cartography 0.93.0rc1__py3-none-any.whl → 0.123.0__py3-none-any.whl

cartography/intel/okta/awssaml.py

@@ -10,21 +10,28 @@ import neo4j
 
 from cartography.client.core.tx import read_list_of_dicts_tx
 from cartography.client.core.tx import read_single_value_tx
+from cartography.client.core.tx import run_write_query
 from cartography.util import timeit
 
-
-AccountRole = namedtuple('AccountRole', ['account_id', 'role_name'])
-OktaGroup = namedtuple('OktaGroup', ['group_id', 'group_name'])
-GroupRole = namedtuple('GroupRole', ['okta_group_id', 'aws_role_arn'])
+AccountRole = namedtuple("AccountRole", ["account_id", "role_name"])
+OktaGroup = namedtuple("OktaGroup", ["group_id", "group_name"])
+GroupRole = namedtuple("GroupRole", ["okta_group_id", "aws_role_arn"])
 
 logger = logging.getLogger(__name__)
 
 
 def _parse_regex(regex_string: str) -> str:
-    return regex_string.replace("{{accountid}}", "P<accountid>").replace("{{role}}", "P<role>").strip()
+    return (
+        regex_string.replace("{{accountid}}", "P<accountid>")
+        .replace("{{role}}", "P<role>")
+        .strip()
+    )
 
 
-def _parse_okta_group_name(okta_group_name: str, mapping_regex: str) -> AccountRole | None:
+def _parse_okta_group_name(
+    okta_group_name: str,
+    mapping_regex: str,
+) -> AccountRole | None:
     """
     Extract AWS account id and AWS role name from the given Okta group name using the given mapping regex.
     """
@@ -37,36 +44,50 @@ def _parse_okta_group_name(okta_group_name: str, mapping_regex: str) -> AccountR
     return None
 
 
-def transform_okta_group_to_aws_role(group_id: str, group_name: str, mapping_regex: str) -> Optional[Dict]:
+def transform_okta_group_to_aws_role(
+    group_id: str,
+    group_name: str,
+    mapping_regex: str,
+) -> Optional[Dict]:
     account_role = _parse_okta_group_name(group_name, mapping_regex)
     if account_role:
-        role_arn = f"arn:aws:iam::{account_role.account_id}:role/{account_role.role_name}"
+        role_arn = (
+            f"arn:aws:iam::{account_role.account_id}:role/{account_role.role_name}"
+        )
         return {"groupid": group_id, "role": role_arn}
     return None
 
 
 @timeit
-def query_for_okta_to_aws_role_mapping(neo4j_session: neo4j.Session, mapping_regex: str) -> List[Dict]:
+def query_for_okta_to_aws_role_mapping(
+    neo4j_session: neo4j.Session,
+    mapping_regex: str,
+) -> List[Dict]:
     """
     Query the graph for all groups associated with the amazon_aws application and map them to AWSRoles
     :param neo4j_session: session from the Neo4j server
     :param mapping_regex: the regex used by the organization to map groups to aws roles
     """
-    query = "MATCH (app:OktaApplication{name:'amazon_aws'})--(group:OktaGroup) return group.id, group.name"
+    query = (
+        "MATCH (app:OktaApplication{name:'amazon_aws'})--(group:OktaGroup) "
+        "RETURN group.id AS group_id, group.name AS group_name"
+    )
 
     group_to_role_mapping: List[Dict] = []
-    has_results = False
-    results = neo4j_session.run(query)
+    results = neo4j_session.execute_read(read_list_of_dicts_tx, query)
 
     for res in results:
-        has_results = True
         # input: okta group id, okta group name. output: aws role arn.
-        mapping = transform_okta_group_to_aws_role(res["group.id"], res["group.name"], mapping_regex)
+        mapping = transform_okta_group_to_aws_role(
+            res["group_id"],
+            res["group_name"],
+            mapping_regex,
+        )
         if mapping:
             group_to_role_mapping.append(mapping)
 
-    if has_results and not group_to_role_mapping:
-        logger.warn(
+    if results and not group_to_role_mapping:
+        logger.warning(
             "AWS Okta Application present, but no mappings were found. "
             "Please verify the mapping regex is correct",
         )
@@ -76,7 +97,8 @@ def query_for_okta_to_aws_role_mapping(neo4j_session: neo4j.Session, mapping_reg
 
 @timeit
 def _load_okta_group_to_aws_roles(
-    neo4j_session: neo4j.Session, group_to_role: List[Dict],
+    neo4j_session: neo4j.Session,
+    group_to_role: List[Dict],
     okta_update_tag: int,
 ) -> None:
     """
@@ -96,7 +118,8 @@ def _load_okta_group_to_aws_roles(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         GROUP_TO_ROLE=group_to_role,
         okta_update_tag=okta_update_tag,
@@ -104,7 +127,10 @@ def _load_okta_group_to_aws_roles(
 
 
 @timeit
-def _load_human_can_assume_role(neo4j_session: neo4j.Session, okta_update_tag: int) -> None:
+def _load_human_can_assume_role(
+    neo4j_session: neo4j.Session,
+    okta_update_tag: int,
+) -> None:
     """
     Add the CAN_ASSUME_ROLE relationship between Humans and the AWSRoles they can assume
     :param neo4j_session: session with the Neo4j server
@@ -117,13 +143,17 @@ def _load_human_can_assume_role(neo4j_session: neo4j.Session, okta_update_tag: i
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         okta_update_tag=okta_update_tag,
     )
 
 
-def get_awssso_okta_groups(neo4j_session: neo4j.Session, okta_org_id: str) -> list[OktaGroup]:
+def get_awssso_okta_groups(
+    neo4j_session: neo4j.Session,
+    okta_org_id: str,
+) -> list[OktaGroup]:
     """
     Return list of all Okta group ids in the current Okta organization tied to Okta Applications with name
     "amazon_aws_sso".
@@ -133,11 +163,21 @@ def get_awssso_okta_groups(neo4j_session: neo4j.Session, okta_org_id: str) -> li
            <-[:RESOURCE]-(:OktaOrganization{id: $okta_org_id})
     RETURN g.id as group_id, g.name as group_name
     """
-    result = neo4j_session.read_transaction(read_list_of_dicts_tx, query, okta_org_id=okta_org_id)
-    return [OktaGroup(group_name=og['group_name'], group_id=og['group_id']) for og in result]
+    result = neo4j_session.read_transaction(
+        read_list_of_dicts_tx,
+        query,
+        okta_org_id=okta_org_id,
+    )
+    return [
+        OktaGroup(group_name=og["group_name"], group_id=og["group_id"]) for og in result
+    ]
 
 
-def get_awssso_role_arn(account_id: str, role_hint: str, neo4j_session: neo4j.Session) -> str | None:
+def get_awssso_role_arn(
+    account_id: str,
+    role_hint: str,
+    neo4j_session: neo4j.Session,
+) -> str | None:
     """
     Attempt to return the AWS role ARN for the given AWS account ID and role hint string.
     This function exists to handle that AWS SSO roles have a 'AWSReservedSSO' prefix and a hashed suffix
@@ -153,13 +193,18 @@ def get_awssso_role_arn(account_id: str, role_hint: str, neo4j_session: neo4j.Se
     WHERE SPLIT(role.name, '_')[1..-1][0] = $role_hint
     RETURN role.arn AS role_arn
     """
-    return neo4j_session.read_transaction(read_single_value_tx, query, account_id=account_id, role_hint=role_hint)
+    return neo4j_session.read_transaction(
+        read_single_value_tx,
+        query,
+        account_id=account_id,
+        role_hint=role_hint,
+    )
 
 
 def query_for_okta_to_awssso_role_mapping(
-        neo4j_session: neo4j.Session,
-        awssso_okta_groups: list[OktaGroup],
-        mapping_regex: str,
+    neo4j_session: neo4j.Session,
+    awssso_okta_groups: list[OktaGroup],
+    mapping_regex: str,
 ) -> list[GroupRole]:
     """
     Input:
@@ -176,13 +221,21 @@ def query_for_okta_to_awssso_role_mapping(
             logger.info(f"Okta group {group.group_name} has no associated AWS SSO role")
             continue
 
-        role_arn = get_awssso_role_arn(account_role.account_id, account_role.role_name, neo4j_session)
+        role_arn = get_awssso_role_arn(
+            account_role.account_id,
+            account_role.role_name,
+            neo4j_session,
+        )
         if role_arn:
             result.append(GroupRole(group.group_id, role_arn))
     return result
 
 
-def _load_awssso_tx(tx: neo4j.Transaction, group_to_role: list[GroupRole], okta_update_tag: int) -> None:
+def _load_awssso_tx(
+    tx: neo4j.Transaction,
+    group_to_role: list[GroupRole],
+    okta_update_tag: int,
+) -> None:
     ingest_statement = """
     UNWIND $GROUP_TO_ROLE as app_data
         MATCH (role:AWSRole{arn: app_data.aws_role_arn})
@@ -195,23 +248,23 @@ def _load_awssso_tx(tx: neo4j.Transaction, group_to_role: list[GroupRole], okta_
         ingest_statement,
         GROUP_TO_ROLE=[g._asdict() for g in group_to_role],
         okta_update_tag=okta_update_tag,
-    )
+    ).consume()
 
 
 def _load_okta_group_to_awssso_roles(
-        neo4j_session: neo4j.Session,
-        group_to_role: list[GroupRole],
-        okta_update_tag: int,
+    neo4j_session: neo4j.Session,
+    group_to_role: list[GroupRole],
+    okta_update_tag: int,
 ) -> None:
     neo4j_session.write_transaction(_load_awssso_tx, group_to_role, okta_update_tag)
 
 
 @timeit
 def sync_okta_aws_saml(
-        neo4j_session: neo4j.Session,
-        mapping_regex: str,
-        okta_update_tag: int,
-        okta_org_id: str,
+    neo4j_session: neo4j.Session,
+    mapping_regex: str,
+    okta_update_tag: int,
+    okta_org_id: str,
 ) -> None:
     """
     Sync okta integration with saml. This will link OktaGroups to the AWSRoles they enable.
@@ -228,10 +281,21 @@ def sync_okta_aws_saml(
     logger.info("Syncing Okta SAML Integration")
 
     # Query for the aws application and its associated groups
-    group_to_role_mapping = query_for_okta_to_aws_role_mapping(neo4j_session, mapping_regex)
+    group_to_role_mapping = query_for_okta_to_aws_role_mapping(
+        neo4j_session,
+        mapping_regex,
+    )
     _load_okta_group_to_aws_roles(neo4j_session, group_to_role_mapping, okta_update_tag)
     _load_human_can_assume_role(neo4j_session, okta_update_tag)
 
     sso_okta_groups = get_awssso_okta_groups(neo4j_session, okta_org_id)
-    group_to_ssorole_mapping = query_for_okta_to_awssso_role_mapping(neo4j_session, sso_okta_groups, mapping_regex)
-    _load_okta_group_to_awssso_roles(neo4j_session, group_to_ssorole_mapping, okta_update_tag)
+    group_to_ssorole_mapping = query_for_okta_to_awssso_role_mapping(
+        neo4j_session,
+        sso_okta_groups,
+        mapping_regex,
+    )
+    _load_okta_group_to_awssso_roles(
+        neo4j_session,
+        group_to_ssorole_mapping,
+        okta_update_tag,
+    )

cartography/intel/okta/factors.py

@@ -8,6 +8,7 @@ from okta import FactorsClient
 from okta.framework.OktaError import OktaError
 from okta.models.factor.Factor import Factor
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.util import timeit
 
@@ -79,12 +80,16 @@ def transform_okta_user_factor(okta_factor_info: Factor) -> Dict:
     factor_props["provider"] = okta_factor_info.provider
     factor_props["status"] = okta_factor_info.status
     if okta_factor_info.created:
-        factor_props["created"] = okta_factor_info.created.strftime("%m/%d/%Y, %H:%M:%S")
+        factor_props["created"] = okta_factor_info.created.strftime(
+            "%m/%d/%Y, %H:%M:%S",
+        )
     else:
         factor_props["created"] = None
 
     if okta_factor_info.lastUpdated:
-        factor_props["okta_last_updated"] = okta_factor_info.lastUpdated.strftime("%m/%d/%Y, %H:%M:%S")
+        factor_props["okta_last_updated"] = okta_factor_info.lastUpdated.strftime(
+            "%m/%d/%Y, %H:%M:%S",
+        )
     else:
         factor_props["okta_last_updated"] = None
 
@@ -93,7 +98,12 @@ def transform_okta_user_factor(okta_factor_info: Factor) -> Dict:
 
 
 @timeit
-def _load_user_factors(neo4j_session: neo4j.Session, user_id: str, factors: List[Dict], okta_update_tag: int) -> None:
+def _load_user_factors(
+    neo4j_session: neo4j.Session,
+    user_id: str,
+    factors: List[Dict],
+    okta_update_tag: int,
+) -> None:
     """
     Add user factors into the graph
     :param neo4j_session: session with the Neo4j server
@@ -121,7 +131,8 @@ def _load_user_factors(neo4j_session: neo4j.Session, user_id: str, factors: List
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         USER_ID=user_id,
         FACTOR_LIST=factors,
@@ -131,7 +142,10 @@ def _load_user_factors(neo4j_session: neo4j.Session, user_id: str, factors: List
 
 @timeit
 def sync_users_factors(
-    neo4j_session: neo4j.Session, okta_org_id: str, okta_update_tag: int, okta_api_key: str,
+    neo4j_session: neo4j.Session,
+    okta_org_id: str,
+    okta_update_tag: int,
+    okta_api_key: str,
     sync_state: OktaSyncState,
 ) -> None:
     """

cartography/intel/okta/groups.py

@@ -11,6 +11,7 @@ from okta.framework.OktaError import OktaError
 from okta.framework.PagedResults import PagedResults
 from okta.models.usergroup import UserGroup
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.intel.okta.utils import create_api_client
@@ -39,9 +40,9 @@ def _get_okta_groups(api_client: ApiClient) -> List[str]:
             paged_response = api_client.get(next_url)
         else:
             params = {
-                'limit': 10000,
+                "limit": 10000,
             }
-            paged_response = api_client.get_path('/', params)
+            paged_response = api_client.get_path("/", params)
 
         paged_results = PagedResults(paged_response, UserGroup)
 
@@ -75,9 +76,9 @@ def get_okta_group_members(api_client: ApiClient, group_id: str) -> List[Dict]:
                 paged_response = api_client.get(next_url)
             else:
                 params = {
-                    'limit': 1000,
+                    "limit": 1000,
                 }
-                paged_response = api_client.get_path(f'/{group_id}/users', params)
+                paged_response = api_client.get_path(f"/{group_id}/users", params)
         except OktaError:
             logger.error(f"OktaError while listing members of group {group_id}")
             raise
@@ -95,7 +96,9 @@ def get_okta_group_members(api_client: ApiClient, group_id: str) -> List[Dict]:
 
 
 @timeit
-def transform_okta_group_list(okta_group_list: List[UserGroup]) -> Tuple[List[Dict], List[str]]:
+def transform_okta_group_list(
+    okta_group_list: List[UserGroup],
+) -> Tuple[List[Dict], List[str]]:
     groups: List[Dict] = []
     groups_id: List[str] = []
 
@@ -128,7 +131,9 @@ def transform_okta_group(okta_group: UserGroup) -> Dict:
         group_props["dn"] = None
 
     if okta_group.profile.windowsDomainQualifiedName:
-        group_props["windows_domain_qualified_name"] = okta_group.profile.windowsDomainQualifiedName
+        group_props["windows_domain_qualified_name"] = (
+            okta_group.profile.windowsDomainQualifiedName
+        )
     else:
         group_props["windows_domain_qualified_name"] = None
 
@@ -146,27 +151,31 @@ def transform_okta_group_member_list(okta_member_list: List[Dict]) -> List[Dict]
     """
     transformed_member_list: List[Dict] = []
     for user in okta_member_list:
-        transformed_member_list.append({
-            'first_name': user['profile']['firstName'],
-            'last_name': user['profile']['lastName'],
-            'login': user['profile']['login'],
-            'email': user['profile']['email'],
-            'second_email': user['profile'].get('secondEmail'),
-            'id': user['id'],
-            'created': user['created'],
-            'activated': user.get('activated'),
-            'status_changed': user.get('status_changed'),
-            'last_login': user.get('last_login'),
-            'okta_last_updated': user.get('okta_last_updated'),
-            'password_changed': user.get('password_changed'),
-            'transition_to_status': user.get('transitioningToStatus'),
-        })
+        transformed_member_list.append(
+            {
+                "first_name": user["profile"]["firstName"],
+                "last_name": user["profile"]["lastName"],
+                "login": user["profile"]["login"],
+                "email": user["profile"]["email"],
+                "second_email": user["profile"].get("secondEmail"),
+                "id": user["id"],
+                "created": user["created"],
+                "activated": user.get("activated"),
+                "status_changed": user.get("status_changed"),
+                "last_login": user.get("last_login"),
+                "okta_last_updated": user.get("okta_last_updated"),
+                "password_changed": user.get("password_changed"),
+                "transition_to_status": user.get("transitioningToStatus"),
+            },
+        )
     return transformed_member_list
 
 
 @timeit
 def _load_okta_groups(
-    neo4j_session: neo4j.Session, okta_org_id: str, group_list: List[Dict],
+    neo4j_session: neo4j.Session,
+    okta_org_id: str,
+    group_list: List[Dict],
     okta_update_tag: int,
 ) -> None:
     """
@@ -196,7 +205,8 @@ def _load_okta_groups(
     SET org_r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest_statement,
         ORG_ID=okta_org_id,
         GROUP_LIST=group_list,
@@ -206,7 +216,9 @@ def _load_okta_groups(
 
 @timeit
 def load_okta_group_members(
-    neo4j_session: neo4j.Session, group_id: str, member_list: List[Dict],
+    neo4j_session: neo4j.Session,
+    group_id: str,
+    member_list: List[Dict],
     okta_update_tag: int,
 ) -> None:
     """
@@ -240,8 +252,9 @@ def load_okta_group_members(
         ON CREATE SET r.firstseen = timestamp()
         SET r.lastupdated = $okta_update_tag
     """
-    logging.info(f'Loading {len(member_list)} members of group {group_id}')
-    neo4j_session.run(
+    logging.info(f"Loading {len(member_list)} members of group {group_id}")
+    run_write_query(
+        neo4j_session,
         ingest,
         GROUP_ID=group_id,
         MEMBER_LIST=member_list,
@@ -251,7 +264,9 @@ def load_okta_group_members(
 
 @timeit
 def sync_okta_group_membership(
-    neo4j_session: neo4j.Session, api_client: ApiClient, group_list_info: List[Dict],
+    neo4j_session: neo4j.Session,
+    api_client: ApiClient,
+    group_list_info: List[Dict],
     okta_update_tag: int,
 ) -> None:
     """
@@ -266,13 +281,23 @@ def sync_okta_group_membership(
     for group_info in group_list_info:
         group_id = group_info["id"]
         members_data: List[Dict] = get_okta_group_members(api_client, group_id)
-        transformed_member_data: List[Dict] = transform_okta_group_member_list(members_data)
-        load_okta_group_members(neo4j_session, group_id, transformed_member_data, okta_update_tag)
+        transformed_member_data: List[Dict] = transform_okta_group_member_list(
+            members_data,
+        )
+        load_okta_group_members(
+            neo4j_session,
+            group_id,
+            transformed_member_data,
+            okta_update_tag,
+        )
 
 
 @timeit
 def sync_okta_groups(
-    neo4_session: neo4j.Session, okta_org_id: str, okta_update_tag: int, okta_api_key: str,
+    neo4_session: neo4j.Session,
+    okta_org_id: str,
+    okta_update_tag: int,
+    okta_api_key: str,
     sync_state: OktaSyncState,
 ) -> None:
     """
@@ -295,4 +320,9 @@ def sync_okta_groups(
 
     _load_okta_groups(neo4_session, okta_org_id, group_list_info, okta_update_tag)
 
-    sync_okta_group_membership(neo4_session, api_client, group_list_info, okta_update_tag)
+    sync_okta_group_membership(
+        neo4_session,
+        api_client,
+        group_list_info,
+        okta_update_tag,
+    )

cartography/intel/okta/organization.py

@@ -3,13 +3,18 @@ import logging
 
 import neo4j
 
+from cartography.client.core.tx import run_write_query
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 
 
 @timeit
-def create_okta_organization(neo4j_session: neo4j.Session, organization: str, okta_update_tag: int) -> None:
+def create_okta_organization(
+    neo4j_session: neo4j.Session,
+    organization: str,
+    okta_update_tag: int,
+) -> None:
     """
     Create Okta organization in the graph
     :param neo4_session: session with the Neo4j server
@@ -23,7 +28,8 @@ def create_okta_organization(neo4j_session: neo4j.Session, organization: str, ok
     SET org.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         ORG_NAME=organization,
         okta_update_tag=okta_update_tag,

cartography/intel/okta/origins.py

@@ -7,6 +7,7 @@ from typing import List
 import neo4j
 from okta.framework.ApiClient import ApiClient
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.utils import create_api_client
 from cartography.util import timeit
 
@@ -61,7 +62,9 @@ def transform_trusted_origins(data: str) -> List[Dict]:
 
 @timeit
 def _load_trusted_origins(
-    neo4j_session: neo4j.Session, okta_org_id: str, trusted_list: List[Dict],
+    neo4j_session: neo4j.Session,
+    okta_org_id: str,
+    trusted_list: List[Dict],
     okta_update_tag: int,
 ) -> None:
     """
@@ -94,7 +97,8 @@ def _load_trusted_origins(
     SET r.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         ORG_ID=okta_org_id,
         TRUSTED_LIST=trusted_list,
@@ -104,7 +108,9 @@ def _load_trusted_origins(
 
 @timeit
 def sync_trusted_origins(
-    neo4j_session: neo4j.Session, okta_org_id: str, okta_update_tag: int,
+    neo4j_session: neo4j.Session,
+    okta_org_id: str,
+    okta_update_tag: int,
     okta_api_key: str,
 ) -> None:
     """

cartography/intel/okta/roles.py

@@ -7,6 +7,7 @@ from typing import List
 import neo4j
 from okta.framework.ApiClient import ApiClient
 
+from cartography.client.core.tx import run_write_query
 from cartography.intel.okta.sync_state import OktaSyncState
 from cartography.intel.okta.utils import check_rate_limit
 from cartography.intel.okta.utils import create_api_client
@@ -26,7 +27,7 @@ def _get_user_roles(api_client: ApiClient, user_id: str, okta_org_id: str) -> st
     """
 
     # https://developer.okta.com/docs/reference/api/roles/#list-roles
-    response = api_client.get_path(f'/{user_id}/roles')
+    response = api_client.get_path(f"/{user_id}/roles")
     check_rate_limit(response)
     return response.text
 
@@ -42,7 +43,7 @@ def _get_group_roles(api_client: ApiClient, group_id: str, okta_org_id: str) ->
     """
 
     # https://developer.okta.com/docs/reference/api/roles/#list-roles-assigned-to-group
-    response = api_client.get_path(f'/{group_id}/roles')
+    response = api_client.get_path(f"/{group_id}/roles")
     check_rate_limit(response)
     return response.text
 
@@ -94,7 +95,12 @@ def transform_group_roles_data(data: str, okta_org_id: str) -> List[Dict]:
 
 
 @timeit
-def _load_user_role(neo4j_session: neo4j.Session, user_id: str, roles_data: List[Dict], okta_update_tag: int) -> None:
+def _load_user_role(
+    neo4j_session: neo4j.Session,
+    user_id: str,
+    roles_data: List[Dict],
+    okta_update_tag: int,
+) -> None:
     ingest = """
     MATCH (user:OktaUser{id: $USER_ID})<-[:RESOURCE]-(org:OktaOrganization)
     WITH user,org
@@ -112,7 +118,8 @@ def _load_user_role(neo4j_session: neo4j.Session, user_id: str, roles_data: List
     SET r2.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         USER_ID=user_id,
         ROLES_DATA=roles_data,
@@ -122,7 +129,9 @@ def _load_user_role(neo4j_session: neo4j.Session, user_id: str, roles_data: List
 
 @timeit
 def _load_group_role(
-    neo4j_session: neo4j.Session, group_id: str, roles_data: List[Dict],
+    neo4j_session: neo4j.Session,
+    group_id: str,
+    roles_data: List[Dict],
     okta_update_tag: int,
 ) -> None:
     ingest = """
@@ -142,7 +151,8 @@ def _load_group_role(
     SET r2.lastupdated = $okta_update_tag
     """
 
-    neo4j_session.run(
+    run_write_query(
+        neo4j_session,
         ingest,
         GROUP_ID=group_id,
         ROLES_DATA=roles_data,
@@ -152,7 +162,10 @@ def _load_group_role(
 
 @timeit
 def sync_roles(
-    neo4j_session: str, okta_org_id: str, okta_update_tag: int, okta_api_key: str,
+    neo4j_session: str,
+    okta_org_id: str,
+    okta_update_tag: int,
+    okta_api_key: str,
     sync_state: OktaSyncState,
 ) -> None:
     """