cartography 0.114.0__py3-none-any.whl → 0.116.0__py3-none-any.whl

cartography/intel/okta/roles.py

@@ -7,6 +7,7 @@ from typing import List
 import neo4j
 from okta.framework.ApiClient import ApiClient
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.intel.okta.utils import create_api_client
@@ -117,7 +118,8 @@ def _load_user_role(
     SET r2.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         USER_ID=user_id,
         ROLES_DATA=roles_data,
@@ -149,7 +151,8 @@ def _load_group_role(
     SET r2.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         GROUP_ID=group_id,
         ROLES_DATA=roles_data,

cartography/intel/okta/users.py

@@ -8,6 +8,7 @@ import neo4j
 from okta import UsersClient
 from okta.models.user import User
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.util import timeit
@@ -174,7 +175,8 @@ def _load_okta_users(
     SET h.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         ORG_ID=okta_org_id,
         USER_LIST=user_list,

cartography/models/aws/ecr/image.py

@@ -7,6 +7,7 @@ from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
 from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
 from cartography.models.core.relationships import TargetNodeMatcher
 
 
@@ -16,6 +17,7 @@ class ECRImageNodeProperties(CartographyNodeProperties):
     digest: PropertyRef = PropertyRef("imageDigest")
     region: PropertyRef = PropertyRef("Region", set_in_kwargs=True)
     lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    layer_diff_ids: PropertyRef = PropertyRef("layer_diff_ids")
 
 
 @dataclass(frozen=True)
@@ -34,8 +36,27 @@ class ECRImageToAWSAccountRel(CartographyRelSchema):
     properties: ECRImageToAWSAccountRelProperties = ECRImageToAWSAccountRelProperties()
 
 
+@dataclass(frozen=True)
+class ECRImageHasLayerRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ECRImageHasLayerRel(CartographyRelSchema):
+    target_node_label: str = "ECRImageLayer"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"diff_id": PropertyRef("layer_diff_ids", one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "HAS_LAYER"
+    properties: ECRImageHasLayerRelProperties = ECRImageHasLayerRelProperties()
+
+
 @dataclass(frozen=True)
 class ECRImageSchema(CartographyNodeSchema):
     label: str = "ECRImage"
     properties: ECRImageNodeProperties = ECRImageNodeProperties()
     sub_resource_relationship: ECRImageToAWSAccountRel = ECRImageToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [ECRImageHasLayerRel()],
+    )

cartography/models/aws/ecr/image_layer.py

@@ -0,0 +1,107 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class ECRImageLayerNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("diff_id")
+    diff_id: PropertyRef = PropertyRef("diff_id")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+    is_empty: PropertyRef = PropertyRef("is_empty")
+
+
+@dataclass(frozen=True)
+class ECRImageLayerToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ECRImageLayerToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)}
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: ECRImageLayerToAWSAccountRelProperties = (
+        ECRImageLayerToAWSAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class ECRImageLayerToNextRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ECRImageLayerToNextRel(CartographyRelSchema):
+    target_node_label: str = "ECRImageLayer"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"diff_id": PropertyRef("next_diff_ids", one_to_many=True)}
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "NEXT"
+    properties: ECRImageLayerToNextRelProperties = ECRImageLayerToNextRelProperties()
+
+
+@dataclass(frozen=True)
+class ECRImageLayerHeadOfImageRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ECRImageLayerHeadOfImageRel(CartographyRelSchema):
+    target_node_label: str = "ECRImage"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("head_image_ids", one_to_many=True)}
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "HEAD"
+    properties: ECRImageLayerHeadOfImageRelProperties = (
+        ECRImageLayerHeadOfImageRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class ECRImageLayerTailOfImageRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class ECRImageLayerTailOfImageRel(CartographyRelSchema):
+    target_node_label: str = "ECRImage"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("tail_image_ids", one_to_many=True)}
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "TAIL"
+    properties: ECRImageLayerTailOfImageRelProperties = (
+        ECRImageLayerTailOfImageRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class ECRImageLayerSchema(CartographyNodeSchema):
+    label: str = "ECRImageLayer"
+    properties: ECRImageLayerNodeProperties = ECRImageLayerNodeProperties()
+    sub_resource_relationship: ECRImageLayerToAWSAccountRel = (
+        ECRImageLayerToAWSAccountRel()
+    )
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            ECRImageLayerToNextRel(),
+            ECRImageLayerHeadOfImageRel(),
+            ECRImageLayerTailOfImageRel(),
+        ]
+    )
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["ImageLayer"])

cartography/models/aws/identitycenter/awspermissionset.py

@@ -82,7 +82,7 @@ class AWSPermissionSetToAWSAccountRel(CartographyRelSchema):
 @dataclass(frozen=True)
 class RoleAssignmentAllowedByRelProperties(CartographyRelProperties):
     """
-    Properties for the ALLOWED_BY relationship between AWSRole and AWSSSOUser.
+    Properties for the ALLOWED_BY relationship between AWSRole and AWSSSO principals.
     """
 
     # Mandatory fields for MatchLinks
@@ -121,6 +121,29 @@ class RoleAssignmentAllowedByMatchLink(CartographyRelSchema):
     )
 
 
+@dataclass(frozen=True)
+class RoleAssignmentAllowedByGroupMatchLink(CartographyRelSchema):
+    """
+    MatchLink schema for ALLOWED_BY relationships from group role assignments.
+    Creates relationships like: (AWSRole)-[:ALLOWED_BY]->(AWSSSOGroup)
+    """
+
+    source_node_label: str = "AWSRole"
+    source_node_matcher: SourceNodeMatcher = make_source_node_matcher(
+        {"arn": PropertyRef("RoleArn")},
+    )
+
+    target_node_label: str = "AWSSSOGroup"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("GroupId")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ALLOWED_BY"
+    properties: RoleAssignmentAllowedByRelProperties = (
+        RoleAssignmentAllowedByRelProperties()
+    )
+
+
 @dataclass(frozen=True)
 class AWSPermissionSetSchema(CartographyNodeSchema):
     label: str = "AWSPermissionSet"

cartography/models/aws/identitycenter/awssogroup.py

@@ -0,0 +1,70 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class SSOGroupProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("GroupId")
+    display_name: PropertyRef = PropertyRef("DisplayName")
+    description: PropertyRef = PropertyRef("Description")
+    identity_store_id: PropertyRef = PropertyRef("IdentityStoreId")
+    external_id: PropertyRef = PropertyRef("ExternalId", extra_index=True)
+    region: PropertyRef = PropertyRef("Region")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSSSOGroupToAWSAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSSSOGroupToAWSAccountRel(CartographyRelSchema):
+    target_node_label: str = "AWSAccount"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AWS_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AWSSSOGroupToAWSAccountRelProperties = (
+        AWSSSOGroupToAWSAccountRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AWSSSOGroupToPermissionSetRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSSSOGroupToPermissionSetRel(CartographyRelSchema):
+    target_node_label: str = "AWSPermissionSet"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"arn": PropertyRef("AssignedPermissionSets", one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "HAS_PERMISSION_SET"
+    properties: AWSSSOGroupToPermissionSetRelProperties = (
+        AWSSSOGroupToPermissionSetRelProperties()
+    )
+
+
+@dataclass(frozen=True)
+class AWSSSOGroupSchema(CartographyNodeSchema):
+    label: str = "AWSSSOGroup"
+    properties: SSOGroupProperties = SSOGroupProperties()
+    sub_resource_relationship: AWSSSOGroupToAWSAccountRel = AWSSSOGroupToAWSAccountRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            AWSSSOGroupToPermissionSetRel(),
+        ]
+    )

cartography/models/aws/identitycenter/awsssouser.py

@@ -14,7 +14,7 @@ from cartography.models.core.relationships import TargetNodeMatcher
 
 @dataclass(frozen=True)
 class SSOUserProperties(CartographyNodeProperties):
-    id: PropertyRef = PropertyRef("UserId", extra_index=True)
+    id: PropertyRef = PropertyRef("UserId")
     user_name: PropertyRef = PropertyRef("UserName")
     identity_store_id: PropertyRef = PropertyRef("IdentityStoreId")
     external_id: PropertyRef = PropertyRef("ExternalId", extra_index=True)
@@ -57,6 +57,40 @@ class AWSSSOUserToAWSAccountRel(CartographyRelSchema):
     )
 
 
+@dataclass(frozen=True)
+class AWSSSOUserToSSOGroupRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSSSOUserToSSOGroupRel(CartographyRelSchema):
+    target_node_label: str = "AWSSSOGroup"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("MemberOfGroups", one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "MEMBER_OF_SSO_GROUP"
+    properties: AWSSSOUserToSSOGroupRelProperties = AWSSSOUserToSSOGroupRelProperties()
+
+
+@dataclass(frozen=True)
+class AWSSSOUserToPermissionSetRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AWSSSOUserToPermissionSetRel(CartographyRelSchema):
+    target_node_label: str = "AWSPermissionSet"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"arn": PropertyRef("AssignedPermissionSets", one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "HAS_PERMISSION_SET"
+    properties: AWSSSOUserToPermissionSetRelProperties = (
+        AWSSSOUserToPermissionSetRelProperties()
+    )
+
+
 @dataclass(frozen=True)
 class AWSSSOUserSchema(CartographyNodeSchema):
     label: str = "AWSSSOUser"
@@ -66,5 +100,7 @@ class AWSSSOUserSchema(CartographyNodeSchema):
     other_relationships: OtherRelationships = OtherRelationships(
         [
             SSOUserToOktaUserRel(),
+            AWSSSOUserToSSOGroupRel(),
+            AWSSSOUserToPermissionSetRel(),
         ],
     )

cartography/models/aws/lambda_function/lambda_function.py

@@ -39,6 +39,8 @@ class AWSLambdaNodeProperties(CartographyNodeProperties):
     architectures: PropertyRef = PropertyRef("Architectures")
     masterarn: PropertyRef = PropertyRef("MasterArn")
     kmskeyarn: PropertyRef = PropertyRef("KMSKeyArn")
+    anonymous_access: PropertyRef = PropertyRef("AnonymousAccess")
+    anonymous_actions: PropertyRef = PropertyRef("AnonymousActions")
     region: PropertyRef = PropertyRef("Region", set_in_kwargs=True)
     lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
 

cartography/models/azure/logic_apps.py

@@ -0,0 +1,56 @@
+import logging
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+logger = logging.getLogger(__name__)
+
+
+# --- Node Definitions ---
+@dataclass(frozen=True)
+class AzureLogicAppProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    name: PropertyRef = PropertyRef("name")
+    location: PropertyRef = PropertyRef("location")
+    state: PropertyRef = PropertyRef("state")
+    created_time: PropertyRef = PropertyRef("createdTime")
+    changed_time: PropertyRef = PropertyRef("changedTime")
+    version: PropertyRef = PropertyRef("version")
+    access_endpoint: PropertyRef = PropertyRef("accessEndpoint")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+# --- Relationship Definitions ---
+@dataclass(frozen=True)
+class AzureLogicAppToSubscriptionRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AzureLogicAppToSubscriptionRel(CartographyRelSchema):
+    target_node_label: str = "AzureSubscription"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AZURE_SUBSCRIPTION_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AzureLogicAppToSubscriptionRelProperties = (
+        AzureLogicAppToSubscriptionRelProperties()
+    )
+
+
+# --- Main Schema ---
+@dataclass(frozen=True)
+class AzureLogicAppSchema(CartographyNodeSchema):
+    label: str = "AzureLogicApp"
+    properties: AzureLogicAppProperties = AzureLogicAppProperties()
+    sub_resource_relationship: AzureLogicAppToSubscriptionRel = (
+        AzureLogicAppToSubscriptionRel()
+    )

cartography/models/azure/resource_groups.py

@@ -0,0 +1,52 @@
+import logging
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+logger = logging.getLogger(__name__)
+
+
+# --- Node Definitions ---
+@dataclass(frozen=True)
+class AzureResourceGroupProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef("id")
+    name: PropertyRef = PropertyRef("name")
+    location: PropertyRef = PropertyRef("location")
+    provisioning_state: PropertyRef = PropertyRef("provisioning_state")
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+# --- Relationship Definitions ---
+@dataclass(frozen=True)
+class AzureResourceGroupToSubscriptionRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class AzureResourceGroupToSubscriptionRel(CartographyRelSchema):
+    target_node_label: str = "AzureSubscription"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("AZURE_SUBSCRIPTION_ID", set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: AzureResourceGroupToSubscriptionRelProperties = (
+        AzureResourceGroupToSubscriptionRelProperties()
+    )
+
+
+# --- Main Schema ---
+@dataclass(frozen=True)
+class AzureResourceGroupSchema(CartographyNodeSchema):
+    label: str = "AzureResourceGroup"
+    properties: AzureResourceGroupProperties = AzureResourceGroupProperties()
+    sub_resource_relationship: AzureResourceGroupToSubscriptionRel = (
+        AzureResourceGroupToSubscriptionRel()
+    )

cartography/models/entra/user.py

@@ -8,6 +8,7 @@ from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
 from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
 from cartography.models.core.relationships import TargetNodeMatcher
 
 # The user resource in Microsoft Graph exposes hundreds of properties but, in
@@ -47,6 +48,18 @@ class EntraTenantToUserRelProperties(CartographyRelProperties):
     lastupdated: PropertyRef = PropertyRef("lastupdated", set_in_kwargs=True)
 
 
+@dataclass(frozen=True)
+# (:EntraUser)-[:REPORTS_TO]->(:EntraUser)
+class EntraUserReportsToRel(CartographyRelSchema):
+    target_node_label: str = "EntraUser"
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {"id": PropertyRef("manager_id")},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "REPORTS_TO"
+    properties: EntraTenantToUserRelProperties = EntraTenantToUserRelProperties()
+
+
 @dataclass(frozen=True)
 # (:EntraUser)<-[:RESOURCE]-(:AzureTenant)
 class EntraUserToTenantRel(CartographyRelSchema):
@@ -64,6 +77,11 @@ class EntraUserSchema(CartographyNodeSchema):
     label: str = "EntraUser"
     properties: EntraUserNodeProperties = EntraUserNodeProperties()
     sub_resource_relationship: EntraUserToTenantRel = EntraUserToTenantRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            EntraUserReportsToRel(),
+        ]
+    )
     extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
         [
             "EntraIdentity",

cartography/rules/README.md

@@ -0,0 +1 @@
+See [the rules docs](https://cartography-cncf.github.io/cartography/usage/rules.html) for how Cartography develops and approaches security rules.