cartography 0.113.0__py3-none-any.whl → 0.115.0__py3-none-any.whl

cartography/intel/aws/route53.py

@@ -24,6 +24,7 @@ DnsData = namedtuple(
     [
         "zones",
         "a_records",
+        "aaaa_records",
         "alias_records",
         "cname_records",
         "ns_records",
@@ -73,7 +74,7 @@ def get_zones(
 def transform_record_set(
     record_set: dict[str, Any], zone_id: str, name: str
 ) -> dict[str, Any] | None:
-    # process CNAME, ALIAS and A records
+    # process CNAME, ALIAS, A, and AAAA records
     if record_set["Type"] == "CNAME":
         if "AliasTarget" in record_set:
             # this is a weighted CNAME record
@@ -127,6 +128,31 @@ def transform_record_set(
                 "value": value,
                 "id": _create_dns_record_id(zone_id, name, "A"),
             }
+    elif record_set["Type"] == "AAAA":
+        if "AliasTarget" in record_set:
+            # AAAA alias records follow the same pattern as A aliases but map to IPv6 targets
+            value = record_set["AliasTarget"]["DNSName"]
+            if value.endswith("."):
+                value = value[:-1]
+            return {
+                "name": name,
+                "type": "ALIAS",
+                "zoneid": zone_id,
+                "value": value,
+                "id": _create_dns_record_id(zone_id, name, "ALIAS_AAAA"),
+            }
+        else:
+            ip_addresses = [record["Value"] for record in record_set["ResourceRecords"]]
+            value = ",".join(ip_addresses)
+
+            return {
+                "name": name,
+                "type": "AAAA",
+                "zoneid": zone_id,
+                "ip_addresses": ip_addresses,
+                "value": value,
+                "id": _create_dns_record_id(zone_id, name, "AAAA"),
+            }
     # This should never happen since we only call this for A and CNAME records,
     # but we'll log it and return None.
     logger.warning(f"Unsupported record type: {record_set['Type']}")
@@ -179,10 +205,11 @@ def transform_all_dns_data(
 ) -> DnsData:
     """
     Transform all DNS data into flat lists for loading.
-    Returns: (zones, a_records, alias_records, cname_records, ns_records)
+    Returns: (zones, a_records, aaaa_records, alias_records, cname_records, ns_records)
     """
     transformed_zones = []
     all_a_records = []
+    all_aaaa_records = []
     all_alias_records = []
     all_cname_records = []
     all_ns_records = []
@@ -196,7 +223,7 @@ def transform_all_dns_data(
         zone_name = parsed_zone["name"]
 
         for rs in zone_record_sets:
-            if rs["Type"] == "A" or rs["Type"] == "CNAME":
+            if rs["Type"] in {"A", "AAAA", "CNAME"}:
                 transformed_rs = transform_record_set(
                     rs,
                     zone_id,
@@ -209,6 +236,8 @@ def transform_all_dns_data(
                     all_a_records.append(transformed_rs)
                     # TODO consider creating IPs as a first-class node from here.
                     # Right now we just match on them from the A record.
+                elif transformed_rs["type"] == "AAAA":
+                    all_aaaa_records.append(transformed_rs)
                 elif transformed_rs["type"] == "ALIAS":
                     all_alias_records.append(transformed_rs)
                 elif transformed_rs["type"] == "CNAME":
@@ -232,6 +261,7 @@ def transform_all_dns_data(
     return DnsData(
         zones=transformed_zones,
         a_records=all_a_records,
+        aaaa_records=all_aaaa_records,
         alias_records=all_alias_records,
         cname_records=all_cname_records,
         ns_records=all_ns_records,
@@ -244,6 +274,7 @@ def _load_dns_details_flat(
     neo4j_session: neo4j.Session,
     zones: list[dict[str, Any]],
     a_records: list[dict[str, Any]],
+    aaaa_records: list[dict[str, Any]],
     alias_records: list[dict[str, Any]],
     cname_records: list[dict[str, Any]],
     ns_records: list[dict[str, Any]],
@@ -253,6 +284,7 @@ def _load_dns_details_flat(
 ) -> None:
     load_zones(neo4j_session, zones, current_aws_id, update_tag)
     load_a_records(neo4j_session, a_records, update_tag, current_aws_id)
+    load_aaaa_records(neo4j_session, aaaa_records, update_tag, current_aws_id)
     load_alias_records(neo4j_session, alias_records, update_tag, current_aws_id)
     load_cname_records(neo4j_session, cname_records, update_tag, current_aws_id)
     load_name_servers(neo4j_session, name_servers, update_tag, current_aws_id)
@@ -274,6 +306,7 @@ def load_dns_details(
         neo4j_session,
         transformed_data.zones,
         transformed_data.a_records,
+        transformed_data.aaaa_records,
         transformed_data.alias_records,
         transformed_data.cname_records,
         transformed_data.ns_records,
@@ -299,6 +332,22 @@ def load_a_records(
     )
 
 
+@timeit
+def load_aaaa_records(
+    neo4j_session: neo4j.Session,
+    records: list[dict[str, Any]],
+    update_tag: int,
+    current_aws_id: str,
+) -> None:
+    load(
+        neo4j_session,
+        AWSDNSRecordSchema(),
+        records,
+        lastupdated=update_tag,
+        AWS_ID=current_aws_id,
+    )
+
+
 @timeit
 def load_alias_records(
     neo4j_session: neo4j.Session,
@@ -468,6 +517,7 @@ def sync(
         neo4j_session,
         transformed_data.zones,
         transformed_data.a_records,
+        transformed_data.aaaa_records,
         transformed_data.alias_records,
         transformed_data.cname_records,
         transformed_data.ns_records,

cartography/intel/aws/securityhub.py

@@ -6,6 +6,7 @@ import boto3
 import neo4j
 from dateutil import parser
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
@@ -50,7 +51,8 @@ def load_hub(
     ON CREATE SET r.firstseen = timestamp()
     SET r.lastupdated = $aws_update_tag
     """
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_hub,
         Hub=data,
         AWS_ACCOUNT_ID=current_aws_account_id,

cartography/intel/azure/__init__.py

@@ -7,8 +7,11 @@ import neo4j
 from cartography.config import Config
 from cartography.util import timeit
 
+from . import app_service
 from . import compute
 from . import cosmosdb
+from . import functions
+from . import logic_apps
 from . import sql
 from . import storage
 from . import subscription
@@ -40,6 +43,27 @@ def _sync_one_subscription(
         update_tag,
         common_job_parameters,
     )
+    app_service.sync(
+        neo4j_session,
+        credentials,
+        subscription_id,
+        update_tag,
+        common_job_parameters,
+    )
+    functions.sync(
+        neo4j_session,
+        credentials,
+        subscription_id,
+        update_tag,
+        common_job_parameters,
+    )
+    logic_apps.sync(
+        neo4j_session,
+        credentials,
+        subscription_id,
+        update_tag,
+        common_job_parameters,
+    )
     sql.sync(
         neo4j_session,
         credentials.credential,

cartography/intel/azure/app_service.py

@@ -0,0 +1,105 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import neo4j
+from azure.core.exceptions import ClientAuthenticationError
+from azure.core.exceptions import HttpResponseError
+from azure.mgmt.web import WebSiteManagementClient
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.azure.app_service import AzureAppServiceSchema
+from cartography.util import timeit
+
+from .util.credentials import Credentials
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get_app_services(credentials: Credentials, subscription_id: str) -> List[Dict]:
+    """
+    Get a list of App Services from the given Azure subscription.
+    """
+    try:
+        client = WebSiteManagementClient(credentials.credential, subscription_id)
+        # NOTE: This is the same API call as Functions. We get all web apps
+        # and then filter them in the transform stage.
+        return [app.as_dict() for app in client.web_apps.list()]
+    except (ClientAuthenticationError, HttpResponseError) as e:
+        logger.warning(
+            f"Failed to get app services for subscription {subscription_id}: {str(e)}"
+        )
+        return []
+
+
+@timeit
+def transform_app_services(app_services_response: List[Dict]) -> List[Dict]:
+    """
+    Transform the raw API response to the dictionary structure that the model expects.
+    """
+    transformed_apps: List[Dict[str, Any]] = []
+    for app in app_services_response:
+        if "functionapp" not in app.get("kind", ""):
+            transformed_app = {
+                "id": app.get("id"),
+                "name": app.get("name"),
+                "kind": app.get("kind"),
+                "location": app.get("location"),
+                "state": app.get("state"),
+                "default_host_name": app.get("default_host_name"),
+                "https_only": app.get("https_only"),
+            }
+            transformed_apps.append(transformed_app)
+    return transformed_apps
+
+
+@timeit
+def load_app_services(
+    neo4j_session: neo4j.Session,
+    data: List[Dict[str, Any]],
+    subscription_id: str,
+    update_tag: int,
+) -> None:
+    """
+    Load the transformed Azure App Service data to Neo4j.
+    """
+    load(
+        neo4j_session,
+        AzureAppServiceSchema(),
+        data,
+        lastupdated=update_tag,
+        AZURE_SUBSCRIPTION_ID=subscription_id,
+    )
+
+
+@timeit
+def cleanup_app_services(
+    neo4j_session: neo4j.Session, common_job_parameters: Dict
+) -> None:
+    """
+    Run the cleanup job for Azure App Services.
+    """
+    GraphJob.from_node_schema(AzureAppServiceSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    credentials: Credentials,
+    subscription_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
+) -> None:
+    """
+    The main sync function for Azure App Services.
+    """
+    logger.info(f"Syncing Azure App Services for subscription {subscription_id}.")
+    raw_apps = get_app_services(credentials, subscription_id)
+    transformed_apps = transform_app_services(raw_apps)
+    load_app_services(neo4j_session, transformed_apps, subscription_id, update_tag)
+    cleanup_app_services(neo4j_session, common_job_parameters)

cartography/intel/azure/functions.py

@@ -0,0 +1,124 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import neo4j
+from azure.core.exceptions import ClientAuthenticationError
+from azure.core.exceptions import HttpResponseError
+from azure.mgmt.web import WebSiteManagementClient
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.azure.function_app import AzureFunctionAppSchema
+from cartography.util import timeit
+
+from .util.credentials import Credentials
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get_function_apps(credentials: Credentials, subscription_id: str) -> List[Dict]:
+    """
+    Get a list of Function Apps from the given Azure subscription.
+    """
+    try:
+        client = WebSiteManagementClient(credentials.credential, subscription_id)
+        # Note: Function Apps are a type of Web App, so we list all web apps
+        # and then filter them in the transform stage.
+        return [app.as_dict() for app in client.web_apps.list()]
+
+    except ClientAuthenticationError as e:
+        logger.warning(
+            (
+                "Failed to authenticate to get function apps for subscription '%s'. "
+                "Please check your credentials. Error: %s"
+            ),
+            subscription_id,
+            e,
+        )
+        return []
+
+    except HttpResponseError as e:
+        logger.warning(
+            (
+                "Failed to get function apps for subscription '%s' due to an API error. "
+                "Status code: %s. Message: %s"
+            ),
+            subscription_id,
+            e.status_code,
+            str(e),
+        )
+        return []
+
+
+@timeit
+def transform_function_apps(function_apps_response: List[Dict]) -> List[Dict]:
+    """
+    Transform the raw API response to the dictionary structure that the model expects.
+    """
+    transformed_apps: List[Dict[str, Any]] = []
+    for app in function_apps_response:
+        # We only want to ingest resources that are explicitly function apps.
+        if "functionapp" in app.get("kind", ""):
+            transformed_app = {
+                "id": app.get("id"),
+                "name": app.get("name"),
+                "kind": app.get("kind"),
+                "location": app.get("location"),
+                "state": app.get("state"),
+                "default_host_name": app.get("default_host_name"),
+                "https_only": app.get("https_only"),
+            }
+            transformed_apps.append(transformed_app)
+    return transformed_apps
+
+
+@timeit
+def load_function_apps(
+    neo4j_session: neo4j.Session,
+    data: List[Dict[str, Any]],
+    subscription_id: str,
+    update_tag: int,
+) -> None:
+    """
+    Load the transformed Azure Function App data to Neo4j.
+    """
+    load(
+        neo4j_session,
+        AzureFunctionAppSchema(),
+        data,
+        lastupdated=update_tag,
+        AZURE_SUBSCRIPTION_ID=subscription_id,
+    )
+
+
+@timeit
+def cleanup_function_apps(
+    neo4j_session: neo4j.Session, common_job_parameters: Dict
+) -> None:
+    """
+    Run the cleanup job for Azure Function Apps.
+    """
+    GraphJob.from_node_schema(AzureFunctionAppSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    credentials: Credentials,
+    subscription_id: str,
+    update_tag: int,
+    common_job_parameters: Dict,
+) -> None:
+    """
+    The main sync function for Azure Function Apps.
+    """
+    logger.info(f"Syncing Azure Function Apps for subscription {subscription_id}.")
+    raw_apps = get_function_apps(credentials, subscription_id)
+    transformed_apps = transform_function_apps(raw_apps)
+    load_function_apps(neo4j_session, transformed_apps, subscription_id, update_tag)
+    cleanup_function_apps(neo4j_session, common_job_parameters)

cartography/intel/azure/logic_apps.py

@@ -0,0 +1,101 @@
+import logging
+from typing import Any
+
+import neo4j
+from azure.core.exceptions import ClientAuthenticationError
+from azure.core.exceptions import HttpResponseError
+from azure.mgmt.logic import LogicManagementClient
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.azure.logic_apps import AzureLogicAppSchema
+from cartography.util import timeit
+
+from .util.credentials import Credentials
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get_logic_apps(credentials: Credentials, subscription_id: str) -> list[dict]:
+    """
+    Get a list of Logic Apps from the given Azure subscription.
+    """
+    try:
+        client = LogicManagementClient(credentials.credential, subscription_id)
+        # NOTE: The resource for a Logic App is called a "Workflow" in the SDK.
+        return [w.as_dict() for w in client.workflows.list_by_subscription()]
+    except (ClientAuthenticationError, HttpResponseError) as e:
+        logger.warning(
+            f"Failed to get logic apps for subscription {subscription_id}: {str(e)}"
+        )
+        return []
+
+
+def transform_logic_apps(logic_apps_response: list[dict]) -> list[dict]:
+    """
+    Transform the raw API response to the dictionary structure that the model expects.
+    """
+    transformed_apps: list[dict[str, Any]] = []
+    for app in logic_apps_response:
+        transformed_app = {
+            "id": app.get("id"),
+            "name": app.get("name"),
+            "location": app.get("location"),
+            "state": app.get("properties", {}).get("state"),
+            "created_time": app.get("properties", {}).get("created_time"),
+            "changed_time": app.get("properties", {}).get("changed_time"),
+            "version": app.get("properties", {}).get("version"),
+            "access_endpoint": app.get("properties", {}).get("access_endpoint"),
+        }
+        transformed_apps.append(transformed_app)
+    return transformed_apps
+
+
+@timeit
+def load_logic_apps(
+    neo4j_session: neo4j.Session,
+    data: list[dict[str, Any]],
+    subscription_id: str,
+    update_tag: int,
+) -> None:
+    """
+    Load the transformed Azure Logic App data to Neo4j.
+    """
+    load(
+        neo4j_session,
+        AzureLogicAppSchema(),
+        data,
+        lastupdated=update_tag,
+        AZURE_SUBSCRIPTION_ID=subscription_id,
+    )
+
+
+@timeit
+def cleanup_logic_apps(
+    neo4j_session: neo4j.Session, common_job_parameters: dict
+) -> None:
+    """
+    Run the cleanup job for Azure Logic Apps.
+    """
+    GraphJob.from_node_schema(AzureLogicAppSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    credentials: Credentials,
+    subscription_id: str,
+    update_tag: int,
+    common_job_parameters: dict,
+) -> None:
+    """
+    The main sync function for Azure Logic Apps.
+    """
+    logger.info(f"Syncing Azure Logic Apps for subscription {subscription_id}.")
+    raw_apps = get_logic_apps(credentials, subscription_id)
+    transformed_apps = transform_logic_apps(raw_apps)
+    load_logic_apps(neo4j_session, transformed_apps, subscription_id, update_tag)
+    cleanup_logic_apps(neo4j_session, common_job_parameters)

cartography/intel/create_indexes.py

@@ -3,6 +3,7 @@ from typing import List
 
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.config import Config
 from cartography.util import load_resource_binary
 
@@ -23,4 +24,4 @@ def run(neo4j_session: neo4j.Session, config: Config) -> None:
     logger.info("Creating indexes for cartography node types.")
     for statement in get_index_statements():
         logger.debug("Executing statement: %s", statement)
-        neo4j_session.run(statement)
+        run_write_query(neo4j_session, statement)

cartography/intel/dns.py

@@ -8,6 +8,7 @@ import dns.rdatatype
 import dns.resolver
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -104,7 +105,8 @@ def _link_ip_to_A_record(
     SET r.lastupdated = $update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         ParentId=parent_record,
         IP_LIST=ip_list,
@@ -151,7 +153,8 @@ def ingest_dns_record(
 
     record_id = f"{name}+{type}"
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         template.safe_substitute(
             record_label=record_label,
             dns_node_additional_label=dns_node_additional_label,

cartography/intel/entra/__init__.py

@@ -6,9 +6,12 @@ from azure.identity import ClientSecretCredential
 from msgraph import GraphServiceClient
 
 from cartography.config import Config
+from cartography.intel.entra.app_role_assignments import sync_app_role_assignments
 from cartography.intel.entra.applications import sync_entra_applications
+from cartography.intel.entra.federation.aws_identity_center import sync_entra_federation
 from cartography.intel.entra.groups import sync_entra_groups
 from cartography.intel.entra.ou import sync_entra_ous
+from cartography.intel.entra.service_principals import sync_service_principals
 from cartography.intel.entra.users import get_tenant
 from cartography.intel.entra.users import load_tenant
 from cartography.intel.entra.users import sync_entra_users
@@ -125,5 +128,33 @@ def start_entra_ingestion(neo4j_session: neo4j.Session, config: Config) -> None:
             common_job_parameters,
         )
 
+        # Run service principals sync
+        await sync_service_principals(
+            neo4j_session,
+            config.entra_tenant_id,
+            config.entra_client_id,
+            config.entra_client_secret,
+            config.update_tag,
+            common_job_parameters,
+        )
+
+        # Run app role assignments sync
+        await sync_app_role_assignments(
+            neo4j_session,
+            config.entra_tenant_id,
+            config.entra_client_id,
+            config.entra_client_secret,
+            config.update_tag,
+            common_job_parameters,
+        )
+
+        # Run federation sync (after all resources are synced)
+        await sync_entra_federation(
+            neo4j_session,
+            config.update_tag,
+            config.entra_tenant_id,
+            common_job_parameters,
+        )
+
     # Execute syncs in sequence
     asyncio.run(main())