PyPI - cartography - Versions diffs - 0.102.0rc2__py3-none-any.whl → 0.103.0__py3-none-any.whl - Mend

cartography 0.102.0rc2py3-none-any.whl → 0.103.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of cartography might be problematic. Click here for more details.

Files changed (297) hide show

cartography/__main__.py +1 -2
cartography/_version.py +2 -2
cartography/cli.py +376 -249
cartography/client/core/tx.py +39 -18
cartography/config.py +28 -0
cartography/driftdetect/__main__.py +1 -2
cartography/driftdetect/add_shortcut.py +10 -2
cartography/driftdetect/cli.py +71 -75
cartography/driftdetect/detect_deviations.py +7 -3
cartography/driftdetect/get_states.py +20 -8
cartography/driftdetect/model.py +5 -5
cartography/driftdetect/serializers.py +8 -6
cartography/driftdetect/storage.py +2 -2
cartography/graph/cleanupbuilder.py +35 -15
cartography/graph/job.py +46 -17
cartography/graph/querybuilder.py +165 -80
cartography/graph/statement.py +35 -26
cartography/intel/analysis.py +4 -1
cartography/intel/aws/__init__.py +114 -55
cartography/intel/aws/apigateway.py +134 -63
cartography/intel/aws/cloudtrail.py +127 -0
cartography/intel/aws/cloudwatch.py +93 -0
cartography/intel/aws/config.py +56 -20
cartography/intel/aws/dynamodb.py +108 -40
cartography/intel/aws/ec2/__init__.py +2 -2
cartography/intel/aws/ec2/auto_scaling_groups.py +181 -78
cartography/intel/aws/ec2/elastic_ip_addresses.py +41 -13
cartography/intel/aws/ec2/images.py +49 -20
cartography/intel/aws/ec2/instances.py +234 -136
cartography/intel/aws/ec2/internet_gateways.py +40 -11
cartography/intel/aws/ec2/key_pairs.py +44 -20
cartography/intel/aws/ec2/launch_templates.py +101 -59
cartography/intel/aws/ec2/load_balancer_v2s.py +104 -39
cartography/intel/aws/ec2/load_balancers.py +82 -42
cartography/intel/aws/ec2/network_acls.py +89 -65
cartography/intel/aws/ec2/network_interfaces.py +146 -87
cartography/intel/aws/ec2/reserved_instances.py +45 -16
cartography/intel/aws/ec2/route_tables.py +138 -98
cartography/intel/aws/ec2/security_groups.py +71 -21
cartography/intel/aws/ec2/snapshots.py +61 -22
cartography/intel/aws/ec2/subnets.py +54 -18
cartography/intel/aws/ec2/tgw.py +100 -34
cartography/intel/aws/ec2/util.py +1 -1
cartography/intel/aws/ec2/volumes.py +69 -41
cartography/intel/aws/ec2/vpc.py +37 -12
cartography/intel/aws/ec2/vpc_peerings.py +83 -24
cartography/intel/aws/ecr.py +88 -32
cartography/intel/aws/ecs.py +83 -47
cartography/intel/aws/efs.py +93 -0
cartography/intel/aws/eks.py +55 -29
cartography/intel/aws/elasticache.py +42 -18
cartography/intel/aws/elasticsearch.py +57 -20
cartography/intel/aws/emr.py +61 -23
cartography/intel/aws/iam.py +401 -145
cartography/intel/aws/iam_instance_profiles.py +22 -22
cartography/intel/aws/identitycenter.py +71 -37
cartography/intel/aws/inspector.py +159 -89
cartography/intel/aws/kms.py +92 -38
cartography/intel/aws/lambda_function.py +103 -34
cartography/intel/aws/organizations.py +30 -10
cartography/intel/aws/permission_relationships.py +133 -51
cartography/intel/aws/rds.py +249 -85
cartography/intel/aws/redshift.py +107 -46
cartography/intel/aws/resourcegroupstaggingapi.py +120 -66
cartography/intel/aws/resources.py +57 -46
cartography/intel/aws/route53.py +108 -61
cartography/intel/aws/s3.py +168 -83
cartography/intel/aws/s3accountpublicaccessblock.py +157 -0
cartography/intel/aws/secretsmanager.py +24 -12
cartography/intel/aws/securityhub.py +20 -9
cartography/intel/aws/sns.py +166 -0
cartography/intel/aws/sqs.py +60 -28
cartography/intel/aws/ssm.py +70 -30
cartography/intel/aws/util/arns.py +7 -7
cartography/intel/aws/util/common.py +31 -4
cartography/intel/azure/__init__.py +78 -19
cartography/intel/azure/compute.py +101 -27
cartography/intel/azure/cosmosdb.py +496 -170
cartography/intel/azure/sql.py +296 -105
cartography/intel/azure/storage.py +322 -113
cartography/intel/azure/subscription.py +39 -23
cartography/intel/azure/tenant.py +13 -4
cartography/intel/azure/util/credentials.py +95 -55
cartography/intel/bigfix/__init__.py +2 -2
cartography/intel/bigfix/computers.py +93 -65
cartography/intel/cloudflare/__init__.py +74 -0
cartography/intel/cloudflare/accounts.py +57 -0
cartography/intel/cloudflare/dnsrecords.py +64 -0
cartography/intel/cloudflare/members.py +75 -0
cartography/intel/cloudflare/roles.py +65 -0
cartography/intel/cloudflare/zones.py +64 -0
cartography/intel/create_indexes.py +3 -2
cartography/intel/crowdstrike/__init__.py +11 -9
cartography/intel/crowdstrike/endpoints.py +5 -1
cartography/intel/crowdstrike/spotlight.py +8 -3
cartography/intel/cve/__init__.py +46 -13
cartography/intel/cve/feed.py +48 -12
cartography/intel/digitalocean/__init__.py +22 -13
cartography/intel/digitalocean/compute.py +75 -108
cartography/intel/digitalocean/management.py +44 -80
cartography/intel/digitalocean/platform.py +48 -43
cartography/intel/dns.py +36 -10
cartography/intel/duo/__init__.py +21 -16
cartography/intel/duo/api_host.py +14 -9
cartography/intel/duo/endpoints.py +50 -45
cartography/intel/duo/groups.py +18 -14
cartography/intel/duo/phones.py +37 -34
cartography/intel/duo/tokens.py +26 -23
cartography/intel/duo/users.py +54 -50
cartography/intel/duo/web_authn_credentials.py +30 -25
cartography/intel/entra/__init__.py +25 -7
cartography/intel/entra/ou.py +112 -0
cartography/intel/entra/users.py +69 -63
cartography/intel/gcp/__init__.py +185 -49
cartography/intel/gcp/compute.py +418 -231
cartography/intel/gcp/crm.py +96 -43
cartography/intel/gcp/dns.py +60 -19
cartography/intel/gcp/gke.py +72 -38
cartography/intel/gcp/iam.py +61 -41
cartography/intel/gcp/storage.py +84 -55
cartography/intel/github/__init__.py +13 -11
cartography/intel/github/repos.py +270 -137
cartography/intel/github/teams.py +170 -88
cartography/intel/github/users.py +70 -39
cartography/intel/github/util.py +36 -34
cartography/intel/gsuite/__init__.py +47 -26
cartography/intel/gsuite/api.py +73 -30
cartography/intel/jamf/__init__.py +19 -1
cartography/intel/jamf/computers.py +30 -7
cartography/intel/jamf/util.py +7 -2
cartography/intel/kandji/__init__.py +6 -3
cartography/intel/kandji/devices.py +14 -8
cartography/intel/kubernetes/namespaces.py +7 -4
cartography/intel/kubernetes/pods.py +7 -4
cartography/intel/kubernetes/services.py +8 -4
cartography/intel/lastpass/__init__.py +2 -2
cartography/intel/lastpass/users.py +23 -12
cartography/intel/oci/__init__.py +44 -11
cartography/intel/oci/iam.py +134 -38
cartography/intel/oci/organizations.py +13 -6
cartography/intel/oci/utils.py +43 -20
cartography/intel/okta/__init__.py +66 -15
cartography/intel/okta/applications.py +42 -20
cartography/intel/okta/awssaml.py +93 -33
cartography/intel/okta/factors.py +16 -4
cartography/intel/okta/groups.py +56 -29
cartography/intel/okta/organization.py +5 -1
cartography/intel/okta/origins.py +6 -2
cartography/intel/okta/roles.py +15 -5
cartography/intel/okta/users.py +20 -8
cartography/intel/okta/utils.py +6 -4
cartography/intel/openai/__init__.py +86 -0
cartography/intel/openai/adminapikeys.py +90 -0
cartography/intel/openai/apikeys.py +96 -0
cartography/intel/openai/projects.py +94 -0
cartography/intel/openai/serviceaccounts.py +82 -0
cartography/intel/openai/users.py +78 -0
cartography/intel/openai/util.py +29 -0
cartography/intel/pagerduty/__init__.py +8 -7
cartography/intel/pagerduty/escalation_policies.py +18 -6
cartography/intel/pagerduty/schedules.py +12 -4
cartography/intel/pagerduty/services.py +11 -4
cartography/intel/pagerduty/teams.py +8 -3
cartography/intel/pagerduty/users.py +3 -1
cartography/intel/pagerduty/vendors.py +3 -1
cartography/intel/semgrep/__init__.py +24 -6
cartography/intel/semgrep/dependencies.py +50 -28
cartography/intel/semgrep/deployment.py +3 -1
cartography/intel/semgrep/findings.py +42 -18
cartography/intel/snipeit/__init__.py +17 -3
cartography/intel/snipeit/asset.py +12 -6
cartography/intel/snipeit/user.py +8 -5
cartography/intel/snipeit/util.py +9 -4
cartography/intel/tailscale/__init__.py +77 -0
cartography/intel/tailscale/acls.py +146 -0
cartography/intel/tailscale/devices.py +127 -0
cartography/intel/tailscale/postureintegrations.py +81 -0
cartography/intel/tailscale/tailnets.py +76 -0
cartography/intel/tailscale/users.py +80 -0
cartography/intel/tailscale/utils.py +132 -0
cartography/models/aws/apigateway.py +21 -17
cartography/models/aws/apigatewaycertificate.py +28 -22
cartography/models/aws/apigatewayresource.py +28 -20
cartography/models/aws/apigatewaystage.py +33 -25
cartography/models/aws/cloudtrail/__init__.py +0 -0
cartography/models/aws/cloudtrail/trail.py +61 -0
cartography/models/aws/cloudwatch/__init__.py +0 -0
cartography/models/aws/cloudwatch/loggroup.py +52 -0
cartography/models/aws/dynamodb/gsi.py +30 -22
cartography/models/aws/dynamodb/tables.py +25 -17
cartography/models/aws/ec2/auto_scaling_groups.py +102 -82
cartography/models/aws/ec2/images.py +36 -34
cartography/models/aws/ec2/instances.py +51 -45
cartography/models/aws/ec2/keypair.py +21 -16
cartography/models/aws/ec2/keypair_instance.py +28 -21
cartography/models/aws/ec2/launch_configurations.py +30 -26
cartography/models/aws/ec2/launch_template_versions.py +48 -38
cartography/models/aws/ec2/launch_templates.py +21 -17
cartography/models/aws/ec2/load_balancer_listeners.py +27 -23
cartography/models/aws/ec2/load_balancers.py +47 -37
cartography/models/aws/ec2/network_acl_rules.py +38 -30
cartography/models/aws/ec2/network_acls.py +38 -29
cartography/models/aws/ec2/networkinterface_instance.py +52 -39
cartography/models/aws/ec2/networkinterfaces.py +53 -37
cartography/models/aws/ec2/privateip_networkinterface.py +32 -22
cartography/models/aws/ec2/reservations.py +18 -14
cartography/models/aws/ec2/route_table_associations.py +44 -34
cartography/models/aws/ec2/route_tables.py +50 -43
cartography/models/aws/ec2/routes.py +45 -37
cartography/models/aws/ec2/securitygroup_instance.py +29 -20
cartography/models/aws/ec2/securitygroup_networkinterface.py +24 -15
cartography/models/aws/ec2/subnet_instance.py +24 -19
cartography/models/aws/ec2/subnet_networkinterface.py +40 -31
cartography/models/aws/ec2/volumes.py +47 -40
cartography/models/aws/efs/__init__.py +0 -0
cartography/models/aws/efs/mount_target.py +52 -0
cartography/models/aws/eks/clusters.py +23 -21
cartography/models/aws/emr.py +32 -30
cartography/models/aws/iam/instanceprofile.py +33 -24
cartography/models/aws/identitycenter/awsidentitycenter.py +18 -14
cartography/models/aws/identitycenter/awspermissionset.py +37 -29
cartography/models/aws/identitycenter/awsssouser.py +23 -21
cartography/models/aws/inspector/findings.py +77 -65
cartography/models/aws/inspector/packages.py +35 -29
cartography/models/aws/s3/__init__.py +0 -0
cartography/models/aws/s3/account_public_access_block.py +51 -0
cartography/models/aws/sns/__init__.py +0 -0
cartography/models/aws/sns/topic.py +50 -0
cartography/models/aws/ssm/instance_information.py +51 -39
cartography/models/aws/ssm/instance_patch.py +32 -26
cartography/models/bigfix/bigfix_computer.py +42 -38
cartography/models/bigfix/bigfix_root.py +3 -3
cartography/models/cloudflare/__init__.py +0 -0
cartography/models/cloudflare/account.py +25 -0
cartography/models/cloudflare/dnsrecord.py +55 -0
cartography/models/cloudflare/member.py +82 -0
cartography/models/cloudflare/role.py +44 -0
cartography/models/cloudflare/zone.py +59 -0
cartography/models/core/common.py +12 -10
cartography/models/core/nodes.py +5 -2
cartography/models/core/relationships.py +14 -6
cartography/models/crowdstrike/hosts.py +37 -35
cartography/models/cve/cve.py +34 -32
cartography/models/cve/cve_feed.py +6 -6
cartography/models/digitalocean/__init__.py +0 -0
cartography/models/digitalocean/account.py +21 -0
cartography/models/digitalocean/droplet.py +56 -0
cartography/models/digitalocean/project.py +48 -0
cartography/models/duo/api_host.py +3 -3
cartography/models/duo/endpoint.py +43 -41
cartography/models/duo/group.py +14 -14
cartography/models/duo/phone.py +27 -27
cartography/models/duo/token.py +16 -16
cartography/models/duo/user.py +46 -44
cartography/models/duo/web_authn_credential.py +27 -19
cartography/models/entra/ou.py +48 -0
cartography/models/entra/tenant.py +24 -18
cartography/models/entra/user.py +64 -48
cartography/models/gcp/iam.py +23 -23
cartography/models/github/orgs.py +5 -4
cartography/models/github/teams.py +37 -31
cartography/models/github/users.py +34 -23
cartography/models/kandji/device.py +22 -16
cartography/models/kandji/tenant.py +6 -4
cartography/models/lastpass/tenant.py +3 -3
cartography/models/lastpass/user.py +32 -28
cartography/models/openai/__init__.py +0 -0
cartography/models/openai/adminapikey.py +90 -0
cartography/models/openai/apikey.py +84 -0
cartography/models/openai/organization.py +17 -0
cartography/models/openai/project.py +70 -0
cartography/models/openai/serviceaccount.py +50 -0
cartography/models/openai/user.py +49 -0
cartography/models/semgrep/dependencies.py +36 -24
cartography/models/semgrep/deployment.py +5 -5
cartography/models/semgrep/findings.py +58 -42
cartography/models/semgrep/locations.py +27 -21
cartography/models/snipeit/asset.py +30 -21
cartography/models/snipeit/tenant.py +6 -4
cartography/models/snipeit/user.py +19 -12
cartography/models/tailscale/__init__.py +0 -0
cartography/models/tailscale/device.py +95 -0
cartography/models/tailscale/group.py +86 -0
cartography/models/tailscale/postureintegration.py +58 -0
cartography/models/tailscale/tag.py +102 -0
cartography/models/tailscale/tailnet.py +29 -0
cartography/models/tailscale/user.py +52 -0
cartography/stats.py +3 -3
cartography/sync.py +113 -31
cartography/util.py +84 -62
{cartography-0.102.0rc2.dist-info → cartography-0.103.0.dist-info}/METADATA +8 -15
cartography-0.103.0.dist-info/RECORD +442 -0
{cartography-0.102.0rc2.dist-info → cartography-0.103.0.dist-info}/WHEEL +1 -1
cartography-0.102.0rc2.dist-info/RECORD +0 -381
{cartography-0.102.0rc2.dist-info → cartography-0.103.0.dist-info}/entry_points.txt +0 -0
{cartography-0.102.0rc2.dist-info → cartography-0.103.0.dist-info}/licenses/LICENSE +0 -0
{cartography-0.102.0rc2.dist-info → cartography-0.103.0.dist-info}/top_level.txt +0 -0

cartography/intel/aws/apigateway.py CHANGED Viewed

@@ -15,7 +15,9 @@ from policyuniverse.policy import Policy
 from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
 from cartography.models.aws.apigateway import APIGatewayRestAPISchema
-from cartography.models.aws.apigatewaycertificate import APIGatewayClientCertificateSchema
+from cartography.models.aws.apigatewaycertificate import (
+    APIGatewayClientCertificateSchema,
+)
 from cartography.models.aws.apigatewayresource import APIGatewayResourceSchema
 from cartography.models.aws.apigatewaystage import APIGatewayStageSchema
 from cartography.util import aws_handle_regions
@@ -26,24 +28,29 @@ logger = logging.getLogger(__name__)
 @timeit
 @aws_handle_regions
-def get_apigateway_rest_apis(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
-    client = boto3_session.client('apigateway', region_name=region)
-    paginator = client.get_paginator('get_rest_apis')
+def get_apigateway_rest_apis(
+    boto3_session: boto3.session.Session,
+    region: str,
+) -> List[Dict]:
+    client = boto3_session.client("apigateway", region_name=region)
+    paginator = client.get_paginator("get_rest_apis")
     apis: List[Any] = []
     for page in paginator.paginate():
-        apis.extend(page['items'])
+        apis.extend(page["items"])
     return apis
 @timeit
 @aws_handle_regions
 def get_rest_api_details(
-        boto3_session: boto3.session.Session, rest_apis: List[Dict], region: str,
+    boto3_session: boto3.session.Session,
+    rest_apis: List[Dict],
+    region: str,
 ) -> List[Tuple[Any, Any, Any, Any, Any]]:
     """
     Iterates over all API Gateway REST APIs.
     """
-    client = boto3_session.client('apigateway', region_name=region)
+    client = boto3_session.client("apigateway", region_name=region)
     apis = []
     for api in rest_apis:
         stages = get_rest_api_stages(api, client)
@@ -51,7 +58,7 @@ def get_rest_api_details(
         certificate = get_rest_api_client_certificate(stages, client)
         resources = get_rest_api_resources(api, client)
         policy = get_rest_api_policy(api, client)
-        apis.append((api['id'], stages, certificate, resources, policy))
+        apis.append((api["id"], stages, certificate, resources, policy))
     return apis
@@ -61,27 +68,34 @@ def get_rest_api_stages(api: Dict, client: botocore.client.BaseClient) -> Any:
     Gets the REST API Stage Resources.
     """
     try:
-        stages = client.get_stages(restApiId=api['id'])
+        stages = client.get_stages(restApiId=api["id"])
     except ClientError as e:
         logger.warning(f'Failed to retrieve Stages for Api Id - {api["id"]} - {e}')
         raise
-    return stages['item']
+    return stages["item"]
 @timeit
-def get_rest_api_client_certificate(stages: Dict, client: botocore.client.BaseClient) -> Optional[Any]:
+def get_rest_api_client_certificate(
+    stages: Dict,
+    client: botocore.client.BaseClient,
+) -> Optional[Any]:
     """
     Gets the current ClientCertificate resource if present, else returns None.
     """
     response = None
     for stage in stages:
-        if 'clientCertificateId' in stage:
+        if "clientCertificateId" in stage:
             try:
-                response = client.get_client_certificate(clientCertificateId=stage['clientCertificateId'])
-                response['stageName'] = stage['stageName']
+                response = client.get_client_certificate(
+                    clientCertificateId=stage["clientCertificateId"],
+                )
+                response["stageName"] = stage["stageName"]
             except ClientError as e:
-                logger.warning(f"Failed to retrive Client Certificate for Stage {stage['stageName']} - {e}")
+                logger.warning(
+                    f"Failed to retrieve Client Certificate for Stage {stage['stageName']} - {e}",
+                )
                 raise
         else:
             return []
@@ -95,10 +109,10 @@ def get_rest_api_resources(api: Dict, client: botocore.client.BaseClient) -> Lis
     Gets the collection of Resource resources.
     """
     resources: List[Any] = []
-    paginator = client.get_paginator('get_resources')
-    response_iterator = paginator.paginate(restApiId=api['id'])
+    paginator = client.get_paginator("get_resources")
+    response_iterator = paginator.paginate(restApiId=api["id"])
     for page in response_iterator:
-        resources.extend(page['items'])
+        resources.extend(page["items"])
     return resources
@@ -108,34 +122,35 @@ def get_rest_api_policy(api: Dict, client: botocore.client.BaseClient) -> Any:
     """
     Gets the REST API policy. Returns policy string or None if no policy is present.
     """
-    policy = api['policy'] if 'policy' in api and api['policy'] else None
+    policy = api["policy"] if "policy" in api and api["policy"] else None
     return policy
 def transform_apigateway_rest_apis(
-    rest_apis: List[Dict], resource_policies: List[Dict], region: str, current_aws_account_id: str, aws_update_tag: int,
+    rest_apis: List[Dict],
+    resource_policies: List[Dict],
+    region: str,
+    current_aws_account_id: str,
+    aws_update_tag: int,
 ) -> List[Dict]:
     """
     Transform API Gateway REST API data for ingestion, including policy analysis
     """
     # Create a mapping of api_id to policy data for easier lookup
-    policy_map = {
-        policy['api_id']: policy
-        for policy in resource_policies
-    }
+    policy_map = {policy["api_id"]: policy for policy in resource_policies}
     transformed_apis = []
     for api in rest_apis:
-        policy_data = policy_map.get(api['id'], {})
+        policy_data = policy_map.get(api["id"], {})
         transformed_api = {
-            'id': api['id'],
-            'createdDate': str(api['createdDate']) if 'createdDate' in api else None,
-            'version': api.get('version'),
-            'minimumCompressionSize': api.get('minimumCompressionSize'),
-            'disableExecuteApiEndpoint': api.get('disableExecuteApiEndpoint'),
+            "id": api["id"],
+            "createdDate": str(api["createdDate"]) if "createdDate" in api else None,
+            "version": api.get("version"),
+            "minimumCompressionSize": api.get("minimumCompressionSize"),
+            "disableExecuteApiEndpoint": api.get("disableExecuteApiEndpoint"),
             # Set defaults in the transform function
-            'anonymous_access': policy_data.get('internet_accessible', False),
-            'anonymous_actions': policy_data.get('accessible_actions', []),
+            "anonymous_access": policy_data.get("internet_accessible", False),
+            "anonymous_actions": policy_data.get("accessible_actions", []),
             # TODO Issue #1452: clarify internet exposure vs anonymous access
         }
         transformed_apis.append(transformed_api)
@@ -145,7 +160,10 @@ def transform_apigateway_rest_apis(
 @timeit
 def load_apigateway_rest_apis(
-    neo4j_session: neo4j.Session, data: List[Dict], region: str, current_aws_account_id: str,
+    neo4j_session: neo4j.Session,
+    data: List[Dict],
+    region: str,
+    current_aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
     """
@@ -167,21 +185,26 @@ def transform_apigateway_stages(stages: List[Dict], update_tag: int) -> List[Dic
     """
     stage_data = []
     for stage in stages:
-        stage['createdDate'] = str(stage['createdDate'])
-        stage['arn'] = f"arn:aws:apigateway:::{stage['apiId']}/{stage['stageName']}"
+        stage["createdDate"] = str(stage["createdDate"])
+        stage["arn"] = f"arn:aws:apigateway:::{stage['apiId']}/{stage['stageName']}"
         stage_data.append(stage)
     return stage_data
-def transform_apigateway_certificates(certificates: List[Dict], update_tag: int) -> List[Dict]:
+def transform_apigateway_certificates(
+    certificates: List[Dict],
+    update_tag: int,
+) -> List[Dict]:
     """
     Transform API Gateway Client Certificate data for ingestion
     """
     cert_data = []
     for certificate in certificates:
-        certificate['createdDate'] = str(certificate['createdDate'])
-        certificate['expirationDate'] = str(certificate.get('expirationDate'))
-        certificate['stageArn'] = f"arn:aws:apigateway:::{certificate['apiId']}/{certificate['stageName']}"
+        certificate["createdDate"] = str(certificate["createdDate"])
+        certificate["expirationDate"] = str(certificate.get("expirationDate"))
+        certificate["stageArn"] = (
+            f"arn:aws:apigateway:::{certificate['apiId']}/{certificate['stageName']}"
+        )
         cert_data.append(certificate)
     return cert_data
@@ -199,21 +222,23 @@ def transform_rest_api_details(
     for api_id, stage, certificate, resource, _ in stages_certificate_resources:
         if len(stage) > 0:
             for s in stage:
-                s['apiId'] = api_id
-                s['createdDate'] = str(s['createdDate'])
-                s['arn'] = f"arn:aws:apigateway:::{api_id}/{s['stageName']}"
+                s["apiId"] = api_id
+                s["createdDate"] = str(s["createdDate"])
+                s["arn"] = f"arn:aws:apigateway:::{api_id}/{s['stageName']}"
             stages.extend(stage)
         if certificate:
-            certificate['apiId'] = api_id
-            certificate['createdDate'] = str(certificate['createdDate'])
-            certificate['expirationDate'] = str(certificate.get('expirationDate'))
-            certificate['stageArn'] = f"arn:aws:apigateway:::{api_id}/{certificate['stageName']}"
+            certificate["apiId"] = api_id
+            certificate["createdDate"] = str(certificate["createdDate"])
+            certificate["expirationDate"] = str(certificate.get("expirationDate"))
+            certificate["stageArn"] = (
+                f"arn:aws:apigateway:::{api_id}/{certificate['stageName']}"
+            )
             certificates.append(certificate)
         if len(resource) > 0:
             for r in resource:
-                r['apiId'] = api_id
+                r["apiId"] = api_id
             resources.extend(resource)
     return stages, certificates, resources
@@ -221,13 +246,17 @@ def transform_rest_api_details(
 @timeit
 def load_rest_api_details(
-    neo4j_session: neo4j.Session, stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
-    aws_account_id: str, update_tag: int,
+    neo4j_session: neo4j.Session,
+    stages_certificate_resources: List[Tuple[Any, Any, Any, Any, Any]],
+    aws_account_id: str,
+    update_tag: int,
 ) -> None:
     """
     Transform and load Stage, Client Certificate, and Resource data
     """
-    stages, certificates, resources = transform_rest_api_details(stages_certificate_resources)
+    stages, certificates, resources = transform_rest_api_details(
+        stages_certificate_resources,
+    )
     load(
         neo4j_session,
@@ -274,7 +303,7 @@ def parse_policy(api_id: str, policy: Policy) -> Optional[Dict[Any, Any]]:
             else:
                 return None
         except json.JSONDecodeError:
-            logger.warn(f"failed to decode policy json : {policy}")
+            logger.warning(f"failed to decode policy json : {policy}")
             return None
     else:
         return None
@@ -289,29 +318,48 @@ def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
     logger.info("Running API Gateway cleanup job.")
     # Clean up certificates first
-    cleanup_job = GraphJob.from_node_schema(APIGatewayClientCertificateSchema(), common_job_parameters)
+    cleanup_job = GraphJob.from_node_schema(
+        APIGatewayClientCertificateSchema(),
+        common_job_parameters,
+    )
     cleanup_job.run(neo4j_session)
     # Then stages
-    cleanup_job = GraphJob.from_node_schema(APIGatewayStageSchema(), common_job_parameters)
+    cleanup_job = GraphJob.from_node_schema(
+        APIGatewayStageSchema(),
+        common_job_parameters,
+    )
     cleanup_job.run(neo4j_session)
     # Then resources
-    cleanup_job = GraphJob.from_node_schema(APIGatewayResourceSchema(), common_job_parameters)
+    cleanup_job = GraphJob.from_node_schema(
+        APIGatewayResourceSchema(),
+        common_job_parameters,
+    )
     cleanup_job.run(neo4j_session)
     # Finally REST APIs
-    cleanup_job = GraphJob.from_node_schema(APIGatewayRestAPISchema(), common_job_parameters)
+    cleanup_job = GraphJob.from_node_schema(
+        APIGatewayRestAPISchema(),
+        common_job_parameters,
+    )
     cleanup_job.run(neo4j_session)
 @timeit
 def sync_apigateway_rest_apis(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, region: str, current_aws_account_id: str,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    region: str,
+    current_aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
     rest_apis = get_apigateway_rest_apis(boto3_session, region)
-    stages_certificate_resources = get_rest_api_details(boto3_session, rest_apis, region)
+    stages_certificate_resources = get_rest_api_details(
+        boto3_session,
+        rest_apis,
+        region,
+    )
     # Extract policies and transform the data
     policies = []
@@ -327,16 +375,39 @@ def sync_apigateway_rest_apis(
         current_aws_account_id,
         aws_update_tag,
     )
-    load_apigateway_rest_apis(neo4j_session, transformed_apis, region, current_aws_account_id, aws_update_tag)
-    load_rest_api_details(neo4j_session, stages_certificate_resources, current_aws_account_id, aws_update_tag)
+    load_apigateway_rest_apis(
+        neo4j_session,
+        transformed_apis,
+        region,
+        current_aws_account_id,
+        aws_update_tag,
+    )
+    load_rest_api_details(
+        neo4j_session,
+        stages_certificate_resources,
+        current_aws_account_id,
+        aws_update_tag,
+    )
 @timeit
 def sync(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str], current_aws_account_id: str,
-    update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
 ) -> None:
     for region in regions:
-        logger.info(f"Syncing AWS APIGateway Rest APIs for region '{region}' in account '{current_aws_account_id}'.")
-        sync_apigateway_rest_apis(neo4j_session, boto3_session, region, current_aws_account_id, update_tag)
+        logger.info(
+            f"Syncing AWS APIGateway Rest APIs for region '{region}' in account '{current_aws_account_id}'.",
+        )
+        sync_apigateway_rest_apis(
+            neo4j_session,
+            boto3_session,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/cloudtrail.py ADDED Viewed

@@ -0,0 +1,127 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+import boto3
+import botocore.exceptions
+import neo4j
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.intel.aws.ec2.util import get_botocore_config
+from cartography.models.aws.cloudtrail.trail import CloudTrailTrailSchema
+from cartography.util import aws_handle_regions
+from cartography.util import timeit
+logger = logging.getLogger(__name__)
+@timeit
+@aws_handle_regions
+def get_cloudtrail_trails(
+    boto3_session: boto3.Session, region: str
+) -> List[Dict[str, Any]]:
+    client = boto3_session.client(
+        "cloudtrail", region_name=region, config=get_botocore_config()
+    )
+    paginator = client.get_paginator("list_trails")
+    trails = []
+    for page in paginator.paginate():
+        trails.extend(page["Trails"])
+    # CloudTrail multi-region trails are shown in list_trails,
+    # but the get_trail call only works in the home region
+    trails_filtered = [trail for trail in trails if trail.get("HomeRegion") == region]
+    return trails_filtered
+@timeit
+def get_cloudtrail_trail(
+    boto3_session: boto3.Session,
+    region: str,
+    trail_name: str,
+) -> Dict[str, Any]:
+    client = boto3_session.client(
+        "cloudtrail", region_name=region, config=get_botocore_config()
+    )
+    trail_details: Dict[str, Any] = {}
+    try:
+        response = client.get_trail(Name=trail_name)
+        trail_details = response["Trail"]
+    except botocore.exceptions.ClientError as e:
+        code = e.response["Error"]["Code"]
+        msg = e.response["Error"]["Message"]
+        logger.warning(
+            f"Could not run CloudTrail get_trail due to boto3 error {code}: {msg}. Skipping.",
+        )
+    return trail_details
+@timeit
+def load_cloudtrail_trails(
+    neo4j_session: neo4j.Session,
+    data: List[Dict[str, Any]],
+    region: str,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    logger.info(
+        f"Loading CloudTrail {len(data)} trails for region '{region}' into graph.",
+    )
+    load(
+        neo4j_session,
+        CloudTrailTrailSchema(),
+        data,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    logger.debug("Running CloudTrail cleanup job.")
+    cleanup_job = GraphJob.from_node_schema(
+        CloudTrailTrailSchema(), common_job_parameters
+    )
+    cleanup_job.run(neo4j_session)
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    for region in regions:
+        logger.info(
+            f"Syncing CloudTrail for region '{region}' in account '{current_aws_account_id}'.",
+        )
+        trails = get_cloudtrail_trails(boto3_session, region)
+        trail_data: List[Dict[str, Any]] = []
+        for trail in trails:
+            trail_name = trail["Name"]
+            trail_details = get_cloudtrail_trail(
+                boto3_session,
+                region,
+                trail_name,
+            )
+            if trail_details:
+                trail_data.append(trail_details)
+        load_cloudtrail_trails(
+            neo4j_session,
+            trail_data,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/cloudwatch.py ADDED Viewed

@@ -0,0 +1,93 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+import boto3
+import neo4j
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.intel.aws.ec2.util import get_botocore_config
+from cartography.models.aws.cloudwatch.loggroup import CloudWatchLogGroupSchema
+from cartography.util import aws_handle_regions
+from cartography.util import timeit
+logger = logging.getLogger(__name__)
+@timeit
+@aws_handle_regions
+def get_cloudwatch_log_groups(
+    boto3_session: boto3.Session, region: str
+) -> List[Dict[str, Any]]:
+    client = boto3_session.client(
+        "cloudwatch", region_name=region, config=get_botocore_config()
+    )
+    paginator = client.get_paginator("describe_log_groups")
+    logGroups = []
+    for page in paginator.paginate():
+        logGroups.extend(page["logGroups"])
+    return logGroups
+@timeit
+def load_cloudwatch_log_groups(
+    neo4j_session: neo4j.Session,
+    data: List[Dict[str, Any]],
+    region: str,
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    logger.info(
+        f"Loading CloudWatch {len(data)} log groups for region '{region}' into graph.",
+    )
+    load(
+        neo4j_session,
+        CloudWatchLogGroupSchema(),
+        data,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    logger.debug("Running CloudWatch cleanup job.")
+    cleanup_job = GraphJob.from_node_schema(
+        CloudWatchLogGroupSchema(), common_job_parameters
+    )
+    cleanup_job.run(neo4j_session)
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    for region in regions:
+        logger.info(
+            f"Syncing CloudWatch for region '{region}' in account '{current_aws_account_id}'.",
+        )
+        logGroups = get_cloudwatch_log_groups(boto3_session, region)
+        group_data: List[Dict[str, Any]] = []
+        for logGroup in logGroups:
+            group_data.append(logGroup)
+        load_cloudwatch_log_groups(
+            neo4j_session,
+            group_data,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
+    cleanup(neo4j_session, common_job_parameters)

cartography 0.102.0rc2__py3-none-any.whl → 0.103.0__py3-none-any.whl

Potentially problematic release.

cartography 0.102.0rc2py3-none-any.whl → 0.103.0py3-none-any.whl