PyPI - cartography - Versions diffs - 0.111.0rc1__py3-none-any.whl → 0.113.0__py3-none-any.whl - Mend

cartography 0.111.0rc1py3-none-any.whl → 0.113.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of cartography might be problematic. Click here for more details.

Files changed (81) hide show

cartography/_version.py +2 -2
cartography/cli.py +57 -0
cartography/config.py +24 -0
cartography/data/indexes.cypher +0 -6
cartography/data/jobs/analysis/keycloak_inheritance.json +30 -0
cartography/intel/aws/apigateway.py +128 -17
cartography/intel/aws/apigatewayv2.py +116 -0
cartography/intel/aws/ec2/instances.py +3 -1
cartography/intel/aws/ec2/network_interfaces.py +1 -1
cartography/intel/aws/ec2/vpc_peerings.py +262 -125
cartography/intel/aws/resources.py +2 -0
cartography/intel/azure/__init__.py +35 -32
cartography/intel/azure/subscription.py +2 -2
cartography/intel/azure/tenant.py +39 -30
cartography/intel/azure/util/credentials.py +49 -174
cartography/intel/entra/__init__.py +47 -1
cartography/intel/entra/applications.py +220 -170
cartography/intel/entra/groups.py +41 -22
cartography/intel/entra/ou.py +28 -20
cartography/intel/entra/users.py +24 -18
cartography/intel/gcp/__init__.py +32 -11
cartography/intel/gcp/compute.py +47 -12
cartography/intel/gcp/dns.py +82 -169
cartography/intel/gcp/iam.py +66 -54
cartography/intel/gcp/storage.py +75 -159
cartography/intel/github/repos.py +19 -10
cartography/intel/github/util.py +12 -0
cartography/intel/keycloak/__init__.py +153 -0
cartography/intel/keycloak/authenticationexecutions.py +322 -0
cartography/intel/keycloak/authenticationflows.py +77 -0
cartography/intel/keycloak/clients.py +187 -0
cartography/intel/keycloak/groups.py +126 -0
cartography/intel/keycloak/identityproviders.py +94 -0
cartography/intel/keycloak/organizations.py +163 -0
cartography/intel/keycloak/realms.py +61 -0
cartography/intel/keycloak/roles.py +202 -0
cartography/intel/keycloak/scopes.py +73 -0
cartography/intel/keycloak/users.py +70 -0
cartography/intel/keycloak/util.py +47 -0
cartography/intel/kubernetes/__init__.py +26 -0
cartography/intel/kubernetes/eks.py +402 -0
cartography/intel/kubernetes/rbac.py +133 -0
cartography/models/aws/apigateway/apigatewayintegration.py +79 -0
cartography/models/aws/apigateway/apigatewaymethod.py +74 -0
cartography/models/aws/apigatewayv2/__init__.py +0 -0
cartography/models/aws/apigatewayv2/apigatewayv2.py +53 -0
cartography/models/aws/ec2/vpc_peering.py +157 -0
cartography/models/azure/principal.py +44 -0
cartography/models/azure/tenant.py +20 -0
cartography/models/gcp/dns.py +109 -0
cartography/models/gcp/iam.py +3 -0
cartography/models/gcp/storage/__init__.py +0 -0
cartography/models/gcp/storage/bucket.py +119 -0
cartography/models/keycloak/__init__.py +0 -0
cartography/models/keycloak/authenticationexecution.py +160 -0
cartography/models/keycloak/authenticationflow.py +54 -0
cartography/models/keycloak/client.py +177 -0
cartography/models/keycloak/group.py +101 -0
cartography/models/keycloak/identityprovider.py +89 -0
cartography/models/keycloak/organization.py +116 -0
cartography/models/keycloak/organizationdomain.py +73 -0
cartography/models/keycloak/realm.py +173 -0
cartography/models/keycloak/role.py +126 -0
cartography/models/keycloak/scope.py +73 -0
cartography/models/keycloak/user.py +51 -0
cartography/models/kubernetes/clusterrolebindings.py +40 -0
cartography/models/kubernetes/groups.py +107 -0
cartography/models/kubernetes/oidc.py +51 -0
cartography/models/kubernetes/rolebindings.py +40 -0
cartography/models/kubernetes/users.py +105 -0
cartography/sync.py +2 -0
cartography/util.py +10 -0
{cartography-0.111.0rc1.dist-info → cartography-0.113.0.dist-info}/METADATA +9 -5
{cartography-0.111.0rc1.dist-info → cartography-0.113.0.dist-info}/RECORD +78 -41
cartography/data/jobs/cleanup/aws_import_vpc_peering_cleanup.json +0 -45
cartography/data/jobs/cleanup/gcp_dns_cleanup.json +0 -29
cartography/data/jobs/cleanup/gcp_storage_bucket_cleanup.json +0 -29
{cartography-0.111.0rc1.dist-info → cartography-0.113.0.dist-info}/WHEEL +0 -0
{cartography-0.111.0rc1.dist-info → cartography-0.113.0.dist-info}/entry_points.txt +0 -0
{cartography-0.111.0rc1.dist-info → cartography-0.113.0.dist-info}/licenses/LICENSE +0 -0
{cartography-0.111.0rc1.dist-info → cartography-0.113.0.dist-info}/top_level.txt +0 -0

cartography/intel/gcp/dns.py CHANGED Viewed

@@ -7,28 +7,20 @@ import neo4j
 from googleapiclient.discovery import HttpError
 from googleapiclient.discovery import Resource
-from cartography.util import run_cleanup_job
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.gcp.dns import GCPDNSZoneSchema
+from cartography.models.gcp.dns import GCPRecordSetSchema
 from cartography.util import timeit
 logger = logging.getLogger(__name__)
 @timeit
-def get_dns_zones(dns: Resource, project_id: str) -> List[Resource]:
-    """
-    Returns a list of DNS zones within the given project.
-    :type dns: The GCP DNS resource object
-    :param dns: The DNS resource object created by googleapiclient.discovery.build()
-    :type project_id: str
-    :param project_id: Current Google Project Id
-    :rtype: list
-    :return: List of DNS zones
-    """
+def get_dns_zones(dns: Resource, project_id: str) -> List[Dict]:
+    """Returns a list of DNS zones within the given project."""
     try:
-        zones = []
+        zones: List[Dict] = []
         request = dns.managedZones().list(project=project_id)
         while request is not None:
             response = request.execute()
@@ -47,40 +39,22 @@ def get_dns_zones(dns: Resource, project_id: str) -> List[Resource]:
         ):
             logger.warning(
                 (
-                    "Could not retrieve DNS zones on project %s due to permissions issues. Code: %s, Message: %s"
+                    "Could not retrieve DNS zones on project %s due to permissions issues. "
+                    "Code: %s, Message: %s"
                 ),
                 project_id,
                 err["code"],
                 err["message"],
             )
             return []
-        else:
-            raise
+        raise
 @timeit
-def get_dns_rrs(
-    dns: Resource,
-    dns_zones: List[Dict],
-    project_id: str,
-) -> List[Resource]:
-    """
-    Returns a list of DNS Resource Record Sets within the given project.
-    :type dns: The GCP DNS resource object
-    :param dns: The DNS resource object created by googleapiclient.discovery.build()
-    :type dns_zones: list
-    :param dns_zones: List of DNS zones for the project
-    :type project_id: str
-    :param project_id: Current Google Project Id
-    :rtype: list
-    :return: List of Resource Record Sets
-    """
+def get_dns_rrs(dns: Resource, dns_zones: List[Dict], project_id: str) -> List[Dict]:
+    """Returns a list of DNS Resource Record Sets within the given project."""
     try:
-        rrs: List[Resource] = []
+        rrs: List[Dict] = []
         for zone in dns_zones:
             request = dns.resourceRecordSets().list(
                 project=project_id,
@@ -104,16 +78,53 @@ def get_dns_rrs(
         ):
             logger.warning(
                 (
-                    "Could not retrieve DNS RRS on project %s due to permissions issues. Code: %s, Message: %s"
+                    "Could not retrieve DNS RRS on project %s due to permissions issues. "
+                    "Code: %s, Message: %s"
                 ),
                 project_id,
                 err["code"],
                 err["message"],
             )
             return []
-        else:
-            raise
-        raise e
+        raise
+@timeit
+def transform_dns_zones(dns_zones: List[Dict]) -> List[Dict]:
+    """Transform raw DNS zone responses into Neo4j-ready dicts."""
+    zones: List[Dict] = []
+    for z in dns_zones:
+        zones.append(
+            {
+                "id": z["id"],
+                "name": z.get("name"),
+                "dns_name": z.get("dnsName"),
+                "description": z.get("description"),
+                "visibility": z.get("visibility"),
+                "kind": z.get("kind"),
+                "nameservers": z.get("nameServers"),
+                "created_at": z.get("creationTime"),
+            }
+        )
+    return zones
+@timeit
+def transform_dns_rrs(dns_rrs: List[Dict]) -> List[Dict]:
+    """Transform raw DNS record set responses into Neo4j-ready dicts."""
+    records: List[Dict] = []
+    for r in dns_rrs:
+        records.append(
+            {
+                "id": r["name"],
+                "name": r["name"],
+                "type": r.get("type"),
+                "ttl": r.get("ttl"),
+                "data": r.get("rrdatas"),
+                "zone_id": r.get("zone"),
+            }
+        )
+    return records
 @timeit
@@ -123,102 +134,30 @@ def load_dns_zones(
     project_id: str,
     gcp_update_tag: int,
 ) -> None:
-    """
-    Ingest GCP DNS Zones into Neo4j
-    :type neo4j_session: Neo4j session object
-    :param neo4j session: The Neo4j session object
-    :type dns_resp: Dict
-    :param dns_resp: A DNS response object from the GKE API
-    :type project_id: str
-    :param project_id: Current Google Project Id
-    :type gcp_update_tag: timestamp
-    :param gcp_update_tag: The timestamp value to set our new Neo4j nodes with
-    :rtype: NoneType
-    :return: Nothing
-    """
-    ingest_records = """
-    UNWIND $records as record
-    MERGE(zone:GCPDNSZone{id:record.id})
-    ON CREATE SET
-        zone.firstseen = timestamp(),
-        zone.created_at = record.creationTime
-    SET
-        zone.name = record.name,
-        zone.dns_name = record.dnsName,
-        zone.description = record.description,
-        zone.visibility = record.visibility,
-        zone.kind = record.kind,
-        zone.nameservers = record.nameServers,
-        zone.lastupdated = $gcp_update_tag
-    WITH zone
-    MATCH (owner:GCPProject{id:$ProjectId})
-    MERGE (owner)-[r:RESOURCE]->(zone)
-    ON CREATE SET
-        r.firstseen = timestamp(),
-        r.lastupdated = $gcp_update_tag
-    """
-    neo4j_session.run(
-        ingest_records,
-        records=dns_zones,
-        ProjectId=project_id,
-        gcp_update_tag=gcp_update_tag,
+    """Ingest GCP DNS Zones into Neo4j."""
+    load(
+        neo4j_session,
+        GCPDNSZoneSchema(),
+        dns_zones,
+        lastupdated=gcp_update_tag,
+        PROJECT_ID=project_id,
     )
 @timeit
 def load_rrs(
     neo4j_session: neo4j.Session,
-    dns_rrs: List[Resource],
+    dns_rrs: List[Dict],
     project_id: str,
     gcp_update_tag: int,
 ) -> None:
-    """
-    Ingest GCP RRS into Neo4j
-    :type neo4j_session: Neo4j session object
-    :param neo4j session: The Neo4j session object
-    :type dns_rrs: list
-    :param dns_rrs: A list of RRS
-    :type project_id: str
-    :param project_id: Current Google Project Id
-    :type gcp_update_tag: timestamp
-    :param gcp_update_tag: The timestamp value to set our new Neo4j nodes with
-    :rtype: NoneType
-    :return: Nothing
-    """
-    ingest_records = """
-    UNWIND $records as record
-    MERGE(rrs:GCPRecordSet{id:record.name})
-    ON CREATE SET
-        rrs.firstseen = timestamp()
-    SET
-        rrs.name = record.name,
-        rrs.type = record.type,
-        rrs.ttl = record.ttl,
-        rrs.data = record.rrdatas,
-        rrs.lastupdated = $gcp_update_tag
-    WITH rrs, record
-    MATCH (zone:GCPDNSZone{id:record.zone})
-    MERGE (zone)-[r:HAS_RECORD]->(rrs)
-    ON CREATE SET
-        r.firstseen = timestamp(),
-        r.lastupdated = $gcp_update_tag
-    """
-    neo4j_session.run(
-        ingest_records,
-        records=dns_rrs,
-        gcp_update_tag=gcp_update_tag,
+    """Ingest GCP DNS Resource Record Sets into Neo4j."""
+    load(
+        neo4j_session,
+        GCPRecordSetSchema(),
+        dns_rrs,
+        lastupdated=gcp_update_tag,
+        PROJECT_ID=project_id,
     )
@@ -227,19 +166,14 @@ def cleanup_dns_records(
     neo4j_session: neo4j.Session,
     common_job_parameters: Dict,
 ) -> None:
-    """
-    Delete out-of-date GCP DNS Zones and RRS nodes and relationships
-    :type neo4j_session: The Neo4j session object
-    :param neo4j_session: The Neo4j session
-    :type common_job_parameters: dict
-    :param common_job_parameters: Dictionary of other job parameters to pass to Neo4j
-    :rtype: NoneType
-    :return: Nothing
-    """
-    run_cleanup_job("gcp_dns_cleanup.json", neo4j_session, common_job_parameters)
+    """Delete out-of-date GCP DNS Zones and Record Sets nodes and relationships."""
+    # Record sets depend on zones, so clean them up first.
+    GraphJob.from_node_schema(GCPRecordSetSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
+    GraphJob.from_node_schema(GCPDNSZoneSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
 @timeit
@@ -250,33 +184,12 @@ def sync(
     gcp_update_tag: int,
     common_job_parameters: Dict,
 ) -> None:
-    """
-    Get GCP DNS Zones and Resource Record Sets using the DNS resource object, ingest to Neo4j, and clean up old data.
-    :type neo4j_session: The Neo4j session object
-    :param neo4j_session: The Neo4j session
-    :type dns: The DNS resource object created by googleapiclient.discovery.build()
-    :param dns: The GCP DNS resource object
-    :type project_id: str
-    :param project_id: The project ID of the corresponding project
-    :type gcp_update_tag: timestamp
-    :param gcp_update_tag: The timestamp value to set our new Neo4j nodes with
-    :type common_job_parameters: dict
-    :param common_job_parameters: Dictionary of other job parameters to pass to Neo4j
-    :rtype: NoneType
-    :return: Nothing
-    """
+    """Get GCP DNS Zones and Record Sets, load them into Neo4j, and clean up old data."""
     logger.info("Syncing DNS records for project %s.", project_id)
-    # DNS ZONES
-    dns_zones = get_dns_zones(dns, project_id)
+    dns_zones_resp = get_dns_zones(dns, project_id)
+    dns_zones = transform_dns_zones(dns_zones_resp)
     load_dns_zones(neo4j_session, dns_zones, project_id, gcp_update_tag)
-    # RECORD SETS
-    dns_rrs = get_dns_rrs(dns, dns_zones, project_id)
+    dns_rrs_resp = get_dns_rrs(dns, dns_zones_resp, project_id)
+    dns_rrs = transform_dns_rrs(dns_rrs_resp)
     load_rrs(neo4j_session, dns_rrs, project_id, gcp_update_tag)
-    # TODO scope the cleanup to the current project - https://github.com/cartography-cncf/cartography/issues/381
     cleanup_dns_records(neo4j_session, common_job_parameters)

cartography/intel/gcp/iam.py CHANGED Viewed

@@ -90,6 +90,29 @@ def get_gcp_roles(iam_client: Resource, project_id: str) -> List[Dict]:
         return []
+def transform_gcp_service_accounts(
+    raw_accounts: List[Dict[str, Any]],
+    project_id: str,
+) -> List[Dict[str, Any]]:
+    """
+    Transform raw GCP service accounts into loader-friendly dicts.
+    """
+    result: List[Dict[str, Any]] = []
+    for sa in raw_accounts:
+        result.append(
+            {
+                "id": sa["uniqueId"],
+                "email": sa.get("email"),
+                "displayName": sa.get("displayName"),
+                "oauth2ClientId": sa.get("oauth2ClientId"),
+                "uniqueId": sa.get("uniqueId"),
+                "disabled": sa.get("disabled", False),
+                "projectId": project_id,
+            },
+        )
+    return result
 @timeit
 def load_gcp_service_accounts(
     neo4j_session: neo4j.Session,
@@ -99,38 +122,55 @@ def load_gcp_service_accounts(
 ) -> None:
     """
     Load GCP service account data into Neo4j.
-    :param neo4j_session: The Neo4j session.
-    :param service_accounts: A list of service account data to load.
-    :param project_id: The GCP Project ID associated with the service accounts.
-    :param gcp_update_tag: The timestamp of the current sync run.
     """
     logger.debug(
         f"Loading {len(service_accounts)} service accounts for project {project_id}"
     )
-    transformed_service_accounts = []
-    for sa in service_accounts:
-        transformed_sa = {
-            "id": sa["uniqueId"],
-            "email": sa.get("email"),
-            "displayName": sa.get("displayName"),
-            "oauth2ClientId": sa.get("oauth2ClientId"),
-            "uniqueId": sa.get("uniqueId"),
-            "disabled": sa.get("disabled", False),
-            "projectId": project_id,
-        }
-        transformed_service_accounts.append(transformed_sa)
     load(
         neo4j_session,
         GCPServiceAccountSchema(),
-        transformed_service_accounts,
+        service_accounts,
         lastupdated=gcp_update_tag,
         projectId=project_id,
-        additional_labels=["GCPPrincipal"],
     )
+def transform_gcp_roles(
+    raw_roles: List[Dict[str, Any]],
+    project_id: str,
+) -> List[Dict[str, Any]]:
+    """
+    Transform raw GCP roles into loader-friendly dicts.
+    """
+    result: List[Dict[str, Any]] = []
+    for role in raw_roles:
+        role_name = role["name"]
+        if role_name.startswith("roles/"):
+            role_type = (
+                "BASIC"
+                if role_name in ["roles/owner", "roles/editor", "roles/viewer"]
+                else "PREDEFINED"
+            )
+        else:
+            role_type = "CUSTOM"
+        result.append(
+            {
+                "id": role_name,
+                "name": role_name,
+                "title": role.get("title"),
+                "description": role.get("description"),
+                "deleted": role.get("deleted", False),
+                "etag": role.get("etag"),
+                "includedPermissions": role.get("includedPermissions", []),
+                "roleType": role_type,
+                "projectId": project_id,
+            },
+        )
+    return result
 @timeit
 def load_gcp_roles(
     neo4j_session: neo4j.Session,
@@ -140,41 +180,13 @@ def load_gcp_roles(
 ) -> None:
     """
     Load GCP role data into Neo4j.
-    :param neo4j_session: The Neo4j session.
-    :param roles: A list of role data to load.
-    :param project_id: The GCP Project ID associated with the roles.
-    :param gcp_update_tag: The timestamp of the current sync run.
     """
     logger.debug(f"Loading {len(roles)} roles for project {project_id}")
-    transformed_roles = []
-    for role in roles:
-        role_name = role["name"]
-        if role_name.startswith("roles/"):
-            if role_name in ["roles/owner", "roles/editor", "roles/viewer"]:
-                role_type = "BASIC"
-            else:
-                role_type = "PREDEFINED"
-        else:
-            role_type = "CUSTOM"
-        transformed_role = {
-            "id": role_name,
-            "name": role_name,
-            "title": role.get("title"),
-            "description": role.get("description"),
-            "deleted": role.get("deleted", False),
-            "etag": role.get("etag"),
-            "includedPermissions": role.get("includedPermissions", []),
-            "roleType": role_type,
-            "projectId": project_id,
-        }
-        transformed_roles.append(transformed_role)
     load(
         neo4j_session,
         GCPRoleSchema(),
-        transformed_roles,
+        roles,
         lastupdated=gcp_update_tag,
         projectId=project_id,
     )
@@ -224,18 +236,18 @@ def sync(
     """
     logger.info(f"Syncing GCP IAM for project {project_id}")
-    # Get and load service accounts
-    service_accounts = get_gcp_service_accounts(iam_client, project_id)
+    service_accounts_raw = get_gcp_service_accounts(iam_client, project_id)
     logger.info(
-        f"Found {len(service_accounts)} service accounts in project {project_id}"
+        f"Found {len(service_accounts_raw)} service accounts in project {project_id}"
     )
+    service_accounts = transform_gcp_service_accounts(service_accounts_raw, project_id)
     load_gcp_service_accounts(
         neo4j_session, service_accounts, project_id, gcp_update_tag
     )
-    # Get and load roles
-    roles = get_gcp_roles(iam_client, project_id)
-    logger.info(f"Found {len(roles)} roles in project {project_id}")
+    roles_raw = get_gcp_roles(iam_client, project_id)
+    logger.info(f"Found {len(roles_raw)} roles in project {project_id}")
+    roles = transform_gcp_roles(roles_raw, project_id)
     load_gcp_roles(neo4j_session, roles, project_id, gcp_update_tag)
     # Run cleanup

cartography 0.111.0rc1__py3-none-any.whl → 0.113.0__py3-none-any.whl

Potentially problematic release.

cartography 0.111.0rc1py3-none-any.whl → 0.113.0py3-none-any.whl