+      path: restBasePath,
+      handle: () => runtime.listSnapshots()
+    },
+    {
+      path: `${restBasePath}/read`,
+      handle: ({ url }) => runtime.readSnapshot(url.searchParams.get("name") ?? "")
+    },
+    ...defineEntraLocalReportRuntimeRestEndpoints(runtime, restBasePath),
+    ...defineAzureResourcesLocalReportRuntimeRestEndpoints(runtime, restBasePath),
+    ...defineZeroTrustAssessmentLocalReportRuntimeRestEndpoints(runtime, restBasePath),
+    {
+      path: `${restBasePath}/runtime/enrichment/recalculate`,
+      handle: async () => {
+        await runtime.recalculateEnrichment();
+        return runtime.getStatus().enrichment;
+      }
+    },
+    {
+      path: `${restBasePath}/runtime`,
+      handle: () => runtime.getStatus()
+    }
+  ];
+}
+
+export function installLocalReportRuntimeRest(host: LocalReportRuntimePluginHost, runtime: LocalReportRuntime): void {
+  host.httpServer?.once("listening", () => {
+    void runtime.initialize();
+  });
+  host.httpServer?.once("close", () => {
+    void runtime.close();
+  });
+
+  host.middlewares.use(
+    createRuntimeRestMiddleware({
+      basePath: restBasePath,
+      endpoints: defineLocalReportRuntimeRestEndpoints(runtime),
+      getErrorStatusCode: (error) => (error instanceof RuntimeHttpError ? error.statusCode : 500)
+    })
+  );
+}
+
+export function createDefaultLocalReportRuntime(root: string): LocalReportRuntime {
+  return createLocalReportRuntime(path.join(root, "data"));
+}

package/src/providers/azure/runtime/resources/AzureResourcesCollectionQueryService.ts

@@ -0,0 +1,145 @@
+import { mapRoleAssignmentToAzureRbac } from "../../../../core/azure/azureRbac";
+import type { AzureRbac } from "../../../../core/azure/azureRbac";
+import type { ResourceGroupOwnershipRow } from "../../../../core/azure/resources";
+
+import { evaluateAzureRoleAssignmentRisk } from "../enrichment/evaluateAzureRoleAssignmentRisk";
+import { buildAzureOwnershipReport } from "../../ownership/buildAzureOwnershipReport";
+import {
+  buildPaginatedCollection,
+  type LocalReportCollectionQueryOptions,
+  type LocalReportPaginatedCollection
+} from "../localReportCollections";
+import type { DisabledEvidenceStore } from "../DisabledEvidenceStore";
+import type { LocalEntraReportRuntime } from "../entra/LocalEntraReportRuntime";
+import {
+  type LocalAzureResourcesReportCollectionId,
+  type LocalAzureResourcesReportRuntime
+} from "./LocalAzureResourcesReportRuntime";
+import {
+  applyResourceGroupOwnerDisabledEvidence,
+  buildResourceGroupOwnershipRows
+} from "./resourceGroupOwnership";
+
+export type LocalAzureResourcesExtendedCollectionId =
+  | LocalAzureResourcesReportCollectionId
+  | "azureResources.resourceGroupOwnership"
+  | "azureRbac";
+
+export type AzureResourcesCollectionQueryServiceOptions = {
+  entra: LocalEntraReportRuntime;
+  azureResources: LocalAzureResourcesReportRuntime;
+  disabledEvidenceStore: DisabledEvidenceStore;
+};
+
+export class AzureResourcesCollectionQueryService {
+  private readonly entra: LocalEntraReportRuntime;
+  private readonly azureResources: LocalAzureResourcesReportRuntime;
+  private readonly disabledEvidenceStore: DisabledEvidenceStore;
+
+  constructor(options: AzureResourcesCollectionQueryServiceOptions) {
+    this.entra = options.entra;
+    this.azureResources = options.azureResources;
+    this.disabledEvidenceStore = options.disabledEvidenceStore;
+  }
+
+  async querySubscriptions(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureResources.subscriptions">> {
+    return buildPaginatedCollection(
+      "azureResources.subscriptions",
+      (await this.azureResources.readAzureSubscriptions()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async queryResourceGroups(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureResources.resourceGroups">> {
+    return buildPaginatedCollection(
+      "azureResources.resourceGroups",
+      (await this.azureResources.readAzureResourceGroups()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async queryResourceGroupOwnership(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureResources.resourceGroupOwnership">> {
+    return buildPaginatedCollection(
+      "azureResources.resourceGroupOwnership",
+      await this.readResourceGroupOwnershipRows(),
+      options
+    );
+  }
+
+  async queryResources(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureResources.resources">> {
+    return buildPaginatedCollection(
+      "azureResources.resources",
+      (await this.azureResources.readAzureResources()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async queryUserAssignedManagedIdentities(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureResources.userAssignedManagedIdentities">> {
+    return buildPaginatedCollection(
+      "azureResources.userAssignedManagedIdentities",
+      (await this.azureResources.readAzureUserAssignedManagedIdentities()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async queryRoleAssignments(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureResources.roleAssignments">> {
+    return buildPaginatedCollection(
+      "azureResources.roleAssignments",
+      (await this.azureResources.readAzureRoleAssignments()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async queryAzureRbac(
+    servicePrincipalId: string,
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureRbac">> {
+    return buildPaginatedCollection(
+      "azureRbac",
+      (await this.readAzureRbacRows(servicePrincipalId)) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async queryActivityLogs(
+    options: LocalReportCollectionQueryOptions
+  ): Promise<LocalReportPaginatedCollection<"azureResources.activityLogs">> {
+    return buildPaginatedCollection(
+      "azureResources.activityLogs",
+      (await this.azureResources.readAzureActivityLogs()) as unknown as Record<string, unknown>[],
+      options
+    );
+  }
+
+  async readResourceGroupOwnershipRows(): Promise<ResourceGroupOwnershipRow[]> {
+    const [resourceSnapshot, entraSnapshot, disabledKeys] = await Promise.all([
+      this.azureResources.readSnapshot(),
+      this.entra.readSnapshot(),
+      this.disabledEvidenceStore.readKeys()
+    ]);
+    const ownerReport = buildAzureOwnershipReport(resourceSnapshot, entraSnapshot);
+    const ownerRows = applyResourceGroupOwnerDisabledEvidence(ownerReport.owners, disabledKeys);
+
+    return buildResourceGroupOwnershipRows(resourceSnapshot.resourceGroups, ownerRows);
+  }
+
+  private async readAzureRbacRows(servicePrincipalId: string): Promise<AzureRbac[]> {
+    const normalizedServicePrincipalId = servicePrincipalId.trim().toLowerCase();
+
+    return (await this.azureResources.readAzureRoleAssignments())
+      .filter((assignment) => assignment.principalId.toLowerCase() === normalizedServicePrincipalId)
+      .map((assignment) => mapRoleAssignmentToAzureRbac(assignment, evaluateAzureRoleAssignmentRisk(assignment).riskLevel));
+  }
+}

package/src/providers/azure/runtime/resources/LocalAzureResourcesReportRuntime.ts

@@ -0,0 +1,114 @@
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+
+import type { DuckDBConnection } from "@duckdb/node-api";
+
+import type {
+  AzureActivityLog,
+  AzureResource,
+  AzureResourceGroup,
+  AzureRoleAssignment,
+  AzureSnapshot,
+  AzureSubscription,
+  AzureUserAssignedManagedIdentity
+} from "../../../../core/azure/resources";
+import { pathExists, RuntimeHttpError, type LocalSnapshotData } from "../../../../core/runtime/localSnapshotFiles";
+import type { AzureSnapshot as AzureSnapshotInput } from "../../inputTransferObject/resources/AzureSnapshot";
+import {
+  azureResourcesSnapshotFileName,
+  createEmptyAzureResourcesImportStatus,
+  importAzureResourcesSnapshotToDuckDb,
+  readAzureResourcesSnapshotFromDuckDb,
+  type AzureResourcesDuckDbImportStatus
+} from "./snapshotStore";
+import {
+  readAzureActivityLogRows,
+  readAzureResourceGroupRows,
+  readAzureResourceRows,
+  readAzureRoleAssignmentRows,
+  readAzureSubscriptionRows,
+  readAzureUserAssignedManagedIdentityRows
+} from "./tables";
+
+export type LocalAzureResourcesReportCollectionId =
+  | "azureResources.subscriptions"
+  | "azureResources.resourceGroups"
+  | "azureResources.resources"
+  | "azureResources.userAssignedManagedIdentities"
+  | "azureResources.roleAssignments"
+  | "azureResources.activityLogs";
+
+export type LocalAzureResourcesReportRuntimeOptions = {
+  dataDir: string;
+  getConnection: () => DuckDBConnection;
+};
+
+export class LocalAzureResourcesReportRuntime {
+  private readonly dataDir: string;
+  private readonly getConnection: () => DuckDBConnection;
+  private status = createEmptyAzureResourcesImportStatus();
+
+  constructor(options: LocalAzureResourcesReportRuntimeOptions) {
+    this.dataDir = options.dataDir;
+    this.getConnection = options.getConnection;
+  }
+
+  getStatus(): AzureResourcesDuckDbImportStatus {
+    return this.status;
+  }
+
+  canReadSnapshot(name: string): boolean {
+    return name === azureResourcesSnapshotFileName;
+  }
+
+  async importSnapshot(): Promise<void> {
+    const snapshotPath = path.join(this.dataDir, azureResourcesSnapshotFileName);
+    if (!(await pathExists(snapshotPath))) {
+      return;
+    }
+
+    const snapshot = JSON.parse(await readFile(snapshotPath, "utf8")) as AzureSnapshotInput & LocalSnapshotData;
+    this.status = await importAzureResourcesSnapshotToDuckDb(this.getConnection(), snapshot);
+  }
+
+  async readSnapshot(): Promise<AzureSnapshot & LocalSnapshotData> {
+    this.assertImported();
+    return readAzureResourcesSnapshotFromDuckDb(this.getConnection());
+  }
+
+  async readAzureSubscriptions(): Promise<AzureSubscription[]> {
+    this.assertImported();
+    return readAzureSubscriptionRows(this.getConnection());
+  }
+
+  async readAzureResourceGroups(): Promise<AzureResourceGroup[]> {
+    this.assertImported();
+    return readAzureResourceGroupRows(this.getConnection());
+  }
+
+  async readAzureResources(): Promise<AzureResource[]> {
+    this.assertImported();
+    return readAzureResourceRows(this.getConnection());
+  }
+
+  async readAzureUserAssignedManagedIdentities(): Promise<AzureUserAssignedManagedIdentity[]> {
+    this.assertImported();
+    return readAzureUserAssignedManagedIdentityRows(this.getConnection());
+  }
+
+  async readAzureRoleAssignments(): Promise<AzureRoleAssignment[]> {
+    this.assertImported();
+    return readAzureRoleAssignmentRows(this.getConnection());
+  }
+
+  async readAzureActivityLogs(): Promise<AzureActivityLog[]> {
+    this.assertImported();
+    return readAzureActivityLogRows(this.getConnection());
+  }
+
+  private assertImported(): void {
+    if (!this.status.imported) {
+      throw new RuntimeHttpError(`Snapshot file ./data/${azureResourcesSnapshotFileName} was not found.`, 404);
+    }
+  }
+}

package/src/providers/azure/runtime/resources/disabledOwnerEvidenceTable.ts

@@ -0,0 +1,60 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+
+export type DisabledOwnerKey = string;
+
+export async function readDisabledOwnerEvidenceKeys(
+  connection: DuckDBConnection
+): Promise<Set<DisabledOwnerKey>> {
+  const rows = await readRows<DisabledOwnerEvidenceDbRow>(
+    connection,
+    "select owner_key from azure_disabled_owner_evidence_keys order by owner_key"
+  );
+
+  return new Set(rows.map((row) => row.owner_key));
+}
+
+export async function disableOwnerEvidenceKey(
+  connection: DuckDBConnection,
+  key: DisabledOwnerKey
+): Promise<void> {
+  await connection.run(
+    `insert into azure_disabled_owner_evidence_keys values ($key, $disabledAt)
+    on conflict(owner_key) do update set disabled_at = excluded.disabled_at`,
+    {
+      key,
+      disabledAt: new Date().toISOString()
+    }
+  );
+}
+
+export async function enableOwnerEvidenceKey(
+  connection: DuckDBConnection,
+  key: DisabledOwnerKey
+): Promise<void> {
+  await connection.run("delete from azure_disabled_owner_evidence_keys where owner_key = $key", { key });
+}
+
+export async function countDisabledOwnerEvidenceKeys(connection: DuckDBConnection): Promise<number> {
+  const rows = await readRows<DisabledOwnerEvidenceKeyCountRow>(
+    connection,
+    "select count(*) as disabled_count from azure_disabled_owner_evidence_keys"
+  );
+
+  return Number(rows[0]?.disabled_count ?? 0);
+}
+
+type DisabledOwnerEvidenceDbRow = {
+  owner_key: DisabledOwnerKey;
+};
+
+type DisabledOwnerEvidenceKeyCountRow = {
+  disabled_count: string | number;
+};
+
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql);
+  return reader.getRowObjectsJson() as Row[];
+}

package/src/providers/azure/runtime/resources/localReportRuntimeRest.ts

@@ -0,0 +1,81 @@
+import { RuntimeHttpError } from "../../../../core/runtime/localSnapshotFiles";
+import type { RuntimeRestEndpoint } from "../../../../core/runtime/rest";
+import type { LocalReportRuntime } from "../LocalReportRuntime";
+import { parseRuntimeCollectionQueryOptions } from "../runtimeRestQuery";
+
+export function defineAzureResourcesLocalReportRuntimeRestEndpoints(
+  runtime: LocalReportRuntime,
+  restBasePath: string
+): RuntimeRestEndpoint[] {
+  return [
+    {
+      path: `${restBasePath}/azureResources/subscriptions`,
+      handle: ({ url }) => runtime.queryAzureSubscriptions(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/azureResources/resourceGroups`,
+      handle: ({ url }) => runtime.queryAzureResourceGroups(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/azureResources/resourceGroupOwnership`,
+      handle: ({ url }) => runtime.queryAzureResourceGroupOwnership(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/azureResources/resourceGroupOwnership/disabledEvidence`,
+      handle: async ({ url }) => {
+        const key = readRequiredSearchParam(url, "key");
+        const disabled = readBooleanSearchParam(url, "disabled");
+        const disabledCount = await runtime.setOwnerEvidenceDisabled(key, disabled);
+
+        return {
+          key,
+          disabled,
+          disabledCount
+        };
+      }
+    },
+    {
+      path: `${restBasePath}/azureResources/resources`,
+      handle: ({ url }) => runtime.queryAzureResources(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/azureResources/userAssignedManagedIdentities`,
+      handle: ({ url }) => runtime.queryAzureUserAssignedManagedIdentities(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/azureResources/roleAssignments`,
+      handle: ({ url }) => runtime.queryAzureRoleAssignments(parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/azureRbac`,
+      handle: ({ url }) =>
+        runtime.queryAzureRbac(readRequiredSearchParam(url, "servicePrincipalId"), parseRuntimeCollectionQueryOptions(url))
+    },
+    {
+      path: `${restBasePath}/azureResources/activityLogs`,
+      handle: ({ url }) => runtime.queryAzureActivityLogs(parseRuntimeCollectionQueryOptions(url))
+    }
+  ];
+}
+
+function readRequiredSearchParam(url: URL, name: string): string {
+  const value = url.searchParams.get(name)?.trim();
+  if (!value) {
+    throw new RuntimeHttpError(`Missing required query parameter: ${name}`, 400);
+  }
+
+  return value;
+}
+
+function readBooleanSearchParam(url: URL, name: string): boolean {
+  const value = readRequiredSearchParam(url, name).toLowerCase();
+  if (value === "true" || value === "1") {
+    return true;
+  }
+
+  if (value === "false" || value === "0") {
+    return false;
+  }
+
+  throw new RuntimeHttpError(`Invalid boolean query parameter: ${name}`, 400);
+}