npm - ownerlens - Versions diffs - 0.1.0 - Mend

ownerlens 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/src/providers/azure/runtime/runtimeRestQuery.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import type { LocalReportCollectionQueryOptions } from "./localReportCollections";
+export function parseRuntimeCollectionQueryOptions(url: URL): LocalReportCollectionQueryOptions {
+  return {
+    filters: parseRuntimeCollectionFilters(url),
+    page: parseOptionalInteger(url.searchParams.get("page")),
+    pageSize: parseOptionalInteger(url.searchParams.get("pageSize") ?? url.searchParams.get("count"))
+  };
+}
+function parseRuntimeCollectionFilters(url: URL): Array<{ column: string; values: string[] }> {
+  const filters = new Map<number, { column: string; values: string[] }>();
+  for (const [key, value] of url.searchParams) {
+    const match = /^filter\[(\d+)\]\[(column|value|values)\](?:\[(\d+)\])?$/.exec(key);
+    if (!match) {
+      continue;
+    }
+    const index = Number(match[1]);
+    const property = match[2];
+    const filter = filters.get(index) ?? { column: "", values: [] };
+    if (property === "column") {
+      filter.column = value;
+    } else {
+      filter.values.push(value);
+    }
+    filters.set(index, filter);
+  }
+  return [...filters.entries()]
+    .sort(([left], [right]) => left - right)
+    .map(([, filter]) => filter)
+    .filter((filter) => filter.column && filter.values.length > 0);
+}
+function parseOptionalInteger(value: string | null): number | undefined {
+  if (value === null || value.trim() === "") {
+    return undefined;
+  }
+  const parsed = Number(value);
+  return Number.isFinite(parsed) ? parsed : undefined;
+}

package/src/providers/azure/runtime/runtimeSqlSchema.ts ADDED Viewed

@@ -0,0 +1,357 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+const entraSnapshotSchemaSql = [
+  `
+    create table if not exists entra_snapshot_meta (
+      data json not null
+    )
+  `,
+  `
+    create table if not exists entra_snapshot_extra (
+      data json not null
+    )
+  `
+];
+const entraServicePrincipalSchemaSql = [
+  `
+    create table if not exists entra_service_principals (
+      ordinal integer not null,
+      id varchar primary key,
+      app_id varchar not null,
+      display_name varchar not null,
+      app_display_name varchar,
+      service_principal_type varchar not null,
+      publisher_name varchar,
+      account_enabled boolean not null,
+      app_owner_organization_id varchar,
+      homepage varchar,
+      login_url varchar,
+      reply_urls json not null,
+      service_principal_names json not null,
+      tags json not null,
+      app_roles json not null,
+      owners json not null,
+      app_owners json not null,
+      service_principal_owners json not null,
+      application_owners json not null,
+      metadata json
+    )
+  `
+];
+const entraApplicationSchemaSql = [
+  `
+    create table if not exists entra_applications (
+      ordinal integer not null,
+      id varchar primary key,
+      app_id varchar not null,
+      display_name varchar not null,
+      sign_in_audience varchar,
+      publisher_domain varchar,
+      identifier_uris json not null,
+      tags json not null,
+      app_roles json not null,
+      oauth2_permission_scopes json not null,
+      required_resource_access json not null,
+      web json,
+      spa json,
+      public_client json,
+      password_credentials json not null,
+      key_credentials json not null,
+      created_date_time varchar,
+      deleted_date_time varchar,
+      disabled_by_microsoft_status varchar,
+      info json,
+      notes varchar,
+      owners json not null
+    )
+  `
+];
+const entraOAuth2PermissionGrantSchemaSql = [
+  `
+    create table if not exists entra_oauth2_permission_grants (
+      ordinal integer not null,
+      id varchar primary key,
+      client_id varchar not null,
+      consent_type varchar not null,
+      principal_id varchar,
+      resource_id varchar not null,
+      scope varchar not null
+    )
+  `
+];
+const entraAppRoleAssignmentSchemaSql = [
+  `
+    create table if not exists entra_app_role_assignments (
+      ordinal integer not null,
+      id varchar primary key,
+      app_role_id varchar not null,
+      app_role_display_name varchar,
+      app_role_value varchar,
+      principal_id varchar not null,
+      principal_display_name varchar,
+      resource_id varchar not null,
+      resource_display_name varchar
+    )
+  `
+];
+const azureResourcesSnapshotSchemaSql = [
+  "create table if not exists azure_resources_snapshot_meta (data json not null)",
+  "create table if not exists azure_resources_snapshot_extra (data json not null)"
+];
+const azureResourcesSchemaSql = [
+  `
+    create table if not exists azure_subscriptions (
+      ordinal integer not null,
+      subscription_id varchar primary key,
+      subscription_name varchar not null,
+      tenant_id varchar not null,
+      state varchar not null,
+      tags json
+    )
+  `,
+  `
+    create table if not exists azure_resource_groups (
+      ordinal integer not null,
+      subscription_id varchar not null,
+      subscription_name varchar not null,
+      resource_group varchar not null,
+      location varchar not null,
+      tags json
+    )
+  `,
+  `
+    create table if not exists azure_resources (
+      ordinal integer not null,
+      subscription_id varchar not null,
+      subscription_name varchar not null,
+      resource_id varchar primary key,
+      resource_name varchar not null,
+      resource_group varchar not null,
+      resource_type varchar not null,
+      kind varchar,
+      location varchar not null,
+      tags json,
+      identity_type varchar,
+      identity_principal_id varchar,
+      identity_tenant_id varchar,
+      user_assigned_identity_resource_ids json not null,
+      user_assigned_identities json
+    )
+  `,
+  `
+    create table if not exists azure_user_assigned_managed_identities (
+      ordinal integer not null,
+      subscription_id varchar not null,
+      subscription_name varchar not null,
+      resource_id varchar primary key,
+      name varchar not null,
+      resource_group varchar not null,
+      location varchar not null,
+      client_id varchar not null,
+      principal_id varchar not null,
+      tenant_id varchar not null,
+      tags json
+    )
+  `,
+  `
+    create table if not exists azure_role_assignments (
+      ordinal integer not null,
+      subscription_id varchar not null,
+      subscription_name varchar not null,
+      role_assignment_id varchar,
+      scope varchar not null,
+      scope_type varchar,
+      scope_subscription_id varchar,
+      scope_resource_group varchar,
+      scope_resource_provider varchar,
+      scope_resource_type varchar,
+      scope_resource_name varchar,
+      scope_management_group varchar,
+      principal_id varchar not null,
+      principal_type varchar,
+      principal_display_name varchar,
+      sign_in_name varchar,
+      role_definition_id varchar,
+      role_definition_name varchar,
+      can_delegate boolean,
+      condition varchar,
+      condition_version varchar
+    )
+  `,
+  `
+    create table if not exists azure_activity_logs (
+      ordinal integer not null,
+      subscription_id varchar not null,
+      subscription_name varchar not null,
+      event_timestamp varchar not null,
+      submission_timestamp varchar,
+      caller varchar,
+      caller_user_principal_name varchar,
+      caller_name varchar,
+      caller_email varchar,
+      caller_object_id varchar,
+      caller_identity_type varchar,
+      caller_app_id varchar,
+      caller_ip_address varchar,
+      caller_tenant_id varchar,
+      operation_name varchar,
+      operation_name_value varchar,
+      status varchar,
+      sub_status varchar,
+      category varchar,
+      resource_group_name varchar,
+      resource_id varchar,
+      resource_provider_name varchar,
+      resource_type varchar,
+      authorization_action varchar,
+      authorization_scope varchar
+    )
+  `
+];
+const disabledOwnerEvidenceSchemaSql = [
+  `
+    create table if not exists azure_disabled_owner_evidence_keys (
+      owner_key varchar primary key,
+      disabled_at varchar not null
+    )
+  `
+];
+const zeroTrustAssessmentMetadataSchemaSql = [
+  `
+    create table if not exists zta_report (
+      id varchar not null primary key,
+      file_name varchar not null,
+      executed_at varchar,
+      imported_at varchar not null
+    )
+  `,
+  `
+    create table if not exists zta_report_meta (
+      report_id varchar not null primary key,
+      data json not null
+    )
+  `,
+  `
+    create table if not exists zta_report_extra (
+      report_id varchar not null primary key,
+      data json not null
+    )
+  `
+];
+const zeroTrustAssessmentTestSchemaSql = [
+  `
+    create table if not exists zta_tests (
+      report_id varchar not null,
+      ordinal integer not null,
+      test_id varchar not null,
+      title varchar,
+      pillar varchar,
+      status varchar,
+      risk varchar,
+      impact varchar,
+      implementation_cost varchar,
+      category varchar,
+      sfi_pillar varchar,
+      skipped_reason varchar,
+      skipped_code varchar,
+      minimum_license json,
+      applies_to json,
+      tags json,
+      related_objects json,
+      result varchar,
+      description varchar,
+      data json not null,
+      primary key (report_id, ordinal)
+    )
+  `,
+  `
+    create table if not exists zta_test_related_objects (
+      report_id varchar not null,
+      test_ordinal integer not null,
+      related_object_id varchar not null,
+      primary key (report_id, test_ordinal, related_object_id)
+    )
+  `
+];
+const zeroTrustAssessmentSchemaSql = [
+  ...zeroTrustAssessmentMetadataSchemaSql,
+  ...zeroTrustAssessmentTestSchemaSql
+];
+const azureIdentityEnrichmentSchemaSql = [
+  `
+    create table if not exists azure_runtime_enrichment_runs (
+      run_id varchar primary key,
+      started_at varchar not null,
+      completed_at varchar,
+      status varchar not null,
+      identity_role_assignment_count integer not null,
+      access_risk_identity_count integer not null,
+      managed_identity_assignment_count integer not null,
+      error_message varchar
+    )
+  `,
+  `
+    create table if not exists azure_identity_role_assignment_enrichment (
+      run_id varchar not null,
+      principal_id varchar not null,
+      assignment_count integer not null,
+      role_assignments json not null
+    )
+  `,
+  `
+    create table if not exists azure_identity_access_risk_enrichment (
+      run_id varchar not null,
+      principal_id varchar not null,
+      risk_level varchar not null,
+      assignment_count integer not null,
+      high_risk_assignment_count integer not null,
+      broad_scope_assignment_count integer not null,
+      role_assignments json not null
+    )
+  `,
+  `
+    create table if not exists azure_managed_identity_assignment_enrichment (
+      run_id varchar not null,
+      service_principal_id varchar not null,
+      principal_id varchar not null,
+      client_id varchar not null,
+      assignment_count integer not null,
+      assigned_resource_groups json not null,
+      managed_identity_assignments json not null
+    )
+  `
+];
+const runtimeSchemaSql = [
+  ...entraSnapshotSchemaSql,
+  ...entraServicePrincipalSchemaSql,
+  ...entraApplicationSchemaSql,
+  ...entraOAuth2PermissionGrantSchemaSql,
+  ...entraAppRoleAssignmentSchemaSql,
+  ...azureResourcesSnapshotSchemaSql,
+  ...azureResourcesSchemaSql,
+  ...disabledOwnerEvidenceSchemaSql,
+  ...zeroTrustAssessmentSchemaSql,
+  ...azureIdentityEnrichmentSchemaSql
+];
+export async function prepareRuntimeSqlSchema(connection: DuckDBConnection): Promise<void> {
+  await runSqlSchema(connection, runtimeSchemaSql);
+}
+async function runSqlSchema(connection: DuckDBConnection, statements: string[]): Promise<void> {
+  for (const statement of statements) {
+    await connection.run(statement);
+  }
+}

package/src/providers/azure/runtime/zta/Discovery.ts ADDED Viewed

@@ -0,0 +1,141 @@
+import type { Dirent } from "node:fs";
+import { readdir, readFile } from "node:fs/promises";
+import path from "node:path";
+export type JsonDiscoveryCandidate<T extends Record<string, unknown>> = {
+  absolutePath: string;
+  relativePath: string;
+  data: T;
+};
+export type JsonDiscoveryDescription<T extends Record<string, unknown>> = {
+  requiredTopLevelKeys: string[];
+  validate?: (value: Record<string, unknown>) => value is T;
+  compareCandidates?: (left: JsonDiscoveryCandidate<T>, right: JsonDiscoveryCandidate<T>) => number;
+};
+export async function discoverJsonFile<T extends Record<string, unknown>>(
+  rootDir: string,
+  description: JsonDiscoveryDescription<T>
+): Promise<JsonDiscoveryCandidate<T> | null> {
+  const jsonPaths = await listJsonFiles(rootDir);
+  const candidates: JsonDiscoveryCandidate<T>[] = [];
+  for (const filePath of jsonPaths) {
+    const data = await readJsonDiscoveryCandidate(filePath, description);
+    if (!data) {
+      continue;
+    }
+    candidates.push({
+      absolutePath: filePath,
+      relativePath: toPosixRelativePath(rootDir, filePath),
+      data
+    });
+  }
+  return candidates.sort(description.compareCandidates)[0] ?? null;
+}
+export function compareByNewestDateField<T extends Record<string, unknown>>(
+  fieldName: keyof T
+): (left: JsonDiscoveryCandidate<T>, right: JsonDiscoveryCandidate<T>) => number {
+  return (left, right) => {
+    const dateComparison = compareNullableDateStrings(
+      toNullableString(right.data[fieldName]),
+      toNullableString(left.data[fieldName])
+    );
+    return dateComparison === 0 ? left.relativePath.localeCompare(right.relativePath) : dateComparison;
+  };
+}
+async function listJsonFiles(rootDir: string): Promise<string[]> {
+  let entries: Dirent[];
+  try {
+    entries = await readdir(rootDir, { recursive: true, withFileTypes: true });
+  } catch (error) {
+    if (isNodeError(error) && error.code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
+  return entries
+    .filter((entry) => entry.isFile() && entry.name.toLowerCase().endsWith(".json"))
+    .map((entry) => path.join(entry.parentPath, entry.name))
+    .sort((left, right) => left.localeCompare(right));
+}
+async function readJsonDiscoveryCandidate<T extends Record<string, unknown>>(
+  filePath: string,
+  description: JsonDiscoveryDescription<T>
+): Promise<T | null> {
+  try {
+    const rawJson = stripJsonByteOrderMark(await readFile(filePath, "utf8"));
+    if (!containsRequiredJsonKeyNames(rawJson, description.requiredTopLevelKeys)) {
+      return null;
+    }
+    const value = JSON.parse(rawJson) as unknown;
+    if (!isPlainObject(value) || !hasRequiredTopLevelKeys(value, description.requiredTopLevelKeys)) {
+      return null;
+    }
+    if (description.validate && !description.validate(value)) {
+      return null;
+    }
+    return value as T;
+  } catch {
+    return null;
+  }
+}
+function hasRequiredTopLevelKeys(value: Record<string, unknown>, keys: string[]): boolean {
+  return keys.every((key) => Object.prototype.hasOwnProperty.call(value, key));
+}
+function containsRequiredJsonKeyNames(value: string, keys: string[]): boolean {
+  return keys.every((key) => value.includes(JSON.stringify(key)));
+}
+function isPlainObject(value: unknown): value is Record<string, unknown> {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function compareNullableDateStrings(left: string | null, right: string | null): number {
+  const leftTime = left ? Date.parse(left) : Number.NaN;
+  const rightTime = right ? Date.parse(right) : Number.NaN;
+  if (Number.isNaN(leftTime) && Number.isNaN(rightTime)) {
+    return 0;
+  }
+  if (Number.isNaN(leftTime)) {
+    return 1;
+  }
+  if (Number.isNaN(rightTime)) {
+    return -1;
+  }
+  return leftTime - rightTime;
+}
+function toNullableString(value: unknown): string | null {
+  return typeof value === "string" ? value : null;
+}
+function toPosixRelativePath(rootDir: string, filePath: string): string {
+  return path.relative(rootDir, filePath).split(path.sep).join("/");
+}
+function stripJsonByteOrderMark(value: string): string {
+  return value.charCodeAt(0) === 0xfeff ? value.slice(1) : value;
+}
+function isNodeError(error: unknown): error is NodeJS.ErrnoException {
+  return error instanceof Error;
+}

package/src/providers/azure/runtime/zta/LocalZeroTrustAssessmentReportRuntime.ts ADDED Viewed

@@ -0,0 +1,86 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+import { RuntimeHttpError } from "../../../../core/runtime/localSnapshotFiles";
+import type { ZtaRemediationSummary, ZtaReport } from "../../../../core/azure/ztaReport";
+import { compareByNewestDateField, discoverJsonFile, type JsonDiscoveryDescription } from "./Discovery";
+import {
+  createEmptyZeroTrustAssessmentImportStatus,
+  importZeroTrustAssessmentReportToDuckDb,
+  readZeroTrustAssessmentReportFromDuckDb,
+  type ZeroTrustAssessmentDuckDbImportStatus
+} from "./snapshotStore";
+import { readZeroTrustAssessmentRemediationSummaries } from "./tables";
+import type { ZeroTrustAssessmentReport } from "./types";
+import { toZtaReport } from "./ztaReportMapper";
+const zeroTrustAssessmentReportDiscovery: JsonDiscoveryDescription<ZeroTrustAssessmentReport> = {
+  requiredTopLevelKeys: ["TestResultSummary", "ExecutedAt", "TenantId"],
+  validate: isZeroTrustAssessmentReport,
+  compareCandidates: compareByNewestDateField<ZeroTrustAssessmentReport>("ExecutedAt")
+};
+export type LocalZeroTrustAssessmentReportRuntimeOptions = {
+  dataDir: string;
+  getConnection: () => DuckDBConnection;
+};
+export class LocalZeroTrustAssessmentReportRuntime {
+  private readonly dataDir: string;
+  private readonly getConnection: () => DuckDBConnection;
+  private status = createEmptyZeroTrustAssessmentImportStatus();
+  constructor(options: LocalZeroTrustAssessmentReportRuntimeOptions) {
+    this.dataDir = options.dataDir;
+    this.getConnection = options.getConnection;
+  }
+  getStatus(): ZeroTrustAssessmentDuckDbImportStatus {
+    return this.status;
+  }
+  async importSnapshot(): Promise<void> {
+    const candidate = await discoverJsonFile(this.dataDir, zeroTrustAssessmentReportDiscovery);
+    if (!candidate) {
+      return;
+    }
+    this.status = await importZeroTrustAssessmentReportToDuckDb(
+      this.getConnection(),
+      candidate.data,
+      candidate.relativePath
+    );
+  }
+  async readReport(): Promise<ZtaReport> {
+    this.assertImported();
+    return toZtaReport(await readZeroTrustAssessmentReportFromDuckDb(this.getConnection()));
+  }
+  async readRemediationSummaries(): Promise<Map<string, ZtaRemediationSummary>> {
+    this.assertImported();
+    return readZeroTrustAssessmentRemediationSummaries(this.getConnection());
+  }
+  private assertImported(): void {
+    if (!this.status.imported) {
+      throw new RuntimeHttpError(
+        "ZTA report JSON with TestResultSummary, ExecutedAt, and TenantId was not found under ./data.",
+        404
+      );
+    }
+  }
+}
+function isZeroTrustAssessmentReport(value: unknown): value is ZeroTrustAssessmentReport {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return false;
+  }
+  const report = value as Record<string, unknown>;
+  return (
+    Object.prototype.hasOwnProperty.call(report, "TestResultSummary") &&
+    Object.prototype.hasOwnProperty.call(report, "ExecutedAt") &&
+    Object.prototype.hasOwnProperty.call(report, "TenantId") &&
+    Array.isArray(report.Tests)
+  );
+}