cartography 0.90.0rc2__py3-none-any.whl → 0.92.0__py3-none-any.whl

cartography/cli.py

@@ -325,6 +325,30 @@ class CLI:
             default=None,
             help='The name of an environment variable containing a password with which to authenticate to Jamf.',
         )
+        parser.add_argument(
+            '--kandji-base-uri',
+            type=str,
+            default=None,
+            help=(
+                'Your Kandji base URI, e.g. https://company.api.kandji.io.'
+                'Required if you are using the Kandji intel module. Ignored otherwise.'
+            ),
+        )
+        parser.add_argument(
+            '--kandji-tenant-id',
+            type=str,
+            default=None,
+            help=(
+                'Your Kandji tenant id e.g. company.'
+                'Required using the Kandji intel module. Ignored otherwise.'
+            ),
+        )
+        parser.add_argument(
+            '--kandji-token-env-var',
+            type=str,
+            default=None,
+            help='The name of an environment variable containing token with which to authenticate to Kandji.',
+        )
         parser.add_argument(
             '--k8s-kubeconfig',
             default=None,
@@ -620,6 +644,26 @@ class CLI:
             config.jamf_user = None
             config.jamf_password = None
 
+        # Kandji config
+        if config.kandji_base_uri:
+            if config.kandji_token_env_var:
+                logger.debug(
+                    "Reading Kandji API token from environment variable '%s'.",
+                    config.kandji_token_env_var,
+                )
+                config.kandji_token = os.environ.get(config.kandji_token_env_var)
+            elif os.environ.get('KANDJI_TOKEN'):
+                logger.debug(
+                    "Reading Kandji API token from environment variable 'KANDJI_TOKEN'.",
+                )
+                config.kandji_token = os.environ.get('KANDJI_TOKEN')
+            else:
+                logger.warning("A Kandji base URI was provided but a token was not.")
+                config.kandji_token = None
+        else:
+            logger.warning("A Kandji base URI was not provided.")
+            config.kandji_base_uri = None
+
         if config.statsd_enabled:
             logger.debug(
                 f'statsd enabled. Sending metrics to server {config.statsd_host}:{config.statsd_port}. '

cartography/config.py

@@ -69,6 +69,12 @@ class Config:
     :param jamf_user: User name used to authenticate to the Jamf data provider. Optional.
     :type jamf_password: string
     :param jamf_password: Password used to authenticate to the Jamf data provider. Optional.
+    :type kandji_base_uri: string
+    :param kandji_base_uri: Kandji data provider base URI, e.g. https://company.api.kandji.io. Optional.
+    :type kandji_tenant_id: string
+    :param kandji_tenant_id: Kandji tenant id. e.g. company Optional.
+    :type kandji_token: string
+    :param kandji_token: Token used to authenticate to the Kandji data provider. Optional.
     :type statsd_enabled: bool
     :param statsd_enabled: Whether to collect statsd metrics such as sync execution times. Optional.
     :type statsd_host: str
@@ -137,6 +143,9 @@ class Config:
         jamf_base_uri=None,
         jamf_user=None,
         jamf_password=None,
+        kandji_base_uri=None,
+        kandji_tenant_id=None,
+        kandji_token=None,
         k8s_kubeconfig=None,
         statsd_enabled=False,
         statsd_prefix=None,
@@ -190,6 +199,9 @@ class Config:
         self.jamf_base_uri = jamf_base_uri
         self.jamf_user = jamf_user
         self.jamf_password = jamf_password
+        self.kandji_base_uri = kandji_base_uri
+        self.kandji_tenant_id = kandji_tenant_id
+        self.kandji_token = kandji_token
         self.k8s_kubeconfig = k8s_kubeconfig
         self.statsd_enabled = statsd_enabled
         self.statsd_prefix = statsd_prefix

cartography/data/indexes.cypher

@@ -200,12 +200,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:KMSGrant) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:LaunchTemplate) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:LaunchTemplate) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:LaunchTemplate) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:LaunchTemplateVersion) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:LaunchTemplateVersion) ON (n.name);
-CREATE INDEX IF NOT EXISTS FOR (n:LaunchTemplateVersion) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.dnsname);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.lastupdated);

cartography/intel/aws/ec2/images.py

@@ -19,23 +19,23 @@ logger = logging.getLogger(__name__)
 
 @timeit
 def get_images_in_use(neo4j_session: neo4j.Session, region: str, current_aws_account_id: str) -> List[str]:
-    # We use OPTIONAL here to allow query chaining with queries that may not match.
     get_images_query = """
-    OPTIONAL MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(i:EC2Instance)
+    MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(i:EC2Instance)
     WHERE i.region = $Region
-    WITH collect(DISTINCT i.imageid) AS images
-    OPTIONAL MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(lc:LaunchConfiguration)
+    RETURN DISTINCT(i.imageid) as image
+    UNION
+    MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(lc:LaunchConfiguration)
     WHERE lc.region = $Region
-    WITH collect(DISTINCT lc.image_id)+images AS images
-    OPTIONAL MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(ltv:LaunchTemplateVersion)
+    RETURN DISTINCT(lc.image_id) as image
+    UNION
+    MATCH (:AWSAccount{id: $AWS_ACCOUNT_ID})-[:RESOURCE]->(ltv:LaunchTemplateVersion)
     WHERE ltv.region = $Region
-    WITH collect(DISTINCT ltv.image_id)+images AS images
-    RETURN images
+    RETURN DISTINCT(ltv.image_id) as image
     """
     results = neo4j_session.run(get_images_query, AWS_ACCOUNT_ID=current_aws_account_id, Region=region)
     images = []
     for r in results:
-        images.extend(r['images'])
+        images.append(r['image'])
     return images
 
 
@@ -51,6 +51,7 @@ def get_images(boto3_session: boto3.session.Session, region: str, image_ids: Lis
         logger.warning(f"Failed retrieve images for region - {region}. Error - {e}")
     try:
         if image_ids:
+            image_ids = [image_id for image_id in image_ids if image_id is not None]
             images_in_use = client.describe_images(ImageIds=image_ids)['Images']
             # Ensure we're not adding duplicates
             _ids = [image["ImageId"] for image in images]

cartography/intel/aws/ec2/launch_templates.py

@@ -1,13 +1,15 @@
 import logging
-from typing import Dict
-from typing import List
+from typing import Any
 
 import boto3
 import neo4j
 
 from .util import get_botocore_config
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.ec2.launch_template_versions import LaunchTemplateVersionSchema
+from cartography.models.aws.ec2.launch_templates import LaunchTemplateSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -15,101 +17,131 @@ logger = logging.getLogger(__name__)
 
 @timeit
 @aws_handle_regions
-def get_launch_templates(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+def get_launch_templates(boto3_session: boto3.session.Session, region: str) -> list[dict[str, Any]]:
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     paginator = client.get_paginator('describe_launch_templates')
-    templates: List[Dict] = []
+    templates: list[dict[str, Any]] = []
     for page in paginator.paginate():
         templates.extend(page['LaunchTemplates'])
-    for template in templates:
-        template_versions: List[Dict] = []
-        v_paginator = client.get_paginator('describe_launch_template_versions')
-        for versions in v_paginator.paginate(LaunchTemplateId=template['LaunchTemplateId']):
-            template_versions.extend(versions["LaunchTemplateVersions"])
-        template["_template_versions"] = template_versions
     return templates
 
 
+def transform_launch_templates(templates: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    result: list[dict[str, Any]] = []
+    for template in templates:
+        current = template.copy()
+        current['CreateTime'] = str(int(current['CreateTime'].timestamp()))
+        result.append(current)
+    return result
+
+
 @timeit
 def load_launch_templates(
-        neo4j_session: neo4j.Session, data: List[Dict], region: str, current_aws_account_id: str, update_tag: int,
+        neo4j_session: neo4j.Session,
+        data: list[dict[str, Any]],
+        region: str,
+        current_aws_account_id: str,
+        update_tag: int,
 ) -> None:
-    ingest_lt = """
-    UNWIND $launch_templates as lt
-        MERGE (template:LaunchTemplate{id: lt.LaunchTemplateId})
-        ON CREATE SET template.firstseen = timestamp(),
-        template.name = lt.LaunchTemplateName,
-        template.create_time = lt.CreateTime,
-        template.created_by = lt.CreatedBy
-        SET template.default_version_number = lt.DefaultVersionNumber,
-        template.latest_version_number = lt.LatestVersionNumber,
-        template.lastupdated = $update_tag,
-        template.region=$Region
-        WITH template, lt._template_versions as versions
-        MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-        MERGE (aa)-[r:RESOURCE]->(template)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $update_tag
-        WITH template, versions
-        UNWIND versions as tv
-            MERGE (version:LaunchTemplateVersion{id: tv.LaunchTemplateId + '-' + tv.VersionNumber})
-            ON CREATE SET version.firstseen = timestamp(),
-            version.name = tv.LaunchTemplateName,
-            version.create_time = tv.CreateTime,
-            version.created_by = tv.CreatedBy,
-            version.default_version = tv.DefaultVersion,
-            version.version_number = tv.VersionNumber,
-            version.version_description = tv.VersionDescription,
-            version.kernel_id = tv.LaunchTemplateData.KernelId,
-            version.ebs_optimized = tv.LaunchTemplateData.EbsOptimized,
-            version.iam_instance_profile_arn = tv.LaunchTemplateData.IamInstanceProfile.Arn,
-            version.iam_instance_profile_name = tv.LaunchTemplateData.IamInstanceProfile.Name,
-            version.image_id = tv.LaunchTemplateData.ImageId,
-            version.instance_type = tv.LaunchTemplateData.InstanceType,
-            version.key_name = tv.LaunchTemplateData.KeyName,
-            version.monitoring_enabled = tv.LaunchTemplateData.Monitoring.Enabled,
-            version.ramdisk_id = tv.LaunchTemplateData.RamdiskId,
-            version.disable_api_termination = tv.LaunchTemplateData.DisableApiTermination,
-            version.instance_initiated_shutdown_behavior = tv.LaunchTemplateData.InstanceInitiatedShutdownBehavior,
-            version.security_group_ids = tv.LaunchTemplateData.SecurityGroupIds,
-            version.security_groups = tv.LaunchTemplateData.SecurityGroups
-            SET version.lastupdated = $update_tag,
-            version.region=$Region
-            WITH template, version
-            MERGE (template)-[r:VERSION]->(version)
-            ON CREATE SET r.firstseen = timestamp()
-            SET r.lastupdated = $update_tag
-    """
-    for lt in data:
-        lt['CreateTime'] = str(int(lt['CreateTime'].timestamp()))
-        for tv in lt["_template_versions"]:
-            tv['CreateTime'] = str(int(tv['CreateTime'].timestamp()))
-
-    neo4j_session.run(
-        ingest_lt,
-        launch_templates=data,
-        AWS_ACCOUNT_ID=current_aws_account_id,
+    load(
+        neo4j_session,
+        LaunchTemplateSchema(),
+        data,
         Region=region,
-        update_tag=update_tag,
+        AWS_ID=current_aws_account_id,
+        lastupdated=update_tag,
     )
 
 
 @timeit
-def cleanup_ec2_launch_templates(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job(
-        'aws_import_ec2_launch_templates_cleanup.json',
+@aws_handle_regions
+def get_launch_template_versions(
+        boto3_session: boto3.session.Session,
+        templates: list[dict[str, Any]],
+        region: str,
+) -> list[dict[str, Any]]:
+    client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
+    v_paginator = client.get_paginator('describe_launch_template_versions')
+    template_versions = []
+    for template in templates:
+        for versions in v_paginator.paginate(LaunchTemplateId=template['LaunchTemplateId']):
+            template_versions.extend(versions['LaunchTemplateVersions'])
+    return template_versions
+
+
+def transform_launch_template_versions(versions: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    result: list[dict[str, Any]] = []
+    for version in versions:
+        current = version.copy()
+
+        # Reformat some fields
+        current['Id'] = f"{version['LaunchTemplateId']}-{version['VersionNumber']}"
+        current['CreateTime'] = str(int(version['CreateTime'].timestamp()))
+
+        # Handle the nested object returned from boto
+        ltd = version['LaunchTemplateData']
+        current['KernelId'] = ltd.get('KernelId')
+        current['EbsOptimized'] = ltd.get('EbsOptimized')
+        current['IamInstanceProfileArn'] = ltd.get('IamInstanceProfileArn')
+        current['IamInstanceProfileName'] = ltd.get('IamInstanceProfileName')
+        current['ImageId'] = ltd.get('ImageId')
+        current['InstanceType'] = ltd.get('InstanceType')
+        current['KeyName'] = ltd.get('KeyName')
+        current['MonitoringEnabled'] = ltd.get('MonitoringEnabled')
+        current['RamdiskId'] = ltd.get('RamdiskId')
+        current['DisableApiTermination'] = ltd.get('DisableApiTermination')
+        current['InstanceInitiatedShutDownBehavior'] = ltd.get('InstanceInitiatedShutDownBehavior')
+        current['SecurityGroupIds'] = ltd.get('SecurityGroupIds')
+        current['SecurityGroups'] = ltd.get('SecurityGroups')
+        result.append(current)
+    return result
+
+
+@timeit
+def load_launch_template_versions(
+        neo4j_session: neo4j.Session,
+        data: list[dict[str, Any]],
+        region: str,
+        current_aws_account_id: str,
+        update_tag: int,
+) -> None:
+    load(
         neo4j_session,
-        common_job_parameters,
+        LaunchTemplateVersionSchema(),
+        data,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+        lastupdated=update_tag,
     )
 
 
+@timeit
+def cleanup(neo4j_session: neo4j.Session, common_job_parameters: dict[str, Any]) -> None:
+    logger.info("Running launch template cleanup job.")
+    cleanup_job = GraphJob.from_node_schema(LaunchTemplateSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+    cleanup_job = GraphJob.from_node_schema(LaunchTemplateVersionSchema(), common_job_parameters)
+    cleanup_job.run(neo4j_session)
+
+
 @timeit
 def sync_ec2_launch_templates(
-        neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str],
-        current_aws_account_id: str, update_tag: int, common_job_parameters: Dict,
+        neo4j_session: neo4j.Session,
+        boto3_session: boto3.session.Session,
+        regions: list[str],
+        current_aws_account_id: str,
+        update_tag: int,
+        common_job_parameters: dict[str, Any],
 ) -> None:
     for region in regions:
-        logger.debug("Syncing launch templates for region '%s' in account '%s'.", region, current_aws_account_id)
-        data = get_launch_templates(boto3_session, region)
-        load_launch_templates(neo4j_session, data, region, current_aws_account_id, update_tag)
-    cleanup_ec2_launch_templates(neo4j_session, common_job_parameters)
+        logger.info(f"Syncing launch templates for region '{region}' in account '{current_aws_account_id}'.")
+        templates = get_launch_templates(boto3_session, region)
+        templates = transform_launch_templates(templates)
+        load_launch_templates(neo4j_session, templates, region, current_aws_account_id, update_tag)
+
+        versions = get_launch_template_versions(boto3_session, templates, region)
+        versions = transform_launch_template_versions(versions)
+        load_launch_template_versions(neo4j_session, versions, region, current_aws_account_id, update_tag)
+
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/ec2/snapshots.py

@@ -42,8 +42,10 @@ def get_snapshots(boto3_session: boto3.session.Session, region: str, in_use_snap
                 snapshots.extend(page['Snapshots'])
         except ClientError as e:
             if e.response['Error']['Code'] == 'InvalidSnapshot.NotFound':
-                logger.warning(f"Failed to retrieve page of in-use, \
-                    not owned snapshots. Continuing anyway. Error - {e}")
+                logger.warning(
+                    f"Failed to retrieve page of in-use, \
+                    not owned snapshots. Continuing anyway. Error - {e}",
+                )
             else:
                 raise
 

cartography/intel/aws/iam.py

@@ -227,6 +227,7 @@ def get_account_access_key_data(boto3_session: boto3.session.Session, username:
         logger.warning(
             f"Could not get access key for user {username} due to NoSuchEntityException; skipping.",
         )
+        return access_keys
     for access_key in access_keys['AccessKeyMetadata']:
         access_key_id = access_key['AccessKeyId']
         last_used_info = client.get_access_key_last_used(

cartography/intel/github/teams.py

@@ -57,10 +57,13 @@ def _get_team_repos_for_multiple_teams(
 
         team_repos = _get_team_repos(org, api_url, token, team_name) if repo_count > 0 else None
 
-        # Shape = [(repo_url, 'WRITE'), ...]]
-        repo_urls = [t['url'] for t in team_repos.nodes] if team_repos else []
-        repo_permissions = [t['permission'] for t in team_repos.edges] if team_repos else []
+        repo_urls = []
+        repo_permissions = []
+        if team_repos:
+            repo_urls = [t['url'] for t in team_repos.nodes] if team_repos.nodes else []
+            repo_permissions = [t['permission'] for t in team_repos.edges] if team_repos.edges else []
 
+        # Shape = [(repo_url, 'WRITE'), ...]]
         result[team_name] = list(zip(repo_urls, repo_permissions))
     return result
 

cartography/intel/github/util.py

@@ -81,12 +81,12 @@ def call_github_api(query: str, variables: str, token: str, api_url: str) -> Dic
 
 
 def fetch_page(
-        token: str,
-        api_url: str,
-        organization: str,
-        query: str,
-        cursor: Optional[str] = None,
-        **kwargs: Any,
+    token: str,
+    api_url: str,
+    organization: str,
+    query: str,
+    cursor: Optional[str] = None,
+    **kwargs: Any,
 ) -> Dict[str, Any]:
     """
     Return a single page of max size 100 elements from the Github api_url using the given `query` and `cursor` params.
@@ -139,6 +139,7 @@ def fetch_all(
     """
     cursor = None
     has_next_page = True
+    org_data: Dict[str, Any] = {}
     data: PaginatedGraphqlData = PaginatedGraphqlData(nodes=[], edges=[])
     retry = 0
 
@@ -170,6 +171,15 @@ def fetch_all(
             time.sleep(2 ** retry)
             continue
 
+        if 'data' not in resp:
+            logger.warning(
+                f'Got no "data" attribute in response: {resp}. '
+                f'Stopping requests for organization: {organization} and '
+                f'resource_type: {resource_type}',
+            )
+            has_next_page = False
+            continue
+
         resource = resp['data']['organization'][resource_type]
         if resource_inner_type:
             resource = resp['data']['organization'][resource_type][resource_inner_type]
@@ -180,6 +190,14 @@ def fetch_all(
 
         cursor = resource['pageInfo']['endCursor']
         has_next_page = resource['pageInfo']['hasNextPage']
-
-    org_data = {'url': resp['data']['organization']['url'], 'login': resp['data']['organization']['login']}
+        if not org_data:
+            org_data = {
+                'url': resp['data']['organization']['url'],
+                'login': resp['data']['organization']['login'],
+            }
+
+    if not org_data:
+        raise ValueError(
+            f"Didn't get any organization data for organization: {organization} and resource_type: {resource_type}",
+        )
     return data, org_data

cartography/intel/kandji/__init__.py

@@ -0,0 +1,39 @@
+import logging
+
+import neo4j
+
+import cartography.intel.kandji.devices
+from cartography.config import Config
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def start_kandji_ingestion(neo4j_session: neo4j.Session, config: Config) -> None:
+    """
+    If this module is configured, perform ingestion of Kandji devices. Otherwise warn and exit
+
+    :param neo4j_session: Neo4J session for database interface
+    :param config: A cartography.config object
+
+    :return: None
+    """
+    if config.kandji_base_uri is None or config.kandji_token is None or config.kandji_tenant_id is None:
+        logger.warning(
+            'Required parameter(s) missing. Skipping sync.',
+            'See docs to configure.',
+        )
+        return
+
+    common_job_parameters = {
+        "UPDATE_TAG": config.update_tag,
+        "TENANT_ID": config.kandji_tenant_id,
+    }
+
+    cartography.intel.kandji.devices.sync(
+        neo4j_session,
+        config.kandji_base_uri,
+        config.kandji_token,
+        common_job_parameters=common_job_parameters,
+    )

cartography/intel/kandji/devices.py

@@ -0,0 +1,84 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import neo4j
+from requests import Session
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.kandji.device import KandjiDeviceSchema
+from cartography.models.kandji.tenant import KandjiTenantSchema
+from cartography.util import timeit
+
+
+logger = logging.getLogger(__name__)
+_TIMEOUT = (60, 60)
+
+
+@timeit
+def get(kandji_base_uri: str, kandji_token: str) -> List[Dict[str, Any]]:
+    api_endpoint = f"{kandji_base_uri}/api/v1/devices"
+    headers = {
+        'Accept': 'application/json',
+        'Authorization': f'Bearer {kandji_token}',
+    }
+
+    session = Session()
+    req = session.get(api_endpoint, headers=headers, timeout=_TIMEOUT)
+    req.raise_for_status()
+    return req.json()
+
+
+@timeit
+def transform(api_result: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
+    result: List[Dict[str, Any]] = []
+    for device in api_result:
+        n_device = device
+        n_device['id'] = device['device_id']
+        result.append(n_device)
+    return result
+
+
+@timeit
+def load_devices(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict[str, Any],
+    data: List[Dict[str, Any]],
+) -> None:
+
+    tenant_id = common_job_parameters["TENANT_ID"]
+    update_tag = common_job_parameters["UPDATE_TAG"]
+
+    load(
+        neo4j_session,
+        KandjiTenantSchema(),
+        [{'id': tenant_id}],
+        lastupdated=update_tag,
+    )
+
+    load(
+        neo4j_session,
+        KandjiDeviceSchema(),
+        data,
+        lastupdated=update_tag,
+        TENANT_ID=tenant_id,
+    )
+
+
+def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]) -> None:
+    GraphJob.from_node_schema(KandjiDeviceSchema(), common_job_parameters).run(neo4j_session)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    kandji_base_uri: str,
+    kandji_token: str,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    devices = get(kandji_base_uri=kandji_base_uri, kandji_token=kandji_token)
+    formatted_devices = transform(devices)
+    load_devices(neo4j_session, common_job_parameters, formatted_devices)
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/okta/__init__.py

@@ -68,7 +68,7 @@ def start_okta_ingestion(neo4j_session: neo4j.Session, config: Config) -> None:
     applications.sync_okta_applications(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key)
     factors.sync_users_factors(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key, state)
     origins.sync_trusted_origins(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key)
-    awssaml.sync_okta_aws_saml(neo4j_session, config.okta_saml_role_regex, config.update_tag)
+    awssaml.sync_okta_aws_saml(neo4j_session, config.okta_saml_role_regex, config.update_tag, config.okta_org_id)
 
     # need creds with permission
     # soft fail as some won't be able to get such high priv token

cartography/intel/okta/awssaml.py

@@ -1,15 +1,22 @@
 # Okta intel module - AWS SAML
 import logging
 import re
+from collections import namedtuple
 from typing import Dict
 from typing import List
 from typing import Optional
 
 import neo4j
 
+from cartography.client.core.tx import read_list_of_dicts_tx
+from cartography.client.core.tx import read_single_value_tx
 from cartography.util import timeit
 
 
+AccountRole = namedtuple('AccountRole', ['account_id', 'role_name'])
+OktaGroup = namedtuple('OktaGroup', ['group_id', 'group_name'])
+GroupRole = namedtuple('GroupRole', ['okta_group_id', 'aws_role_arn'])
+
 logger = logging.getLogger(__name__)
 
 
@@ -17,17 +24,25 @@ def _parse_regex(regex_string: str) -> str:
     return regex_string.replace("{{accountid}}", "P<accountid>").replace("{{role}}", "P<role>").strip()
 
 
-@timeit
-def transform_okta_group_to_aws_role(group_id: str, group_name: str, mapping_regex: str) -> Optional[Dict]:
+def _parse_okta_group_name(okta_group_name: str, mapping_regex: str) -> AccountRole | None:
+    """
+    Extract AWS account id and AWS role name from the given Okta group name using the given mapping regex.
+    """
     regex = _parse_regex(mapping_regex)
-    matches = re.search(regex, group_name)
+    matches = re.search(regex, okta_group_name)
     if matches:
-        accountid = matches.group("accountid")
-        role = matches.group("role")
-        role_arn = f"arn:aws:iam::{accountid}:role/{role}"
+        account_id = matches.group("accountid")
+        role_name = matches.group("role")
+        return AccountRole(account_id, role_name)
+    return None
+
+
+def transform_okta_group_to_aws_role(group_id: str, group_name: str, mapping_regex: str) -> Optional[Dict]:
+    account_role = _parse_okta_group_name(group_name, mapping_regex)
+    if account_role:
+        role_arn = f"arn:aws:iam::{account_role.account_id}:role/{account_role.role_name}"
         return {"groupid": group_id, "role": role_arn}
-    else:
-        return None
+    return None
 
 
 @timeit
@@ -45,6 +60,7 @@ def query_for_okta_to_aws_role_mapping(neo4j_session: neo4j.Session, mapping_reg
 
     for res in results:
         has_results = True
+        # input: okta group id, okta group name. output: aws role arn.
         mapping = transform_okta_group_to_aws_role(res["group.id"], res["group.name"], mapping_regex)
         if mapping:
             group_to_role_mapping.append(mapping)
@@ -107,8 +123,96 @@ def _load_human_can_assume_role(neo4j_session: neo4j.Session, okta_update_tag: i
     )
 
 
+def get_awssso_okta_groups(neo4j_session: neo4j.Session, okta_org_id: str) -> list[OktaGroup]:
+    """
+    Return list of all Okta group ids in the current Okta organization tied to Okta Applications with name
+    "amazon_aws_sso".
+    """
+    query = """
+    MATCH (g:OktaGroup)-[:APPLICATION]->(a:OktaApplication{name:"amazon_aws_sso"})
+           <-[:RESOURCE]-(:OktaOrganization{id: $okta_org_id})
+    RETURN g.id as group_id, g.name as group_name
+    """
+    result = neo4j_session.read_transaction(read_list_of_dicts_tx, query, okta_org_id=okta_org_id)
+    return [OktaGroup(group_name=og['group_name'], group_id=og['group_id']) for og in result]
+
+
+def get_awssso_role_arn(account_id: str, role_hint: str, neo4j_session: neo4j.Session) -> str | None:
+    """
+    Attempt to return the AWS role ARN for the given AWS account ID and role hint string.
+    This function exists to handle that AWS SSO roles have a 'AWSReservedSSO' prefix and a hashed suffix
+    Input:
+    - account_id: AWS account ID
+    - role_hint (str): The `AccountRole.role_name` returned by _parse_okta_group_name(). This is the part of the Okta
+    group name that refers to the AWS role name.
+    Output:
+    - If we are able to find it, returns the matching AWS role ARN.
+    """
+    query = """
+    MATCH (:AWSAccount{id:$account_id})-[:RESOURCE]->(role:AWSRole{path:"/aws-reserved/sso.amazonaws.com/"})
+    WHERE SPLIT(role.name, '_')[1..-1][0] = $role_hint
+    RETURN role.arn AS role_arn
+    """
+    return neo4j_session.read_transaction(read_single_value_tx, query, account_id=account_id, role_hint=role_hint)
+
+
+def query_for_okta_to_awssso_role_mapping(
+        neo4j_session: neo4j.Session,
+        awssso_okta_groups: list[OktaGroup],
+        mapping_regex: str,
+) -> list[GroupRole]:
+    """
+    Input:
+    - neo4j session
+    - str list of Okta group names
+    - str regex that tells us how to find the AWS role name and account when given an Okta group name
+    Output:
+    - list of OktaGroup id to AWSRole arn pairs.
+    """
+    result = []
+    for group in awssso_okta_groups:
+        account_role = _parse_okta_group_name(group.group_name, mapping_regex)
+        if not account_role:
+            logger.info(f"Okta group {group.group_name} has no associated AWS SSO role")
+            continue
+
+        role_arn = get_awssso_role_arn(account_role.account_id, account_role.role_name, neo4j_session)
+        if role_arn:
+            result.append(GroupRole(group.group_id, role_arn))
+    return result
+
+
+def _load_awssso_tx(tx: neo4j.Transaction, group_to_role: list[GroupRole], okta_update_tag: int) -> None:
+    ingest_statement = """
+    UNWIND $GROUP_TO_ROLE as app_data
+        MATCH (role:AWSRole{arn: app_data.aws_role_arn})
+        MATCH (group:OktaGroup{id: app_data.okta_group_id})
+        MERGE (role)<-[r:ALLOWED_BY]-(group)
+        ON CREATE SET r.firstseen = timestamp()
+        SET r.lastupdated = $okta_update_tag
+    """
+    tx.run(
+        ingest_statement,
+        GROUP_TO_ROLE=[g._asdict() for g in group_to_role],
+        okta_update_tag=okta_update_tag,
+    )
+
+
+def _load_okta_group_to_awssso_roles(
+        neo4j_session: neo4j.Session,
+        group_to_role: list[GroupRole],
+        okta_update_tag: int,
+) -> None:
+    neo4j_session.write_transaction(_load_awssso_tx, group_to_role, okta_update_tag)
+
+
 @timeit
-def sync_okta_aws_saml(neo4j_session: neo4j.Session, mapping_regex: str, okta_update_tag: int) -> None:
+def sync_okta_aws_saml(
+        neo4j_session: neo4j.Session,
+        mapping_regex: str,
+        okta_update_tag: int,
+        okta_org_id: str,
+) -> None:
     """
     Sync okta integration with saml. This will link OktaGroups to the AWSRoles they enable.
     This is for people who use the okta saml provider for AWS
@@ -127,3 +231,7 @@ def sync_okta_aws_saml(neo4j_session: neo4j.Session, mapping_regex: str, okta_up
     group_to_role_mapping = query_for_okta_to_aws_role_mapping(neo4j_session, mapping_regex)
     _load_okta_group_to_aws_roles(neo4j_session, group_to_role_mapping, okta_update_tag)
     _load_human_can_assume_role(neo4j_session, okta_update_tag)
+
+    sso_okta_groups = get_awssso_okta_groups(neo4j_session, okta_org_id)
+    group_to_ssorole_mapping = query_for_okta_to_awssso_role_mapping(neo4j_session, sso_okta_groups, mapping_regex)
+    _load_okta_group_to_awssso_roles(neo4j_session, group_to_ssorole_mapping, okta_update_tag)

cartography/models/aws/ec2/launch_template_versions.py

@@ -0,0 +1,81 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class LaunchTemplateVersionNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('Id')
+    name: PropertyRef = PropertyRef('LaunchTemplateName')
+    create_time: PropertyRef = PropertyRef('CreateTime')
+    created_by: PropertyRef = PropertyRef('CreatedBy')
+    default_version: PropertyRef = PropertyRef('DefaultVersion')
+    version_number: PropertyRef = PropertyRef('VersionNumber')
+    version_description: PropertyRef = PropertyRef('VersionDescription')
+    kernel_id: PropertyRef = PropertyRef('KernelId')
+    ebs_optimized: PropertyRef = PropertyRef('EbsOptimized')
+    iam_instance_profile_arn: PropertyRef = PropertyRef('IamInstanceProfileArn')
+    iam_instance_profile_name: PropertyRef = PropertyRef('IamInstanceProfileName')
+    image_id: PropertyRef = PropertyRef('ImageId')
+    instance_type: PropertyRef = PropertyRef('InstanceType')
+    key_name: PropertyRef = PropertyRef('KeyName')
+    monitoring_enabled: PropertyRef = PropertyRef('MonitoringEnabled')
+    ramdisk_id: PropertyRef = PropertyRef('RamdiskId')
+    disable_api_termination: PropertyRef = PropertyRef('DisableApiTermination')
+    instance_initiated_shutdown_behavior: PropertyRef = PropertyRef('InstanceInitiatedShutdownBehavior')
+    security_group_ids: PropertyRef = PropertyRef('SecurityGroupIds')
+    security_groups: PropertyRef = PropertyRef('SecurityGroups')
+    region: PropertyRef = PropertyRef('Region', set_in_kwargs=True)
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class LaunchTemplateVersionToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class LaunchTemplateVersionToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: LaunchTemplateVersionToAwsAccountRelProperties = LaunchTemplateVersionToAwsAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class LaunchTemplateVersionToLTRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class LaunchTemplateVersionToLT(CartographyRelSchema):
+    target_node_label: str = 'LaunchTemplate'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('LaunchTemplateId')},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "VERSION"
+    properties: LaunchTemplateVersionToLTRelProperties = LaunchTemplateVersionToLTRelProperties()
+
+
+@dataclass(frozen=True)
+class LaunchTemplateVersionSchema(CartographyNodeSchema):
+    label: str = 'LaunchTemplateVersion'
+    properties: LaunchTemplateVersionNodeProperties = LaunchTemplateVersionNodeProperties()
+    sub_resource_relationship: LaunchTemplateVersionToAWSAccount = LaunchTemplateVersionToAWSAccount()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            LaunchTemplateVersionToLT(),
+        ],
+    )

cartography/models/aws/ec2/launch_templates.py

@@ -0,0 +1,46 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class LaunchTemplateNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('LaunchTemplateId')
+    launch_template_id: PropertyRef = PropertyRef('LaunchTemplateId')
+    name: PropertyRef = PropertyRef('LaunchTemplateName')
+    create_time: PropertyRef = PropertyRef('CreateTime')
+    created_by: PropertyRef = PropertyRef('CreatedBy')
+    default_version_number: PropertyRef = PropertyRef('DefaultVersionNumber')
+    latest_version_number: PropertyRef = PropertyRef('LatestVersionNumber')
+    region: PropertyRef = PropertyRef('Region', set_in_kwargs=True)
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class LaunchTemplateToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class LaunchTemplateToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: LaunchTemplateToAwsAccountRelProperties = LaunchTemplateToAwsAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class LaunchTemplateSchema(CartographyNodeSchema):
+    label: str = 'LaunchTemplate'
+    properties: LaunchTemplateNodeProperties = LaunchTemplateNodeProperties()
+    sub_resource_relationship: LaunchTemplateToAWSAccount = LaunchTemplateToAWSAccount()

cartography/models/aws/ec2/subnet_instance.py

@@ -15,7 +15,7 @@ from cartography.models.core.relationships import TargetNodeMatcher
 class EC2SubnetInstanceNodeProperties(CartographyNodeProperties):
     # arn: PropertyRef = PropertyRef('Arn', extra_index=True) TODO use arn; issue #1024
     id: PropertyRef = PropertyRef('SubnetId')
-    subnet_id: PropertyRef = PropertyRef('SubnetId', extra_index=True)
+    subnetid: PropertyRef = PropertyRef('SubnetId', extra_index=True)
     region: PropertyRef = PropertyRef('Region', set_in_kwargs=True)
     lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
 

cartography/models/kandji/device.py

@@ -0,0 +1,48 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class KandjiDeviceNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('id')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+    device_id: PropertyRef = PropertyRef('device_id')
+    device_name: PropertyRef = PropertyRef('device_name')
+    last_check_in: PropertyRef = PropertyRef('last_check_in')
+    model: PropertyRef = PropertyRef('model')
+    os_version: PropertyRef = PropertyRef('os_version')
+    platform: PropertyRef = PropertyRef('platform')
+    serial_number: PropertyRef = PropertyRef('serial_number', extra_index=True)
+
+
+@dataclass(frozen=True)
+class KandjiTenantToKandjiDeviceRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:KandjiDevice)-[:ENROLLED_TO]->(:KandjiTenant)
+class KandjiTenantToKandjiDeviceRel(CartographyRelSchema):
+    target_node_label: str = 'KandjiTenant'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('TENANT_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ENROLLED_TO"
+    properties: KandjiTenantToKandjiDeviceRelProperties = KandjiTenantToKandjiDeviceRelProperties()
+
+
+@dataclass(frozen=True)
+class KandjiDeviceSchema(CartographyNodeSchema):
+    label: str = 'KandjiDevice'  # The label of the node
+    properties: KandjiDeviceNodeProperties = KandjiDeviceNodeProperties()  # An object representing all properties
+    sub_resource_relationship: KandjiTenantToKandjiDeviceRel = KandjiTenantToKandjiDeviceRel()

cartography/models/kandji/tenant.py

@@ -0,0 +1,17 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+
+
+@dataclass(frozen=True)
+class KandjiTenantNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('id')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class KandjiTenantSchema(CartographyNodeSchema):
+    label: str = 'KandjiTenant'  # The label of the node
+    properties: KandjiTenantNodeProperties = KandjiTenantNodeProperties()  # An object representing all properties

cartography/sync.py

@@ -24,6 +24,7 @@ import cartography.intel.duo
 import cartography.intel.gcp
 import cartography.intel.github
 import cartography.intel.gsuite
+import cartography.intel.kandji
 import cartography.intel.kubernetes
 import cartography.intel.lastpass
 import cartography.intel.oci
@@ -50,6 +51,7 @@ TOP_LEVEL_MODULES = OrderedDict({  # preserve order so that the default sync alw
     'okta': cartography.intel.okta.start_okta_ingestion,
     'github': cartography.intel.github.start_github_ingestion,
     'digitalocean': cartography.intel.digitalocean.start_digitalocean_ingestion,
+    'kandji': cartography.intel.kandji.start_kandji_ingestion,
     'kubernetes': cartography.intel.kubernetes.start_k8s_ingestion,
     'lastpass': cartography.intel.lastpass.start_lastpass_ingestion,
     'bigfix': cartography.intel.bigfix.start_bigfix_ingestion,

{cartography-0.90.0rc2.dist-info → cartography-0.92.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cartography
-Version: 0.90.0rc2
+Version: 0.92.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Home-page: https://www.github.com/lyft/cartography
 Maintainer: Lyft

{cartography-0.90.0rc2.dist-info → cartography-0.92.0.dist-info}/RECORD

@@ -1,10 +1,10 @@
 cartography/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/__main__.py,sha256=JftXT_nUPkqcEh8uxCCT4n-OyHYqbldEgrDS-4ygy0U,101
-cartography/cli.py,sha256=2_kLxdCSIb0nLo2vRVnIR_5XnylonvoWehfvXZElX1o,30059
-cartography/config.py,sha256=3X70Vx94T0Sam5qCdln-R_FnGmJGY-SY6Ok32A38nbE,10777
+cartography/cli.py,sha256=ot9_gMxw5_irVS7KYfWf5HIr2Xkb10RDEbOTY1nzUcw,31787
+cartography/config.py,sha256=rL1zgxZO47_R7S6E9e0CwxmhzRSN0X_q93NtcPR1G00,11368
 cartography/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/stats.py,sha256=dbybb9V2FuvSuHjjNwz6Vjwnd1hap2C7h960rLoKcl8,4406
-cartography/sync.py,sha256=1y7nzaNSpxND1CRHpP6pFyOSw0DVDn_kox3zuvw3Uzo,9635
+cartography/sync.py,sha256=a80r_IzrZcWGSmRDRrxkesNYPiOuLte5YHvDQT3L-Lw,9730
 cartography/util.py,sha256=F3FPMJl1KDW0x_5cvt2ZGI0Dv1LVrHU7Az4OleAANBI,14474
 cartography/client/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/client/aws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -12,7 +12,7 @@ cartography/client/aws/iam.py,sha256=dYsGikc36DEsSeR2XVOVFFUDwuU9yWj_EVkpgVYCFgM
 cartography/client/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/client/core/tx.py,sha256=4_kTBxrtlwsOM-e8Xtjf7wmmzwZ-DGRJL0rPFp0Xj0Q,10805
 cartography/data/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cartography/data/indexes.cypher,sha256=2OP2V7hsN794IssfeaAYYwPxUt5QghXnrgBAEKHWag8,27804
+cartography/data/indexes.cypher,sha256=PTQEUbC_Kmjj_wM-j6NJqLvETRIORreeqF6WlKmnHKg,27395
 cartography/data/permission_relationships.yaml,sha256=RuKGGc_3ZUQ7ag0MssB8k_zaonCkVM5E8I_svBWTmGc,969
 cartography/data/jobs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/data/jobs/analysis/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -36,7 +36,6 @@ cartography/data/jobs/cleanup/aws_import_account_access_key_cleanup.json,sha256=
 cartography/data/jobs/cleanup/aws_import_apigateway_cleanup.json,sha256=wCV95ydo3dmlhK7VrDrxCqrP6dbhCCMTzcz_qaJQ4Jo,2189
 cartography/data/jobs/cleanup/aws_import_config_cleanup.json,sha256=VCAJjEnFcQUR16VxKdpsOkBJEnhMuLk-7Kgm_p9k1NM,754
 cartography/data/jobs/cleanup/aws_import_ec2_launch_configurations_cleanup.json,sha256=x9IIzb9Sr1353ygkA-qqUUbZS9XO2v3GzUHe-0J4Pw8,281
-cartography/data/jobs/cleanup/aws_import_ec2_launch_templates_cleanup.json,sha256=tuJzb1wmKSPUiShX8zgNTz7Il_XhXZ7_uQE4_6iUjFI,524
 cartography/data/jobs/cleanup/aws_import_ec2_security_groupinfo_cleanup.json,sha256=CackEgSs1PN15pTg8oIdS0amB-n-PsKODLAaqC3gf_A,1183
 cartography/data/jobs/cleanup/aws_import_ecr_cleanup.json,sha256=7Sga9WlbhHe-VyoFaF0LrlhbAFvSSOjVKiRf_VW8To8,1355
 cartography/data/jobs/cleanup/aws_import_ecs_cleanup.json,sha256=6HtmZy7gNC0ZxLU7I6C2KKcqpZhYRFyaJZCDA50DzAs,2126
@@ -153,7 +152,7 @@ cartography/intel/aws/eks.py,sha256=OerAX7qT2uGPbqliPvuy8JZUIgle_KMlnkkHxk8O5fk,
 cartography/intel/aws/elasticache.py,sha256=fCI47aDFmIDyE26GiReKYb6XIZUwrzcvsXBQ4ruFhuI,4427
 cartography/intel/aws/elasticsearch.py,sha256=ZL7MkXF_bXRSoXuDSI1dwGckRLG2zDB8LuAD07vSLnE,8374
 cartography/intel/aws/emr.py,sha256=xhWBVZngxJRFjMEDxwq3G6SgytRGLq0v2a_CeDvByR0,3372
-cartography/intel/aws/iam.py,sha256=fEn0XCQhBKxoEQJT5OCEzTbP58VXtfzF11GUK-Fnqog,32347
+cartography/intel/aws/iam.py,sha256=eLw0NkBGKzCI_tQ3wmrx3aUibQerrsxKJd3d0RCKcKQ,32374
 cartography/intel/aws/inspector.py,sha256=6enCu2USefuGT3FqA0Vto6i-z4BrL2HC_clbiXSLIlo,8654
 cartography/intel/aws/kms.py,sha256=bZUzMxAH_DsAcGTJBs08gg2tLKYu-QWjvMvV9C-6v50,11731
 cartography/intel/aws/lambda_function.py,sha256=KKTyn53xpaMI9WvIqxmsOASFwflHt-2_5ow-zUFc2wg,9890
@@ -172,17 +171,17 @@ cartography/intel/aws/ssm.py,sha256=IDOYa8v2FgziU8nBOZ7wyDG4o_nFYshbB-si9Ut_9Zc,
 cartography/intel/aws/ec2/__init__.py,sha256=IDK2Yap7mllK_ab6yVMLXatJ94znIkn-szv5RJP5fbo,346
 cartography/intel/aws/ec2/auto_scaling_groups.py,sha256=4erjP31KSVW-Pp2ASmDox_VLp_AQUAin4KYxfZKZcSM,9223
 cartography/intel/aws/ec2/elastic_ip_addresses.py,sha256=0k4NwS73VyWbEj5jXvSkaq2RNvmAlBlrN-UKa_Bj0uk,3957
-cartography/intel/aws/ec2/images.py,sha256=KZJft6EB-EbILzzjbamRkOgvOmPBqarKUFzMKgpJdXc,3842
+cartography/intel/aws/ec2/images.py,sha256=heElwHJGqVD3iUJjxwA_Sdc3CmE4HPs00CTMHuQ1wkc,3782
 cartography/intel/aws/ec2/instances.py,sha256=mnTjdBY-4D-TGhH29UrSaLUW0Uft0JApDIJkkLz4zPc,12170
 cartography/intel/aws/ec2/internet_gateways.py,sha256=dI-4-85_3DGGZZBcY_DN6XqESx9P26S6jKok314lcnQ,2883
 cartography/intel/aws/ec2/key_pairs.py,sha256=SvRgd56vE4eouvTSNoFK8PP8HYoECO91goxc36oq_FY,2508
-cartography/intel/aws/ec2/launch_templates.py,sha256=UXqINdxBzpgPTJVjSZ9DXhO-Lo598aHswJapuo4QNXA,5099
+cartography/intel/aws/ec2/launch_templates.py,sha256=YhLh_O2cZbeoKXA6MXmwkxJJi0ubZb5FyouTYykuq1k,5372
 cartography/intel/aws/ec2/load_balancer_v2s.py,sha256=95FfQQn740gexINIHDJizOM4OKzRtQT_y2XQMipQ5Dg,8661
 cartography/intel/aws/ec2/load_balancers.py,sha256=1GwErzGqi3BKCARqfGJcD_r_D84rFKVy5kNMas9jAok,6756
 cartography/intel/aws/ec2/network_interfaces.py,sha256=CzF8PooCYUQ2pk8DR8JDAhkWRUQSBj_27OsIfkL_-Cs,9199
 cartography/intel/aws/ec2/reserved_instances.py,sha256=jv8-VLI5KL8jN1QRI20yim8lzZ7I7wR8a5EF8DckahA,3122
 cartography/intel/aws/ec2/security_groups.py,sha256=vxLeaCpCowkbl-YpON1UdbjtPolMfj_reOEuKujN80Y,6060
-cartography/intel/aws/ec2/snapshots.py,sha256=HSeK8COoc1p399Y0LSg6Jo0bTiooCIh66jCv4DPsJsA,5393
+cartography/intel/aws/ec2/snapshots.py,sha256=R3U6ZwE4bQPy5yikLCRcUHyXN1dD7TzS-3jULQO-F0g,5432
 cartography/intel/aws/ec2/subnets.py,sha256=wdv9TXI1BR_iilOCYmYXL2yok8qef49-I77_DPlyheQ,3694
 cartography/intel/aws/ec2/tgw.py,sha256=lTFPlRNoDHNklR38alSywXlSiiTyg86vJNth7Pc4pZQ,9114
 cartography/intel/aws/ec2/util.py,sha256=Pv-x1QEAAmyxcpEl6y8M24ija3ERjXFE36fswuKXHDs,226
@@ -231,14 +230,16 @@ cartography/intel/gcp/gke.py,sha256=qaTwsVaxkwNhW5_Mw4bedOk7fgJK8y0LwwcYlUABXDg,
 cartography/intel/gcp/storage.py,sha256=oO_ayEhkXlj2Gn7T5MU41ZXiqwRwe6Ud4wzqyRTsyf4,9075
 cartography/intel/github/__init__.py,sha256=y876JJGTDJZEOFCDiNCJfcLNxN24pVj4s2N0YmuuoaE,1914
 cartography/intel/github/repos.py,sha256=YPDdBMk6NkZjwPcqPW5LlCy_OS9tKcrZD6ygiUG93J0,21766
-cartography/intel/github/teams.py,sha256=aX1dj7HHVjw0hv_VvG1dee3WzTfmVMraP1khlwvN7Xs,5287
+cartography/intel/github/teams.py,sha256=mofyJeJVOD7Umh9Rq6QnAwom9bBHBx18kyvFMvQX5YE,5383
 cartography/intel/github/users.py,sha256=kQp0dxzP08DVrdvfVeCciQbrKPbbFvwbR_p_I_XGt7s,3826
-cartography/intel/github/util.py,sha256=trigWITP7C44RjKpBT12fCcxtqo5WFqUOcB9VqtzifA,7465
+cartography/intel/github/util.py,sha256=K6hbxypy4luKhIE1Uh5VWZc9OyjMK2OuO00vBAQfloA,8049
 cartography/intel/gsuite/__init__.py,sha256=AGIUskGlLCVGHbnQicNpNWi9AvmV7_7hUKTt-hsB2J8,4306
 cartography/intel/gsuite/api.py,sha256=J0dkNdfBVMrEv8vvStQu7YKVxXSyV45WueFhUS4aOG4,10310
 cartography/intel/jamf/__init__.py,sha256=Nof-LrUeevoieo6oP2GyfTwx8k5TUIgreW6hSj53YjQ,419
 cartography/intel/jamf/computers.py,sha256=EfjlupQ-9HYTjOrmuwrGuJDy9ApAnJvk8WrYcp6_Jkk,1673
 cartography/intel/jamf/util.py,sha256=EAyP8VpOY2uAvW3HtX6r7qORNjGa1Tr3fuqezuLQ0j4,1017
+cartography/intel/kandji/__init__.py,sha256=OHZJNzuNibIfJ51OkL3XL2EdA_ZmvPHPeWCQUld4J64,1079
+cartography/intel/kandji/devices.py,sha256=j_rP6rQ5VPT_XEcGXx7Yt6eCOm1Oe3I2qWIxXODXEcA,2224
 cartography/intel/kubernetes/__init__.py,sha256=jaOTEanWnTrYvcBN1XUC5oqBhz1AJbFmzoT9uu_VBSg,1481
 cartography/intel/kubernetes/namespaces.py,sha256=6o-FgAX_Ai5NCj2xOWM-RNWEvn0gZjVQnZSGCJlcIhw,2710
 cartography/intel/kubernetes/pods.py,sha256=aX3pP_vs6icMe2vK4vgMak6HZ64okhRzoihpkPHscGU,4502
@@ -251,9 +252,9 @@ cartography/intel/oci/__init__.py,sha256=AZmRX6EO4LUnynDtIKHxtZ_Ab2-CYPPc2u5d0Q2
 cartography/intel/oci/iam.py,sha256=zPrJeoMoO3ZkjBfWbTttjrcUvxxMuWquLTmsDH5MgOI,17712
 cartography/intel/oci/organizations.py,sha256=tzQkZfE4LPoS-6lXBRQGyhq8aJLZUJ1_q75Q9eTBke0,4086
 cartography/intel/oci/utils.py,sha256=UbX9jib4sWEdKeAt2CeCo4k9shUiWY08oTfQz_nDvjA,3223
-cartography/intel/okta/__init__.py,sha256=HYw9wlE27dHJ2fwSlHgbJyHcxhdFzbYWBcZdQ6bqfIo,3813
+cartography/intel/okta/__init__.py,sha256=i5YY9mIDQ2-IBnCSWf4rToYMa9fQQIxucCnl0TXK2Uc,3833
 cartography/intel/okta/applications.py,sha256=ZqUn-bru6Kh75vpUeRnMurUBh0rGBRpI2b2V09HOOQw,12866
-cartography/intel/okta/awssaml.py,sha256=uJFasoyQmABoC5xAjlXak51KuAjT2H6AA2f47N3h6gw,4651
+cartography/intel/okta/awssaml.py,sha256=Rw0mrJ7NY5xjfEO_ijMqi1VEbr0FSasfrvGtoCPy1aU,9136
 cartography/intel/okta/factors.py,sha256=1bLnF4MRf0MYzzhT2tfM4jdfkjE1bkQn6_WuOqED2K4,4955
 cartography/intel/okta/groups.py,sha256=GxaixbY5KWkalj2rY6nWwe_IskVVowOAPo88OZIGcPY,10172
 cartography/intel/okta/organization.py,sha256=YLQc7ETdtf8Vc-CRCYivV_xmVl2Oz0Px53anJHYp-p8,821
@@ -281,6 +282,8 @@ cartography/models/aws/ec2/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 cartography/models/aws/ec2/images.py,sha256=uGhXS7Xb6sKUdwwkS0O0dWP4sIREjusUaV_unODv9gE,3012
 cartography/models/aws/ec2/instances.py,sha256=cNMHngdGNRhxoyID6AmG2F7CQGC1fYani8DV8lSKvsI,3902
 cartography/models/aws/ec2/keypairs.py,sha256=scKC3SdExHAWkPNmb6tT9LK-9q4sweqS2ejFzMec10M,2630
+cartography/models/aws/ec2/launch_template_versions.py,sha256=RitfnAuAj0XpFsCXkRbtUhHMAi8Vsvmtury231eKvGU,3897
+cartography/models/aws/ec2/launch_templates.py,sha256=GqiwFuMp72LNSt2eQlp2WfdU_vHsom-xKV5AaUewSHQ,2157
 cartography/models/aws/ec2/loadbalancerv2.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/aws/ec2/networkinterface_instance.py,sha256=t3oqcQ4GjYf7dwqPUGCiXd70ie4ibYLilOXiE5_Ad8g,4707
 cartography/models/aws/ec2/networkinterfaces.py,sha256=z1-Dl6I79-TCxXKG8QBpSKga93lPCPaLR1XqKJZK3ME,4127
@@ -288,7 +291,7 @@ cartography/models/aws/ec2/privateip_networkinterface.py,sha256=j8MyiZsiUCuzuGUH
 cartography/models/aws/ec2/reservations.py,sha256=dE9uSB3Em-ca1dDbetbu79JXr4ZWHC3r5gA1S3mjhVU,1930
 cartography/models/aws/ec2/securitygroup_instance.py,sha256=RZS9TzHHatTOESQgcs5_YHmF9sM7pRkUq2VPjk9FJlU,2876
 cartography/models/aws/ec2/securitygroup_networkinterface.py,sha256=PiaA8J82kybZyZ1wDsa-ACIDa88vt4NoA3smGNiwl14,2399
-cartography/models/aws/ec2/subnet_instance.py,sha256=kPELT07l6AXIy-NYnXfkhM_RWUG20D33K1V1CJQdHyw,2753
+cartography/models/aws/ec2/subnet_instance.py,sha256=ct_ibXiPN2C5ld06TczwSTXtsnlov5VCW6elphtbvPs,2752
 cartography/models/aws/ec2/subnet_networkinterface.py,sha256=JHlxfBojBw7LfJS4a5LpVGM28MUu451PUrrwbbOPGuQ,3614
 cartography/models/aws/ec2/volumes.py,sha256=WSP7YNZeJE3s4wnY9QrIAbcJN3OathqNgEBX0cVahDg,4470
 cartography/models/aws/eks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -319,6 +322,9 @@ cartography/models/duo/user.py,sha256=ih3DH_QveAve4cX9dmIwC5gVN6_RNnuLK3bfJ5I9u6
 cartography/models/duo/web_authn_credential.py,sha256=OcZnfG5zCMlphxSltRcAXQ12hHYJjxrBt6A9L28g7Vk,2920
 cartography/models/github/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/github/teams.py,sha256=mk3OFGTDqWkLz7aX7Q9AtpOMOkZDDGH0MWoVeevK2-k,4376
+cartography/models/kandji/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cartography/models/kandji/device.py,sha256=C3zPhLi1oPNysbSUr4H2u8b-Xy14sb3FE7YcjCwlntw,2214
+cartography/models/kandji/tenant.py,sha256=KhcbahNBemny3coQPiadIY8B-yDMg_ejYB2BR6vqBfw,674
 cartography/models/lastpass/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/lastpass/tenant.py,sha256=TG-9LFo9Sfzb9UgcTt_gFVTKocLItbgQMMPkN_iprXU,618
 cartography/models/lastpass/user.py,sha256=SMTTYN6jgccc9k76hY3rVImElJOhHhZ9f1aZ6JzcrHw,3487
@@ -326,10 +332,10 @@ cartography/models/semgrep/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 cartography/models/semgrep/deployment.py,sha256=or5qZDuR51MXzINpH15jZrqmSUvXQevCNYWJ7D6v-JI,745
 cartography/models/semgrep/findings.py,sha256=xrn8sgXpNMrNJbKQagaAVxaCG9bVjTATSRR2XRBR4rg,5386
 cartography/models/semgrep/locations.py,sha256=kSk7Nn5Mn4Ob84MVZOo2GR0YFi-9Okq9pgA3FfC6_bk,3061
-cartography-0.90.0rc2.dist-info/LICENSE,sha256=489ZXeW9G90up6ep-D1n-lJgk9ciNT2yxXpFgRSidtk,11341
-cartography-0.90.0rc2.dist-info/METADATA,sha256=DHVlVtAVX0wLA23rAP2on60QcEvswp8wivDIIw5LQgE,1991
-cartography-0.90.0rc2.dist-info/NOTICE,sha256=YOGAsjFtbyKj5tslYIg6V5jEYRuEvnSsIuDOUKj0Qj4,97
-cartography-0.90.0rc2.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-cartography-0.90.0rc2.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
-cartography-0.90.0rc2.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
-cartography-0.90.0rc2.dist-info/RECORD,,
+cartography-0.92.0.dist-info/LICENSE,sha256=489ZXeW9G90up6ep-D1n-lJgk9ciNT2yxXpFgRSidtk,11341
+cartography-0.92.0.dist-info/METADATA,sha256=HXdDXVgGGUnCSRNCb9yiLfbWFxQ25iXo8YJGnKk0NvI,1988
+cartography-0.92.0.dist-info/NOTICE,sha256=YOGAsjFtbyKj5tslYIg6V5jEYRuEvnSsIuDOUKj0Qj4,97
+cartography-0.92.0.dist-info/WHEEL,sha256=GJ7t_kWBFywbagK5eo9IoUwLW6oyOeTKmQ-9iHFVNxQ,92
+cartography-0.92.0.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
+cartography-0.92.0.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
+cartography-0.92.0.dist-info/RECORD,,

{cartography-0.90.0rc2.dist-info → cartography-0.92.0.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: bdist_wheel (0.42.0)
+Generator: bdist_wheel (0.43.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

cartography/data/jobs/cleanup/aws_import_ec2_launch_templates_cleanup.json

@@ -1,13 +0,0 @@
-{
-  "statements": [{
-    "query": "MATCH (n:LaunchTemplateVersion)<-[:VERSION]-(:LaunchTemplate)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ID}) WHERE n.lastupdated <> $UPDATE_TAG WITH n LIMIT $LIMIT_SIZE DETACH DELETE (n)",
-    "iterative": true,
-    "iterationsize": 100
-  },
-  {
-    "query": "MATCH (n:LaunchTemplate)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ID}) WHERE n.lastupdated <> $UPDATE_TAG WITH n LIMIT $LIMIT_SIZE DETACH DELETE (n)",
-    "iterative": true,
-    "iterationsize": 100
-  }],
-  "name": "cleanup LaunchTemplate"
-}