PyPI - cartography - Versions diffs - 0.104.0rc2__py3-none-any.whl → 0.123.0__py3-none-any.whl - Mend

cartography 0.104.0rc2py3-none-any.whl → 0.123.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (642) hide show

cartography/_version.py +16 -3
cartography/cli.py +466 -5
cartography/client/aws/__init__.py +19 -0
cartography/client/aws/ecr.py +51 -0
cartography/client/core/tx.py +357 -8
cartography/config.py +153 -0
cartography/data/azure_permission_relationships.yaml +20 -0
cartography/data/gcp_permission_relationships.yaml +21 -0
cartography/data/indexes.cypher +0 -186
cartography/data/jobs/analysis/aws_ec2_keypair_analysis.json +2 -2
cartography/data/jobs/analysis/keycloak_inheritance.json +30 -0
cartography/data/jobs/cleanup/gcp_compute_vpc_cleanup.json +0 -12
cartography/data/jobs/cleanup/github_repos_cleanup.json +2 -0
cartography/driftdetect/cli.py +3 -2
cartography/graph/cleanupbuilder.py +198 -41
cartography/graph/job.py +54 -6
cartography/graph/querybuilder.py +528 -27
cartography/graph/statement.py +5 -1
cartography/intel/airbyte/__init__.py +105 -0
cartography/intel/airbyte/connections.py +120 -0
cartography/intel/airbyte/destinations.py +81 -0
cartography/intel/airbyte/organizations.py +59 -0
cartography/intel/airbyte/sources.py +78 -0
cartography/intel/airbyte/tags.py +64 -0
cartography/intel/airbyte/users.py +106 -0
cartography/intel/airbyte/util.py +122 -0
cartography/intel/airbyte/workspaces.py +63 -0
cartography/intel/aws/__init__.py +24 -9
cartography/intel/aws/acm.py +124 -0
cartography/intel/aws/apigateway.py +253 -22
cartography/intel/aws/apigatewayv2.py +116 -0
cartography/intel/aws/cloudtrail.py +17 -39
cartography/intel/aws/cloudtrail_management_events.py +962 -0
cartography/intel/aws/cloudwatch.py +150 -4
cartography/intel/aws/codebuild.py +132 -0
cartography/intel/aws/cognito.py +201 -0
cartography/intel/aws/config.py +7 -3
cartography/intel/aws/ec2/elastic_ip_addresses.py +3 -1
cartography/intel/aws/ec2/instances.py +25 -1
cartography/intel/aws/ec2/internet_gateways.py +4 -2
cartography/intel/aws/ec2/load_balancer_v2s.py +11 -5
cartography/intel/aws/ec2/network_interfaces.py +5 -1
cartography/intel/aws/ec2/reserved_instances.py +3 -1
cartography/intel/aws/ec2/security_groups.py +140 -122
cartography/intel/aws/ec2/snapshots.py +47 -84
cartography/intel/aws/ec2/subnets.py +37 -63
cartography/intel/aws/ec2/tgw.py +11 -5
cartography/intel/aws/ec2/volumes.py +1 -1
cartography/intel/aws/ec2/vpc.py +140 -124
cartography/intel/aws/ec2/vpc_peerings.py +262 -125
cartography/intel/aws/ecr.py +269 -98
cartography/intel/aws/ecr_image_layers.py +923 -0
cartography/intel/aws/ecs.py +251 -380
cartography/intel/aws/efs.py +179 -11
cartography/intel/aws/elasticache.py +102 -79
cartography/intel/aws/elasticsearch.py +13 -4
cartography/intel/aws/eventbridge.py +164 -0
cartography/intel/aws/glue.py +181 -0
cartography/intel/aws/guardduty.py +443 -0
cartography/intel/aws/iam.py +750 -493
cartography/intel/aws/identitycenter.py +605 -83
cartography/intel/aws/inspector.py +221 -105
cartography/intel/aws/kms.py +173 -201
cartography/intel/aws/lambda_function.py +272 -189
cartography/intel/aws/organizations.py +10 -9
cartography/intel/aws/permission_relationships.py +10 -20
cartography/intel/aws/rds.py +337 -446
cartography/intel/aws/redshift.py +9 -4
cartography/intel/aws/resourcegroupstaggingapi.py +78 -19
cartography/intel/aws/resources.py +18 -0
cartography/intel/aws/route53.py +386 -332
cartography/intel/aws/s3.py +322 -14
cartography/intel/aws/secretsmanager.py +81 -49
cartography/intel/aws/securityhub.py +3 -1
cartography/intel/aws/sns.py +62 -2
cartography/intel/aws/sqs.py +36 -90
cartography/intel/aws/ssm.py +3 -5
cartography/intel/azure/__init__.py +202 -48
cartography/intel/azure/aks.py +175 -0
cartography/intel/azure/app_service.py +105 -0
cartography/intel/azure/compute.py +59 -112
cartography/intel/azure/container_instances.py +95 -0
cartography/intel/azure/cosmosdb.py +222 -361
cartography/intel/azure/data_factory.py +85 -0
cartography/intel/azure/data_factory_dataset.py +128 -0
cartography/intel/azure/data_factory_linked_service.py +119 -0
cartography/intel/azure/data_factory_pipeline.py +142 -0
cartography/intel/azure/data_lake.py +124 -0
cartography/intel/azure/event_grid.py +94 -0
cartography/intel/azure/functions.py +124 -0
cartography/intel/azure/load_balancers.py +263 -0
cartography/intel/azure/logic_apps.py +101 -0
cartography/intel/azure/monitor.py +105 -0
cartography/intel/azure/network.py +467 -0
cartography/intel/azure/permission_relationships.py +466 -0
cartography/intel/azure/rbac.py +309 -0
cartography/intel/azure/resource_groups.py +82 -0
cartography/intel/azure/security_center.py +106 -0
cartography/intel/azure/sql.py +145 -292
cartography/intel/azure/storage.py +185 -262
cartography/intel/azure/subscription.py +21 -43
cartography/intel/azure/tenant.py +39 -30
cartography/intel/azure/util/common.py +13 -0
cartography/intel/azure/util/credentials.py +49 -174
cartography/intel/azure/util/tag.py +41 -0
cartography/intel/create_indexes.py +2 -1
cartography/intel/crowdstrike/spotlight.py +5 -2
cartography/intel/dns.py +5 -2
cartography/intel/entra/__init__.py +100 -1
cartography/intel/entra/app_role_assignments.py +284 -0
cartography/intel/entra/applications.py +182 -0
cartography/intel/entra/federation/__init__.py +0 -0
cartography/intel/entra/federation/aws_identity_center.py +77 -0
cartography/intel/entra/groups.py +198 -0
cartography/intel/entra/ou.py +48 -24
cartography/intel/entra/service_principals.py +217 -0
cartography/intel/entra/users.py +105 -57
cartography/intel/gcp/__init__.py +334 -396
cartography/intel/gcp/bigtable_app_profile.py +101 -0
cartography/intel/gcp/bigtable_backup.py +91 -0
cartography/intel/gcp/bigtable_cluster.py +93 -0
cartography/intel/gcp/bigtable_instance.py +86 -0
cartography/intel/gcp/bigtable_table.py +87 -0
cartography/intel/gcp/cai.py +292 -0
cartography/intel/gcp/clients.py +112 -0
cartography/intel/gcp/compute.py +128 -119
cartography/intel/gcp/crm/__init__.py +0 -0
cartography/intel/gcp/crm/folders.py +114 -0
cartography/intel/gcp/crm/orgs.py +70 -0
cartography/intel/gcp/crm/projects.py +120 -0
cartography/intel/gcp/dns.py +83 -169
cartography/intel/gcp/gke.py +72 -113
cartography/intel/gcp/iam.py +111 -91
cartography/intel/gcp/permission_relationships.py +394 -0
cartography/intel/gcp/policy_bindings.py +225 -0
cartography/intel/gcp/storage.py +75 -159
cartography/intel/github/__init__.py +62 -25
cartography/intel/github/commits.py +423 -0
cartography/intel/github/repos.py +463 -85
cartography/intel/github/teams.py +3 -3
cartography/intel/github/users.py +5 -0
cartography/intel/github/util.py +12 -0
cartography/intel/googleworkspace/__init__.py +193 -0
cartography/intel/googleworkspace/devices.py +254 -0
cartography/intel/googleworkspace/groups.py +568 -0
cartography/intel/googleworkspace/oauth_apps.py +259 -0
cartography/intel/googleworkspace/tenant.py +85 -0
cartography/intel/googleworkspace/users.py +138 -0
cartography/intel/gsuite/__init__.py +17 -9
cartography/intel/gsuite/groups.py +291 -0
cartography/intel/gsuite/users.py +142 -0
cartography/intel/jamf/computers.py +7 -1
cartography/intel/keycloak/__init__.py +153 -0
cartography/intel/keycloak/authenticationexecutions.py +322 -0
cartography/intel/keycloak/authenticationflows.py +77 -0
cartography/intel/keycloak/clients.py +187 -0
cartography/intel/keycloak/groups.py +126 -0
cartography/intel/keycloak/identityproviders.py +94 -0
cartography/intel/keycloak/organizations.py +163 -0
cartography/intel/keycloak/realms.py +61 -0
cartography/intel/keycloak/roles.py +202 -0
cartography/intel/keycloak/scopes.py +73 -0
cartography/intel/keycloak/users.py +70 -0
cartography/intel/keycloak/util.py +47 -0
cartography/intel/kubernetes/__init__.py +60 -14
cartography/intel/kubernetes/clusters.py +86 -0
cartography/intel/kubernetes/eks.py +402 -0
cartography/intel/kubernetes/namespaces.py +59 -57
cartography/intel/kubernetes/pods.py +168 -75
cartography/intel/kubernetes/rbac.py +597 -0
cartography/intel/kubernetes/secrets.py +95 -45
cartography/intel/kubernetes/services.py +131 -67
cartography/intel/kubernetes/util.py +142 -14
cartography/intel/oci/iam.py +23 -9
cartography/intel/oci/organizations.py +3 -1
cartography/intel/oci/utils.py +28 -5
cartography/intel/okta/applications.py +15 -5
cartography/intel/okta/awssaml.py +14 -10
cartography/intel/okta/factors.py +3 -1
cartography/intel/okta/groups.py +5 -2
cartography/intel/okta/organization.py +3 -1
cartography/intel/okta/origins.py +3 -1
cartography/intel/okta/roles.py +5 -2
cartography/intel/okta/users.py +10 -2
cartography/intel/ontology/__init__.py +44 -0
cartography/intel/ontology/devices.py +54 -0
cartography/intel/ontology/users.py +54 -0
cartography/intel/ontology/utils.py +176 -0
cartography/intel/pagerduty/escalation_policies.py +13 -6
cartography/intel/pagerduty/schedules.py +9 -4
cartography/intel/pagerduty/services.py +7 -3
cartography/intel/pagerduty/teams.py +5 -2
cartography/intel/pagerduty/users.py +3 -1
cartography/intel/pagerduty/vendors.py +3 -1
cartography/intel/scaleway/__init__.py +127 -0
cartography/intel/scaleway/iam/__init__.py +0 -0
cartography/intel/scaleway/iam/apikeys.py +71 -0
cartography/intel/scaleway/iam/applications.py +71 -0
cartography/intel/scaleway/iam/groups.py +71 -0
cartography/intel/scaleway/iam/users.py +71 -0
cartography/intel/scaleway/instances/__init__.py +0 -0
cartography/intel/scaleway/instances/flexibleips.py +86 -0
cartography/intel/scaleway/instances/instances.py +92 -0
cartography/intel/scaleway/projects.py +79 -0
cartography/intel/scaleway/storage/__init__.py +0 -0
cartography/intel/scaleway/storage/snapshots.py +86 -0
cartography/intel/scaleway/storage/volumes.py +84 -0
cartography/intel/scaleway/utils.py +37 -0
cartography/intel/sentinelone/__init__.py +75 -0
cartography/intel/sentinelone/account.py +140 -0
cartography/intel/sentinelone/agent.py +139 -0
cartography/intel/sentinelone/api.py +124 -0
cartography/intel/sentinelone/application.py +248 -0
cartography/intel/sentinelone/cve.py +119 -0
cartography/intel/sentinelone/utils.py +28 -0
cartography/intel/slack/__init__.py +78 -0
cartography/intel/slack/channels.py +80 -0
cartography/intel/slack/groups.py +90 -0
cartography/intel/slack/teams.py +65 -0
cartography/intel/slack/users.py +57 -0
cartography/intel/slack/utils.py +29 -0
cartography/intel/spacelift/__init__.py +161 -0
cartography/intel/spacelift/account.py +73 -0
cartography/intel/spacelift/ec2_ownership.py +280 -0
cartography/intel/spacelift/runs.py +463 -0
cartography/intel/spacelift/spaces.py +112 -0
cartography/intel/spacelift/stacks.py +119 -0
cartography/intel/spacelift/util.py +122 -0
cartography/intel/spacelift/workerpools.py +131 -0
cartography/intel/spacelift/workers.py +128 -0
cartography/intel/trivy/__init__.py +272 -0
cartography/intel/trivy/scanner.py +386 -0
cartography/models/airbyte/__init__.py +0 -0
cartography/models/airbyte/connection.py +138 -0
cartography/models/airbyte/destination.py +75 -0
cartography/models/airbyte/organization.py +19 -0
cartography/models/airbyte/source.py +75 -0
cartography/models/airbyte/stream.py +74 -0
cartography/models/airbyte/tag.py +69 -0
cartography/models/airbyte/user.py +115 -0
cartography/models/airbyte/workspace.py +46 -0
cartography/models/anthropic/apikey.py +4 -0
cartography/models/anthropic/user.py +4 -0
cartography/models/aws/acm/__init__.py +0 -0
cartography/models/aws/acm/certificate.py +75 -0
cartography/models/aws/apigateway/__init__.py +0 -0
cartography/models/aws/apigateway/apigatewaydeployment.py +74 -0
cartography/models/aws/apigateway/apigatewayintegration.py +79 -0
cartography/models/aws/apigateway/apigatewaymethod.py +74 -0
cartography/models/aws/apigatewayv2/__init__.py +0 -0
cartography/models/aws/apigatewayv2/apigatewayv2.py +53 -0
cartography/models/aws/cloudtrail/management_events.py +153 -0
cartography/models/aws/cloudtrail/trail.py +45 -0
cartography/models/aws/cloudwatch/log_metric_filter.py +79 -0
cartography/models/aws/cloudwatch/metric_alarm.py +53 -0
cartography/models/aws/codebuild/__init__.py +0 -0
cartography/models/aws/codebuild/project.py +49 -0
cartography/models/aws/cognito/__init__.py +0 -0
cartography/models/aws/cognito/identity_pool.py +70 -0
cartography/models/aws/cognito/user_pool.py +47 -0
cartography/models/aws/dynamodb/tables.py +2 -0
cartography/models/aws/ec2/instances.py +25 -1
cartography/models/aws/ec2/networkinterfaces.py +4 -0
cartography/models/aws/ec2/security_group_rules.py +109 -0
cartography/models/aws/ec2/security_groups.py +90 -0
cartography/models/aws/ec2/snapshots.py +58 -0
cartography/models/aws/ec2/subnet_instance.py +2 -0
cartography/models/aws/ec2/subnet_networkinterface.py +2 -0
cartography/models/aws/ec2/subnets.py +65 -0
cartography/models/aws/ec2/volumes.py +20 -0
cartography/models/aws/ec2/vpc.py +46 -0
cartography/models/aws/ec2/vpc_cidr.py +102 -0
cartography/models/aws/ec2/vpc_peering.py +157 -0
cartography/models/aws/ecr/__init__.py +0 -0
cartography/models/aws/ecr/image.py +146 -0
cartography/models/aws/ecr/image_layer.py +107 -0
cartography/models/aws/ecr/repository.py +72 -0
cartography/models/aws/ecr/repository_image.py +95 -0
cartography/models/aws/ecs/__init__.py +0 -0
cartography/models/aws/ecs/clusters.py +64 -0
cartography/models/aws/ecs/container_definitions.py +93 -0
cartography/models/aws/ecs/container_instances.py +84 -0
cartography/models/aws/ecs/containers.py +101 -0
cartography/models/aws/ecs/services.py +134 -0
cartography/models/aws/ecs/task_definitions.py +135 -0
cartography/models/aws/ecs/tasks.py +134 -0
cartography/models/aws/efs/access_point.py +77 -0
cartography/models/aws/efs/file_system.py +60 -0
cartography/models/aws/efs/mount_target.py +29 -2
cartography/models/aws/elasticache/__init__.py +0 -0
cartography/models/aws/elasticache/cluster.py +65 -0
cartography/models/aws/elasticache/topic.py +67 -0
cartography/models/aws/eventbridge/__init__.py +0 -0
cartography/models/aws/eventbridge/rule.py +77 -0
cartography/models/aws/eventbridge/target.py +71 -0
cartography/models/aws/glue/__init__.py +0 -0
cartography/models/aws/glue/connection.py +51 -0
cartography/models/aws/glue/job.py +69 -0
cartography/models/aws/guardduty/__init__.py +1 -0
cartography/models/aws/guardduty/detectors.py +50 -0
cartography/models/aws/guardduty/findings.py +121 -0
cartography/models/aws/iam/access_key.py +103 -0
cartography/models/aws/iam/account_role.py +24 -0
cartography/models/aws/iam/federated_principal.py +60 -0
cartography/models/aws/iam/group.py +60 -0
cartography/models/aws/iam/group_membership.py +27 -0
cartography/models/aws/iam/inline_policy.py +78 -0
cartography/models/aws/iam/managed_policy.py +51 -0
cartography/models/aws/iam/policy_statement.py +57 -0
cartography/models/aws/iam/role.py +83 -0
cartography/models/aws/iam/root_principal.py +52 -0
cartography/models/aws/iam/service_principal.py +30 -0
cartography/models/aws/iam/sts_assumerole_allow.py +38 -0
cartography/models/aws/iam/user.py +59 -0
cartography/models/aws/identitycenter/awsidentitycenter.py +1 -0
cartography/models/aws/identitycenter/awspermissionset.py +70 -0
cartography/models/aws/identitycenter/awssogroup.py +70 -0
cartography/models/aws/identitycenter/awsssouser.py +49 -9
cartography/models/aws/inspector/findings.py +37 -0
cartography/models/aws/inspector/packages.py +1 -31
cartography/models/aws/kms/__init__.py +0 -0
cartography/models/aws/kms/aliases.py +86 -0
cartography/models/aws/kms/grants.py +65 -0
cartography/models/aws/kms/keys.py +88 -0
cartography/models/aws/lambda_function/__init__.py +0 -0
cartography/models/aws/lambda_function/alias.py +74 -0
cartography/models/aws/lambda_function/event_source_mapping.py +88 -0
cartography/models/aws/lambda_function/lambda_function.py +91 -0
cartography/models/aws/lambda_function/layer.py +72 -0
cartography/models/aws/rds/__init__.py +0 -0
cartography/models/aws/rds/cluster.py +91 -0
cartography/models/aws/rds/event_subscription.py +146 -0
cartography/models/aws/rds/instance.py +156 -0
cartography/models/aws/rds/snapshot.py +108 -0
cartography/models/aws/rds/subnet_group.py +101 -0
cartography/models/aws/route53/__init__.py +0 -0
cartography/models/aws/route53/dnsrecord.py +235 -0
cartography/models/aws/route53/nameserver.py +63 -0
cartography/models/aws/route53/subzone.py +40 -0
cartography/models/aws/route53/zone.py +47 -0
cartography/models/aws/s3/notification.py +24 -0
cartography/models/aws/secretsmanager/secret.py +106 -0
cartography/models/aws/secretsmanager/secret_version.py +0 -2
cartography/models/aws/sns/topic_subscription.py +74 -0
cartography/models/aws/sqs/__init__.py +0 -0
cartography/models/aws/sqs/queue.py +89 -0
cartography/models/azure/__init__.py +0 -0
cartography/models/azure/aks_cluster.py +54 -0
cartography/models/azure/aks_nodepool.py +54 -0
cartography/models/azure/app_service.py +59 -0
cartography/models/azure/container_instance.py +57 -0
cartography/models/azure/cosmosdb/__init__.py +0 -0
cartography/models/azure/cosmosdb/account.py +77 -0
cartography/models/azure/cosmosdb/accountfailoverpolicy.py +77 -0
cartography/models/azure/cosmosdb/cassandrakeyspace.py +82 -0
cartography/models/azure/cosmosdb/cassandratable.py +81 -0
cartography/models/azure/cosmosdb/corspolicy.py +74 -0
cartography/models/azure/cosmosdb/dblocation.py +120 -0
cartography/models/azure/cosmosdb/mongodbcollection.py +82 -0
cartography/models/azure/cosmosdb/mongodbdatabase.py +78 -0
cartography/models/azure/cosmosdb/privateendpointconnection.py +81 -0
cartography/models/azure/cosmosdb/sqlcontainer.py +88 -0
cartography/models/azure/cosmosdb/sqldatabase.py +78 -0
cartography/models/azure/cosmosdb/tableresource.py +76 -0
cartography/models/azure/cosmosdb/virtualnetworkrule.py +78 -0
cartography/models/azure/data_factory/__init__.py +0 -0
cartography/models/azure/data_factory/data_factory.py +51 -0
cartography/models/azure/data_factory/data_factory_dataset.py +94 -0
cartography/models/azure/data_factory/data_factory_linked_service.py +78 -0
cartography/models/azure/data_factory/data_factory_pipeline.py +93 -0
cartography/models/azure/data_lake_filesystem.py +51 -0
cartography/models/azure/event_grid_topic.py +57 -0
cartography/models/azure/function_app.py +59 -0
cartography/models/azure/load_balancer/__init__.py +0 -0
cartography/models/azure/load_balancer/load_balancer.py +49 -0
cartography/models/azure/load_balancer/load_balancer_backend_pool.py +73 -0
cartography/models/azure/load_balancer/load_balancer_frontend_ip.py +75 -0
cartography/models/azure/load_balancer/load_balancer_inbound_nat_rule.py +78 -0
cartography/models/azure/load_balancer/load_balancer_rule.py +108 -0
cartography/models/azure/logic_apps.py +56 -0
cartography/models/azure/monitor.py +54 -0
cartography/models/azure/network_interface.py +112 -0
cartography/models/azure/network_security_group.py +50 -0
cartography/models/azure/permission_relationships.py +60 -0
cartography/models/azure/principal.py +41 -0
cartography/models/azure/public_ip_address.py +50 -0
cartography/models/azure/rbac.py +268 -0
cartography/models/azure/resource_groups.py +52 -0
cartography/models/azure/security_center.py +50 -0
cartography/models/azure/sql/__init__.py +0 -0
cartography/models/azure/sql/databasethreatdetectionpolicy.py +85 -0
cartography/models/azure/sql/elasticpool.py +77 -0
cartography/models/azure/sql/failovergroup.py +73 -0
cartography/models/azure/sql/recoverabledatabase.py +75 -0
cartography/models/azure/sql/replicationlink.py +81 -0
cartography/models/azure/sql/restorabledroppeddatabase.py +82 -0
cartography/models/azure/sql/restorepoint.py +74 -0
cartography/models/azure/sql/serveradadministrator.py +74 -0
cartography/models/azure/sql/serverdnsalias.py +71 -0
cartography/models/azure/sql/sqldatabase.py +85 -0
cartography/models/azure/sql/sqlserver.py +50 -0
cartography/models/azure/sql/transparentdataencryption.py +76 -0
cartography/models/azure/storage/__init__.py +0 -0
cartography/models/azure/storage/account.py +59 -0
cartography/models/azure/storage/blobcontainer.py +85 -0
cartography/models/azure/storage/blobservice.py +71 -0
cartography/models/azure/storage/fileservice.py +71 -0
cartography/models/azure/storage/fileshare.py +82 -0
cartography/models/azure/storage/queue.py +71 -0
cartography/models/azure/storage/queueservice.py +73 -0
cartography/models/azure/storage/table.py +72 -0
cartography/models/azure/storage/tableservice.py +73 -0
cartography/models/azure/subnet.py +101 -0
cartography/models/azure/subscription.py +47 -0
cartography/models/azure/tags/__init__.py +0 -0
cartography/models/azure/tags/storage_tag.py +40 -0
cartography/models/azure/tags/tag.py +37 -0
cartography/models/azure/tenant.py +17 -0
cartography/models/azure/virtual_network.py +49 -0
cartography/models/azure/vm/__init__.py +0 -0
cartography/models/azure/vm/datadisk.py +80 -0
cartography/models/azure/vm/disk.py +55 -0
cartography/models/azure/vm/snapshot.py +56 -0
cartography/models/azure/vm/virtualmachine.py +59 -0
cartography/models/bigfix/bigfix_computer.py +1 -1
cartography/models/cloudflare/member.py +4 -0
cartography/models/core/common.py +1 -0
cartography/models/core/nodes.py +15 -2
cartography/models/core/relationships.py +44 -0
cartography/models/crowdstrike/hosts.py +1 -1
cartography/models/digitalocean/droplet.py +2 -0
cartography/models/duo/endpoint.py +1 -1
cartography/models/duo/phone.py +2 -2
cartography/models/duo/user.py +4 -0
cartography/models/entra/app_role_assignment.py +115 -0
cartography/models/entra/application.py +49 -0
cartography/models/entra/entra_user_to_aws_sso.py +41 -0
cartography/models/entra/group.py +117 -0
cartography/models/entra/service_principal.py +104 -0
cartography/models/entra/user.py +42 -51
cartography/models/gcp/__init__.py +0 -0
cartography/models/gcp/bigtable/__init__.py +0 -0
cartography/models/gcp/bigtable/app_profile.py +94 -0
cartography/models/gcp/bigtable/backup.py +91 -0
cartography/models/gcp/bigtable/cluster.py +73 -0
cartography/models/gcp/bigtable/instance.py +52 -0
cartography/models/gcp/bigtable/table.py +69 -0
cartography/models/gcp/compute/__init__.py +0 -0
cartography/models/gcp/compute/subnet.py +74 -0
cartography/models/gcp/compute/vpc.py +50 -0
cartography/models/gcp/crm/__init__.py +0 -0
cartography/models/gcp/crm/folders.py +98 -0
cartography/models/gcp/crm/organizations.py +21 -0
cartography/models/gcp/crm/projects.py +100 -0
cartography/models/gcp/dns.py +109 -0
cartography/models/gcp/gke.py +69 -0
cartography/models/gcp/iam.py +3 -0
cartography/models/gcp/permission_relationships.py +61 -0
cartography/models/gcp/policy_bindings.py +93 -0
cartography/models/gcp/storage/__init__.py +0 -0
cartography/models/gcp/storage/bucket.py +119 -0
cartography/models/github/commits.py +63 -0
cartography/models/github/dependencies.py +73 -0
cartography/models/github/manifests.py +49 -0
cartography/models/github/users.py +10 -0
cartography/models/googleworkspace/__init__.py +0 -0
cartography/models/googleworkspace/device.py +132 -0
cartography/models/googleworkspace/group.py +382 -0
cartography/models/googleworkspace/oauth_app.py +124 -0
cartography/models/googleworkspace/tenant.py +30 -0
cartography/models/googleworkspace/user.py +113 -0
cartography/models/gsuite/__init__.py +0 -0
cartography/models/gsuite/group.py +218 -0
cartography/models/gsuite/tenant.py +29 -0
cartography/models/gsuite/user.py +107 -0
cartography/models/kandji/device.py +1 -2
cartography/models/keycloak/__init__.py +0 -0
cartography/models/keycloak/authenticationexecution.py +160 -0
cartography/models/keycloak/authenticationflow.py +54 -0
cartography/models/keycloak/client.py +179 -0
cartography/models/keycloak/group.py +101 -0
cartography/models/keycloak/identityprovider.py +89 -0
cartography/models/keycloak/organization.py +116 -0
cartography/models/keycloak/organizationdomain.py +73 -0
cartography/models/keycloak/realm.py +173 -0
cartography/models/keycloak/role.py +126 -0
cartography/models/keycloak/scope.py +73 -0
cartography/models/keycloak/user.py +55 -0
cartography/models/kubernetes/__init__.py +0 -0
cartography/models/kubernetes/clusterrolebindings.py +138 -0
cartography/models/kubernetes/clusterroles.py +52 -0
cartography/models/kubernetes/clusters.py +26 -0
cartography/models/kubernetes/containers.py +133 -0
cartography/models/kubernetes/groups.py +107 -0
cartography/models/kubernetes/namespaces.py +51 -0
cartography/models/kubernetes/oidc.py +51 -0
cartography/models/kubernetes/pods.py +80 -0
cartography/models/kubernetes/rolebindings.py +159 -0
cartography/models/kubernetes/roles.py +76 -0
cartography/models/kubernetes/secrets.py +79 -0
cartography/models/kubernetes/serviceaccounts.py +77 -0
cartography/models/kubernetes/services.py +108 -0
cartography/models/kubernetes/users.py +105 -0
cartography/models/lastpass/user.py +4 -0
cartography/models/ontology/__init__.py +0 -0
cartography/models/ontology/device.py +137 -0
cartography/models/ontology/mapping/__init__.py +76 -0
cartography/models/ontology/mapping/data/__init__.py +0 -0
cartography/models/ontology/mapping/data/apikeys.py +93 -0
cartography/models/ontology/mapping/data/computeinstance.py +95 -0
cartography/models/ontology/mapping/data/containers.py +88 -0
cartography/models/ontology/mapping/data/databases.py +182 -0
cartography/models/ontology/mapping/data/devices.py +194 -0
cartography/models/ontology/mapping/data/thirdpartyapps.py +140 -0
cartography/models/ontology/mapping/data/useraccounts.py +416 -0
cartography/models/ontology/mapping/data/users.py +63 -0
cartography/models/ontology/mapping/specs.py +85 -0
cartography/models/ontology/user.py +51 -0
cartography/models/openai/adminapikey.py +4 -0
cartography/models/openai/apikey.py +4 -0
cartography/models/openai/user.py +4 -0
cartography/models/scaleway/__init__.py +0 -0
cartography/models/scaleway/iam/__init__.py +0 -0
cartography/models/scaleway/iam/apikey.py +100 -0
cartography/models/scaleway/iam/application.py +52 -0
cartography/models/scaleway/iam/group.py +95 -0
cartography/models/scaleway/iam/user.py +64 -0
cartography/models/scaleway/instance/__init__.py +0 -0
cartography/models/scaleway/instance/flexibleip.py +52 -0
cartography/models/scaleway/instance/instance.py +120 -0
cartography/models/scaleway/organization.py +19 -0
cartography/models/scaleway/project.py +48 -0
cartography/models/scaleway/storage/__init__.py +0 -0
cartography/models/scaleway/storage/snapshot.py +78 -0
cartography/models/scaleway/storage/volume.py +51 -0
cartography/models/sentinelone/__init__.py +1 -0
cartography/models/sentinelone/account.py +40 -0
cartography/models/sentinelone/agent.py +50 -0
cartography/models/sentinelone/application.py +44 -0
cartography/models/sentinelone/application_version.py +96 -0
cartography/models/sentinelone/cve.py +73 -0
cartography/models/slack/__init__.py +0 -0
cartography/models/slack/channels.py +92 -0
cartography/models/slack/group.py +129 -0
cartography/models/slack/team.py +22 -0
cartography/models/slack/user.py +62 -0
cartography/models/snipeit/asset.py +2 -0
cartography/models/snipeit/user.py +4 -0
cartography/models/spacelift/__init__.py +0 -0
cartography/models/spacelift/cloudtrailevent.py +120 -0
cartography/models/spacelift/run.py +162 -0
cartography/models/spacelift/space.py +131 -0
cartography/models/spacelift/spaceliftaccount.py +31 -0
cartography/models/spacelift/spaceliftgitcommit.py +157 -0
cartography/models/spacelift/stack.py +96 -0
cartography/models/spacelift/user.py +63 -0
cartography/models/spacelift/worker.py +97 -0
cartography/models/spacelift/workerpool.py +90 -0
cartography/models/tailscale/device.py +2 -1
cartography/models/tailscale/user.py +6 -1
cartography/models/trivy/__init__.py +0 -0
cartography/models/trivy/findings.py +66 -0
cartography/models/trivy/fix.py +66 -0
cartography/models/trivy/package.py +71 -0
cartography/rules/README.md +1 -0
cartography/rules/__init__.py +0 -0
cartography/rules/cli.py +261 -0
cartography/rules/data/__init__.py +0 -0
cartography/rules/data/rules/__init__.py +46 -0
cartography/rules/data/rules/cloud_security_product_deactivated.py +49 -0
cartography/rules/data/rules/compute_instance_exposed.py +51 -0
cartography/rules/data/rules/database_instance_exposed.py +53 -0
cartography/rules/data/rules/delegation_boundary_modifiable.py +90 -0
cartography/rules/data/rules/identity_administration_privileges.py +100 -0
cartography/rules/data/rules/inactive_user_active_accounts.py +48 -0
cartography/rules/data/rules/malicious_npm_dependencies_shai_hulud.py +2222 -0
cartography/rules/data/rules/mfa_missing.py +46 -0
cartography/rules/data/rules/object_storage_public.py +100 -0
cartography/rules/data/rules/policy_administration_privileges.py +104 -0
cartography/rules/data/rules/unmanaged_accounts.py +43 -0
cartography/rules/data/rules/workload_identity_admin_capabilities.py +193 -0
cartography/rules/formatters.py +108 -0
cartography/rules/runners.py +216 -0
cartography/rules/spec/__init__.py +0 -0
cartography/rules/spec/model.py +267 -0
cartography/rules/spec/result.py +38 -0
cartography/sync.py +25 -5
cartography/util.py +101 -31
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/METADATA +61 -22
cartography-0.123.0.dist-info/RECORD +856 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/entry_points.txt +1 -0
cartography/data/jobs/cleanup/aws_dns_cleanup.json +0 -65
cartography/data/jobs/cleanup/aws_import_account_access_key_cleanup.json +0 -17
cartography/data/jobs/cleanup/aws_import_ec2_security_groupinfo_cleanup.json +0 -24
cartography/data/jobs/cleanup/aws_import_groups_cleanup.json +0 -13
cartography/data/jobs/cleanup/aws_import_identity_center_cleanup.json +0 -16
cartography/data/jobs/cleanup/aws_import_lambda_cleanup.json +0 -50
cartography/data/jobs/cleanup/aws_import_principals_cleanup.json +0 -30
cartography/data/jobs/cleanup/aws_import_rds_clusters_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_rds_instances_cleanup.json +0 -47
cartography/data/jobs/cleanup/aws_import_rds_snapshots_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_roles_cleanup.json +0 -13
cartography/data/jobs/cleanup/aws_import_secrets_cleanup.json +0 -8
cartography/data/jobs/cleanup/aws_import_snapshots_cleanup.json +0 -30
cartography/data/jobs/cleanup/aws_import_users_cleanup.json +0 -8
cartography/data/jobs/cleanup/aws_import_vpc_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_vpc_peering_cleanup.json +0 -45
cartography/data/jobs/cleanup/aws_kms_details.json +0 -10
cartography/data/jobs/cleanup/azure_cosmosdb_cassandra_keyspace_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_cors_details.json +0 -15
cartography/data/jobs/cleanup/azure_cosmosdb_mongodb_database_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_sql_database_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_table_resources_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_database_account_cleanup.json +0 -85
cartography/data/jobs/cleanup/azure_import_disks_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_import_snapshots_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_import_virtual_machines_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_sql_server_cleanup.json +0 -125
cartography/data/jobs/cleanup/azure_storage_account_cleanup.json +0 -95
cartography/data/jobs/cleanup/azure_subscriptions_cleanup.json +0 -14
cartography/data/jobs/cleanup/azure_tenant_cleanup.json +0 -9
cartography/data/jobs/cleanup/gcp_compute_vpc_subnet_cleanup.json +0 -35
cartography/data/jobs/cleanup/gcp_crm_folder_cleanup.json +0 -23
cartography/data/jobs/cleanup/gcp_crm_organization_cleanup.json +0 -17
cartography/data/jobs/cleanup/gcp_crm_project_cleanup.json +0 -23
cartography/data/jobs/cleanup/gcp_dns_cleanup.json +0 -29
cartography/data/jobs/cleanup/gcp_gke_cluster_cleanup.json +0 -17
cartography/data/jobs/cleanup/gcp_storage_bucket_cleanup.json +0 -29
cartography/data/jobs/cleanup/gsuite_ingest_groups_cleanup.json +0 -23
cartography/data/jobs/cleanup/gsuite_ingest_users_cleanup.json +0 -11
cartography/data/jobs/cleanup/kubernetes_import_cleanup.json +0 -70
cartography/intel/gcp/crm.py +0 -355
cartography/intel/gsuite/api.py +0 -342
cartography-0.104.0rc2.dist-info/RECORD +0 -455
/cartography/data/jobs/{analysis → scoped_analysis}/aws_s3acl_analysis.json +0 -0
/cartography/models/aws/{apigateway.py → apigateway/apigateway.py} +0 -0
/cartography/models/aws/{apigatewaycertificate.py → apigateway/apigatewaycertificate.py} +0 -0
/cartography/models/aws/{apigatewayresource.py → apigateway/apigatewayresource.py} +0 -0
/cartography/models/aws/{apigatewaystage.py → apigateway/apigatewaystage.py} +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/WHEEL +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/licenses/LICENSE +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/top_level.txt +0 -0

cartography/intel/aws/identitycenter.py CHANGED Viewed

@@ -1,12 +1,13 @@
 import logging
 from typing import Any
-from typing import Dict
-from typing import List
 import boto3
+import botocore.exceptions
 import neo4j
 from cartography.client.core.tx import load
+from cartography.client.core.tx import load_matchlinks
+from cartography.client.core.tx import read_list_of_dicts_tx
 from cartography.graph.job import GraphJob
 from cartography.models.aws.identitycenter.awsidentitycenter import (
     AWSIdentityCenterInstanceSchema,
@@ -14,20 +15,38 @@ from cartography.models.aws.identitycenter.awsidentitycenter import (
 from cartography.models.aws.identitycenter.awspermissionset import (
     AWSPermissionSetSchema,
 )
+from cartography.models.aws.identitycenter.awspermissionset import (
+    AWSRoleToSSOGroupMatchLink,
+)
+from cartography.models.aws.identitycenter.awspermissionset import (
+    AWSRoleToSSOUserMatchLink,
+)
+from cartography.models.aws.identitycenter.awssogroup import AWSSSOGroupSchema
 from cartography.models.aws.identitycenter.awsssouser import AWSSSOUserSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 logger = logging.getLogger(__name__)
+def _is_permission_set_sync_unsupported_error(
+    error: botocore.exceptions.ClientError,
+) -> bool:
+    """Return True when the Identity Center instance does not support permission sets."""
+    error_info = error.response.get("Error", {})
+    if error_info.get("Code") != "ValidationException":
+        return False
+    message = error_info.get("Message", "").lower()
+    return "not supported for this identity center instance" in message
 @timeit
 @aws_handle_regions
 def get_identity_center_instances(
     boto3_session: boto3.session.Session,
     region: str,
-) -> List[Dict]:
+) -> list[dict[str, Any]]:
     """
     Get all AWS IAM Identity Center instances in the current region
     """
@@ -44,7 +63,7 @@ def get_identity_center_instances(
 @timeit
 def load_identity_center_instances(
     neo4j_session: neo4j.Session,
-    instance_data: List[Dict],
+    instance_data: list[dict[str, Any]],
     region: str,
     current_aws_account_id: str,
     aws_update_tag: int,
@@ -71,7 +90,7 @@ def get_permission_sets(
     boto3_session: boto3.session.Session,
     instance_arn: str,
     region: str,
-) -> List[Dict]:
+) -> list[dict[str, Any]]:
     """
     Get all permission sets for a given Identity Center instance
     """
@@ -88,18 +107,37 @@ def get_permission_sets(
             )
             permission_set = details.get("PermissionSet", {})
             if permission_set:
-                permission_set["RoleHint"] = (
-                    f":role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_{permission_set.get('Name')}"
-                )
                 permission_sets.append(permission_set)
     return permission_sets
+def transform_permission_sets(
+    permission_sets: list[dict[str, Any]],
+    region: str,
+) -> list[dict[str, Any]]:
+    """
+    Transform permission sets by adding the RoleHint based on region.
+    AWS SSO roles in us-east-1 don't include region in the ARN path,
+    but roles in other regions do: /aws-reserved/sso.amazonaws.com/{region}/AWSReservedSSO_*
+    """
+    for permission_set in permission_sets:
+        if region == "us-east-1":
+            permission_set["RoleHint"] = (
+                f":role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_{permission_set.get('Name')}"
+            )
+        else:
+            permission_set["RoleHint"] = (
+                f":role/aws-reserved/sso.amazonaws.com/{region}/AWSReservedSSO_{permission_set.get('Name')}"
+            )
+    return permission_sets
 @timeit
 def load_permission_sets(
     neo4j_session: neo4j.Session,
-    permission_sets: List[Dict],
+    permission_sets: list[dict[str, Any]],
     instance_arn: str,
     region: str,
     aws_account_id: str,
@@ -120,6 +158,8 @@ def load_permission_sets(
         InstanceArn=instance_arn,
         Region=region,
         AWS_ID=aws_account_id,
+        _sub_resource_label="AWSAccount",
+        _sub_resource_id=aws_account_id,
     )
@@ -129,7 +169,7 @@ def get_sso_users(
     boto3_session: boto3.session.Session,
     identity_store_id: str,
     region: str,
-) -> List[Dict]:
+) -> list[dict[str, Any]]:
     """
     Get all SSO users for a given Identity Store
     """
@@ -140,17 +180,117 @@ def get_sso_users(
     for page in paginator.paginate(IdentityStoreId=identity_store_id):
         user_page = page.get("Users", [])
         for user in user_page:
-            if user.get("ExternalIds", None):
-                user["ExternalId"] = user.get("ExternalIds")[0].get("Id")
             users.append(user)
     return users
+@timeit
+@aws_handle_regions
+def get_sso_groups(
+    boto3_session: boto3.session.Session,
+    identity_store_id: str,
+    region: str,
+) -> list[dict[str, Any]]:
+    """
+    Get all SSO groups for a given Identity Store
+    """
+    client = boto3_session.client("identitystore", region_name=region)
+    groups: list[dict[str, Any]] = []
+    paginator = client.get_paginator("list_groups")
+    for page in paginator.paginate(IdentityStoreId=identity_store_id):
+        group_page = page.get("Groups", [])
+        for group in group_page:
+            groups.append(group)
+    return groups
+def transform_sso_users(
+    users: list[dict[str, Any]],
+    user_group_memberships: dict[str, list[str]] | None = None,
+    user_permissionsets: list[dict[str, Any]] | None = None,
+) -> list[dict[str, Any]]:
+    """
+    Transform SSO users to match the expected schema, optionally including group memberships
+    and permission set assignments.
+    Args:
+        users: List of SSO users from AWS API
+        user_group_memberships: Optional mapping of UserId -> [GroupIds]
+        user_permissionsets: Optional list of permission set assignments with shape:
+            [{UserId: str, PermissionSetArn: str, AccountId: str}, ...]
+    Returns:
+        Transformed users with MemberOfGroups and AssignedPermissionSets fields added
+    """
+    # Build mapping from UserId to list of PermissionSetArns
+    user_permission_sets: dict[str, list[str]] = {}
+    if user_permissionsets:
+        for assignment in user_permissionsets:
+            user_id = assignment["UserId"]
+            perm_set = assignment["PermissionSetArn"]
+            user_permission_sets.setdefault(user_id, []).append(perm_set)
+    # Transform users
+    transformed_users = []
+    for user in users:
+        if user.get("ExternalIds"):
+            user["ExternalId"] = user["ExternalIds"][0].get("Id")
+        # Add group memberships if provided
+        if user_group_memberships:
+            user["MemberOfGroups"] = user_group_memberships.get(user["UserId"], [])
+        # Add direct permission set assignments if available
+        if user_permission_sets:
+            user["AssignedPermissionSets"] = user_permission_sets.get(
+                user["UserId"], []
+            )
+        transformed_users.append(user)
+    return transformed_users
+def transform_sso_groups(
+    groups: list[dict[str, Any]],
+    group_role_assignments: list[dict[str, Any]] | None = None,
+) -> list[dict[str, Any]]:
+    """
+    Transform SSO groups to match the expected schema, optionally including permission set assignments.
+    Args:
+        groups: List of SSO groups from AWS API
+        group_role_assignments: Optional list of role assignments with shape:
+            [{GroupId: str, PermissionSetArn: str, AccountId: str}, ...]
+    Returns:
+        Transformed groups with AssignedPermissionSets field added
+    """
+    # Build mapping from GroupId to list of PermissionSetArns
+    group_permission_sets: dict[str, list[str]] = {}
+    if group_role_assignments:
+        for assignment in group_role_assignments:
+            group_id = assignment["GroupId"]
+            perm_set = assignment["PermissionSetArn"]
+            group_permission_sets.setdefault(group_id, []).append(perm_set)
+    # Transform groups
+    transformed_groups: list[dict[str, Any]] = []
+    for group in groups:
+        if group.get("ExternalIds"):
+            group["ExternalId"] = group["ExternalIds"][0].get("Id")
+        # Add permission set assignments if available
+        if group_permission_sets:
+            group["AssignedPermissionSets"] = group_permission_sets.get(
+                group["GroupId"], []
+            )
+        transformed_groups.append(group)
+    return transformed_groups
 @timeit
 def load_sso_users(
     neo4j_session: neo4j.Session,
-    users: List[Dict],
+    users: list[dict[str, Any]],
     identity_store_id: str,
     region: str,
     aws_account_id: str,
@@ -174,21 +314,49 @@ def load_sso_users(
     )
+@timeit
+def load_sso_groups(
+    neo4j_session: neo4j.Session,
+    groups: list[dict[str, Any]],
+    identity_store_id: str,
+    region: str,
+    aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load SSO groups into the graph
+    """
+    logger.info(
+        f"Loading {len(groups)} SSO groups for identity store {identity_store_id} in region {region}",
+    )
+    load(
+        neo4j_session,
+        AWSSSOGroupSchema(),
+        groups,
+        lastupdated=aws_update_tag,
+        IdentityStoreId=identity_store_id,
+        AWS_ID=aws_account_id,
+        Region=region,
+    )
 @timeit
 @aws_handle_regions
-def get_role_assignments(
+def get_user_permissionsets(
     boto3_session: boto3.session.Session,
-    users: List[Dict],
+    users: list[dict[str, Any]],
     instance_arn: str,
     region: str,
-) -> List[Dict]:
+) -> list[dict[str, Any]]:
     """
-    Get role assignments for SSO users
+    Get permissionsets for SSO users, taking into account which accounts the user is assigned to.
+    Although a permissionset can be assigned to multiple accounts, it is possible for the user
+    to be assigned to just a subset of those!
     """
-    logger.info(f"Getting role assignments for {len(users)} users")
+    logger.info(f"Getting permissionsets for {len(users)} users")
     client = boto3_session.client("sso-admin", region_name=region)
-    role_assignments = []
+    user_permissionsets = []
     for user in users:
         user_id = user["UserId"]
@@ -199,7 +367,7 @@ def get_role_assignments(
             PrincipalType="USER",
         ):
             for assignment in page.get("AccountAssignments", []):
-                role_assignments.append(
+                user_permissionsets.append(
                     {
                         "UserId": user_id,
                         "PermissionSetArn": assignment.get("PermissionSetArn"),
@@ -207,40 +375,198 @@ def get_role_assignments(
                     },
                 )
-    return role_assignments
+    return user_permissionsets
+@timeit
+@aws_handle_regions
+def get_group_permissionsets(
+    boto3_session: boto3.session.Session,
+    groups: list[dict[str, Any]],
+    instance_arn: str,
+    region: str,
+) -> list[dict[str, Any]]:
+    """
+    Get permissionsets for SSO groups, taking into account which accounts the group is assigned to.
+    """
+    logger.info(f"Getting permissionsets for {len(groups)} groups")
+    client = boto3_session.client("sso-admin", region_name=region)
+    group_permissionsets: list[dict[str, Any]] = []
+    for group in groups:
+        group_id = group["GroupId"]
+        paginator = client.get_paginator("list_account_assignments_for_principal")
+        for page in paginator.paginate(
+            InstanceArn=instance_arn,
+            PrincipalId=group_id,
+            PrincipalType="GROUP",
+        ):
+            for assignment in page.get("AccountAssignments", []):
+                group_permissionsets.append(
+                    {
+                        "GroupId": group_id,
+                        "PermissionSetArn": assignment.get("PermissionSetArn"),
+                        "AccountId": assignment.get("AccountId"),
+                    }
+                )
+    return group_permissionsets
+@timeit
+@aws_handle_regions
+def get_user_group_memberships(
+    boto3_session: boto3.session.Session,
+    identity_store_id: str,
+    groups: list[dict[str, Any]],
+    region: str,
+) -> dict[str, list[str]]:
+    """
+    Return a mapping of UserId -> [GroupIds] for all group memberships in the identity store.
+    """
+    client = boto3_session.client("identitystore", region_name=region)
+    user_groups: dict[str, list[str]] = {}
+    for group in groups:
+        group_id = group["GroupId"]
+        paginator = client.get_paginator("list_group_memberships")
+        for page in paginator.paginate(
+            IdentityStoreId=identity_store_id, GroupId=group_id
+        ):
+            for membership in page.get("GroupMemberships", []):
+                member = membership.get("MemberId", {})
+                user_id = member.get("UserId")
+                if user_id:
+                    user_groups.setdefault(user_id, []).append(group_id)
+    return user_groups
 @timeit
-def load_role_assignments(
+def _get_permset_roles(
     neo4j_session: neo4j.Session,
-    role_assignments: List[Dict],
-    aws_update_tag: int,
-) -> None:
+    permset_ids: list[str],
+) -> dict[tuple[str, str], str]:
+    """
+    Given a list of permission set ARNs, return a mapping of (permission set ARN, account ID) to role ARN
+    based on the ASSIGNED_TO_ROLE relationship in the graph.
     """
-    Load role assignments into the graph
-    """
-    logger.info(f"Loading {len(role_assignments)} role assignments")
-    if role_assignments:
-        neo4j_session.run(
-            """
-            UNWIND $role_assignments AS ra
-            MATCH (acc:AWSAccount{id:ra.AccountId}) -[:RESOURCE]->
-            (role:AWSRole)<-[:ASSIGNED_TO_ROLE]-
-            (permset:AWSPermissionSet {id: ra.PermissionSetArn})
-            MATCH (sso:AWSSSOUser {id: ra.UserId})
-            MERGE (role)-[r:ALLOWED_BY]->(sso)
-            SET r.lastupdated = $aws_update_tag,
-            r.permission_set_arn = ra.PermissionSetArn
-            """,
-            role_assignments=role_assignments,
-            aws_update_tag=aws_update_tag,
+    query = """
+    MATCH (role:AWSRole)<-[:ASSIGNED_TO_ROLE]-(permset:AWSPermissionSet)
+    MATCH (account:AWSAccount)-[:RESOURCE]->(role)
+    WHERE permset.arn IN $PermSetIds
+    RETURN permset.arn AS PermissionSetArn, role.arn AS RoleArn, account.id AS AccountId
+    """
+    permset_to_role = neo4j_session.execute_read(
+        read_list_of_dicts_tx,
+        query,
+        PermSetIds=permset_ids,
+    )
+    return {
+        (entry["PermissionSetArn"], entry["AccountId"]): entry["RoleArn"]
+        for entry in permset_to_role
+    }
+@timeit
+def get_principal_roles(
+    neo4j_session: neo4j.Session,
+    principal_assignments: list[dict[str, Any]],
+) -> list[dict[str, Any]]:
+    """
+    At this point we've established that the principal has access to a given account
+    via a given permission set, and now we need to find the exact role in the account
+    it has access to.
+    :param neo4j_session: neo4j.Session
+    :param principal_assignments: either a list of {
+                "UserId": str
+                "AccountId": str,
+                "PermissionSetArn": str,
+            }, or a list of {
+                "GroupId": str,
+                "AccountId": str,
+                "PermissionSetArn": str,
+            }
+    :return: either a list of {
+        "UserId": str,
+        "AccountId": str,
+        "PermissionSetArn": str,
+        "RoleArn": str
+    } or,
+    a list of  {
+        "GroupId": str,
+        "AccountId": str,
+        "PermissionSetArn": str,
+        "RoleArn": str
+    }
+    """
+    # Get unique permission set ARNs from role assignments
+    permset_ids = list({pa["PermissionSetArn"] for pa in principal_assignments})
+    permset_to_role = _get_permset_roles(neo4j_session, permset_ids)
+    unmatched = 0
+    # Use the lookup table to enrich assignments with exact role ARNs
+    principal_roles = []
+    for assignment in principal_assignments:
+        lookup_key = (assignment["PermissionSetArn"], assignment["AccountId"])
+        role_arn = permset_to_role.get(lookup_key)
+        if not role_arn:
+            unmatched += 1
+        principal_roles.append(
+            {
+                **assignment,
+                "RoleArn": role_arn,
+            }
         )
+    if unmatched > 0:
+        logger.info(
+            f"Identity Center: {unmatched} of {len(principal_assignments)} principal assignments "
+            "did not match a role. This usually means IAM roles for some permission sets/accounts "
+            "have not been ingested yet. Re-run the IAM sync, and then the Identity Center sync to fix."
+        )
+    return principal_roles
+@timeit
+def load_user_roles(
+    neo4j_session: neo4j.Session,
+    user_roles: list[dict[str, Any]],
+    aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    logger.info(f"Loading {len(user_roles)} user roles")
+    load_matchlinks(
+        neo4j_session,
+        AWSRoleToSSOUserMatchLink(),
+        user_roles,
+        lastupdated=aws_update_tag,
+        _sub_resource_label="AWSAccount",
+        _sub_resource_id=aws_account_id,
+    )
+@timeit
+def load_group_roles(
+    neo4j_session: neo4j.Session,
+    group_roles: list[dict[str, Any]],
+    aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    logger.info(f"Loading {len(group_roles)} group roles")
+    load_matchlinks(
+        neo4j_session,
+        AWSRoleToSSOGroupMatchLink(),
+        group_roles,
+        lastupdated=aws_update_tag,
+        _sub_resource_label="AWSAccount",
+        _sub_resource_id=aws_account_id,
+    )
 @timeit
 def cleanup(
     neo4j_session: neo4j.Session,
-    common_job_parameters: Dict[str, Any],
+    common_job_parameters: dict[str, Any],
 ) -> None:
     GraphJob.from_node_schema(
         AWSIdentityCenterInstanceSchema(),
@@ -252,24 +578,249 @@ def cleanup(
     GraphJob.from_node_schema(AWSSSOUserSchema(), common_job_parameters).run(
         neo4j_session,
     )
-    run_cleanup_job(
-        "aws_import_identity_center_cleanup.json",
+    GraphJob.from_node_schema(AWSSSOGroupSchema(), common_job_parameters).run(
         neo4j_session,
-        common_job_parameters,
     )
+    # Clean up role assignment MatchLinks
+    GraphJob.from_matchlink(
+        AWSRoleToSSOUserMatchLink(),
+        "AWSAccount",
+        common_job_parameters["AWS_ID"],
+        common_job_parameters["UPDATE_TAG"],
+    ).run(neo4j_session)
+    GraphJob.from_matchlink(
+        AWSRoleToSSOGroupMatchLink(),
+        "AWSAccount",
+        common_job_parameters["AWS_ID"],
+        common_job_parameters["UPDATE_TAG"],
+    ).run(neo4j_session)
+def _sync_permission_sets(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    instance_arn: str,
+    region: str,
+    current_aws_account_id: str,
+    update_tag: int,
+) -> bool:
+    """
+    Sync permission sets for an Identity Center instance.
+    Returns:
+        True if permission set sync is supported, False for account-scoped instances
+        that don't support permission sets.
+    """
+    try:
+        permission_sets = get_permission_sets(boto3_session, instance_arn, region)
+        # Transform permission sets to add RoleHint for fuzzy matching to IAM roles
+        permission_sets = transform_permission_sets(permission_sets, region)
+        load_permission_sets(
+            neo4j_session,
+            permission_sets,
+            instance_arn,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
+        return True
+    except botocore.exceptions.ClientError as error:
+        if _is_permission_set_sync_unsupported_error(error):
+            logger.warning(
+                "Skipping permission set sync for Identity Center instance %s in region %s "
+                "because the instance does not support permission sets. "
+                "Will attempt to sync users and groups only.",
+                instance_arn,
+                region,
+            )
+            return False
+        raise
+def _sync_groups_and_users(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    instance_arn: str,
+    identity_store_id: str,
+    region: str,
+    permission_set_sync_supported: bool,
+    current_aws_account_id: str,
+    update_tag: int,
+) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
+    """
+    Sync groups and users for an Identity Center instance.
+    Groups are synced first so that user->group membership edges can be created.
+    Permission set assignments are fetched (if supported) and used to enrich
+    the user/group nodes with HAS_PERMISSION_SET relationships, then returned
+    for later role assignment creation.
+    Args:
+        permission_set_sync_supported: If True, fetches and enriches permission set assignments
+    Returns:
+        (user_permission_set_assignments, group_permission_set_assignments)
+        These are the raw assignment data needed for creating ALLOWED_BY relationships.
+        Will be empty lists if permission_set_sync_supported is False.
+    """
+    # Fetch groups first to avoid interleaving between groups and users
+    groups = get_sso_groups(boto3_session, identity_store_id, region)
+    # Get permission set assignments for groups (if permission sets are supported)
+    group_permissionsets_raw: list[dict[str, Any]] = []
+    if permission_set_sync_supported:
+        group_permissionsets_raw = get_group_permissionsets(
+            boto3_session,
+            groups,
+            instance_arn,
+            region,
+        )
+    # Transform and load groups with their permission set assignments FIRST
+    # so that user->group membership edges can attach in the same run.
+    transformed_groups = transform_sso_groups(groups, group_permissionsets_raw)
+    load_sso_groups(
+        neo4j_session,
+        transformed_groups,
+        identity_store_id,
+        region,
+        current_aws_account_id,
+        update_tag,
+    )
+    # Handle users AFTER groups exist
+    users = get_sso_users(boto3_session, identity_store_id, region)
+    user_group_memberships = get_user_group_memberships(
+        boto3_session,
+        identity_store_id,
+        groups,
+        region,
+    )
+    # Get direct permission set assignments for users (if permission sets are supported)
+    user_permissionsets_raw: list[dict[str, Any]] = []
+    if permission_set_sync_supported:
+        user_permissionsets_raw = get_user_permissionsets(
+            boto3_session,
+            users,
+            instance_arn,
+            region,
+        )
+    # Transform and load users with their group memberships AFTER groups exist
+    transformed_users = transform_sso_users(
+        users,
+        user_group_memberships,
+        user_permissionsets_raw,
+    )
+    load_sso_users(
+        neo4j_session,
+        transformed_users,
+        identity_store_id,
+        region,
+        current_aws_account_id,
+        update_tag,
+    )
+    # Return the raw assignment data for role assignment creation
+    return user_permissionsets_raw, group_permissionsets_raw
+def _sync_role_assignments(
+    neo4j_session: neo4j.Session,
+    user_permissionsets_raw: list[dict[str, Any]],
+    group_permissionsets_raw: list[dict[str, Any]],
+    current_aws_account_id: str,
+    update_tag: int,
+) -> None:
+    """
+    Create ALLOWED_BY relationships between IAM roles and SSO principals.
+    This enriches the raw permission set assignment data with exact role ARNs
+    from the graph (using the composite key lookup), then creates the MatchLink
+    relationships.
+    Note: This must be called AFTER groups and users are loaded so that the
+    MatchLinks can find the existing AWSSSOUser/AWSSSOGroup nodes when creating
+    the ALLOWED_BY edges.
+    """
+    user_roles = get_principal_roles(neo4j_session, user_permissionsets_raw)
+    load_user_roles(neo4j_session, user_roles, current_aws_account_id, update_tag)
+    group_roles = get_principal_roles(neo4j_session, group_permissionsets_raw)
+    load_group_roles(neo4j_session, group_roles, current_aws_account_id, update_tag)
+def _sync_instance(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    instance: dict[str, Any],
+    region: str,
+    current_aws_account_id: str,
+    update_tag: int,
+) -> None:
+    """
+    Sync a single Identity Center instance.
+    This syncs permission sets (if supported), groups, users, and role assignments
+    in the correct order to ensure all relationships can be created.
+    """
+    instance_arn = instance["InstanceArn"]
+    identity_store_id = instance["IdentityStoreId"]
+    # Sync permission sets (may not be supported for account-scoped instances)
+    permission_set_sync_supported = _sync_permission_sets(
+        neo4j_session,
+        boto3_session,
+        instance_arn,
+        region,
+        current_aws_account_id,
+        update_tag,
+    )
+    # Sync groups and users (always happens, but enriched with permission sets if available)
+    user_assignments, group_assignments = _sync_groups_and_users(
+        neo4j_session,
+        boto3_session,
+        instance_arn,
+        identity_store_id,
+        region,
+        permission_set_sync_supported,
+        current_aws_account_id,
+        update_tag,
+    )
+    # Create role assignment relationships (only if permission sets are supported)
+    if permission_set_sync_supported:
+        _sync_role_assignments(
+            neo4j_session,
+            user_assignments,
+            group_assignments,
+            current_aws_account_id,
+            update_tag,
+        )
 @timeit
 def sync_identity_center_instances(
     neo4j_session: neo4j.Session,
     boto3_session: boto3.session.Session,
-    regions: List[str],
+    regions: list[str],
     current_aws_account_id: str,
     update_tag: int,
-    common_job_parameters: Dict,
+    common_job_parameters: dict[str, Any],
 ) -> None:
     """
-    Sync Identity Center instances, their permission sets, and SSO users
+    Sync Identity Center instances across all specified regions.
+    For each instance, syncs:
+    1. Permission sets (if supported by the instance type)
+    2. Groups and users (with permission set assignments if available)
+    3. Role assignment relationships (ALLOWED_BY edges from roles to principals)
+    Account-scoped Identity Center instances don't support permission sets and will
+    skip step 1 and 3, but still sync users and groups.
     """
     logger.info(f"Syncing Identity Center instances for regions {regions}")
     for region in regions:
@@ -283,42 +834,13 @@ def sync_identity_center_instances(
             update_tag,
         )
-        # For each instance, get and load its permission sets and SSO users
         for instance in instances:
-            instance_arn = instance["InstanceArn"]
-            identity_store_id = instance["IdentityStoreId"]
-            permission_sets = get_permission_sets(boto3_session, instance_arn, region)
-            load_permission_sets(
-                neo4j_session,
-                permission_sets,
-                instance_arn,
-                region,
-                current_aws_account_id,
-                update_tag,
-            )
-            users = get_sso_users(boto3_session, identity_store_id, region)
-            load_sso_users(
+            _sync_instance(
                 neo4j_session,
-                users,
-                identity_store_id,
-                region,
-                current_aws_account_id,
-                update_tag,
-            )
-            # Get and load role assignments
-            role_assignments = get_role_assignments(
                 boto3_session,
-                users,
-                instance_arn,
+                instance,
                 region,
-            )
-            load_role_assignments(
-                neo4j_session,
-                role_assignments,
+                current_aws_account_id,
                 update_tag,
             )

cartography 0.104.0rc2__py3-none-any.whl → 0.123.0__py3-none-any.whl

cartography 0.104.0rc2py3-none-any.whl → 0.123.0py3-none-any.whl