npm - ownerlens - Versions diffs - 0.1.0 - Mend

ownerlens 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (144) hide show

package/src/components/azure/AzureComponent.tsx ADDED Viewed

@@ -0,0 +1,189 @@
+import { useState } from "react";
+import type { ZtaRelatedObject } from "../../core/azure/ztaReport";
+import type { ColumnFilters } from "../../report/components/reportTableControls";
+import { Tabs, TabsList, TabsTrigger } from "../../report/components/ui/tabs";
+import { AzureRbacComponent } from "./AzureRbacComponent";
+import { ClosableAzureTab } from "./ClosableAzureTab";
+import { EntraPermissionsComponent } from "./EntraPermissionsComponent";
+import { ManagedIdentityComponent } from "./ManagedIdentityComponent";
+import { ResourceGroupComponent } from "./ResourceGroupComponent";
+import { ServicePrincipalComponent } from "./ServicePrincipalComponent";
+import type { AzureRbacPrincipalSelection, EntraPermissionsPrincipalSelection } from "./ServicePrincipalFieldRenderers";
+import { ZtaComponent } from "./ZtaComponent";
+type AzureView =
+  | "servicePrincipals"
+  | "managedIdentities"
+  | "resourceGroups"
+  | "zeroTrustAssessment"
+  | "azureRbac"
+  | "entraPermissions";
+type PrincipalObjectFilter = {
+  objectId: string;
+  view: Extract<AzureView, "servicePrincipals" | "managedIdentities">;
+};
+type AzureRbacTab = AzureRbacPrincipalSelection & {
+  returnView: Extract<AzureView, "servicePrincipals" | "managedIdentities">;
+};
+type EntraPermissionsTab = EntraPermissionsPrincipalSelection & {
+  returnView: Extract<AzureView, "servicePrincipals" | "managedIdentities">;
+};
+export function AzureComponent() {
+  const [activeView, setActiveView] = useState<AzureView>("servicePrincipals");
+  const [azureRbacTab, setAzureRbacTab] = useState<AzureRbacTab | null>(null);
+  const [entraPermissionsTab, setEntraPermissionsTab] = useState<EntraPermissionsTab | null>(null);
+  const [principalObjectFilter, setPrincipalObjectFilter] = useState<PrincipalObjectFilter | null>(null);
+  const [ztaRelatedObjectFilter, setZtaRelatedObjectFilter] = useState<string | null>(null);
+  function openRelatedPrincipal(relatedObject: ZtaRelatedObject) {
+    const objectId = relatedObject.id ?? relatedObject.object_id;
+    if (!objectId) {
+      return;
+    }
+    const view = relatedObject.servicePrincipalType === "ManagedIdentity" ? "managedIdentities" : "servicePrincipals";
+    setPrincipalObjectFilter({ objectId, view });
+    setActiveView(view);
+  }
+  function openZtaRelatedObject(objectId: string) {
+    setZtaRelatedObjectFilter(objectId);
+    setActiveView("zeroTrustAssessment");
+  }
+  function openAzureRbac(
+    principal: AzureRbacPrincipalSelection,
+    returnView: Extract<AzureView, "servicePrincipals" | "managedIdentities">
+  ) {
+    setAzureRbacTab({ ...principal, returnView });
+    setActiveView("azureRbac");
+  }
+  function openEntraPermissions(
+    principal: EntraPermissionsPrincipalSelection,
+    returnView: Extract<AzureView, "servicePrincipals" | "managedIdentities">
+  ) {
+    setEntraPermissionsTab({ ...principal, returnView });
+    setActiveView("entraPermissions");
+  }
+  function closeAzureRbac() {
+    const nextView = azureRbacTab?.returnView ?? "servicePrincipals";
+    setAzureRbacTab(null);
+    if (activeView === "azureRbac") {
+      setActiveView(nextView);
+    }
+  }
+  function closeEntraPermissions() {
+    const nextView = entraPermissionsTab?.returnView ?? "servicePrincipals";
+    setEntraPermissionsTab(null);
+    if (activeView === "entraPermissions") {
+      setActiveView(nextView);
+    }
+  }
+  return (
+    <section className="flex flex-col">
+      <Tabs className="relative z-10 -mb-px gap-0" value={activeView} onValueChange={(value) => setActiveView(value as AzureView)}>
+        <TabsList aria-label="Azure data" className="w-fit max-w-full items-end gap-1 rounded-none bg-transparent p-0 shadow-none">
+          <TabsTrigger className={azureTabTriggerClassName} value="resourceGroups">
+            Resource groups
+          </TabsTrigger>
+          <TabsTrigger className={azureTabTriggerClassName} value="servicePrincipals">
+            Service principals
+          </TabsTrigger>
+          <TabsTrigger className={azureTabTriggerClassName} value="managedIdentities">
+            Managed identities
+          </TabsTrigger>
+          <TabsTrigger className={azureTabTriggerClassName} value="zeroTrustAssessment">
+            Zero Trust Assessment
+          </TabsTrigger>
+          {azureRbacTab ? (
+            <ClosableAzureTab
+              active={activeView === "azureRbac"}
+              closeLabel={`Close ${azureRbacTab.displayName} Azure RBAC tab`}
+              label={azureRbacTab.displayName}
+              onClose={closeAzureRbac}
+              value="azureRbac"
+            />
+          ) : null}
+          {entraPermissionsTab ? (
+            <ClosableAzureTab
+              active={activeView === "entraPermissions"}
+              closeLabel={`Close ${entraPermissionsTab.displayName} Entra permissions tab`}
+              label={`${entraPermissionsTab.displayName} permissions`}
+              onClose={closeEntraPermissions}
+              value="entraPermissions"
+            />
+          ) : null}
+        </TabsList>
+      </Tabs>
+      <div className="relative z-0">
+        {activeView === "resourceGroups" ? <ResourceGroupComponent /> : null}
+        {activeView === "servicePrincipals" ? (
+          <ServicePrincipalComponent
+            initialFilters={getPrincipalObjectFilters(principalObjectFilter, "servicePrincipals")}
+            onAzureRbacClick={(principal) => openAzureRbac(principal, "servicePrincipals")}
+            onEntraPermissionsClick={(principal) => openEntraPermissions(principal, "servicePrincipals")}
+            onZtaRemediationsClick={openZtaRelatedObject}
+          />
+        ) : null}
+        {activeView === "managedIdentities" ? (
+          <ManagedIdentityComponent
+            initialFilters={getPrincipalObjectFilters(principalObjectFilter, "managedIdentities")}
+            onAzureRbacClick={(principal) => openAzureRbac(principal, "managedIdentities")}
+            onEntraPermissionsClick={(principal) => openEntraPermissions(principal, "managedIdentities")}
+            onZtaRemediationsClick={openZtaRelatedObject}
+          />
+        ) : null}
+        {activeView === "zeroTrustAssessment" ? (
+          <ZtaComponent initialFilters={getZtaRelatedObjectFilters(ztaRelatedObjectFilter)} onRelatedObjectClick={openRelatedPrincipal} />
+        ) : null}
+        {activeView === "azureRbac" && azureRbacTab ? (
+          <AzureRbacComponent key={azureRbacTab.objectId} servicePrincipalId={azureRbacTab.objectId} />
+        ) : null}
+        {activeView === "entraPermissions" && entraPermissionsTab ? (
+          <EntraPermissionsComponent key={entraPermissionsTab.objectId} principalId={entraPermissionsTab.objectId} />
+        ) : null}
+      </div>
+    </section>
+  );
+}
+const azureTabTriggerClassName =
+  "rounded-b-none border border-transparent border-b-border bg-muted/70 shadow-none hover:bg-muted data-[state=active]:border-border data-[state=active]:border-b-card data-[state=active]:bg-card data-[state=active]:shadow-none";
+function getZtaRelatedObjectFilters(objectId: string | null): ColumnFilters | undefined {
+  if (!objectId) {
+    return undefined;
+  }
+  return {
+    RelatedObjects: {
+      type: "text",
+      value: objectId
+    }
+  };
+}
+function getPrincipalObjectFilters(
+  principalObjectFilter: PrincipalObjectFilter | null,
+  view: PrincipalObjectFilter["view"]
+): ColumnFilters | undefined {
+  if (!principalObjectFilter || principalObjectFilter.view !== view) {
+    return undefined;
+  }
+  return {
+    id: {
+      type: "text",
+      value: principalObjectFilter.objectId
+    }
+  };
+}

package/src/components/azure/AzureRbacComponent.tsx ADDED Viewed

@@ -0,0 +1,104 @@
+import { useCallback } from "react";
+import type { AzureRbac } from "../../core/azure/azureRbac";
+import { GenericTable } from "../../report/components/GenericTable";
+import type { ColumnFilters } from "../../report/components/reportTableControls";
+import type { ReportFieldDescriptor } from "../../report/reportTypes";
+import type { PermissionRiskLevel } from "../../core/risk/types";
+import { readAzureRbac } from "./api";
+const permissionRiskLevelOptions: PermissionRiskLevel[] = ["high", "medium", "low", "none"];
+const azureScopeTypeOptions = ["ManagementGroup", "Subscription", "ResourceGroup", "Resource", "Unknown"];
+const azurePrincipalTypeOptions = ["User", "Group", "ServicePrincipal", "ForeignGroup", "Device", "ManagedIdentity"];
+const azureRbacFields: ReportFieldDescriptor<AzureRbac>[] = [
+  {
+    id: "accessDisplayName",
+    label: "Access",
+    valueType: "text",
+    getValue: (assignment) => assignment.accessDisplayName,
+    filter: { kind: "text" }
+  },
+  {
+    id: "accessRisk",
+    label: "Risk",
+    valueType: "riskLevel",
+    getValue: (assignment) => assignment.accessRisk,
+    filter: { kind: "multiSelect", options: permissionRiskLevelOptions }
+  },
+  {
+    id: "roleDefinitionName",
+    label: "Role",
+    valueType: "text",
+    getValue: (assignment) => assignment.roleDefinitionName,
+    filter: { kind: "text" }
+  },
+  {
+    id: "accessScopeType",
+    label: "Scope type",
+    valueType: "text",
+    getValue: (assignment) => assignment.accessScopeType,
+    filter: { kind: "multiSelect", options: azureScopeTypeOptions }
+  },
+  {
+    id: "subscriptionName",
+    label: "Subscription",
+    valueType: "text",
+    getValue: (assignment) => assignment.subscriptionName,
+    filter: { kind: "text" }
+  },
+  {
+    id: "accessResourceGroup",
+    label: "Resource group",
+    valueType: "text",
+    getValue: (assignment) => assignment.accessResourceGroup,
+    filter: { kind: "text" }
+  },
+  {
+    id: "scopeResourceName",
+    label: "Resource",
+    valueType: "text",
+    getValue: (assignment) => assignment.scopeResourceName,
+    filter: { kind: "text" }
+  },
+  {
+    id: "principalType",
+    label: "Principal type",
+    valueType: "text",
+    getValue: (assignment) => assignment.principalType,
+    filter: { kind: "multiSelect", options: azurePrincipalTypeOptions }
+  },
+  {
+    id: "scope",
+    label: "Scope",
+    valueType: "text",
+    getValue: (assignment) => assignment.scope,
+    filter: { kind: "text" }
+  },
+  {
+    id: "roleAssignmentId",
+    label: "Assignment ID",
+    valueType: "text",
+    getValue: (assignment) => assignment.roleAssignmentId,
+    filter: { kind: "text" }
+  }
+];
+export function AzureRbacComponent({ servicePrincipalId }: { servicePrincipalId: string }) {
+  const loadPage = useCallback(
+    ({ filters, page, signal }: { filters: ColumnFilters; page: number; signal: AbortSignal }) =>
+      readAzureRbac({ filters, page, servicePrincipalId, signal }),
+    [servicePrincipalId]
+  );
+  return (
+    <GenericTable
+      emptyMessage="No Azure RBAC assignments match the filter."
+      fields={azureRbacFields}
+      getRowKey={(row) => row.roleAssignmentId ?? `${row.servicePrincipalId}:${row.scope}:${row.roleDefinitionId ?? row.roleDefinitionName ?? ""}`}
+      loadPage={loadPage}
+      loadingMessage="Loading Azure RBAC assignments..."
+      minWidthClassName="min-w-[2200px]"
+    />
+  );
+}

package/src/components/azure/ClosableAzureTab.tsx ADDED Viewed

@@ -0,0 +1,42 @@
+import { X } from "lucide-react";
+import { cn } from "../../lib/utils";
+import { TabsTrigger } from "../../report/components/ui/tabs";
+type ClosableAzureTabProps = {
+  active: boolean;
+  closeLabel: string;
+  label: string;
+  onClose: () => void;
+  value: "azureRbac" | "entraPermissions";
+};
+export function ClosableAzureTab({ active, closeLabel, label, onClose, value }: ClosableAzureTabProps) {
+  return (
+    <span
+      className={cn(
+        "inline-flex min-h-8 max-w-full items-center overflow-hidden rounded-t-sm rounded-b-none border border-transparent border-b-border bg-muted/70 transition-colors hover:bg-muted",
+        active && "border-border border-b-card bg-card"
+      )}
+    >
+      <TabsTrigger
+        className="min-w-0 max-w-64 flex-1 justify-start overflow-hidden rounded-r-none border-0 bg-transparent pr-2 shadow-none data-[state=active]:bg-transparent data-[state=active]:shadow-none"
+        value={value}
+      >
+        <span className="truncate">{label}</span>
+      </TabsTrigger>
+      <button
+        aria-label={closeLabel}
+        className={cn(
+          "mr-1 inline-flex h-6 w-6 shrink-0 items-center justify-center rounded-sm text-muted-foreground transition-colors hover:bg-secondary hover:text-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring",
+          active && "text-foreground"
+        )}
+        title={closeLabel}
+        type="button"
+        onClick={onClose}
+      >
+        <X aria-hidden="true" className="h-3.5 w-3.5" />
+      </button>
+    </span>
+  );
+}

package/src/components/azure/EntraPermissionsComponent.tsx ADDED Viewed

@@ -0,0 +1,194 @@
+import { useEffect, useMemo, useState } from "react";
+import { GenericTable } from "../../report/components/GenericTable";
+import type { ReportFieldDescriptor } from "../../report/reportTypes";
+import type { PermissionRiskLevel } from "../../core/risk/types";
+import { readEntraPermissions, type EntraPrincipalPermissionsResponse } from "./api";
+type EntraPermissionRow = {
+  id: string;
+  permissionType: "OAuth2 permission grant" | "App role assignment";
+  resourceDisplayName: string | null;
+  resourceId: string;
+  permissionDisplayName: string | null;
+  permissionValue: string;
+  consentType: string | null;
+  risk: PermissionRiskLevel | null;
+  principalDisplayName: string | null;
+  principalId: string | null;
+};
+type LoadState =
+  | {
+      status: "loading";
+    }
+  | {
+      status: "ready";
+    }
+  | {
+      status: "error";
+      message: string;
+    };
+const permissionTypeOptions: EntraPermissionRow["permissionType"][] = ["OAuth2 permission grant", "App role assignment"];
+const consentTypeOptions = ["AllPrincipals", "Principal"];
+const permissionRiskLevelOptions: PermissionRiskLevel[] = ["high", "medium", "low", "none"];
+const entraPermissionFields: ReportFieldDescriptor<EntraPermissionRow>[] = [
+  {
+    id: "permissionType",
+    label: "Type",
+    valueType: "text",
+    getValue: (permission) => permission.permissionType,
+    filter: { kind: "multiSelect", options: permissionTypeOptions }
+  },
+  {
+    id: "permissionDisplayName",
+    label: "Permission",
+    valueType: "text",
+    getValue: (permission) => permission.permissionDisplayName,
+    filter: { kind: "text" }
+  },
+  {
+    id: "permissionValue",
+    label: "Value",
+    valueType: "text",
+    getValue: (permission) => permission.permissionValue,
+    filter: { kind: "text" }
+  },
+  {
+    id: "resourceDisplayName",
+    label: "Resource",
+    valueType: "text",
+    getValue: (permission) => permission.resourceDisplayName,
+    filter: { kind: "text" }
+  },
+  {
+    id: "resourceId",
+    label: "Resource ID",
+    valueType: "text",
+    getValue: (permission) => permission.resourceId,
+    filter: { kind: "text" }
+  },
+  {
+    id: "consentType",
+    label: "Consent",
+    valueType: "text",
+    getValue: (permission) => permission.consentType,
+    filter: { kind: "multiSelect", options: consentTypeOptions }
+  },
+  {
+    id: "risk",
+    label: "Risk",
+    valueType: "riskLevel",
+    getValue: (permission) => permission.risk,
+    filter: { kind: "multiSelect", options: permissionRiskLevelOptions }
+  },
+  {
+    id: "principalDisplayName",
+    label: "Principal",
+    valueType: "text",
+    getValue: (permission) => permission.principalDisplayName,
+    filter: { kind: "text" }
+  },
+  {
+    id: "principalId",
+    label: "Principal ID",
+    valueType: "text",
+    getValue: (permission) => permission.principalId,
+    filter: { kind: "text" }
+  },
+  {
+    id: "id",
+    label: "Assignment ID",
+    valueType: "text",
+    getValue: (permission) => permission.id,
+    filter: { kind: "text" }
+  }
+];
+export function EntraPermissionsComponent({ principalId }: { principalId: string }) {
+  const [permissions, setPermissions] = useState<EntraPrincipalPermissionsResponse | null>(null);
+  const [loadState, setLoadState] = useState<LoadState>({ status: "loading" });
+  useEffect(() => {
+    const controller = new AbortController();
+    async function loadPermissions() {
+      setLoadState({ status: "loading" });
+      try {
+        setPermissions(await readEntraPermissions({ principalId, signal: controller.signal }));
+        setLoadState({ status: "ready" });
+      } catch (error) {
+        if (error instanceof DOMException && error.name === "AbortError") {
+          return;
+        }
+        setPermissions(null);
+        setLoadState({
+          status: "error",
+          message: error instanceof Error ? error.message : "Could not load Entra permissions."
+        });
+      }
+    }
+    loadPermissions();
+    return () => controller.abort();
+  }, [principalId]);
+  const rows = useMemo(() => (permissions ? mapPermissionsToRows(permissions) : []), [permissions]);
+  if (!permissions && loadState.status === "loading") {
+    return <div className="rounded-md border bg-card p-4 text-sm text-muted-foreground">Loading Entra permissions...</div>;
+  }
+  if (!permissions && loadState.status === "error") {
+    return <div className="rounded-md border border-destructive/40 bg-card p-4 text-sm text-destructive">{loadState.message}</div>;
+  }
+  return (
+    <>
+      {loadState.status === "error" ? (
+        <div className="rounded-md border border-destructive/40 bg-card p-4 text-sm text-destructive">{loadState.message}</div>
+      ) : null}
+      <GenericTable
+        emptyMessage="No Entra permissions match the filter."
+        fields={entraPermissionFields}
+        getRowKey={(row) => `${row.permissionType}:${row.id}`}
+        minWidthClassName="min-w-[1800px]"
+        rows={rows}
+      />
+    </>
+  );
+}
+function mapPermissionsToRows(permissions: EntraPrincipalPermissionsResponse): EntraPermissionRow[] {
+  return [
+    ...permissions.oauth2PermissionGrants.map((grant) => ({
+      id: grant.id,
+      permissionType: "OAuth2 permission grant" as const,
+      resourceDisplayName: null,
+      resourceId: grant.resourceId,
+      permissionDisplayName: null,
+      permissionValue: grant.scope,
+      consentType: grant.consentType,
+      risk: grant.risk,
+      principalDisplayName: null,
+      principalId: grant.principalId
+    })),
+    ...permissions.appRoleAssignments.map((assignment) => ({
+      id: assignment.id,
+      permissionType: "App role assignment" as const,
+      resourceDisplayName: assignment.resourceDisplayName,
+      resourceId: assignment.resourceId,
+      permissionDisplayName: assignment.appRoleDisplayName,
+      permissionValue: assignment.appRoleValue ?? assignment.appRoleId,
+      consentType: null,
+      risk: null,
+      principalDisplayName: assignment.principalDisplayName,
+      principalId: assignment.principalId
+    }))
+  ];
+}