PyPI - cartography - Versions diffs - 0.104.0rc2__py3-none-any.whl → 0.123.0__py3-none-any.whl - Mend

cartography 0.104.0rc2py3-none-any.whl → 0.123.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (642) hide show

cartography/_version.py +16 -3
cartography/cli.py +466 -5
cartography/client/aws/__init__.py +19 -0
cartography/client/aws/ecr.py +51 -0
cartography/client/core/tx.py +357 -8
cartography/config.py +153 -0
cartography/data/azure_permission_relationships.yaml +20 -0
cartography/data/gcp_permission_relationships.yaml +21 -0
cartography/data/indexes.cypher +0 -186
cartography/data/jobs/analysis/aws_ec2_keypair_analysis.json +2 -2
cartography/data/jobs/analysis/keycloak_inheritance.json +30 -0
cartography/data/jobs/cleanup/gcp_compute_vpc_cleanup.json +0 -12
cartography/data/jobs/cleanup/github_repos_cleanup.json +2 -0
cartography/driftdetect/cli.py +3 -2
cartography/graph/cleanupbuilder.py +198 -41
cartography/graph/job.py +54 -6
cartography/graph/querybuilder.py +528 -27
cartography/graph/statement.py +5 -1
cartography/intel/airbyte/__init__.py +105 -0
cartography/intel/airbyte/connections.py +120 -0
cartography/intel/airbyte/destinations.py +81 -0
cartography/intel/airbyte/organizations.py +59 -0
cartography/intel/airbyte/sources.py +78 -0
cartography/intel/airbyte/tags.py +64 -0
cartography/intel/airbyte/users.py +106 -0
cartography/intel/airbyte/util.py +122 -0
cartography/intel/airbyte/workspaces.py +63 -0
cartography/intel/aws/__init__.py +24 -9
cartography/intel/aws/acm.py +124 -0
cartography/intel/aws/apigateway.py +253 -22
cartography/intel/aws/apigatewayv2.py +116 -0
cartography/intel/aws/cloudtrail.py +17 -39
cartography/intel/aws/cloudtrail_management_events.py +962 -0
cartography/intel/aws/cloudwatch.py +150 -4
cartography/intel/aws/codebuild.py +132 -0
cartography/intel/aws/cognito.py +201 -0
cartography/intel/aws/config.py +7 -3
cartography/intel/aws/ec2/elastic_ip_addresses.py +3 -1
cartography/intel/aws/ec2/instances.py +25 -1
cartography/intel/aws/ec2/internet_gateways.py +4 -2
cartography/intel/aws/ec2/load_balancer_v2s.py +11 -5
cartography/intel/aws/ec2/network_interfaces.py +5 -1
cartography/intel/aws/ec2/reserved_instances.py +3 -1
cartography/intel/aws/ec2/security_groups.py +140 -122
cartography/intel/aws/ec2/snapshots.py +47 -84
cartography/intel/aws/ec2/subnets.py +37 -63
cartography/intel/aws/ec2/tgw.py +11 -5
cartography/intel/aws/ec2/volumes.py +1 -1
cartography/intel/aws/ec2/vpc.py +140 -124
cartography/intel/aws/ec2/vpc_peerings.py +262 -125
cartography/intel/aws/ecr.py +269 -98
cartography/intel/aws/ecr_image_layers.py +923 -0
cartography/intel/aws/ecs.py +251 -380
cartography/intel/aws/efs.py +179 -11
cartography/intel/aws/elasticache.py +102 -79
cartography/intel/aws/elasticsearch.py +13 -4
cartography/intel/aws/eventbridge.py +164 -0
cartography/intel/aws/glue.py +181 -0
cartography/intel/aws/guardduty.py +443 -0
cartography/intel/aws/iam.py +750 -493
cartography/intel/aws/identitycenter.py +605 -83
cartography/intel/aws/inspector.py +221 -105
cartography/intel/aws/kms.py +173 -201
cartography/intel/aws/lambda_function.py +272 -189
cartography/intel/aws/organizations.py +10 -9
cartography/intel/aws/permission_relationships.py +10 -20
cartography/intel/aws/rds.py +337 -446
cartography/intel/aws/redshift.py +9 -4
cartography/intel/aws/resourcegroupstaggingapi.py +78 -19
cartography/intel/aws/resources.py +18 -0
cartography/intel/aws/route53.py +386 -332
cartography/intel/aws/s3.py +322 -14
cartography/intel/aws/secretsmanager.py +81 -49
cartography/intel/aws/securityhub.py +3 -1
cartography/intel/aws/sns.py +62 -2
cartography/intel/aws/sqs.py +36 -90
cartography/intel/aws/ssm.py +3 -5
cartography/intel/azure/__init__.py +202 -48
cartography/intel/azure/aks.py +175 -0
cartography/intel/azure/app_service.py +105 -0
cartography/intel/azure/compute.py +59 -112
cartography/intel/azure/container_instances.py +95 -0
cartography/intel/azure/cosmosdb.py +222 -361
cartography/intel/azure/data_factory.py +85 -0
cartography/intel/azure/data_factory_dataset.py +128 -0
cartography/intel/azure/data_factory_linked_service.py +119 -0
cartography/intel/azure/data_factory_pipeline.py +142 -0
cartography/intel/azure/data_lake.py +124 -0
cartography/intel/azure/event_grid.py +94 -0
cartography/intel/azure/functions.py +124 -0
cartography/intel/azure/load_balancers.py +263 -0
cartography/intel/azure/logic_apps.py +101 -0
cartography/intel/azure/monitor.py +105 -0
cartography/intel/azure/network.py +467 -0
cartography/intel/azure/permission_relationships.py +466 -0
cartography/intel/azure/rbac.py +309 -0
cartography/intel/azure/resource_groups.py +82 -0
cartography/intel/azure/security_center.py +106 -0
cartography/intel/azure/sql.py +145 -292
cartography/intel/azure/storage.py +185 -262
cartography/intel/azure/subscription.py +21 -43
cartography/intel/azure/tenant.py +39 -30
cartography/intel/azure/util/common.py +13 -0
cartography/intel/azure/util/credentials.py +49 -174
cartography/intel/azure/util/tag.py +41 -0
cartography/intel/create_indexes.py +2 -1
cartography/intel/crowdstrike/spotlight.py +5 -2
cartography/intel/dns.py +5 -2
cartography/intel/entra/__init__.py +100 -1
cartography/intel/entra/app_role_assignments.py +284 -0
cartography/intel/entra/applications.py +182 -0
cartography/intel/entra/federation/__init__.py +0 -0
cartography/intel/entra/federation/aws_identity_center.py +77 -0
cartography/intel/entra/groups.py +198 -0
cartography/intel/entra/ou.py +48 -24
cartography/intel/entra/service_principals.py +217 -0
cartography/intel/entra/users.py +105 -57
cartography/intel/gcp/__init__.py +334 -396
cartography/intel/gcp/bigtable_app_profile.py +101 -0
cartography/intel/gcp/bigtable_backup.py +91 -0
cartography/intel/gcp/bigtable_cluster.py +93 -0
cartography/intel/gcp/bigtable_instance.py +86 -0
cartography/intel/gcp/bigtable_table.py +87 -0
cartography/intel/gcp/cai.py +292 -0
cartography/intel/gcp/clients.py +112 -0
cartography/intel/gcp/compute.py +128 -119
cartography/intel/gcp/crm/__init__.py +0 -0
cartography/intel/gcp/crm/folders.py +114 -0
cartography/intel/gcp/crm/orgs.py +70 -0
cartography/intel/gcp/crm/projects.py +120 -0
cartography/intel/gcp/dns.py +83 -169
cartography/intel/gcp/gke.py +72 -113
cartography/intel/gcp/iam.py +111 -91
cartography/intel/gcp/permission_relationships.py +394 -0
cartography/intel/gcp/policy_bindings.py +225 -0
cartography/intel/gcp/storage.py +75 -159
cartography/intel/github/__init__.py +62 -25
cartography/intel/github/commits.py +423 -0
cartography/intel/github/repos.py +463 -85
cartography/intel/github/teams.py +3 -3
cartography/intel/github/users.py +5 -0
cartography/intel/github/util.py +12 -0
cartography/intel/googleworkspace/__init__.py +193 -0
cartography/intel/googleworkspace/devices.py +254 -0
cartography/intel/googleworkspace/groups.py +568 -0
cartography/intel/googleworkspace/oauth_apps.py +259 -0
cartography/intel/googleworkspace/tenant.py +85 -0
cartography/intel/googleworkspace/users.py +138 -0
cartography/intel/gsuite/__init__.py +17 -9
cartography/intel/gsuite/groups.py +291 -0
cartography/intel/gsuite/users.py +142 -0
cartography/intel/jamf/computers.py +7 -1
cartography/intel/keycloak/__init__.py +153 -0
cartography/intel/keycloak/authenticationexecutions.py +322 -0
cartography/intel/keycloak/authenticationflows.py +77 -0
cartography/intel/keycloak/clients.py +187 -0
cartography/intel/keycloak/groups.py +126 -0
cartography/intel/keycloak/identityproviders.py +94 -0
cartography/intel/keycloak/organizations.py +163 -0
cartography/intel/keycloak/realms.py +61 -0
cartography/intel/keycloak/roles.py +202 -0
cartography/intel/keycloak/scopes.py +73 -0
cartography/intel/keycloak/users.py +70 -0
cartography/intel/keycloak/util.py +47 -0
cartography/intel/kubernetes/__init__.py +60 -14
cartography/intel/kubernetes/clusters.py +86 -0
cartography/intel/kubernetes/eks.py +402 -0
cartography/intel/kubernetes/namespaces.py +59 -57
cartography/intel/kubernetes/pods.py +168 -75
cartography/intel/kubernetes/rbac.py +597 -0
cartography/intel/kubernetes/secrets.py +95 -45
cartography/intel/kubernetes/services.py +131 -67
cartography/intel/kubernetes/util.py +142 -14
cartography/intel/oci/iam.py +23 -9
cartography/intel/oci/organizations.py +3 -1
cartography/intel/oci/utils.py +28 -5
cartography/intel/okta/applications.py +15 -5
cartography/intel/okta/awssaml.py +14 -10
cartography/intel/okta/factors.py +3 -1
cartography/intel/okta/groups.py +5 -2
cartography/intel/okta/organization.py +3 -1
cartography/intel/okta/origins.py +3 -1
cartography/intel/okta/roles.py +5 -2
cartography/intel/okta/users.py +10 -2
cartography/intel/ontology/__init__.py +44 -0
cartography/intel/ontology/devices.py +54 -0
cartography/intel/ontology/users.py +54 -0
cartography/intel/ontology/utils.py +176 -0
cartography/intel/pagerduty/escalation_policies.py +13 -6
cartography/intel/pagerduty/schedules.py +9 -4
cartography/intel/pagerduty/services.py +7 -3
cartography/intel/pagerduty/teams.py +5 -2
cartography/intel/pagerduty/users.py +3 -1
cartography/intel/pagerduty/vendors.py +3 -1
cartography/intel/scaleway/__init__.py +127 -0
cartography/intel/scaleway/iam/__init__.py +0 -0
cartography/intel/scaleway/iam/apikeys.py +71 -0
cartography/intel/scaleway/iam/applications.py +71 -0
cartography/intel/scaleway/iam/groups.py +71 -0
cartography/intel/scaleway/iam/users.py +71 -0
cartography/intel/scaleway/instances/__init__.py +0 -0
cartography/intel/scaleway/instances/flexibleips.py +86 -0
cartography/intel/scaleway/instances/instances.py +92 -0
cartography/intel/scaleway/projects.py +79 -0
cartography/intel/scaleway/storage/__init__.py +0 -0
cartography/intel/scaleway/storage/snapshots.py +86 -0
cartography/intel/scaleway/storage/volumes.py +84 -0
cartography/intel/scaleway/utils.py +37 -0
cartography/intel/sentinelone/__init__.py +75 -0
cartography/intel/sentinelone/account.py +140 -0
cartography/intel/sentinelone/agent.py +139 -0
cartography/intel/sentinelone/api.py +124 -0
cartography/intel/sentinelone/application.py +248 -0
cartography/intel/sentinelone/cve.py +119 -0
cartography/intel/sentinelone/utils.py +28 -0
cartography/intel/slack/__init__.py +78 -0
cartography/intel/slack/channels.py +80 -0
cartography/intel/slack/groups.py +90 -0
cartography/intel/slack/teams.py +65 -0
cartography/intel/slack/users.py +57 -0
cartography/intel/slack/utils.py +29 -0
cartography/intel/spacelift/__init__.py +161 -0
cartography/intel/spacelift/account.py +73 -0
cartography/intel/spacelift/ec2_ownership.py +280 -0
cartography/intel/spacelift/runs.py +463 -0
cartography/intel/spacelift/spaces.py +112 -0
cartography/intel/spacelift/stacks.py +119 -0
cartography/intel/spacelift/util.py +122 -0
cartography/intel/spacelift/workerpools.py +131 -0
cartography/intel/spacelift/workers.py +128 -0
cartography/intel/trivy/__init__.py +272 -0
cartography/intel/trivy/scanner.py +386 -0
cartography/models/airbyte/__init__.py +0 -0
cartography/models/airbyte/connection.py +138 -0
cartography/models/airbyte/destination.py +75 -0
cartography/models/airbyte/organization.py +19 -0
cartography/models/airbyte/source.py +75 -0
cartography/models/airbyte/stream.py +74 -0
cartography/models/airbyte/tag.py +69 -0
cartography/models/airbyte/user.py +115 -0
cartography/models/airbyte/workspace.py +46 -0
cartography/models/anthropic/apikey.py +4 -0
cartography/models/anthropic/user.py +4 -0
cartography/models/aws/acm/__init__.py +0 -0
cartography/models/aws/acm/certificate.py +75 -0
cartography/models/aws/apigateway/__init__.py +0 -0
cartography/models/aws/apigateway/apigatewaydeployment.py +74 -0
cartography/models/aws/apigateway/apigatewayintegration.py +79 -0
cartography/models/aws/apigateway/apigatewaymethod.py +74 -0
cartography/models/aws/apigatewayv2/__init__.py +0 -0
cartography/models/aws/apigatewayv2/apigatewayv2.py +53 -0
cartography/models/aws/cloudtrail/management_events.py +153 -0
cartography/models/aws/cloudtrail/trail.py +45 -0
cartography/models/aws/cloudwatch/log_metric_filter.py +79 -0
cartography/models/aws/cloudwatch/metric_alarm.py +53 -0
cartography/models/aws/codebuild/__init__.py +0 -0
cartography/models/aws/codebuild/project.py +49 -0
cartography/models/aws/cognito/__init__.py +0 -0
cartography/models/aws/cognito/identity_pool.py +70 -0
cartography/models/aws/cognito/user_pool.py +47 -0
cartography/models/aws/dynamodb/tables.py +2 -0
cartography/models/aws/ec2/instances.py +25 -1
cartography/models/aws/ec2/networkinterfaces.py +4 -0
cartography/models/aws/ec2/security_group_rules.py +109 -0
cartography/models/aws/ec2/security_groups.py +90 -0
cartography/models/aws/ec2/snapshots.py +58 -0
cartography/models/aws/ec2/subnet_instance.py +2 -0
cartography/models/aws/ec2/subnet_networkinterface.py +2 -0
cartography/models/aws/ec2/subnets.py +65 -0
cartography/models/aws/ec2/volumes.py +20 -0
cartography/models/aws/ec2/vpc.py +46 -0
cartography/models/aws/ec2/vpc_cidr.py +102 -0
cartography/models/aws/ec2/vpc_peering.py +157 -0
cartography/models/aws/ecr/__init__.py +0 -0
cartography/models/aws/ecr/image.py +146 -0
cartography/models/aws/ecr/image_layer.py +107 -0
cartography/models/aws/ecr/repository.py +72 -0
cartography/models/aws/ecr/repository_image.py +95 -0
cartography/models/aws/ecs/__init__.py +0 -0
cartography/models/aws/ecs/clusters.py +64 -0
cartography/models/aws/ecs/container_definitions.py +93 -0
cartography/models/aws/ecs/container_instances.py +84 -0
cartography/models/aws/ecs/containers.py +101 -0
cartography/models/aws/ecs/services.py +134 -0
cartography/models/aws/ecs/task_definitions.py +135 -0
cartography/models/aws/ecs/tasks.py +134 -0
cartography/models/aws/efs/access_point.py +77 -0
cartography/models/aws/efs/file_system.py +60 -0
cartography/models/aws/efs/mount_target.py +29 -2
cartography/models/aws/elasticache/__init__.py +0 -0
cartography/models/aws/elasticache/cluster.py +65 -0
cartography/models/aws/elasticache/topic.py +67 -0
cartography/models/aws/eventbridge/__init__.py +0 -0
cartography/models/aws/eventbridge/rule.py +77 -0
cartography/models/aws/eventbridge/target.py +71 -0
cartography/models/aws/glue/__init__.py +0 -0
cartography/models/aws/glue/connection.py +51 -0
cartography/models/aws/glue/job.py +69 -0
cartography/models/aws/guardduty/__init__.py +1 -0
cartography/models/aws/guardduty/detectors.py +50 -0
cartography/models/aws/guardduty/findings.py +121 -0
cartography/models/aws/iam/access_key.py +103 -0
cartography/models/aws/iam/account_role.py +24 -0
cartography/models/aws/iam/federated_principal.py +60 -0
cartography/models/aws/iam/group.py +60 -0
cartography/models/aws/iam/group_membership.py +27 -0
cartography/models/aws/iam/inline_policy.py +78 -0
cartography/models/aws/iam/managed_policy.py +51 -0
cartography/models/aws/iam/policy_statement.py +57 -0
cartography/models/aws/iam/role.py +83 -0
cartography/models/aws/iam/root_principal.py +52 -0
cartography/models/aws/iam/service_principal.py +30 -0
cartography/models/aws/iam/sts_assumerole_allow.py +38 -0
cartography/models/aws/iam/user.py +59 -0
cartography/models/aws/identitycenter/awsidentitycenter.py +1 -0
cartography/models/aws/identitycenter/awspermissionset.py +70 -0
cartography/models/aws/identitycenter/awssogroup.py +70 -0
cartography/models/aws/identitycenter/awsssouser.py +49 -9
cartography/models/aws/inspector/findings.py +37 -0
cartography/models/aws/inspector/packages.py +1 -31
cartography/models/aws/kms/__init__.py +0 -0
cartography/models/aws/kms/aliases.py +86 -0
cartography/models/aws/kms/grants.py +65 -0
cartography/models/aws/kms/keys.py +88 -0
cartography/models/aws/lambda_function/__init__.py +0 -0
cartography/models/aws/lambda_function/alias.py +74 -0
cartography/models/aws/lambda_function/event_source_mapping.py +88 -0
cartography/models/aws/lambda_function/lambda_function.py +91 -0
cartography/models/aws/lambda_function/layer.py +72 -0
cartography/models/aws/rds/__init__.py +0 -0
cartography/models/aws/rds/cluster.py +91 -0
cartography/models/aws/rds/event_subscription.py +146 -0
cartography/models/aws/rds/instance.py +156 -0
cartography/models/aws/rds/snapshot.py +108 -0
cartography/models/aws/rds/subnet_group.py +101 -0
cartography/models/aws/route53/__init__.py +0 -0
cartography/models/aws/route53/dnsrecord.py +235 -0
cartography/models/aws/route53/nameserver.py +63 -0
cartography/models/aws/route53/subzone.py +40 -0
cartography/models/aws/route53/zone.py +47 -0
cartography/models/aws/s3/notification.py +24 -0
cartography/models/aws/secretsmanager/secret.py +106 -0
cartography/models/aws/secretsmanager/secret_version.py +0 -2
cartography/models/aws/sns/topic_subscription.py +74 -0
cartography/models/aws/sqs/__init__.py +0 -0
cartography/models/aws/sqs/queue.py +89 -0
cartography/models/azure/__init__.py +0 -0
cartography/models/azure/aks_cluster.py +54 -0
cartography/models/azure/aks_nodepool.py +54 -0
cartography/models/azure/app_service.py +59 -0
cartography/models/azure/container_instance.py +57 -0
cartography/models/azure/cosmosdb/__init__.py +0 -0
cartography/models/azure/cosmosdb/account.py +77 -0
cartography/models/azure/cosmosdb/accountfailoverpolicy.py +77 -0
cartography/models/azure/cosmosdb/cassandrakeyspace.py +82 -0
cartography/models/azure/cosmosdb/cassandratable.py +81 -0
cartography/models/azure/cosmosdb/corspolicy.py +74 -0
cartography/models/azure/cosmosdb/dblocation.py +120 -0
cartography/models/azure/cosmosdb/mongodbcollection.py +82 -0
cartography/models/azure/cosmosdb/mongodbdatabase.py +78 -0
cartography/models/azure/cosmosdb/privateendpointconnection.py +81 -0
cartography/models/azure/cosmosdb/sqlcontainer.py +88 -0
cartography/models/azure/cosmosdb/sqldatabase.py +78 -0
cartography/models/azure/cosmosdb/tableresource.py +76 -0
cartography/models/azure/cosmosdb/virtualnetworkrule.py +78 -0
cartography/models/azure/data_factory/__init__.py +0 -0
cartography/models/azure/data_factory/data_factory.py +51 -0
cartography/models/azure/data_factory/data_factory_dataset.py +94 -0
cartography/models/azure/data_factory/data_factory_linked_service.py +78 -0
cartography/models/azure/data_factory/data_factory_pipeline.py +93 -0
cartography/models/azure/data_lake_filesystem.py +51 -0
cartography/models/azure/event_grid_topic.py +57 -0
cartography/models/azure/function_app.py +59 -0
cartography/models/azure/load_balancer/__init__.py +0 -0
cartography/models/azure/load_balancer/load_balancer.py +49 -0
cartography/models/azure/load_balancer/load_balancer_backend_pool.py +73 -0
cartography/models/azure/load_balancer/load_balancer_frontend_ip.py +75 -0
cartography/models/azure/load_balancer/load_balancer_inbound_nat_rule.py +78 -0
cartography/models/azure/load_balancer/load_balancer_rule.py +108 -0
cartography/models/azure/logic_apps.py +56 -0
cartography/models/azure/monitor.py +54 -0
cartography/models/azure/network_interface.py +112 -0
cartography/models/azure/network_security_group.py +50 -0
cartography/models/azure/permission_relationships.py +60 -0
cartography/models/azure/principal.py +41 -0
cartography/models/azure/public_ip_address.py +50 -0
cartography/models/azure/rbac.py +268 -0
cartography/models/azure/resource_groups.py +52 -0
cartography/models/azure/security_center.py +50 -0
cartography/models/azure/sql/__init__.py +0 -0
cartography/models/azure/sql/databasethreatdetectionpolicy.py +85 -0
cartography/models/azure/sql/elasticpool.py +77 -0
cartography/models/azure/sql/failovergroup.py +73 -0
cartography/models/azure/sql/recoverabledatabase.py +75 -0
cartography/models/azure/sql/replicationlink.py +81 -0
cartography/models/azure/sql/restorabledroppeddatabase.py +82 -0
cartography/models/azure/sql/restorepoint.py +74 -0
cartography/models/azure/sql/serveradadministrator.py +74 -0
cartography/models/azure/sql/serverdnsalias.py +71 -0
cartography/models/azure/sql/sqldatabase.py +85 -0
cartography/models/azure/sql/sqlserver.py +50 -0
cartography/models/azure/sql/transparentdataencryption.py +76 -0
cartography/models/azure/storage/__init__.py +0 -0
cartography/models/azure/storage/account.py +59 -0
cartography/models/azure/storage/blobcontainer.py +85 -0
cartography/models/azure/storage/blobservice.py +71 -0
cartography/models/azure/storage/fileservice.py +71 -0
cartography/models/azure/storage/fileshare.py +82 -0
cartography/models/azure/storage/queue.py +71 -0
cartography/models/azure/storage/queueservice.py +73 -0
cartography/models/azure/storage/table.py +72 -0
cartography/models/azure/storage/tableservice.py +73 -0
cartography/models/azure/subnet.py +101 -0
cartography/models/azure/subscription.py +47 -0
cartography/models/azure/tags/__init__.py +0 -0
cartography/models/azure/tags/storage_tag.py +40 -0
cartography/models/azure/tags/tag.py +37 -0
cartography/models/azure/tenant.py +17 -0
cartography/models/azure/virtual_network.py +49 -0
cartography/models/azure/vm/__init__.py +0 -0
cartography/models/azure/vm/datadisk.py +80 -0
cartography/models/azure/vm/disk.py +55 -0
cartography/models/azure/vm/snapshot.py +56 -0
cartography/models/azure/vm/virtualmachine.py +59 -0
cartography/models/bigfix/bigfix_computer.py +1 -1
cartography/models/cloudflare/member.py +4 -0
cartography/models/core/common.py +1 -0
cartography/models/core/nodes.py +15 -2
cartography/models/core/relationships.py +44 -0
cartography/models/crowdstrike/hosts.py +1 -1
cartography/models/digitalocean/droplet.py +2 -0
cartography/models/duo/endpoint.py +1 -1
cartography/models/duo/phone.py +2 -2
cartography/models/duo/user.py +4 -0
cartography/models/entra/app_role_assignment.py +115 -0
cartography/models/entra/application.py +49 -0
cartography/models/entra/entra_user_to_aws_sso.py +41 -0
cartography/models/entra/group.py +117 -0
cartography/models/entra/service_principal.py +104 -0
cartography/models/entra/user.py +42 -51
cartography/models/gcp/__init__.py +0 -0
cartography/models/gcp/bigtable/__init__.py +0 -0
cartography/models/gcp/bigtable/app_profile.py +94 -0
cartography/models/gcp/bigtable/backup.py +91 -0
cartography/models/gcp/bigtable/cluster.py +73 -0
cartography/models/gcp/bigtable/instance.py +52 -0
cartography/models/gcp/bigtable/table.py +69 -0
cartography/models/gcp/compute/__init__.py +0 -0
cartography/models/gcp/compute/subnet.py +74 -0
cartography/models/gcp/compute/vpc.py +50 -0
cartography/models/gcp/crm/__init__.py +0 -0
cartography/models/gcp/crm/folders.py +98 -0
cartography/models/gcp/crm/organizations.py +21 -0
cartography/models/gcp/crm/projects.py +100 -0
cartography/models/gcp/dns.py +109 -0
cartography/models/gcp/gke.py +69 -0
cartography/models/gcp/iam.py +3 -0
cartography/models/gcp/permission_relationships.py +61 -0
cartography/models/gcp/policy_bindings.py +93 -0
cartography/models/gcp/storage/__init__.py +0 -0
cartography/models/gcp/storage/bucket.py +119 -0
cartography/models/github/commits.py +63 -0
cartography/models/github/dependencies.py +73 -0
cartography/models/github/manifests.py +49 -0
cartography/models/github/users.py +10 -0
cartography/models/googleworkspace/__init__.py +0 -0
cartography/models/googleworkspace/device.py +132 -0
cartography/models/googleworkspace/group.py +382 -0
cartography/models/googleworkspace/oauth_app.py +124 -0
cartography/models/googleworkspace/tenant.py +30 -0
cartography/models/googleworkspace/user.py +113 -0
cartography/models/gsuite/__init__.py +0 -0
cartography/models/gsuite/group.py +218 -0
cartography/models/gsuite/tenant.py +29 -0
cartography/models/gsuite/user.py +107 -0
cartography/models/kandji/device.py +1 -2
cartography/models/keycloak/__init__.py +0 -0
cartography/models/keycloak/authenticationexecution.py +160 -0
cartography/models/keycloak/authenticationflow.py +54 -0
cartography/models/keycloak/client.py +179 -0
cartography/models/keycloak/group.py +101 -0
cartography/models/keycloak/identityprovider.py +89 -0
cartography/models/keycloak/organization.py +116 -0
cartography/models/keycloak/organizationdomain.py +73 -0
cartography/models/keycloak/realm.py +173 -0
cartography/models/keycloak/role.py +126 -0
cartography/models/keycloak/scope.py +73 -0
cartography/models/keycloak/user.py +55 -0
cartography/models/kubernetes/__init__.py +0 -0
cartography/models/kubernetes/clusterrolebindings.py +138 -0
cartography/models/kubernetes/clusterroles.py +52 -0
cartography/models/kubernetes/clusters.py +26 -0
cartography/models/kubernetes/containers.py +133 -0
cartography/models/kubernetes/groups.py +107 -0
cartography/models/kubernetes/namespaces.py +51 -0
cartography/models/kubernetes/oidc.py +51 -0
cartography/models/kubernetes/pods.py +80 -0
cartography/models/kubernetes/rolebindings.py +159 -0
cartography/models/kubernetes/roles.py +76 -0
cartography/models/kubernetes/secrets.py +79 -0
cartography/models/kubernetes/serviceaccounts.py +77 -0
cartography/models/kubernetes/services.py +108 -0
cartography/models/kubernetes/users.py +105 -0
cartography/models/lastpass/user.py +4 -0
cartography/models/ontology/__init__.py +0 -0
cartography/models/ontology/device.py +137 -0
cartography/models/ontology/mapping/__init__.py +76 -0
cartography/models/ontology/mapping/data/__init__.py +0 -0
cartography/models/ontology/mapping/data/apikeys.py +93 -0
cartography/models/ontology/mapping/data/computeinstance.py +95 -0
cartography/models/ontology/mapping/data/containers.py +88 -0
cartography/models/ontology/mapping/data/databases.py +182 -0
cartography/models/ontology/mapping/data/devices.py +194 -0
cartography/models/ontology/mapping/data/thirdpartyapps.py +140 -0
cartography/models/ontology/mapping/data/useraccounts.py +416 -0
cartography/models/ontology/mapping/data/users.py +63 -0
cartography/models/ontology/mapping/specs.py +85 -0
cartography/models/ontology/user.py +51 -0
cartography/models/openai/adminapikey.py +4 -0
cartography/models/openai/apikey.py +4 -0
cartography/models/openai/user.py +4 -0
cartography/models/scaleway/__init__.py +0 -0
cartography/models/scaleway/iam/__init__.py +0 -0
cartography/models/scaleway/iam/apikey.py +100 -0
cartography/models/scaleway/iam/application.py +52 -0
cartography/models/scaleway/iam/group.py +95 -0
cartography/models/scaleway/iam/user.py +64 -0
cartography/models/scaleway/instance/__init__.py +0 -0
cartography/models/scaleway/instance/flexibleip.py +52 -0
cartography/models/scaleway/instance/instance.py +120 -0
cartography/models/scaleway/organization.py +19 -0
cartography/models/scaleway/project.py +48 -0
cartography/models/scaleway/storage/__init__.py +0 -0
cartography/models/scaleway/storage/snapshot.py +78 -0
cartography/models/scaleway/storage/volume.py +51 -0
cartography/models/sentinelone/__init__.py +1 -0
cartography/models/sentinelone/account.py +40 -0
cartography/models/sentinelone/agent.py +50 -0
cartography/models/sentinelone/application.py +44 -0
cartography/models/sentinelone/application_version.py +96 -0
cartography/models/sentinelone/cve.py +73 -0
cartography/models/slack/__init__.py +0 -0
cartography/models/slack/channels.py +92 -0
cartography/models/slack/group.py +129 -0
cartography/models/slack/team.py +22 -0
cartography/models/slack/user.py +62 -0
cartography/models/snipeit/asset.py +2 -0
cartography/models/snipeit/user.py +4 -0
cartography/models/spacelift/__init__.py +0 -0
cartography/models/spacelift/cloudtrailevent.py +120 -0
cartography/models/spacelift/run.py +162 -0
cartography/models/spacelift/space.py +131 -0
cartography/models/spacelift/spaceliftaccount.py +31 -0
cartography/models/spacelift/spaceliftgitcommit.py +157 -0
cartography/models/spacelift/stack.py +96 -0
cartography/models/spacelift/user.py +63 -0
cartography/models/spacelift/worker.py +97 -0
cartography/models/spacelift/workerpool.py +90 -0
cartography/models/tailscale/device.py +2 -1
cartography/models/tailscale/user.py +6 -1
cartography/models/trivy/__init__.py +0 -0
cartography/models/trivy/findings.py +66 -0
cartography/models/trivy/fix.py +66 -0
cartography/models/trivy/package.py +71 -0
cartography/rules/README.md +1 -0
cartography/rules/__init__.py +0 -0
cartography/rules/cli.py +261 -0
cartography/rules/data/__init__.py +0 -0
cartography/rules/data/rules/__init__.py +46 -0
cartography/rules/data/rules/cloud_security_product_deactivated.py +49 -0
cartography/rules/data/rules/compute_instance_exposed.py +51 -0
cartography/rules/data/rules/database_instance_exposed.py +53 -0
cartography/rules/data/rules/delegation_boundary_modifiable.py +90 -0
cartography/rules/data/rules/identity_administration_privileges.py +100 -0
cartography/rules/data/rules/inactive_user_active_accounts.py +48 -0
cartography/rules/data/rules/malicious_npm_dependencies_shai_hulud.py +2222 -0
cartography/rules/data/rules/mfa_missing.py +46 -0
cartography/rules/data/rules/object_storage_public.py +100 -0
cartography/rules/data/rules/policy_administration_privileges.py +104 -0
cartography/rules/data/rules/unmanaged_accounts.py +43 -0
cartography/rules/data/rules/workload_identity_admin_capabilities.py +193 -0
cartography/rules/formatters.py +108 -0
cartography/rules/runners.py +216 -0
cartography/rules/spec/__init__.py +0 -0
cartography/rules/spec/model.py +267 -0
cartography/rules/spec/result.py +38 -0
cartography/sync.py +25 -5
cartography/util.py +101 -31
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/METADATA +61 -22
cartography-0.123.0.dist-info/RECORD +856 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/entry_points.txt +1 -0
cartography/data/jobs/cleanup/aws_dns_cleanup.json +0 -65
cartography/data/jobs/cleanup/aws_import_account_access_key_cleanup.json +0 -17
cartography/data/jobs/cleanup/aws_import_ec2_security_groupinfo_cleanup.json +0 -24
cartography/data/jobs/cleanup/aws_import_groups_cleanup.json +0 -13
cartography/data/jobs/cleanup/aws_import_identity_center_cleanup.json +0 -16
cartography/data/jobs/cleanup/aws_import_lambda_cleanup.json +0 -50
cartography/data/jobs/cleanup/aws_import_principals_cleanup.json +0 -30
cartography/data/jobs/cleanup/aws_import_rds_clusters_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_rds_instances_cleanup.json +0 -47
cartography/data/jobs/cleanup/aws_import_rds_snapshots_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_roles_cleanup.json +0 -13
cartography/data/jobs/cleanup/aws_import_secrets_cleanup.json +0 -8
cartography/data/jobs/cleanup/aws_import_snapshots_cleanup.json +0 -30
cartography/data/jobs/cleanup/aws_import_users_cleanup.json +0 -8
cartography/data/jobs/cleanup/aws_import_vpc_cleanup.json +0 -23
cartography/data/jobs/cleanup/aws_import_vpc_peering_cleanup.json +0 -45
cartography/data/jobs/cleanup/aws_kms_details.json +0 -10
cartography/data/jobs/cleanup/azure_cosmosdb_cassandra_keyspace_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_cors_details.json +0 -15
cartography/data/jobs/cleanup/azure_cosmosdb_mongodb_database_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_sql_database_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_cosmosdb_table_resources_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_database_account_cleanup.json +0 -85
cartography/data/jobs/cleanup/azure_import_disks_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_import_snapshots_cleanup.json +0 -15
cartography/data/jobs/cleanup/azure_import_virtual_machines_cleanup.json +0 -25
cartography/data/jobs/cleanup/azure_sql_server_cleanup.json +0 -125
cartography/data/jobs/cleanup/azure_storage_account_cleanup.json +0 -95
cartography/data/jobs/cleanup/azure_subscriptions_cleanup.json +0 -14
cartography/data/jobs/cleanup/azure_tenant_cleanup.json +0 -9
cartography/data/jobs/cleanup/gcp_compute_vpc_subnet_cleanup.json +0 -35
cartography/data/jobs/cleanup/gcp_crm_folder_cleanup.json +0 -23
cartography/data/jobs/cleanup/gcp_crm_organization_cleanup.json +0 -17
cartography/data/jobs/cleanup/gcp_crm_project_cleanup.json +0 -23
cartography/data/jobs/cleanup/gcp_dns_cleanup.json +0 -29
cartography/data/jobs/cleanup/gcp_gke_cluster_cleanup.json +0 -17
cartography/data/jobs/cleanup/gcp_storage_bucket_cleanup.json +0 -29
cartography/data/jobs/cleanup/gsuite_ingest_groups_cleanup.json +0 -23
cartography/data/jobs/cleanup/gsuite_ingest_users_cleanup.json +0 -11
cartography/data/jobs/cleanup/kubernetes_import_cleanup.json +0 -70
cartography/intel/gcp/crm.py +0 -355
cartography/intel/gsuite/api.py +0 -342
cartography-0.104.0rc2.dist-info/RECORD +0 -455
/cartography/data/jobs/{analysis → scoped_analysis}/aws_s3acl_analysis.json +0 -0
/cartography/models/aws/{apigateway.py → apigateway/apigateway.py} +0 -0
/cartography/models/aws/{apigatewaycertificate.py → apigateway/apigatewaycertificate.py} +0 -0
/cartography/models/aws/{apigatewayresource.py → apigateway/apigatewayresource.py} +0 -0
/cartography/models/aws/{apigatewaystage.py → apigateway/apigatewaystage.py} +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/WHEEL +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/licenses/LICENSE +0 -0
{cartography-0.104.0rc2.dist-info → cartography-0.123.0.dist-info}/top_level.txt +0 -0

cartography/intel/aws/cloudtrail_management_events.py ADDED Viewed

@@ -0,0 +1,962 @@
+import json
+import logging
+from datetime import datetime
+from datetime import timedelta
+from typing import Any
+from typing import Dict
+from typing import List
+import boto3
+import neo4j
+from cartography.client.core.tx import load_matchlinks
+from cartography.graph.job import GraphJob
+from cartography.intel.aws.ec2.util import get_botocore_config
+from cartography.models.aws.cloudtrail.management_events import AssumedRoleMatchLink
+from cartography.models.aws.cloudtrail.management_events import (
+    AssumedRoleWithSAMLMatchLink,
+)
+from cartography.models.aws.cloudtrail.management_events import (
+    GitHubRepoAssumeRoleWithWebIdentityMatchLink,
+)
+from cartography.util import aws_handle_regions
+from cartography.util import timeit
+logger = logging.getLogger(__name__)
+@timeit
+@aws_handle_regions
+def get_assume_role_events(
+    boto3_session: boto3.Session, region: str, lookback_hours: int
+) -> List[Dict[str, Any]]:
+    """
+    Fetch CloudTrail AssumeRole events from the specified time period.
+    Focuses specifically on standard AssumeRole events, excluding SAML and WebIdentity variants.
+    :type boto3_session: boto3.Session
+    :param boto3_session: The boto3 session to use for API calls
+    :type region: str
+    :param region: The AWS region to fetch events from
+    :type lookback_hours: int
+    :param lookback_hours: Number of hours back to retrieve events from
+    :rtype: List[Dict[str, Any]]
+    :return: List of CloudTrail AssumeRole events
+    """
+    client = boto3_session.client(
+        "cloudtrail", region_name=region, config=get_botocore_config()
+    )
+    # Calculate time range
+    end_time = datetime.utcnow()
+    start_time = end_time - timedelta(hours=lookback_hours)
+    logger.info(
+        f"Fetching CloudTrail AssumeRole events for region '{region}' "
+        f"from {start_time} to {end_time} ({lookback_hours} hours)"
+    )
+    paginator = client.get_paginator("lookup_events")
+    page_iterator = paginator.paginate(
+        LookupAttributes=[
+            {"AttributeKey": "EventName", "AttributeValue": "AssumeRole"}
+        ],
+        StartTime=start_time,
+        EndTime=end_time,
+        PaginationConfig={
+            "MaxItems": 10000,  # Reasonable limit to prevent excessive API calls
+            "PageSize": 50,  # CloudTrail API limit per page
+        },
+    )
+    all_events = []
+    for page in page_iterator:
+        all_events.extend(page.get("Events", []))
+    logger.info(f"Retrieved {len(all_events)} AssumeRole events from region '{region}'")
+    return all_events
+@timeit
+@aws_handle_regions
+def get_saml_role_events(
+    boto3_session: boto3.Session, region: str, lookback_hours: int
+) -> List[Dict[str, Any]]:
+    """
+    Fetch CloudTrail AssumeRoleWithSAML events from the specified time period.
+    Focuses specifically on SAML-based role assumption events.
+    :type boto3_session: boto3.Session
+    :param boto3_session: The boto3 session to use for API calls
+    :type region: str
+    :param region: The AWS region to fetch events from
+    :type lookback_hours: int
+    :param lookback_hours: Number of hours back to retrieve events from
+    :rtype: List[Dict[str, Any]]
+    :return: List of CloudTrail AssumeRoleWithSAML events
+    """
+    client = boto3_session.client(
+        "cloudtrail", region_name=region, config=get_botocore_config()
+    )
+    # Calculate time range
+    end_time = datetime.utcnow()
+    start_time = end_time - timedelta(hours=lookback_hours)
+    logger.info(
+        f"Fetching CloudTrail AssumeRoleWithSAML events for region '{region}' "
+        f"from {start_time} to {end_time} ({lookback_hours} hours)"
+    )
+    paginator = client.get_paginator("lookup_events")
+    page_iterator = paginator.paginate(
+        LookupAttributes=[
+            {"AttributeKey": "EventName", "AttributeValue": "AssumeRoleWithSAML"}
+        ],
+        StartTime=start_time,
+        EndTime=end_time,
+        PaginationConfig={
+            "MaxItems": 10000,  # Reasonable limit to prevent excessive API calls
+            "PageSize": 50,  # CloudTrail API limit per page
+        },
+    )
+    all_events = []
+    for page in page_iterator:
+        all_events.extend(page.get("Events", []))
+    logger.info(
+        f"Retrieved {len(all_events)} AssumeRoleWithSAML events from region '{region}'"
+    )
+    return all_events
+@timeit
+@aws_handle_regions
+def get_web_identity_role_events(
+    boto3_session: boto3.Session, region: str, lookback_hours: int
+) -> List[Dict[str, Any]]:
+    """
+    Fetch CloudTrail AssumeRoleWithWebIdentity events from the specified time period.
+    Focuses specifically on WebIdentity-based role assumption events.
+    :type boto3_session: boto3.Session
+    :param boto3_session: The boto3 session to use for API calls
+    :type region: str
+    :param region: The AWS region to fetch events from
+    :type lookback_hours: int
+    :param lookback_hours: Number of hours back to retrieve events from
+    :rtype: List[Dict[str, Any]]
+    :return: List of CloudTrail AssumeRoleWithWebIdentity events
+    """
+    client = boto3_session.client(
+        "cloudtrail", region_name=region, config=get_botocore_config()
+    )
+    # Calculate time range
+    end_time = datetime.utcnow()
+    start_time = end_time - timedelta(hours=lookback_hours)
+    logger.info(
+        f"Fetching CloudTrail AssumeRoleWithWebIdentity events for region '{region}' "
+        f"from {start_time} to {end_time} ({lookback_hours} hours)"
+    )
+    paginator = client.get_paginator("lookup_events")
+    page_iterator = paginator.paginate(
+        LookupAttributes=[
+            {"AttributeKey": "EventName", "AttributeValue": "AssumeRoleWithWebIdentity"}
+        ],
+        StartTime=start_time,
+        EndTime=end_time,
+        PaginationConfig={
+            "MaxItems": 10000,  # Reasonable limit to prevent excessive API calls
+            "PageSize": 50,  # CloudTrail API limit per page
+        },
+    )
+    all_events = []
+    for page in page_iterator:
+        all_events.extend(page.get("Events", []))
+    logger.info(
+        f"Retrieved {len(all_events)} AssumeRoleWithWebIdentity events from region '{region}'"
+    )
+    return all_events
+@timeit
+def transform_assume_role_events_to_role_assumptions(
+    events: List[Dict[str, Any]],
+) -> List[Dict[str, Any]]:
+    """
+    Transform raw CloudTrail AssumeRole events into aggregated role assumption relationships.
+    Focuses specifically on standard AssumeRole events, providing optimized processing
+    for the most common role assumption scenario.
+    This function performs the complete transformation pipeline:
+    1. Extract role assumption events from CloudTrail AssumeRole data
+    2. Aggregate events by (source_principal, destination_principal) pairs
+    3. Return aggregated relationships ready for loading
+    :type events: List[Dict[str, Any]]
+    :param events: List of raw CloudTrail AssumeRole events from lookup_events API
+    :rtype: List[Dict[str, Any]]
+    :return: List of aggregated role assumption relationships ready for loading
+    """
+    aggregated: Dict[tuple, Dict[str, Any]] = {}
+    logger.info(
+        f"Transforming {len(events)} CloudTrail AssumeRole events to role assumptions"
+    )
+    for event in events:
+        cloudtrail_event = json.loads(event["CloudTrailEvent"])
+        # Skip events with null requestParameters since we can't extract roleArn
+        if not cloudtrail_event.get("requestParameters"):
+            logger.debug(
+                f"Skipping CloudTrail AssumeRole event due to missing requestParameters. Event: {event.get('EventId', 'unknown')}"
+            )
+            continue
+        if cloudtrail_event.get("userIdentity", {}).get("arn"):
+            source_principal = cloudtrail_event["userIdentity"]["arn"]
+            destination_principal = cloudtrail_event["requestParameters"]["roleArn"]
+        else:
+            logger.debug(
+                f"Skipping CloudTrail AssumeRole event due to missing UserIdentity.arn. Event: {event.get('EventId', 'unknown')}"
+            )
+            continue
+        destination_principal = cloudtrail_event["requestParameters"]["roleArn"]
+        normalized_source_principal = _convert_assumed_role_arn_to_role_arn(
+            source_principal
+        )
+        normalized_destination_principal = _convert_assumed_role_arn_to_role_arn(
+            destination_principal
+        )
+        event_time = event.get("EventTime")
+        key = (normalized_source_principal, normalized_destination_principal)
+        if key in aggregated:
+            aggregated[key]["times_used"] += 1
+            # Handle None values safely for time comparisons
+            if event_time:
+                existing_first = aggregated[key]["first_seen_in_time_window"]
+                existing_last = aggregated[key]["last_used"]
+                if existing_first is None or event_time < existing_first:
+                    aggregated[key]["first_seen_in_time_window"] = event_time
+                if existing_last is None or event_time > existing_last:
+                    aggregated[key]["last_used"] = event_time
+        else:
+            aggregated[key] = {
+                "source_principal_arn": normalized_source_principal,
+                "destination_principal_arn": normalized_destination_principal,
+                "times_used": 1,
+                "first_seen_in_time_window": event_time,
+                "last_used": event_time,
+            }
+    return list(aggregated.values())
+@timeit
+def transform_saml_role_events_to_role_assumptions(
+    events: List[Dict[str, Any]],
+) -> List[Dict[str, Any]]:
+    """
+    Transform raw CloudTrail AssumeRoleWithSAML events into aggregated role assumption relationships.
+    Focuses specifically on SAML-based role assumption events, providing optimized processing
+    for federated identity scenarios.
+    This function performs the complete transformation pipeline:
+    1. Extract role assumption events from CloudTrail AssumeRoleWithSAML data
+    2. Aggregate events by (source_principal, destination_principal) pairs
+    3. Return aggregated relationships ready for loading
+    :type events: List[Dict[str, Any]]
+    :param events: List of raw CloudTrail AssumeRoleWithSAML events from lookup_events API
+    :rtype: List[Dict[str, Any]]
+    :return: List of aggregated SAML role assumption relationships ready for loading.
+             Each dict contains keys: source_principal_arn, destination_principal_arn,
+             times_used, first_seen_in_time_window, last_used
+    """
+    aggregated: Dict[tuple, Dict[str, Any]] = {}
+    logger.info(
+        f"Transforming {len(events)} CloudTrail AssumeRoleWithSAML events to role assumptions"
+    )
+    for event in events:
+        cloudtrail_event = json.loads(event["CloudTrailEvent"])
+        # Skip events with null requestParameters since we can't extract roleArn
+        if not cloudtrail_event.get("requestParameters"):
+            logger.debug(
+                f"Skipping CloudTrail AssumeRoleWithSAML event due to missing requestParameters. Event: {event.get('EventId', 'unknown')}"
+            )
+            continue
+        response_elements = cloudtrail_event.get("responseElements", {})
+        assumed_role_user = response_elements.get("assumedRoleUser", {})
+        if assumed_role_user.get("arn"):
+            assumed_role_arn = assumed_role_user["arn"]
+            # Extract username from assumed role ARN: arn:aws:sts::account:assumed-role/RoleName/username
+            source_principal = assumed_role_arn.split("/")[-1]
+            destination_principal = cloudtrail_event["requestParameters"]["roleArn"]
+        else:
+            logger.debug(
+                f"Skipping CloudTrail AssumeRoleWithSAML event due to missing assumedRoleUser.arn. Event: {event.get('EventId', 'unknown')}"
+            )
+            continue
+        event_time = event.get("EventTime")
+        key = (source_principal, destination_principal)
+        if key in aggregated:
+            aggregated[key]["times_used"] += 1
+            # Handle None values safely for time comparisons
+            if event_time:
+                existing_first = aggregated[key]["first_seen_in_time_window"]
+                existing_last = aggregated[key]["last_used"]
+                if existing_first is None or event_time < existing_first:
+                    aggregated[key]["first_seen_in_time_window"] = event_time
+                if existing_last is None or event_time > existing_last:
+                    aggregated[key]["last_used"] = event_time
+        else:
+            aggregated[key] = {
+                "source_principal_arn": source_principal,
+                "destination_principal_arn": destination_principal,
+                "times_used": 1,
+                "first_seen_in_time_window": event_time,
+                "last_used": event_time,
+            }
+    return list(aggregated.values())
+@timeit
+def transform_web_identity_role_events_to_role_assumptions(
+    events: List[Dict[str, Any]],
+) -> List[Dict[str, Any]]:
+    """
+    Transform raw CloudTrail AssumeRoleWithWebIdentity events into aggregated role assumption relationships.
+    Focuses specifically on WebIdentity-based role assumption events, providing optimized processing
+    for federated web identity scenarios.
+    This function performs the complete transformation pipeline:
+    1. Extract role assumption events from CloudTrail AssumeRoleWithWebIdentity data
+    2. Aggregate events by (source_principal, destination_principal) pairs
+    3. Return aggregated relationships ready for loading
+    :type events: List[Dict[str, Any]]
+    :param events: List of raw CloudTrail AssumeRoleWithWebIdentity events from lookup_events API
+    :rtype: List[Dict[str, Any]]
+    :return: List of aggregated WebIdentity role assumption relationships ready for loading.
+             Each dict contains keys: source_repo_fullname, destination_principal_arn,
+             times_used, first_seen_in_time_window, last_used
+    """
+    github_aggregated: Dict[tuple, Dict[str, Any]] = {}
+    logger.info(
+        f"Transforming {len(events)} CloudTrail AssumeRoleWithWebIdentity events to role assumptions"
+    )
+    for event in events:
+        cloudtrail_event = json.loads(event["CloudTrailEvent"])
+        # Skip events with null requestParameters since we can't extract roleArn
+        if not cloudtrail_event.get("requestParameters"):
+            logger.debug(
+                f"Skipping CloudTrail AssumeRoleWithWebIdentity event due to missing requestParameters. Event: {event.get('EventId', 'unknown')}"
+            )
+            continue
+        user_identity = cloudtrail_event.get("userIdentity", {})
+        if user_identity.get("type") == "WebIdentityUser" and user_identity.get(
+            "userName"
+        ):
+            identity_provider = user_identity.get("identityProvider", "unknown")
+            destination_principal = cloudtrail_event["requestParameters"]["roleArn"]
+            event_time = event.get("EventTime")
+            # Only process GitHub Actions events
+            if "token.actions.githubusercontent.com" in identity_provider:
+                # Extract GitHub repo fullname from userName format: "repo:{organization}/{repository}:{context}"
+                user_name = user_identity.get("userName", "")
+                if not user_name:
+                    logger.debug(
+                        f"Missing userName in GitHub WebIdentity event: {event.get('EventId', 'unknown')}"
+                    )
+                    continue
+                github_repo = _extract_github_repo_from_username(user_name)
+                key = (github_repo, destination_principal)
+                if key in github_aggregated:
+                    github_aggregated[key]["times_used"] += 1
+                    # Handle None values safely for time comparisons
+                    if event_time:
+                        existing_first = github_aggregated[key][
+                            "first_seen_in_time_window"
+                        ]
+                        existing_last = github_aggregated[key]["last_used"]
+                        if existing_first is None or event_time < existing_first:
+                            github_aggregated[key][
+                                "first_seen_in_time_window"
+                            ] = event_time
+                        if existing_last is None or event_time > existing_last:
+                            github_aggregated[key]["last_used"] = event_time
+                else:
+                    github_aggregated[key] = {
+                        "source_repo_fullname": github_repo,
+                        "destination_principal_arn": destination_principal,
+                        "times_used": 1,
+                        "first_seen_in_time_window": event_time,
+                        "last_used": event_time,
+                    }
+            else:
+                # Skip non-GitHub events for now
+                continue
+        else:
+            continue
+    # Return aggregated relationships directly
+    return list(github_aggregated.values())
+@timeit
+def load_role_assumptions(
+    neo4j_session: neo4j.Session,
+    aggregated_role_assumptions: List[Dict[str, Any]],
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load aggregated role assumption relationships into Neo4j using MatchLink pattern.
+    Creates direct ASSUMED_ROLE relationships with aggregated properties:
+    (AWSUser|AWSRole|AWSPrincipal)-[:ASSUMED_ROLE {lastupdated, times_used, first_seen_in_time_window, last_used}]->(AWSRole)
+    Assumes that both source principals and destination roles already exist in the graph.
+    :type neo4j_session: neo4j.Session
+    :param neo4j_session: The Neo4j session to use for database operations
+    :type aggregated_role_assumptions: List[Dict[str, Any]]
+    :param aggregated_role_assumptions: List of aggregated role assumption relationships from transform function
+    :type current_aws_account_id: str
+    :param current_aws_account_id: The AWS account ID being synced
+    :type aws_update_tag: int
+    :param aws_update_tag: Timestamp tag for tracking data freshness
+    :rtype: None
+    """
+    # Use MatchLink to create relationships between existing nodes
+    matchlink_schema = AssumedRoleMatchLink()
+    load_matchlinks(
+        neo4j_session,
+        matchlink_schema,
+        aggregated_role_assumptions,
+        lastupdated=aws_update_tag,
+        _sub_resource_label="AWSAccount",
+        _sub_resource_id=current_aws_account_id,
+    )
+    logger.info(
+        f"Successfully loaded {len(aggregated_role_assumptions)} role assumption relationships"
+    )
+@timeit
+def load_saml_role_assumptions(
+    neo4j_session: neo4j.Session,
+    aggregated_role_assumptions: List[Dict[str, Any]],
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load aggregated SAML role assumption relationships into Neo4j using MatchLink pattern.
+    Creates direct ASSUMED_ROLE_WITH_SAML relationships with aggregated properties:
+    (AWSRole)-[:ASSUMED_ROLE_WITH_SAML {lastupdated, times_used, first_seen_in_time_window, last_used}]->(AWSRole)
+    Assumes that both source principals and destination roles already exist in the graph.
+    :type neo4j_session: neo4j.Session
+    :param neo4j_session: The Neo4j session to use for database operations
+    :type aggregated_role_assumptions: List[Dict[str, Any]]
+    :param aggregated_role_assumptions: List of aggregated SAML role assumption relationships from transform function
+    :type current_aws_account_id: str
+    :param current_aws_account_id: The AWS account ID being synced
+    :type aws_update_tag: int
+    :param aws_update_tag: Timestamp tag for tracking data freshness
+    :rtype: None
+    """
+    # Use MatchLink to create relationships between existing nodes
+    matchlink_schema = AssumedRoleWithSAMLMatchLink()
+    load_matchlinks(
+        neo4j_session,
+        matchlink_schema,
+        aggregated_role_assumptions,
+        lastupdated=aws_update_tag,
+        _sub_resource_label="AWSAccount",
+        _sub_resource_id=current_aws_account_id,
+    )
+    logger.info(
+        f"Successfully loaded {len(aggregated_role_assumptions)} SAML role assumption relationships"
+    )
+@timeit
+def load_web_identity_role_assumptions(
+    neo4j_session: neo4j.Session,
+    aggregated_role_assumptions: List[Dict[str, Any]],
+    current_aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load aggregated WebIdentity role assumption relationships into Neo4j using MatchLink pattern.
+    Creates direct ASSUMED_ROLE_WITH_WEB_IDENTITY relationships with aggregated properties:
+    (GitHubRepository)-[:ASSUMED_ROLE_WITH_WEB_IDENTITY {lastupdated, times_used, first_seen_in_time_window, last_used}]->(AWSRole)
+    Assumes that both source principals and destination roles already exist in the graph.
+    :type neo4j_session: neo4j.Session
+    :param neo4j_session: The Neo4j session to use for database operations
+    :type aggregated_role_assumptions: List[Dict[str, Any]]
+    :param aggregated_role_assumptions: List of aggregated WebIdentity role assumption relationships from transform function
+    :type current_aws_account_id: str
+    :param current_aws_account_id: The AWS account ID being synced
+    :type aws_update_tag: int
+    :param aws_update_tag: Timestamp tag for tracking data freshness
+    :rtype: None
+    """
+    # Use MatchLink to create relationships between existing nodes
+    matchlink_schema = GitHubRepoAssumeRoleWithWebIdentityMatchLink()
+    load_matchlinks(
+        neo4j_session,
+        matchlink_schema,
+        aggregated_role_assumptions,
+        lastupdated=aws_update_tag,
+        _sub_resource_label="AWSAccount",
+        _sub_resource_id=current_aws_account_id,
+    )
+    logger.info(
+        f"Successfully loaded {len(aggregated_role_assumptions)} WebIdentity role assumption relationships"
+    )
+def _convert_assumed_role_arn_to_role_arn(assumed_role_arn: str) -> str:
+    """
+    Convert an assumed role ARN to the original role ARN.
+    Example:
+    Input:  "arn:aws:sts::123456789012:assumed-role/MyRole/session-name"
+    Output: "arn:aws:iam::123456789012:role/MyRole"
+    """
+    # Split the ARN into parts
+    arn_parts = assumed_role_arn.split(":")
+    if len(arn_parts) >= 6 and arn_parts[2] == "sts" and "assumed-role" in arn_parts[5]:
+        # Extract account ID and role name
+        account_id = arn_parts[4]
+        resource_part = arn_parts[5]  # "assumed-role/MyRole/session-name"
+        role_name = resource_part.split("/")[1]  # Extract "MyRole"
+        # Construct the IAM role ARN
+        return f"arn:aws:iam::{account_id}:role/{role_name}"
+    # Return original ARN if conversion fails
+    return assumed_role_arn
+def _extract_github_repo_from_username(user_name: str) -> str:
+    """
+    Extract GitHub repository fullname from CloudTrail userName field.
+    GitHub Actions CloudTrail events have userName in the format:
+    "repo:{organization}/{repository}:{context}"
+    """
+    if not user_name:
+        return ""
+    parts = user_name.split(":")
+    # Need at least 3 parts: ["repo", "{organization}/{repository}", "{context}"]
+    if len(parts) < 3 or parts[0] != "repo":
+        return ""
+    # Extract "{organization}/{repository}"
+    repo_fullname = parts[1]
+    # Validate it looks like "{organization}/{repository}" format
+    if repo_fullname.count("/") != 1:
+        return ""
+    # Ensure both organization and repo exist
+    owner, repo = repo_fullname.split("/")
+    if not owner or not repo:
+        return ""
+    return repo_fullname
+@timeit
+def cleanup(
+    neo4j_session: neo4j.Session, current_aws_account_id: str, update_tag: int
+) -> None:
+    """
+    Run CloudTrail management events cleanup job to remove stale ASSUMED_ROLE relationships.
+    :type neo4j_session: neo4j.Session
+    :param neo4j_session: The Neo4j session to use for database operations
+    :type current_aws_account_id: str
+    :param current_aws_account_id: The AWS account ID being synced
+    :type update_tag: int
+    :param update_tag: Timestamp tag for tracking data freshness
+    :rtype: None
+    """
+    logger.info("Running CloudTrail management events cleanup job.")
+    matchlink_schema = AssumedRoleMatchLink()
+    cleanup_job = GraphJob.from_matchlink(
+        matchlink_schema,
+        "AWSAccount",
+        current_aws_account_id,
+        update_tag,
+    )
+    cleanup_job.run(neo4j_session)
+@timeit
+def sync_assume_role_events(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    """
+    Sync CloudTrail management events to create ASSUMED_ROLE relationships.
+    This function orchestrates the complete process:
+    1. Fetch CloudTrail management events region by region
+    2. Transform events into role assumption records per region
+    3. Load role assumption relationships into Neo4j for each region
+    4. Run cleanup after processing all regions
+    The resulting graph contains direct relationships like:
+    (AWSUser|AWSRole|AWSPrincipal)-[:ASSUMED_ROLE {times_used, first_seen_in_time_window, last_used, lastupdated}]->(AWSRole)
+    :type neo4j_session: neo4j.Session
+    :param neo4j_session: The Neo4j session
+    :type boto3_session: boto3.Session
+    :param boto3_session: The boto3 session to use for API calls
+    :type regions: List[str]
+    :param regions: List of AWS regions to sync
+    :type current_aws_account_id: str
+    :param current_aws_account_id: The AWS account ID being synced
+    :type aws_update_tag: int
+    :param aws_update_tag: Timestamp tag for tracking data freshness
+    :rtype: None
+    """
+    # Extract lookback hours from common_job_parameters (set by CLI parameter)
+    lookback_hours = common_job_parameters.get(
+        "aws_cloudtrail_management_events_lookback_hours"
+    )
+    if not lookback_hours:
+        logger.info(
+            "CloudTrail management events sync skipped - no lookback period specified"
+        )
+        return
+    logger.info(
+        f"Syncing {len(regions)} regions with {lookback_hours} hour lookback period"
+    )
+    total_role_assumptions = 0
+    # Process events region by region
+    for region in regions:
+        logger.info(f"Processing CloudTrail events for region {region}")
+        # Process AssumeRole events specifically
+        logger.info(f"Fetching AssumeRole events specifically for region {region}")
+        assume_role_events = get_assume_role_events(
+            boto3_session=boto3_session,
+            region=region,
+            lookback_hours=lookback_hours,
+        )
+        # Transform AssumeRole events to role assumptions
+        assume_role_assumptions = transform_assume_role_events_to_role_assumptions(
+            events=assume_role_events,
+        )
+        # Load AssumeRole assumptions for this region
+        load_role_assumptions(
+            neo4j_session=neo4j_session,
+            aggregated_role_assumptions=assume_role_assumptions,
+            current_aws_account_id=current_aws_account_id,
+            aws_update_tag=update_tag,
+        )
+        total_role_assumptions += len(assume_role_assumptions)
+        logger.info(
+            f"Loaded {len(assume_role_assumptions)} AssumeRole assumptions for region {region}"
+        )
+    # Run cleanup for stale relationships after processing all regions
+    cleanup(neo4j_session, current_aws_account_id, update_tag)
+    logger.info(
+        f"CloudTrail management events sync completed successfully. "
+        f"Processed {total_role_assumptions} total role assumption events across {len(regions)} regions."
+    )
+@timeit
+def sync_saml_role_events(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    """
+    Sync CloudTrail SAML management events to create ASSUMED_ROLE_WITH_SAML relationships.
+    This function orchestrates the complete process:
+    1. Fetch CloudTrail SAML management events region by region
+    2. Transform events into role assumption records per region
+    3. Load role assumption relationships into Neo4j for each region
+    The resulting graph contains direct relationships like:
+    (AWSRole)-[:ASSUMED_ROLE_WITH_SAML {times_used, first_seen_in_time_window, last_used, lastupdated}]->(AWSRole)
+    :type neo4j_session: neo4j.Session
+    :param neo4j_session: The Neo4j session
+    :type boto3_session: boto3.Session
+    :param boto3_session: The boto3 session to use for API calls
+    :type regions: List[str]
+    :param regions: List of AWS regions to sync
+    :type current_aws_account_id: str
+    :param current_aws_account_id: The AWS account ID being synced
+    :type update_tag: int
+    :param update_tag: Timestamp tag for tracking data freshness
+    :rtype: None
+    """
+    # Extract lookback hours from common_job_parameters (set by CLI parameter)
+    lookback_hours = common_job_parameters.get(
+        "aws_cloudtrail_management_events_lookback_hours"
+    )
+    if not lookback_hours:
+        logger.info(
+            "CloudTrail SAML management events sync skipped - no lookback period specified"
+        )
+        return
+    logger.info(
+        f"Syncing SAML events for {len(regions)} regions with {lookback_hours} hour lookback period"
+    )
+    total_saml_role_assumptions = 0
+    # Process events region by region
+    for region in regions:
+        logger.info(f"Processing CloudTrail SAML events for region {region}")
+        # Process AssumeRoleWithSAML events specifically
+        logger.info(
+            f"Fetching AssumeRoleWithSAML events specifically for region {region}"
+        )
+        saml_role_events = get_saml_role_events(
+            boto3_session=boto3_session,
+            region=region,
+            lookback_hours=lookback_hours,
+        )
+        # Transform AssumeRoleWithSAML events to role assumptions
+        saml_role_assumptions = transform_saml_role_events_to_role_assumptions(
+            events=saml_role_events,
+        )
+        # Load SAML role assumptions for this region
+        load_saml_role_assumptions(
+            neo4j_session=neo4j_session,
+            aggregated_role_assumptions=saml_role_assumptions,
+            current_aws_account_id=current_aws_account_id,
+            aws_update_tag=update_tag,
+        )
+        total_saml_role_assumptions += len(saml_role_assumptions)
+        logger.info(
+            f"Loaded {len(saml_role_assumptions)} SAML role assumptions for region {region}"
+        )
+    logger.info(
+        f"CloudTrail SAML management events sync completed successfully. "
+        f"Processed {total_saml_role_assumptions} total SAML role assumption events across {len(regions)} regions."
+    )
+@timeit
+def sync_web_identity_role_events(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    """
+    Sync CloudTrail WebIdentity management events to create ASSUMED_ROLE_WITH_WEB_IDENTITY relationships.
+    This function orchestrates the complete process:
+    1. Fetch CloudTrail WebIdentity management events region by region
+    2. Transform events into role assumption records per region
+    3. Load role assumption relationships into Neo4j for each region
+    The resulting graph contains direct relationships like:
+    (GitHubRepository)-[:ASSUMED_ROLE_WITH_WEB_IDENTITY {times_used, first_seen_in_time_window, last_used, lastupdated}]->(AWSRole)
+    :type neo4j_session: neo4j.Session
+    :param neo4j_session: The Neo4j session
+    :type boto3_session: boto3.Session
+    :param boto3_session: The boto3 session to use for API calls
+    :type regions: List[str]
+    :param regions: List of AWS regions to sync
+    :type current_aws_account_id: str
+    :param current_aws_account_id: The AWS account ID being synced
+    :type update_tag: int
+    :param update_tag: Timestamp tag for tracking data freshness
+    :rtype: None
+    """
+    # Extract lookback hours from common_job_parameters (set by CLI parameter)
+    lookback_hours = common_job_parameters.get(
+        "aws_cloudtrail_management_events_lookback_hours"
+    )
+    if not lookback_hours:
+        logger.info(
+            "CloudTrail WebIdentity management events sync skipped - no lookback period specified"
+        )
+        return
+    logger.info(
+        f"Syncing WebIdentity events for {len(regions)} regions with {lookback_hours} hour lookback period"
+    )
+    total_web_identity_role_assumptions = 0
+    # Process events region by region
+    for region in regions:
+        logger.info(f"Processing CloudTrail WebIdentity events for region {region}")
+        # Process AssumeRoleWithWebIdentity events specifically
+        logger.info(
+            f"Fetching AssumeRoleWithWebIdentity events specifically for region {region}"
+        )
+        web_identity_role_events = get_web_identity_role_events(
+            boto3_session=boto3_session,
+            region=region,
+            lookback_hours=lookback_hours,
+        )
+        # Transform AssumeRoleWithWebIdentity events to role assumptions
+        web_identity_role_assumptions = (
+            transform_web_identity_role_events_to_role_assumptions(
+                events=web_identity_role_events,
+            )
+        )
+        # Load WebIdentity role assumptions for this region
+        load_web_identity_role_assumptions(
+            neo4j_session=neo4j_session,
+            aggregated_role_assumptions=web_identity_role_assumptions,
+            current_aws_account_id=current_aws_account_id,
+            aws_update_tag=update_tag,
+        )
+        total_web_identity_role_assumptions += len(web_identity_role_assumptions)
+        logger.info(
+            f"Loaded {len(web_identity_role_assumptions)} WebIdentity role assumptions for region {region}"
+        )
+    logger.info(
+        f"CloudTrail WebIdentity management events sync completed successfully. "
+        f"Processed {total_web_identity_role_assumptions} total WebIdentity role assumption events across {len(regions)} regions."
+    )
+# Main sync function for when we decide to add more event types
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.Session,
+    regions: List[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    """
+    Main sync function for CloudTrail management events.
+    Syncs AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity events to create separate
+    relationship types in the graph for security analysis.
+    """
+    # Sync regular AssumeRole events
+    sync_assume_role_events(
+        neo4j_session=neo4j_session,
+        boto3_session=boto3_session,
+        regions=regions,
+        current_aws_account_id=current_aws_account_id,
+        update_tag=update_tag,
+        common_job_parameters=common_job_parameters,
+    )
+    # Sync SAML AssumeRoleWithSAML events
+    sync_saml_role_events(
+        neo4j_session=neo4j_session,
+        boto3_session=boto3_session,
+        regions=regions,
+        current_aws_account_id=current_aws_account_id,
+        update_tag=update_tag,
+        common_job_parameters=common_job_parameters,
+    )
+    # Sync WebIdentity AssumeRoleWithWebIdentity events
+    sync_web_identity_role_events(
+        neo4j_session=neo4j_session,
+        boto3_session=boto3_session,
+        regions=regions,
+        current_aws_account_id=current_aws_account_id,
+        update_tag=update_tag,
+        common_job_parameters=common_job_parameters,
+    )

cartography 0.104.0rc2__py3-none-any.whl → 0.123.0__py3-none-any.whl

cartography 0.104.0rc2py3-none-any.whl → 0.123.0py3-none-any.whl