cartography 0.112.0__py3-none-any.whl → 0.114.0__py3-none-any.whl

cartography/intel/gcp/iam.py

@@ -90,6 +90,29 @@ def get_gcp_roles(iam_client: Resource, project_id: str) -> List[Dict]:
         return []
 
 
+def transform_gcp_service_accounts(
+    raw_accounts: List[Dict[str, Any]],
+    project_id: str,
+) -> List[Dict[str, Any]]:
+    """
+    Transform raw GCP service accounts into loader-friendly dicts.
+    """
+    result: List[Dict[str, Any]] = []
+    for sa in raw_accounts:
+        result.append(
+            {
+                "id": sa["uniqueId"],
+                "email": sa.get("email"),
+                "displayName": sa.get("displayName"),
+                "oauth2ClientId": sa.get("oauth2ClientId"),
+                "uniqueId": sa.get("uniqueId"),
+                "disabled": sa.get("disabled", False),
+                "projectId": project_id,
+            },
+        )
+    return result
+
+
 @timeit
 def load_gcp_service_accounts(
     neo4j_session: neo4j.Session,
@@ -99,38 +122,55 @@ def load_gcp_service_accounts(
 ) -> None:
     """
     Load GCP service account data into Neo4j.
-
-    :param neo4j_session: The Neo4j session.
-    :param service_accounts: A list of service account data to load.
-    :param project_id: The GCP Project ID associated with the service accounts.
-    :param gcp_update_tag: The timestamp of the current sync run.
     """
     logger.debug(
         f"Loading {len(service_accounts)} service accounts for project {project_id}"
     )
-    transformed_service_accounts = []
-    for sa in service_accounts:
-        transformed_sa = {
-            "id": sa["uniqueId"],
-            "email": sa.get("email"),
-            "displayName": sa.get("displayName"),
-            "oauth2ClientId": sa.get("oauth2ClientId"),
-            "uniqueId": sa.get("uniqueId"),
-            "disabled": sa.get("disabled", False),
-            "projectId": project_id,
-        }
-        transformed_service_accounts.append(transformed_sa)
 
     load(
         neo4j_session,
         GCPServiceAccountSchema(),
-        transformed_service_accounts,
+        service_accounts,
         lastupdated=gcp_update_tag,
         projectId=project_id,
-        additional_labels=["GCPPrincipal"],
     )
 
 
+def transform_gcp_roles(
+    raw_roles: List[Dict[str, Any]],
+    project_id: str,
+) -> List[Dict[str, Any]]:
+    """
+    Transform raw GCP roles into loader-friendly dicts.
+    """
+    result: List[Dict[str, Any]] = []
+    for role in raw_roles:
+        role_name = role["name"]
+        if role_name.startswith("roles/"):
+            role_type = (
+                "BASIC"
+                if role_name in ["roles/owner", "roles/editor", "roles/viewer"]
+                else "PREDEFINED"
+            )
+        else:
+            role_type = "CUSTOM"
+
+        result.append(
+            {
+                "id": role_name,
+                "name": role_name,
+                "title": role.get("title"),
+                "description": role.get("description"),
+                "deleted": role.get("deleted", False),
+                "etag": role.get("etag"),
+                "includedPermissions": role.get("includedPermissions", []),
+                "roleType": role_type,
+                "projectId": project_id,
+            },
+        )
+    return result
+
+
 @timeit
 def load_gcp_roles(
     neo4j_session: neo4j.Session,
@@ -140,41 +180,13 @@ def load_gcp_roles(
 ) -> None:
     """
     Load GCP role data into Neo4j.
-
-    :param neo4j_session: The Neo4j session.
-    :param roles: A list of role data to load.
-    :param project_id: The GCP Project ID associated with the roles.
-    :param gcp_update_tag: The timestamp of the current sync run.
     """
     logger.debug(f"Loading {len(roles)} roles for project {project_id}")
-    transformed_roles = []
-    for role in roles:
-        role_name = role["name"]
-        if role_name.startswith("roles/"):
-            if role_name in ["roles/owner", "roles/editor", "roles/viewer"]:
-                role_type = "BASIC"
-            else:
-                role_type = "PREDEFINED"
-        else:
-            role_type = "CUSTOM"
-
-        transformed_role = {
-            "id": role_name,
-            "name": role_name,
-            "title": role.get("title"),
-            "description": role.get("description"),
-            "deleted": role.get("deleted", False),
-            "etag": role.get("etag"),
-            "includedPermissions": role.get("includedPermissions", []),
-            "roleType": role_type,
-            "projectId": project_id,
-        }
-        transformed_roles.append(transformed_role)
 
     load(
         neo4j_session,
         GCPRoleSchema(),
-        transformed_roles,
+        roles,
         lastupdated=gcp_update_tag,
         projectId=project_id,
     )
@@ -224,18 +236,18 @@ def sync(
     """
     logger.info(f"Syncing GCP IAM for project {project_id}")
 
-    # Get and load service accounts
-    service_accounts = get_gcp_service_accounts(iam_client, project_id)
+    service_accounts_raw = get_gcp_service_accounts(iam_client, project_id)
     logger.info(
-        f"Found {len(service_accounts)} service accounts in project {project_id}"
+        f"Found {len(service_accounts_raw)} service accounts in project {project_id}"
     )
+    service_accounts = transform_gcp_service_accounts(service_accounts_raw, project_id)
     load_gcp_service_accounts(
         neo4j_session, service_accounts, project_id, gcp_update_tag
     )
 
-    # Get and load roles
-    roles = get_gcp_roles(iam_client, project_id)
-    logger.info(f"Found {len(roles)} roles in project {project_id}")
+    roles_raw = get_gcp_roles(iam_client, project_id)
+    logger.info(f"Found {len(roles_raw)} roles in project {project_id}")
+    roles = transform_gcp_roles(roles_raw, project_id)
     load_gcp_roles(neo4j_session, roles, project_id, gcp_update_tag)
 
     # Run cleanup

cartography/intel/gcp/storage.py

@@ -1,13 +1,17 @@
 import logging
 from typing import Dict
 from typing import List
+from typing import Tuple
 
 import neo4j
 from googleapiclient.discovery import HttpError
 from googleapiclient.discovery import Resource
 
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
 from cartography.intel.gcp import compute
-from cartography.util import run_cleanup_job
+from cartography.models.gcp.storage.bucket import GCPBucketLabelSchema
+from cartography.models.gcp.storage.bucket import GCPBucketSchema
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -58,165 +62,85 @@ def get_gcp_buckets(storage: Resource, project_id: str) -> Dict:
 
 
 @timeit
-def transform_gcp_buckets(bucket_res: Dict) -> List[Dict]:
+def transform_gcp_buckets_and_labels(bucket_res: Dict) -> Tuple[List[Dict], List[Dict]]:
     """
-    Transform the GCP Storage Bucket response object for Neo4j ingestion
+    Transform the GCP Storage Bucket response object for Neo4j ingestion.
 
-    :type bucket_res: The GCP storage resource object (https://cloud.google.com/storage/docs/json_api/v1/buckets)
-    :param bucket_res: The return data
-
-    :rtype: list
-    :return: List of buckets ready for ingestion to Neo4j
+    :param bucket_res: The raw GCP bucket response.
+    :return: A tuple of (buckets, bucket_labels) ready for ingestion to Neo4j.
     """
 
-    bucket_list = []
+    buckets: List[Dict] = []
+    labels: List[Dict] = []
     for b in bucket_res.get("items", []):
-        bucket = {}
-        bucket["etag"] = b.get("etag")
-        bucket["iam_config_bucket_policy_only"] = (
-            b.get("iamConfiguration", {})
-            .get("bucketPolicyOnly", {})
-            .get("enabled", None)
-        )
-        bucket["id"] = b["id"]
-        bucket["labels"] = [(key, val) for (key, val) in b.get("labels", {}).items()]
-        bucket["owner_entity"] = b.get("owner", {}).get("entity")
-        bucket["owner_entity_id"] = b.get("owner", {}).get("entityId")
-        bucket["kind"] = b.get("kind")
-        bucket["location"] = b.get("location")
-        bucket["location_type"] = b.get("locationType")
-        bucket["meta_generation"] = b.get("metageneration", None)
-        bucket["project_number"] = b["projectNumber"]
-        bucket["self_link"] = b.get("selfLink")
-        bucket["storage_class"] = b.get("storageClass")
-        bucket["time_created"] = b.get("timeCreated")
-        bucket["updated"] = b.get("updated")
-        bucket["versioning_enabled"] = b.get("versioning", {}).get("enabled", None)
-        bucket["default_event_based_hold"] = b.get("defaultEventBasedHold", None)
-        bucket["retention_period"] = b.get("retentionPolicy", {}).get(
-            "retentionPeriod",
-            None,
-        )
-        bucket["default_kms_key_name"] = b.get("encryption", {}).get(
-            "defaultKmsKeyName",
-        )
-        bucket["log_bucket"] = b.get("logging", {}).get("logBucket")
-        bucket["requester_pays"] = b.get("billing", {}).get("requesterPays", None)
-        bucket_list.append(bucket)
-    return bucket_list
+        bucket = {
+            "iam_config_bucket_policy_only": (
+                b.get("iamConfiguration", {}).get("bucketPolicyOnly", {}).get("enabled")
+            ),
+            "id": b["id"],
+            # Preserve legacy bucket_id field for compatibility
+            "bucket_id": b["id"],
+            "owner_entity": b.get("owner", {}).get("entity"),
+            "owner_entity_id": b.get("owner", {}).get("entityId"),
+            "kind": b.get("kind"),
+            "location": b.get("location"),
+            "location_type": b.get("locationType"),
+            "meta_generation": b.get("metageneration"),
+            "project_number": b.get("projectNumber"),
+            "self_link": b.get("selfLink"),
+            "storage_class": b.get("storageClass"),
+            "time_created": b.get("timeCreated"),
+            "versioning_enabled": b.get("versioning", {}).get("enabled"),
+            "retention_period": b.get("retentionPolicy", {}).get("retentionPeriod"),
+            "default_kms_key_name": b.get("encryption", {}).get("defaultKmsKeyName"),
+            "log_bucket": b.get("logging", {}).get("logBucket"),
+            "requester_pays": b.get("billing", {}).get("requesterPays"),
+        }
+        buckets.append(bucket)
+        for key, val in b.get("labels", {}).items():
+            labels.append(
+                {
+                    "id": f"GCPBucket_{key}",
+                    "key": key,
+                    "value": val,
+                    "bucket_id": b["id"],
+                }
+            )
+    return buckets, labels
 
 
 @timeit
 def load_gcp_buckets(
     neo4j_session: neo4j.Session,
     buckets: List[Dict],
+    project_id: str,
     gcp_update_tag: int,
 ) -> None:
-    """
-    Ingest GCP Storage Buckets to Neo4j
-
-    :type neo4j_session: Neo4j session object
-    :param neo4j session: The Neo4j session object
-
-    :type buckets: list
-    :param buckets: List of GCP Storage Buckets to injest
-
-    :type gcp_update_tag: timestamp
-    :param gcp_update_tag: The timestamp value to set our new Neo4j nodes with
-
-    :rtype: NoneType
-    :return: Nothing
-    """
-
-    query = """
-    MERGE(p:GCPProject{projectnumber:$ProjectNumber})
-    ON CREATE SET p.firstseen = timestamp()
-    SET p.lastupdated = $gcp_update_tag
-
-    MERGE(bucket:GCPBucket{id:$BucketId})
-    ON CREATE SET bucket.firstseen = timestamp(),
-    bucket.bucket_id = $BucketId
-    SET bucket.self_link = $SelfLink,
-    bucket.project_number = $ProjectNumber,
-    bucket.kind = $Kind,
-    bucket.location = $Location,
-    bucket.location_type = $LocationType,
-    bucket.meta_generation = $MetaGeneration,
-    bucket.storage_class = $StorageClass,
-    bucket.time_created = $TimeCreated,
-    bucket.retention_period = $RetentionPeriod,
-    bucket.iam_config_bucket_policy_only = $IamConfigBucketPolicyOnly,
-    bucket.owner_entity = $OwnerEntity,
-    bucket.owner_entity_id = $OwnerEntityId,
-    bucket.lastupdated = $gcp_update_tag,
-    bucket.versioning_enabled = $VersioningEnabled,
-    bucket.log_bucket = $LogBucket,
-    bucket.requester_pays = $RequesterPays,
-    bucket.default_kms_key_name = $DefaultKmsKeyName
-
-    MERGE (p)-[r:RESOURCE]->(bucket)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $gcp_update_tag
-    """
-    for bucket in buckets:
-        neo4j_session.run(
-            query,
-            ProjectNumber=bucket["project_number"],
-            BucketId=bucket["id"],
-            SelfLink=bucket["self_link"],
-            Kind=bucket["kind"],
-            Location=bucket["location"],
-            LocationType=bucket["location_type"],
-            MetaGeneration=bucket["meta_generation"],
-            StorageClass=bucket["storage_class"],
-            TimeCreated=bucket["time_created"],
-            RetentionPeriod=bucket["retention_period"],
-            IamConfigBucketPolicyOnly=bucket["iam_config_bucket_policy_only"],
-            OwnerEntity=bucket["owner_entity"],
-            OwnerEntityId=bucket["owner_entity_id"],
-            VersioningEnabled=bucket["versioning_enabled"],
-            LogBucket=bucket["log_bucket"],
-            RequesterPays=bucket["requester_pays"],
-            DefaultKmsKeyName=bucket["default_kms_key_name"],
-            gcp_update_tag=gcp_update_tag,
-        )
-        _attach_gcp_bucket_labels(neo4j_session, bucket, gcp_update_tag)
+    """Ingest GCP Storage Buckets to Neo4j."""
+    load(
+        neo4j_session,
+        GCPBucketSchema(),
+        buckets,
+        lastupdated=gcp_update_tag,
+        PROJECT_ID=project_id,
+    )
 
 
 @timeit
-def _attach_gcp_bucket_labels(
+def load_gcp_bucket_labels(
     neo4j_session: neo4j.Session,
-    bucket: Resource,
+    bucket_labels: List[Dict],
+    project_id: str,
     gcp_update_tag: int,
 ) -> None:
-    """
-    Attach GCP bucket labels to the bucket.
-    :param neo4j_session: The neo4j session
-    :param bucket: The GCP bucket object
-    :param gcp_update_tag: The update tag for this sync
-    :return: Nothing
-    """
-    query = """
-    MERGE (l:Label:GCPBucketLabel{id: $BucketLabelId})
-    ON CREATE SET l.firstseen = timestamp(),
-    l.key = $Key
-    SET l.value = $Value,
-    l.lastupdated = $gcp_update_tag
-    WITH l
-    MATCH (bucket:GCPBucket{id:$BucketId})
-    MERGE (l)<-[r:LABELED]-(bucket)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $gcp_update_tag
-    """
-    for key, val in bucket.get("labels", []):
-        neo4j_session.run(
-            query,
-            BucketLabelId=f"GCPBucket_{key}",
-            Key=key,
-            Value=val,
-            BucketId=bucket["id"],
-            gcp_update_tag=gcp_update_tag,
-        )
+    """Ingest GCP Storage Bucket labels and attach them to buckets."""
+    load(
+        neo4j_session,
+        GCPBucketLabelSchema(),
+        bucket_labels,
+        lastupdated=gcp_update_tag,
+        PROJECT_ID=project_id,
+    )
 
 
 @timeit
@@ -224,22 +148,14 @@ def cleanup_gcp_buckets(
     neo4j_session: neo4j.Session,
     common_job_parameters: Dict,
 ) -> None:
-    """
-    Delete out-of-date GCP Storage Bucket nodes and relationships
-
-    :type neo4j_session: The Neo4j session object
-    :param neo4j_session: The Neo4j session
-
-    :type common_job_parameters: dict
-    :param common_job_parameters: Dictionary of other job parameters to pass to Neo4j
-
-    :rtype: NoneType
-    :return: Nothing
-    """
-    run_cleanup_job(
-        "gcp_storage_bucket_cleanup.json",
+    """Delete out-of-date GCP Storage Bucket nodes and relationships."""
+    # Bucket labels depend on buckets, so we must remove labels first to avoid
+    # dangling references before deleting the buckets themselves.
+    GraphJob.from_node_schema(GCPBucketLabelSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
+    GraphJob.from_node_schema(GCPBucketSchema(), common_job_parameters).run(
         neo4j_session,
-        common_job_parameters,
     )
 
 
@@ -274,7 +190,7 @@ def sync_gcp_buckets(
     """
     logger.info("Syncing Storage objects for project %s.", project_id)
     storage_res = get_gcp_buckets(storage, project_id)
-    bucket_list = transform_gcp_buckets(storage_res)
-    load_gcp_buckets(neo4j_session, bucket_list, gcp_update_tag)
-    # TODO scope the cleanup to the current project - https://github.com/cartography-cncf/cartography/issues/381
+    buckets, bucket_labels = transform_gcp_buckets_and_labels(storage_res)
+    load_gcp_buckets(neo4j_session, buckets, project_id, gcp_update_tag)
+    load_gcp_bucket_labels(neo4j_session, bucket_labels, project_id, gcp_update_tag)
     cleanup_gcp_buckets(neo4j_session, common_job_parameters)

cartography/intel/github/__init__.py

@@ -1,18 +1,45 @@
 import base64
 import json
 import logging
+from typing import cast
 
 import neo4j
 
+import cartography.intel.github.commits
 import cartography.intel.github.repos
 import cartography.intel.github.teams
 import cartography.intel.github.users
+from cartography.client.core.tx import read_list_of_values_tx
 from cartography.config import Config
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 
 
+def _get_repos_from_graph(neo4j_session: neo4j.Session, organization: str) -> list[str]:
+    """
+    Get repository names for an organization from the graph instead of making an API call.
+
+    :param neo4j_session: Neo4j session for database interface
+    :param organization: GitHub organization name
+    :return: List of repository names
+    """
+    org_url = f"https://github.com/{organization}"
+    query = """
+    MATCH (org:GitHubOrganization {id: $org_url})<-[:OWNER]-(repo:GitHubRepository)
+    RETURN repo.name
+    ORDER BY repo.name
+    """
+    return cast(
+        list[str],
+        neo4j_session.execute_read(
+            read_list_of_values_tx,
+            query,
+            org_url=org_url,
+        ),
+    )
+
+
 @timeit
 def start_github_ingestion(neo4j_session: neo4j.Session, config: Config) -> None:
     """
@@ -54,3 +81,17 @@ def start_github_ingestion(neo4j_session: neo4j.Session, config: Config) -> None
             auth_data["url"],
             auth_data["name"],
         )
+
+        # Sync commit relationships for the configured lookback period
+        # Get repo names from the graph instead of making another API call
+        repo_names = _get_repos_from_graph(neo4j_session, auth_data["name"])
+
+        cartography.intel.github.commits.sync_github_commits(
+            neo4j_session,
+            auth_data["token"],
+            auth_data["url"],
+            auth_data["name"],
+            repo_names,
+            common_job_parameters["UPDATE_TAG"],
+            config.github_commit_lookback_days,
+        )