npm - ownerlens - Versions diffs - 0.1.0 - Mend

ownerlens 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/src/providers/azure/runtime/zta/ZeroTrustAssessmentQueryService.ts ADDED Viewed

@@ -0,0 +1,124 @@
+import { RuntimeHttpError } from "../../../../core/runtime/localSnapshotFiles";
+import type {
+  ZtaRelatedObject,
+  ZtaRemediationSummary,
+  ZtaReport,
+  ZtaReportTest
+} from "../../../../core/azure/ztaReport";
+import {
+  buildPaginatedCollection,
+  type LocalReportCollectionFilter,
+  type LocalReportCollectionQueryOptions
+} from "../localReportCollections";
+import type { LocalZeroTrustAssessmentReportRuntime } from "./LocalZeroTrustAssessmentReportRuntime";
+export type LocalZeroTrustAssessmentReportCollectionId = "zeroTrustAssessment.report";
+export type ZeroTrustAssessmentQueryServiceOptions = {
+  zeroTrustAssessment: LocalZeroTrustAssessmentReportRuntime;
+};
+export class ZeroTrustAssessmentQueryService {
+  private readonly zeroTrustAssessment: LocalZeroTrustAssessmentReportRuntime;
+  constructor(options: ZeroTrustAssessmentQueryServiceOptions) {
+    this.zeroTrustAssessment = options.zeroTrustAssessment;
+  }
+  async readReport(): Promise<ZtaReport> {
+    return this.zeroTrustAssessment.readReport();
+  }
+  async queryReport(options: LocalReportCollectionQueryOptions) {
+    const report = await this.readReport();
+    const { relatedObjectFilters, remainingFilters } = splitRelatedObjectFilters(options.filters ?? []);
+    const tests = applyRelatedObjectFilters(report.Tests ?? [], relatedObjectFilters);
+    const collection = buildPaginatedCollection(
+      "zeroTrustAssessment.report",
+      tests as Record<string, unknown>[],
+      { ...options, filters: remainingFilters }
+    );
+    return {
+      ...collection,
+      Meta: report.Meta,
+      Tests: collection.rows as ZtaReportTest[]
+    };
+  }
+  async readRemediationSummaries(): Promise<Map<string, ZtaRemediationSummary>> {
+    try {
+      return await this.zeroTrustAssessment.readRemediationSummaries();
+    } catch (error) {
+      if (error instanceof RuntimeHttpError && error.statusCode === 404) {
+        return new Map();
+      }
+      throw error;
+    }
+  }
+}
+function splitRelatedObjectFilters(filters: LocalReportCollectionFilter[]): {
+  relatedObjectFilters: LocalReportCollectionFilter[];
+  remainingFilters: LocalReportCollectionFilter[];
+} {
+  return {
+    relatedObjectFilters: filters.filter((filter) => filter.column === "RelatedObjects"),
+    remainingFilters: filters.filter((filter) => filter.column !== "RelatedObjects")
+  };
+}
+function applyRelatedObjectFilters(
+  tests: ZtaReportTest[],
+  filters: LocalReportCollectionFilter[]
+): ZtaReportTest[] {
+  const activeFilters = filters
+    .map((filter) => filter.values.map((value) => value.trim()).filter(Boolean))
+    .filter((values) => values.length > 0);
+  if (activeFilters.length === 0) {
+    return tests;
+  }
+  return tests.flatMap((test) => {
+    const relatedObjects = test.RelatedObjects ?? [];
+    const matchingRelatedObjects = relatedObjects.filter((relatedObject) =>
+      matchesRelatedObjectFilters(relatedObject, activeFilters)
+    );
+    if (matchingRelatedObjects.length === 0) {
+      return [];
+    }
+    return [
+      {
+        ...test,
+        RelatedObjects: matchingRelatedObjects
+      }
+    ];
+  });
+}
+function formatRelatedObjectsSearchValue(relatedObjects: ZtaRelatedObject[]): string {
+  return relatedObjects
+    .flatMap((relatedObject) => [
+      relatedObject.servicePrincipalId,
+      ...(relatedObject.tags ?? []),
+      relatedObject.applicationId,
+      relatedObject.id,
+      relatedObject.displayName
+    ])
+    .filter(isNonEmptyString)
+    .join(" ");
+}
+function matchesRelatedObjectFilters(relatedObject: ZtaRelatedObject, filters: string[][]): boolean {
+  const searchableValue = formatRelatedObjectsSearchValue([relatedObject]).toLocaleLowerCase();
+  return filters.every((values) => values.some((value) => searchableValue.includes(value.toLocaleLowerCase())));
+}
+function isNonEmptyString(value: unknown): value is string {
+  return typeof value === "string" && value.trim().length > 0;
+}

package/src/providers/azure/runtime/zta/localReportRuntimeRest.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { RuntimeRestEndpoint } from "../../../../core/runtime/rest";
+import type { LocalReportRuntime } from "../LocalReportRuntime";
+import { parseRuntimeCollectionQueryOptions } from "../runtimeRestQuery";
+export function defineZeroTrustAssessmentLocalReportRuntimeRestEndpoints(
+  runtime: LocalReportRuntime,
+  restBasePath: string
+): RuntimeRestEndpoint[] {
+  return [
+    {
+      path: `${restBasePath}/zeroTrustAssessment/report`,
+      handle: ({ url }) => runtime.queryZeroTrustAssessmentReport(parseRuntimeCollectionQueryOptions(url))
+    }
+  ];
+}

package/src/providers/azure/runtime/zta/snapshotMetadataTable.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import type { DuckDBConnection } from "@duckdb/node-api";
+import type { ZeroTrustAssessmentReport } from "./types";
+export async function insertZeroTrustAssessmentReport(
+  connection: DuckDBConnection,
+  reportId: string,
+  report: ZeroTrustAssessmentReport,
+  fileName: string,
+  importedAt: string
+): Promise<void> {
+  await connection.run(
+    `
+      insert into zta_report (id, file_name, executed_at, imported_at)
+      values ($reportId, $fileName, $executedAt, $importedAt)
+    `,
+    {
+      reportId,
+      fileName,
+      executedAt: report.ExecutedAt ?? null,
+      importedAt
+    }
+  );
+}
+export async function importZeroTrustAssessmentMetadata(
+  connection: DuckDBConnection,
+  reportId: string,
+  report: ZeroTrustAssessmentReport
+): Promise<void> {
+  const { Tests, ...metadata } = report;
+  const {
+    Account,
+    CurrentVersion,
+    Domain,
+    EndOfJson,
+    ExecutedAt,
+    LatestVersion,
+    TenantId,
+    TenantInfo,
+    TenantName,
+    TestResultSummary,
+    ...extra
+  } = metadata;
+  await connection.run(
+    `
+      insert into zta_report_meta (report_id, data)
+      values ($reportId, $meta::json)
+    `,
+    {
+      reportId,
+      meta: JSON.stringify({
+        Account,
+        CurrentVersion,
+        Domain,
+        EndOfJson,
+        ExecutedAt,
+        LatestVersion,
+        TenantId,
+        TenantInfo,
+        TenantName,
+        TestResultSummary
+      })
+    }
+  );
+  await connection.run(
+    `
+      insert into zta_report_extra (report_id, data)
+      values ($reportId, $extra::json)
+    `,
+    {
+      reportId,
+      extra: JSON.stringify(extra)
+    }
+  );
+}

package/src/providers/azure/runtime/zta/snapshotStore.ts ADDED Viewed

@@ -0,0 +1,112 @@
+import { randomUUID } from "node:crypto";
+import type { DuckDBConnection, DuckDBValue } from "@duckdb/node-api";
+import {
+  insertZeroTrustAssessmentReport,
+  importZeroTrustAssessmentMetadata
+} from "./snapshotMetadataTable";
+import {
+  insertZeroTrustAssessmentRelatedObjectRows,
+  insertZeroTrustAssessmentTestRows,
+  readZeroTrustAssessmentTestRows
+} from "./tables";
+import type { ZeroTrustAssessmentReport } from "./types";
+export const zeroTrustAssessmentReportFileName = "ZeroTrustAssessmentReport.json";
+export type ZeroTrustAssessmentDuckDbImportStatus = {
+  imported: boolean;
+  fileName: string;
+  reportId: string | null;
+  testCount: number;
+  importedAt: string | null;
+};
+export function createEmptyZeroTrustAssessmentImportStatus(): ZeroTrustAssessmentDuckDbImportStatus {
+  return {
+    imported: false,
+    fileName: zeroTrustAssessmentReportFileName,
+    reportId: null,
+    testCount: 0,
+    importedAt: null
+  };
+}
+export async function importZeroTrustAssessmentReportToDuckDb(
+  connection: DuckDBConnection,
+  report: ZeroTrustAssessmentReport,
+  fileName = zeroTrustAssessmentReportFileName
+): Promise<ZeroTrustAssessmentDuckDbImportStatus> {
+  await connection.run("begin transaction");
+  try {
+    const reportId = randomUUID();
+    const importedAt = new Date().toISOString();
+    await insertZeroTrustAssessmentReport(connection, reportId, report, fileName, importedAt);
+    await importZeroTrustAssessmentMetadata(connection, reportId, report);
+    await insertZeroTrustAssessmentTestRows(connection, reportId, report.Tests ?? []);
+    await insertZeroTrustAssessmentRelatedObjectRows(connection, reportId, report.Tests ?? []);
+    await connection.run("commit");
+    return {
+      imported: true,
+      fileName,
+      reportId,
+      testCount: report.Tests?.length ?? 0,
+      importedAt
+    };
+  } catch (error) {
+    await connection.run("rollback");
+    throw error;
+  }
+}
+export async function readZeroTrustAssessmentReportFromDuckDb(
+  connection: DuckDBConnection
+): Promise<ZeroTrustAssessmentReport> {
+  const reportRows = await readRows<{ id: string }>(
+    connection,
+    `
+      select id
+      from zta_report
+      order by executed_at desc nulls last, imported_at desc
+      limit 1
+    `
+  );
+  const reportId = reportRows[0]?.id;
+  if (!reportId) {
+    return { Tests: [] };
+  }
+  const metaRows = await readRows<{ data: string }>(
+    connection,
+    "select data from zta_report_meta where report_id = $reportId limit 1",
+    { reportId }
+  );
+  const extraRows = await readRows<{ data: string }>(
+    connection,
+    "select data from zta_report_extra where report_id = $reportId limit 1",
+    { reportId }
+  );
+  return {
+    ...parseJsonObject(extraRows[0]?.data),
+    ...parseJsonObject(metaRows[0]?.data),
+    Tests: await readZeroTrustAssessmentTestRows(connection, reportId)
+  };
+}
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string,
+  params?: Record<string, DuckDBValue>
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql, params);
+  return reader.getRowObjectsJson() as Row[];
+}
+function parseJsonObject(value: string | null | undefined): Record<string, unknown> {
+  return value ? JSON.parse(value) : {};
+}

package/src/providers/azure/runtime/zta/tables.ts ADDED Viewed

@@ -0,0 +1,361 @@
+import type { DuckDBConnection, DuckDBValue } from "@duckdb/node-api";
+import type { ZtaRelatedObject, ZtaRemediationSummary } from "../../../../core/azure/ztaReport";
+import type { ZeroTrustAssessmentTest } from "./types";
+export async function insertZeroTrustAssessmentTestRows(
+  connection: DuckDBConnection,
+  reportId: string,
+  tests: ZeroTrustAssessmentTest[]
+): Promise<void> {
+  const servicePrincipalRelatedObjectIds = await readServicePrincipalRelatedObjectIds(connection);
+  for (const [ordinal, originalTest] of tests.entries()) {
+    const enrichedTest = enrichRelatedObjectsWithServicePrincipalIds(originalTest, servicePrincipalRelatedObjectIds);
+    const test = normalizeZeroTrustAssessmentRiskFields(enrichedTest);
+    await connection.run(
+      `insert into zta_tests values (
+        $reportId,
+        $ordinal,
+        $testId,
+        $title,
+        $pillar,
+        $status,
+        $risk,
+        $impact,
+        $implementationCost,
+        $category,
+        $sfiPillar,
+        $skippedReason,
+        $skippedCode,
+        $minimumLicense::json,
+        $appliesTo::json,
+        $tags::json,
+        $relatedObjects::json,
+        $result,
+        $description,
+        $data::json
+      )`,
+      {
+        reportId,
+        ordinal,
+        testId: toNullableString(test.TestId) ?? String(ordinal),
+        title: test.TestTitle ?? null,
+        pillar: test.TestPillar ?? null,
+        status: test.TestStatus ?? null,
+        risk: test.TestRisk ?? null,
+        impact: test.TestImpact ?? null,
+        implementationCost: test.TestImplementationCost ?? null,
+        category: test.TestCategory ?? null,
+        sfiPillar: test.TestSfiPillar ?? null,
+        skippedReason: test.SkippedReason ?? null,
+        skippedCode: test.TestSkipped ?? null,
+        minimumLicense: JSON.stringify(toJsonArray(test.TestMinimumLicense)),
+        appliesTo: JSON.stringify(toJsonArray(test.TestAppliesTo)),
+        tags: JSON.stringify(toJsonArray(test.TestTags)),
+        relatedObjects: JSON.stringify(test.RelatedObjects ?? []),
+        result: test.TestResult ?? null,
+        description: test.TestDescription ?? null,
+        data: JSON.stringify(test)
+      }
+    );
+  }
+}
+export async function insertZeroTrustAssessmentRelatedObjectRows(
+  connection: DuckDBConnection,
+  reportId: string,
+  tests: ZeroTrustAssessmentTest[]
+): Promise<void> {
+  const servicePrincipalRelatedObjectIds = await readServicePrincipalRelatedObjectIds(connection);
+  for (const [testOrdinal, test] of tests.entries()) {
+    const relatedObjectIds = getRelatedObjectIds(
+      enrichRelatedObjectsWithServicePrincipalIds(test, servicePrincipalRelatedObjectIds)
+    );
+    for (const relatedObjectId of relatedObjectIds) {
+      await connection.run(
+        `insert into zta_test_related_objects values (
+          $reportId,
+          $testOrdinal,
+          $relatedObjectId
+        )`,
+        {
+          reportId,
+          testOrdinal,
+          relatedObjectId
+        }
+      );
+    }
+  }
+}
+export async function readZeroTrustAssessmentTestRows(
+  connection: DuckDBConnection,
+  reportId: string
+): Promise<ZeroTrustAssessmentTest[]> {
+  const rows = await readRows<{ data: string }>(
+    connection,
+    "select data from zta_tests where report_id = $reportId order by ordinal",
+    { reportId }
+  );
+  return rows.map((row) => JSON.parse(row.data) as ZeroTrustAssessmentTest);
+}
+export async function readZeroTrustAssessmentRemediationSummaries(
+  connection: DuckDBConnection
+): Promise<Map<string, ZtaRemediationSummary>> {
+  const rows = await readRows<{
+    related_object_id: string;
+    remediation_count_all: number;
+    remediation_failed_count: number;
+    max_risk_rank: number;
+  }>(
+    connection,
+    `
+      with latest_report as (
+        select id
+        from zta_report
+        order by executed_at desc nulls last, imported_at desc
+        limit 1
+      ),
+      related_tests as (
+        select distinct
+          lower(related.related_object_id) as related_object_id,
+          related.test_ordinal,
+          lower(coalesce(test.status, '')) as status,
+          case lower(coalesce(test.risk, ''))
+            when 'high' then 3
+            when 'medium' then 2
+            when 'low' then 1
+            else 0
+          end as risk_rank
+        from zta_test_related_objects related
+        join latest_report latest
+          on latest.id = related.report_id
+        join zta_tests test
+          on test.report_id = related.report_id
+          and test.ordinal = related.test_ordinal
+      ),
+      resolved_related_tests as (
+        select
+          lower(service_principal.id) as principal_id,
+          related_tests.test_ordinal,
+          related_tests.status,
+          related_tests.risk_rank
+        from related_tests
+        join entra_service_principals service_principal
+          on lower(service_principal.id) = related_tests.related_object_id
+        union
+        select
+          lower(service_principal.id) as principal_id,
+          related_tests.test_ordinal,
+          related_tests.status,
+          related_tests.risk_rank
+        from related_tests
+        join entra_applications application
+          on lower(application.id) = related_tests.related_object_id
+        join entra_service_principals service_principal
+          on lower(service_principal.app_id) = lower(application.app_id)
+      )
+      select
+        principal_id as related_object_id,
+        count(*) as remediation_count_all,
+        sum(case when status = 'failed' then 1 else 0 end) as remediation_failed_count,
+        max(risk_rank) as max_risk_rank
+      from resolved_related_tests
+      group by principal_id
+    `
+  );
+  return new Map(
+    rows.map((row) => [
+      row.related_object_id,
+      {
+        ztaRemediationCountAll: Number(row.remediation_count_all),
+        ztaRemediationFailedCount: Number(row.remediation_failed_count),
+        ztaMaxRisk: toRiskLevel(Number(row.max_risk_rank))
+      }
+    ])
+  );
+}
+async function readRows<Row extends Record<string, unknown>>(
+  connection: DuckDBConnection,
+  sql: string,
+  params?: Record<string, DuckDBValue>
+): Promise<Row[]> {
+  const reader = await connection.runAndReadAll(sql, params);
+  return reader.getRowObjectsJson() as Row[];
+}
+type ServicePrincipalRelatedObjectIds = {
+  servicePrincipalId: string;
+  applicationId: string | null;
+  tags: string[];
+};
+async function readServicePrincipalRelatedObjectIds(
+  connection: DuckDBConnection
+): Promise<Map<string, ServicePrincipalRelatedObjectIds>> {
+  const rows = await readRows<{ service_principal_id: string; application_id: string | null; tags: string | null }>(
+    connection,
+    `
+      select
+        lower(service_principal.id) as service_principal_id,
+        application.id as application_id,
+        service_principal.tags
+      from entra_service_principals service_principal
+      left join entra_applications application
+        on lower(application.app_id) = lower(service_principal.app_id)
+    `
+  );
+  const relatedObjectIds = new Map<string, ServicePrincipalRelatedObjectIds>();
+  for (const row of rows) {
+    const value = {
+      servicePrincipalId: row.service_principal_id,
+      applicationId: row.application_id,
+      tags: parseJsonArray<string>(row.tags)
+    };
+    relatedObjectIds.set(row.service_principal_id, value);
+    if (row.application_id) {
+      relatedObjectIds.set(row.application_id.toLowerCase(), value);
+    }
+  }
+  return relatedObjectIds;
+}
+function enrichRelatedObjectsWithServicePrincipalIds(
+  test: ZeroTrustAssessmentTest,
+  servicePrincipalRelatedObjectIds: Map<string, ServicePrincipalRelatedObjectIds>
+): ZeroTrustAssessmentTest {
+  if (!servicePrincipalRelatedObjectIds.size || !test.RelatedObjects?.length) {
+    return test;
+  }
+  const relatedObjects = test.RelatedObjects.map((relatedObject) => {
+    if (!relatedObject || typeof relatedObject !== "object" || Array.isArray(relatedObject)) {
+      return relatedObject;
+    }
+    const ids = resolveRelatedObjectIds(relatedObject, servicePrincipalRelatedObjectIds);
+    return ids === undefined
+      ? relatedObject
+      : {
+          ...relatedObject,
+          servicePrincipalId: ids.servicePrincipalId,
+          tags: ids.tags,
+          applicationId: ids.applicationId
+        };
+  });
+  return {
+    ...test,
+    RelatedObjects: relatedObjects
+  };
+}
+function resolveRelatedObjectIds(
+  relatedObject: ZtaRelatedObject,
+  servicePrincipalRelatedObjectIds: Map<string, ServicePrincipalRelatedObjectIds>
+): ServicePrincipalRelatedObjectIds | undefined {
+  for (const id of [
+    toNullableString(relatedObject.servicePrincipalId),
+    toNullableString(relatedObject.object_id),
+    toNullableString(relatedObject.id),
+    toNullableString(relatedObject.applicationId)
+  ]) {
+    const ids = id ? servicePrincipalRelatedObjectIds.get(id.toLowerCase()) : undefined;
+    if (ids !== undefined) {
+      return ids;
+    }
+  }
+  return undefined;
+}
+function toJsonArray(value: unknown): unknown[] {
+  if (Array.isArray(value)) {
+    return value;
+  }
+  return value == null || value === "" ? [] : [value];
+}
+function parseJsonArray<T>(value: string | null | undefined): T[] {
+  if (!value) {
+    return [];
+  }
+  const parsed = JSON.parse(value) as unknown;
+  return Array.isArray(parsed) ? (parsed as T[]) : [];
+}
+function toNullableString(value: unknown): string | null {
+  return value == null || value === "" ? null : String(value);
+}
+function normalizeZeroTrustAssessmentRiskFields(test: ZeroTrustAssessmentTest): ZeroTrustAssessmentTest {
+  return {
+    ...test,
+    TestImpact: normalizeRiskLevel(test.TestImpact),
+    TestRisk: normalizeRiskLevel(test.TestRisk)
+  };
+}
+function normalizeRiskLevel(value: string | null | undefined): string | null | undefined {
+  if (value == null) {
+    return value;
+  }
+  const normalized = value.trim().toLowerCase();
+  return normalized === "high" || normalized === "medium" || normalized === "low" || normalized === "none"
+    ? normalized
+    : value;
+}
+function getRelatedObjectIds(test: ZeroTrustAssessmentTest): string[] {
+  const ids = new Set<string>();
+  for (const relatedObject of test.RelatedObjects ?? []) {
+    if (!relatedObject || typeof relatedObject !== "object" || Array.isArray(relatedObject)) {
+      continue;
+    }
+    for (const id of [
+      toNullableString(relatedObject.object_id),
+      toNullableString(relatedObject.id),
+      toNullableString(relatedObject.servicePrincipalId),
+      toNullableString(relatedObject.applicationId)
+    ]) {
+      if (id) {
+        ids.add(id);
+      }
+    }
+  }
+  return [...ids];
+}
+function toRiskLevel(rank: number): ZtaRemediationSummary["ztaMaxRisk"] {
+  if (rank >= 3) {
+    return "high";
+  }
+  if (rank === 2) {
+    return "medium";
+  }
+  if (rank === 1) {
+    return "low";
+  }
+  return "none";
+}

package/src/providers/azure/runtime/zta/types.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import type { ZtaReportMeta, ZtaReportTest } from "../../../../core/azure/ztaReport";
+export type ZeroTrustAssessmentReport = ZtaReportMeta & {
+  Tests: ZeroTrustAssessmentTest[];
+};
+export type ZeroTrustAssessmentTest = ZtaReportTest;

package/src/providers/azure/runtime/zta/ztaReportMapper.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { ZtaReport } from "../../../../core/azure/ztaReport";
+import type { ZeroTrustAssessmentReport } from "./types";
+export function toZtaReport(report: ZeroTrustAssessmentReport): ZtaReport {
+  const { Tests, ...Meta } = report;
+  return {
+    Meta,
+    Tests: Tests ?? []
+  };
+}