cartography 0.114.0__py3-none-any.whl → 0.115.0__py3-none-any.whl

cartography/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.114.0'
-__version_tuple__ = version_tuple = (0, 114, 0)
+__version__ = version = '0.115.0'
+__version_tuple__ = version_tuple = (0, 115, 0)
 
 __commit_id__ = commit_id = None

cartography/cli.py

@@ -967,8 +967,8 @@ class CLI:
                 logger.warning("A Kandji base URI was provided but a token was not.")
                 config.kandji_token = None
         else:
-            logger.warning("A Kandji base URI was not provided.")
             config.kandji_base_uri = None
+            config.kandji_token = None
 
         if config.statsd_enabled:
             logger.debug(
@@ -1096,8 +1096,8 @@ class CLI:
                 logger.warning("A SnipeIT base URI was provided but a token was not.")
                 config.snipeit_token = None
         else:
-            logger.warning("A SnipeIT base URI was not provided.")
             config.snipeit_base_uri = None
+            config.snipeit_token = None
 
         # Tailscale config
         if config.tailscale_token_env_var:

cartography/client/core/tx.py

@@ -19,6 +19,17 @@ from cartography.util import batch
 logger = logging.getLogger(__name__)
 
 
+def run_write_query(
+    neo4j_session: neo4j.Session, query: str, **parameters: Any
+) -> None:
+    """Execute a write query inside a managed transaction."""
+
+    def _run_query_tx(tx: neo4j.Transaction) -> None:
+        tx.run(query, **parameters).consume()
+
+    neo4j_session.execute_write(_run_query_tx)
+
+
 def read_list_of_values_tx(
     tx: neo4j.Transaction,
     query: str,

cartography/intel/aws/config.py

@@ -5,6 +5,7 @@ from typing import List
 import boto3
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import aws_handle_regions
 from cartography.util import run_cleanup_job
 from cartography.util import timeit
@@ -80,7 +81,8 @@ def load_configuration_recorders(
     for recorder in data:
         recorder["_id"] = f'{recorder["name"]}:{current_aws_account_id}:{region}'
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_configuration_recorders,
         Recorders=data,
         Region=region,
@@ -120,7 +122,8 @@ def load_delivery_channels(
     for channel in data:
         channel["_id"] = f'{channel["name"]}:{current_aws_account_id}:{region}'
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_delivery_channels,
         Channels=data,
         Region=region,
@@ -167,7 +170,8 @@ def load_config_rules(
             for detail in rule["Source"]["SourceDetails"]:
                 details.append(f"{detail}")
         rule["_source_details"] = details
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_config_rules,
         Rules=data,
         Region=region,

cartography/intel/aws/ecr.py

@@ -57,15 +57,15 @@ def get_ecr_repository_images(
         )
         for response in describe_response:
             image_details = response["imageDetails"]
-            image_details = [
-                (
-                    {**detail, "imageTag": detail["imageTags"][0]}
-                    if detail.get("imageTags")
-                    else detail
-                )
-                for detail in image_details
-            ]
-            ecr_repository_images.extend(image_details)
+            for detail in image_details:
+                tags = detail.get("imageTags") or []
+                if tags:
+                    for tag in tags:
+                        image_detail = {**detail, "imageTag": tag}
+                        image_detail.pop("imageTags", None)
+                        ecr_repository_images.append(image_detail)
+                else:
+                    ecr_repository_images.append({**detail})
     return ecr_repository_images
 
 

cartography/intel/aws/identitycenter.py

@@ -2,6 +2,8 @@ import logging
 from typing import Any
 from typing import Dict
 from typing import List
+from typing import Optional
+from typing import Union
 
 import boto3
 import neo4j
@@ -15,9 +17,13 @@ from cartography.models.aws.identitycenter.awsidentitycenter import (
 from cartography.models.aws.identitycenter.awspermissionset import (
     AWSPermissionSetSchema,
 )
+from cartography.models.aws.identitycenter.awspermissionset import (
+    RoleAssignmentAllowedByGroupMatchLink,
+)
 from cartography.models.aws.identitycenter.awspermissionset import (
     RoleAssignmentAllowedByMatchLink,
 )
+from cartography.models.aws.identitycenter.awssogroup import AWSSSOGroupSchema
 from cartography.models.aws.identitycenter.awsssouser import AWSSSOUserSchema
 from cartography.util import aws_handle_regions
 from cartography.util import timeit
@@ -150,18 +156,72 @@ def get_sso_users(
     return users
 
 
-def transform_sso_users(users: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
+@timeit
+@aws_handle_regions
+def get_sso_groups(
+    boto3_session: boto3.session.Session,
+    identity_store_id: str,
+    region: str,
+) -> List[Dict]:
+    """
+    Get all SSO groups for a given Identity Store
+    """
+    client = boto3_session.client("identitystore", region_name=region)
+    groups: List[Dict[str, Any]] = []
+
+    paginator = client.get_paginator("list_groups")
+    for page in paginator.paginate(IdentityStoreId=identity_store_id):
+        group_page = page.get("Groups", [])
+        for group in group_page:
+            groups.append(group)
+
+    return groups
+
+
+def transform_sso_users(
+    users: List[Dict[str, Any]],
+    user_group_memberships: Optional[Dict[str, List[str]]] = None,
+    user_permission_sets: Optional[Dict[str, List[str]]] = None,
+) -> List[Dict[str, Any]]:
     """
-    Transform SSO users to match the expected schema
+    Transform SSO users to match the expected schema, optionally including group memberships
     """
     transformed_users = []
     for user in users:
-        if user.get("ExternalIds") is not None:
+        if user.get("ExternalIds"):
             user["ExternalId"] = user["ExternalIds"][0].get("Id")
+        # Add group memberships if provided
+        if user_group_memberships:
+            user["MemberOfGroups"] = user_group_memberships.get(user["UserId"], [])
+        # Add direct permission set assignments if provided
+        if user_permission_sets:
+            user["AssignedPermissionSets"] = user_permission_sets.get(
+                user["UserId"], []
+            )
         transformed_users.append(user)
     return transformed_users
 
 
+def transform_sso_groups(
+    groups: List[Dict[str, Any]],
+    group_permission_sets: Optional[Dict[str, List[str]]] = None,
+) -> List[Dict[str, Any]]:
+    """
+    Transform SSO groups to match the expected schema, optionally including permission set assignments
+    """
+    transformed_groups: List[Dict[str, Any]] = []
+    for group in groups:
+        if group.get("ExternalIds"):
+            group["ExternalId"] = group["ExternalIds"][0].get("Id")
+        # Add permission set assignments if provided
+        if group_permission_sets:
+            group["AssignedPermissionSets"] = group_permission_sets.get(
+                group["GroupId"], []
+            )
+        transformed_groups.append(group)
+    return transformed_groups
+
+
 @timeit
 def load_sso_users(
     neo4j_session: neo4j.Session,
@@ -189,6 +249,33 @@ def load_sso_users(
     )
 
 
+@timeit
+def load_sso_groups(
+    neo4j_session: neo4j.Session,
+    groups: List[Dict],
+    identity_store_id: str,
+    region: str,
+    aws_account_id: str,
+    aws_update_tag: int,
+) -> None:
+    """
+    Load SSO groups into the graph
+    """
+    logger.info(
+        f"Loading {len(groups)} SSO groups for identity store {identity_store_id} in region {region}",
+    )
+
+    load(
+        neo4j_session,
+        AWSSSOGroupSchema(),
+        groups,
+        lastupdated=aws_update_tag,
+        IdentityStoreId=identity_store_id,
+        AWS_ID=aws_account_id,
+        Region=region,
+    )
+
+
 @timeit
 @aws_handle_regions
 def get_role_assignments(
@@ -225,6 +312,71 @@ def get_role_assignments(
     return role_assignments
 
 
+@timeit
+@aws_handle_regions
+def get_group_role_assignments(
+    boto3_session: boto3.session.Session,
+    groups: List[Dict],
+    instance_arn: str,
+    region: str,
+) -> List[Dict]:
+    """
+    Get role assignments for SSO groups
+    """
+
+    logger.info(f"Getting role assignments for {len(groups)} groups")
+    client = boto3_session.client("sso-admin", region_name=region)
+    role_assignments: List[Dict[str, Any]] = []
+
+    for group in groups:
+        group_id = group["GroupId"]
+        paginator = client.get_paginator("list_account_assignments_for_principal")
+        for page in paginator.paginate(
+            InstanceArn=instance_arn,
+            PrincipalId=group_id,
+            PrincipalType="GROUP",
+        ):
+            for assignment in page.get("AccountAssignments", []):
+                role_assignments.append(
+                    {
+                        "GroupId": group_id,
+                        "PermissionSetArn": assignment.get("PermissionSetArn"),
+                        "AccountId": assignment.get("AccountId"),
+                    }
+                )
+
+    return role_assignments
+
+
+@timeit
+@aws_handle_regions
+def get_user_group_memberships(
+    boto3_session: boto3.session.Session,
+    identity_store_id: str,
+    groups: List[Dict],
+    region: str,
+) -> Dict[str, List[str]]:
+    """
+    Return a mapping of UserId -> [GroupIds] for all group memberships in the identity store.
+    """
+    client = boto3_session.client("identitystore", region_name=region)
+    user_groups: Dict[str, List[str]] = {}
+
+    for group in groups:
+        group_id = group["GroupId"]
+        paginator = client.get_paginator("list_group_memberships")
+        for page in paginator.paginate(
+            IdentityStoreId=identity_store_id, GroupId=group_id
+        ):
+            for membership in page.get("GroupMemberships", []):
+                member = membership.get("MemberId", {})
+                user_id = member.get("UserId")
+                if user_id:
+                    user_groups.setdefault(user_id, []).append(group_id)
+
+    return user_groups
+
+
 @timeit
 def get_permset_roles(
     neo4j_session: neo4j.Session,
@@ -270,14 +422,18 @@ def load_role_assignments(
     role_assignments: List[Dict],
     aws_account_id: str,
     aws_update_tag: int,
+    matchlink_schema: Union[
+        RoleAssignmentAllowedByMatchLink,
+        RoleAssignmentAllowedByGroupMatchLink,
+    ],
 ) -> None:
     """
-    Load role assignments into the graph using MatchLink schema
+    Load role assignments into the graph using the provided MatchLink schema
     """
     logger.info(f"Loading {len(role_assignments)} role assignments")
     load_matchlinks(
         neo4j_session,
-        RoleAssignmentAllowedByMatchLink(),
+        matchlink_schema,
         role_assignments,
         lastupdated=aws_update_tag,
         _sub_resource_label="AWSAccount",
@@ -300,6 +456,9 @@ def cleanup(
     GraphJob.from_node_schema(AWSSSOUserSchema(), common_job_parameters).run(
         neo4j_session,
     )
+    GraphJob.from_node_schema(AWSSSOGroupSchema(), common_job_parameters).run(
+        neo4j_session,
+    )
 
     # Clean up role assignment MatchLinks
     GraphJob.from_matchlink(
@@ -308,6 +467,12 @@ def cleanup(
         common_job_parameters["AWS_ID"],
         common_job_parameters["UPDATE_TAG"],
     ).run(neo4j_session)
+    GraphJob.from_matchlink(
+        RoleAssignmentAllowedByGroupMatchLink(),
+        "AWSAccount",
+        common_job_parameters["AWS_ID"],
+        common_job_parameters["UPDATE_TAG"],
+    ).run(neo4j_session)
 
 
 @timeit
@@ -350,35 +515,97 @@ def sync_identity_center_instances(
                 update_tag,
             )
 
-            users = get_sso_users(boto3_session, identity_store_id, region)
-            transformed_users = transform_sso_users(users)
-            load_sso_users(
+            # Fetch groups first to avoid interleaving between groups and users
+            groups = get_sso_groups(boto3_session, identity_store_id, region)
+
+            # Get permission set assignments for groups
+            group_permission_sets: Dict[str, List[str]] = {}
+            group_role_assignments_raw = get_group_role_assignments(
+                boto3_session,
+                groups,
+                instance_arn,
+                region,
+            )
+            for assignment in group_role_assignments_raw:
+                group_id = assignment["GroupId"]
+                perm_set = assignment["PermissionSetArn"]
+                group_permission_sets.setdefault(group_id, []).append(perm_set)
+
+            # Transform and load groups with their permission set assignments FIRST
+            # so that user->group membership edges can attach in the same run.
+            transformed_groups = transform_sso_groups(groups, group_permission_sets)
+            load_sso_groups(
                 neo4j_session,
-                transformed_users,
+                transformed_groups,
                 identity_store_id,
                 region,
                 current_aws_account_id,
                 update_tag,
             )
 
-            # Get and load role assignments
-            role_assignments = get_role_assignments(
+            # Handle users AFTER groups exist
+            users = get_sso_users(boto3_session, identity_store_id, region)
+            user_group_memberships = get_user_group_memberships(
+                boto3_session,
+                identity_store_id,
+                groups,
+                region,
+            )
+
+            # Get direct permission set assignments for users
+            user_permission_sets: Dict[str, List[str]] = {}
+            user_role_assignments_raw = get_role_assignments(
                 boto3_session,
                 users,
                 instance_arn,
                 region,
             )
+            for assignment in user_role_assignments_raw:
+                uid = assignment["UserId"]
+                perm_set = assignment["PermissionSetArn"]
+                user_permission_sets.setdefault(uid, []).append(perm_set)
 
-            # Enrich role assignments with exact role ARNs using permission set relationships
+            # Transform and load users with their group memberships AFTER groups exist
+            transformed_users = transform_sso_users(
+                users,
+                user_group_memberships,
+                user_permission_sets,
+            )
+            load_sso_users(
+                neo4j_session,
+                transformed_users,
+                identity_store_id,
+                region,
+                current_aws_account_id,
+                update_tag,
+            )
+
+            # Enrich role assignments with exact role ARNs using permission set relationships.
+            # Note: we do this after groups and users are loaded so that
+            # load_role_assignments calls can MATCH existing AWSSSOUser/AWSSSOGroup
+            # nodes when drawing the ALLOWED_BY edges.
             enriched_role_assignments = get_permset_roles(
                 neo4j_session,
-                role_assignments,
+                user_role_assignments_raw,
             )
             load_role_assignments(
                 neo4j_session,
                 enriched_role_assignments,
                 current_aws_account_id,
                 update_tag,
+                RoleAssignmentAllowedByMatchLink(),
+            )
+
+            enriched_group_role_assignments = get_permset_roles(
+                neo4j_session,
+                group_role_assignments_raw,
+            )
+            load_role_assignments(
+                neo4j_session,
+                enriched_group_role_assignments,
+                current_aws_account_id,
+                update_tag,
+                RoleAssignmentAllowedByGroupMatchLink(),
             )
 
     cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/lambda_function.py

@@ -1,3 +1,4 @@
+import json
 import logging
 from typing import Any
 from typing import Dict
@@ -6,6 +7,7 @@ from typing import List
 import boto3
 import botocore
 import neo4j
+from policyuniverse.policy import Policy
 
 from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
@@ -36,7 +38,11 @@ def get_lambda_data(boto3_session: boto3.session.Session, region: str) -> List[D
     return lambda_functions
 
 
-def transform_lambda_functions(lambda_functions: List[Dict], region: str) -> List[Dict]:
+def transform_lambda_functions(
+    lambda_functions: List[Dict],
+    permissions_by_arn: Dict[str, Dict[str, Any]],
+    region: str,
+) -> List[Dict]:
     transformed_functions = []
 
     for function_data in lambda_functions:
@@ -48,6 +54,11 @@ def transform_lambda_functions(lambda_functions: List[Dict], region: str) -> Lis
 
         transformed_function["Region"] = region
 
+        function_arn = function_data["FunctionArn"]
+        permission_data = permissions_by_arn[function_arn]
+        transformed_function["AnonymousAccess"] = permission_data["AnonymousAccess"]
+        transformed_function["AnonymousActions"] = permission_data["AnonymousActions"]
+
         transformed_functions.append(transformed_function)
 
     return transformed_functions
@@ -126,6 +137,61 @@ def get_event_source_mappings(
     return event_source_mappings
 
 
+@timeit
+@aws_handle_regions
+def get_lambda_permissions(
+    lambda_functions: List[Dict],
+    boto3_session: boto3.Session,
+    region: str,
+) -> Dict[str, Dict[str, Any]]:
+    """
+    Get Lambda permissions for the given functions in the specified region.
+    """
+    client = boto3_session.client("lambda", region_name=region)
+    all_permissions = {}
+    for function in lambda_functions:
+        function_name = function["FunctionName"]
+        function_arn = function["FunctionArn"]
+
+        all_permissions[function_arn] = {
+            "AnonymousAccess": None,
+            "AnonymousActions": None,
+        }
+
+        try:
+            response = client.get_policy(FunctionName=function_name)
+            policy = response.get("Policy")
+
+            if policy:
+                parsed_policy = parse_policy(function_arn, policy)
+                all_permissions[function_arn] = {
+                    "AnonymousAccess": parsed_policy.get("AnonymousAccess"),
+                    "AnonymousActions": parsed_policy.get("AnonymousActions"),
+                }
+        except client.exceptions.ResourceNotFoundException:
+            logger.debug(f"No policy found for Lambda function {function_name}")
+            pass
+        except Exception as e:
+            logger.warning(
+                f"Error getting policy for Lambda function {function_name}: {e}"
+            )
+
+    return all_permissions
+
+
+def parse_policy(function_arn: str, policy: str) -> Dict[str, Any]:
+    """
+    Parse the Lambda permission policy to extract anonymous access and actions.
+    """
+    policy_obj = Policy(json.loads(policy))
+    inet_actions = policy_obj.internet_accessible_actions()
+
+    return {
+        "AnonymousAccess": policy_obj.is_internet_accessible(),
+        "AnonymousActions": list(inet_actions) if inet_actions else [],
+    }
+
+
 @timeit
 def load_lambda_function_aliases(
     neo4j_session: neo4j.Session,
@@ -306,7 +372,8 @@ def sync(
 
         # Get and load core lambda functions
         data = get_lambda_data(boto3_session, region)
-        transformed_data = transform_lambda_functions(data, region)
+        permissions_by_arn = get_lambda_permissions(data, boto3_session, region)
+        transformed_data = transform_lambda_functions(data, permissions_by_arn, region)
         load_lambda_functions(
             neo4j_session,
             transformed_data,

cartography/intel/aws/organizations.py

@@ -5,6 +5,7 @@ import boto3
 import botocore.exceptions
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.aws.iam import sync_root_principal
 from cartography.util import timeit
 
@@ -114,7 +115,8 @@ def load_aws_accounts(
     """
     for account_name, account_id in aws_accounts.items():
         root_arn = f"arn:aws:iam::{account_id}:root"
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             query,
             ACCOUNT_ID=account_id,
             ACCOUNT_NAME=account_name,

cartography/intel/aws/permission_relationships.py

@@ -13,6 +13,7 @@ import neo4j
 import yaml
 
 from cartography.client.core.tx import read_list_of_dicts_tx
+from cartography.client.core.tx import run_write_query
 from cartography.graph.statement import GraphStatement
 from cartography.util import timeit
 
@@ -329,7 +330,8 @@ def load_principal_mappings(
         node_label=node_label,
         relationship_name=relationship_name,
     )
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         map_policy_query_template,
         Mapping=principal_mappings,
         aws_update_tag=update_tag,

cartography/intel/aws/redshift.py

@@ -5,6 +5,7 @@ from typing import List
 import boto3
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import aws_handle_regions
 from cartography.util import run_cleanup_job
 from cartography.util import timeit
@@ -88,7 +89,8 @@ def load_redshift_cluster_data(
     SET r.lastupdated = $aws_update_tag
     """
     for cluster in clusters:
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             ingest_cluster,
             Arn=cluster["arn"],
             AZ=cluster["AvailabilityZone"],
@@ -128,7 +130,8 @@ def _attach_ec2_security_groups(
     SET m.lastupdated = $aws_update_tag
     """
     for group in cluster.get("VpcSecurityGroups", []):
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             attach_cluster_to_group,
             ClusterArn=cluster["arn"],
             GroupId=group["VpcSecurityGroupId"],
@@ -150,7 +153,8 @@ def _attach_iam_roles(
     SET s.lastupdated = $aws_update_tag
     """
     for role in cluster.get("IamRoles", []):
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             attach_cluster_to_role,
             ClusterArn=cluster["arn"],
             RoleArn=role["IamRoleArn"],
@@ -172,7 +176,8 @@ def _attach_aws_vpc(
     SET m.lastupdated = $aws_update_tag
     """
     if cluster.get("VpcId"):
-        neo4j_session.run(
+        run_write_query(
+            neo4j_session,
             attach_cluster_to_vpc,
             ClusterArn=cluster["arn"],
             VpcId=cluster["VpcId"],