cartography 0.96.2__py3-none-any.whl → 0.97.1__py3-none-any.whl

cartography/intel/aws/identitycenter.py

@@ -56,6 +56,7 @@ def load_identity_center_instances(
 
 
 @timeit
+@aws_handle_regions
 def get_permission_sets(boto3_session: boto3.session.Session, instance_arn: str, region: str) -> List[Dict]:
     """
     Get all permission sets for a given Identity Center instance
@@ -81,26 +82,6 @@ def get_permission_sets(boto3_session: boto3.session.Session, instance_arn: str,
     return permission_sets
 
 
-@timeit
-def get_permission_set_roles(
-    boto3_session: boto3.session.Session,
-    instance_arn: str,
-    permission_set_arn: str,
-    region: str,
-) -> List[Dict]:
-    """
-    Get all accounts associated with a given permission set
-    """
-    client = boto3_session.client('sso-admin', region_name=region)
-    accounts = []
-
-    paginator = client.get_paginator('list_accounts_for_provisioned_permission_set')
-    for page in paginator.paginate(InstanceArn=instance_arn, PermissionSetArn=permission_set_arn):
-        accounts.extend(page.get('AccountIds', []))
-
-    return accounts
-
-
 @timeit
 def load_permission_sets(
     neo4j_session: neo4j.Session,
@@ -127,6 +108,7 @@ def load_permission_sets(
 
 
 @timeit
+@aws_handle_regions
 def get_sso_users(
     boto3_session: boto3.session.Session,
     identity_store_id: str,
@@ -175,6 +157,7 @@ def load_sso_users(
 
 
 @timeit
+@aws_handle_regions
 def get_role_assignments(
     boto3_session: boto3.session.Session,
     users: List[Dict],
@@ -230,6 +213,7 @@ def load_role_assignments(
         )
 
 
+@timeit
 def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]) -> None:
     GraphJob.from_node_schema(AWSIdentityCenterInstanceSchema(), common_job_parameters).run(neo4j_session)
     GraphJob.from_node_schema(AWSPermissionSetSchema(), common_job_parameters).run(neo4j_session)

cartography/intel/cve/__init__.py

@@ -2,6 +2,9 @@ import logging
 from datetime import datetime
 
 import neo4j
+from requests import Session
+from requests.adapters import HTTPAdapter
+from urllib3 import Retry
 
 from cartography.config import Config
 from cartography.intel.cve import feed
@@ -13,28 +16,34 @@ logger = logging.getLogger(__name__)
 stat_handler = get_stats_client(__name__)
 
 
-@timeit
-def start_cve_ingestion(
-    neo4j_session: neo4j.Session, config: Config,
-) -> None:
-    """
-    Perform ingestion of CVE data from NIST APIs.
-    :param neo4j_session: Neo4J session for database interface
-    :param config: A cartography.config object
-    :return: None
-    """
-    if not config.cve_enabled:
-        return
-    cve_api_key: str | None = config.cve_api_key if config.cve_api_key else None
+def _retryable_session() -> Session:
+    session = Session()
+    retry_policy = Retry(
+        total=8,
+        connect=1,
+        backoff_factor=1,
+        status_forcelist=[429, 500, 502, 503, 504],
+        allowed_methods=["GET"],
+    )
+    session.mount("https://", HTTPAdapter(max_retries=retry_policy))
+    logger.info(f"Configured session with retry policy: {retry_policy}")
+    return session
 
-    # sync CVE year archives, if not yet synced
+
+def _sync_year_archives(
+    http_session: Session,
+    neo4j_session: neo4j.Session,
+    config: Config,
+    cve_api_key: str | None,
+) -> None:
     existing_years = feed.get_cve_sync_metadata(neo4j_session)
     current_year = datetime.now().year
-    for year in range(2002, current_year + 1):
+    logger.info(f"Syncing CVE data for year archives. Existing years: {existing_years}. Current year: {current_year}")
+    for year in range(1999, current_year + 1):
         if year in existing_years:
             continue
         logger.info(f"Syncing CVE data for year {year}")
-        cves = feed.get_published_cves_per_year(config.nist_cve_url, str(year), cve_api_key)
+        cves = feed.get_published_cves_per_year(http_session, config.nist_cve_url, str(year), cve_api_key)
         feed_metadata = feed.transform_cve_feed(cves)
         feed.load_cve_feed(neo4j_session, [feed_metadata], config.update_tag)
         published_cves = feed.transform_cves(cves)
@@ -48,10 +57,16 @@ def start_cve_ingestion(
             stat_handler=stat_handler,
         )
 
-    # sync modified data
+
+def _sync_modified_data(
+    http_session: Session,
+    neo4j_session: neo4j.Session,
+    config: Config,
+    cve_api_key: str | None,
+) -> None:
     logger.info("Syncing CVE data for modified data")
     last_modified_date = feed.get_last_modified_cve_date(neo4j_session)
-    cves = feed.get_modified_cves(config.nist_cve_url, last_modified_date, cve_api_key)
+    cves = feed.get_modified_cves(http_session, config.nist_cve_url, last_modified_date, cve_api_key)
     feed_metadata = feed.transform_cve_feed(cves)
     feed.load_cve_feed(neo4j_session, [feed_metadata], config.update_tag)
     modified_cves = feed.transform_cves(cves)
@@ -65,4 +80,21 @@ def start_cve_ingestion(
         stat_handler=stat_handler,
     )
 
-    # CVEs are never deleted, so we don't need to run a cleanup job
+
+@timeit
+def start_cve_ingestion(
+    neo4j_session: neo4j.Session, config: Config,
+) -> None:
+    """
+    Perform ingestion of CVE data from NIST APIs.
+    :param neo4j_session: Neo4J session for database interface
+    :param config: A cartography.config object
+    :return: None
+    """
+    if not config.cve_enabled:
+        return
+    cve_api_key: str | None = config.cve_api_key if config.cve_api_key else None
+    with _retryable_session() as http_session:
+        _sync_year_archives(http_session, neo4j_session=neo4j_session, config=config, cve_api_key=cve_api_key)
+        _sync_modified_data(http_session, neo4j_session=neo4j_session, config=config, cve_api_key=cve_api_key)
+        # CVEs are never deleted, so we don't need to run a cleanup job

cartography/intel/cve/feed.py

@@ -11,7 +11,7 @@ from typing import List
 from typing import Optional
 
 import neo4j
-import requests
+from requests import Session
 
 from cartography.client.core.tx import load
 from cartography.client.core.tx import read_list_of_values_tx
@@ -22,7 +22,6 @@ from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 
-MAX_RETRIES = 8
 # Connect and read timeouts of 120 seconds each; see https://requests.readthedocs.io/en/master/user/advanced/#timeouts
 CONNECT_AND_READ_TIMEOUT = (30, 120)
 CVE_FEED_ID = "NIST_NVD"
@@ -68,53 +67,36 @@ def _map_cve_dict(cve_dict: Dict[Any, Any], data: Dict[Any, Any]) -> None:
     cve_dict["startIndex"] = data["startIndex"]
 
 
-def _call_cves_api(url: str, api_key: str | None, params: Dict[str, Any]) -> Dict[Any, Any]:
-    totalResults = 0
-    sleep_time = DEFAULT_SLEEP_TIME
-    retries = 0
+def _call_cves_api(http_session: Session, url: str, api_key: str | None, params: Dict[str, Any]) -> Dict[Any, Any]:
+    total_results = 0
     params["startIndex"] = 0
     params["resultsPerPage"] = RESULTS_PER_PAGE
-    headers = {}
-    headers["Content-Type"] = "application/json"
+    headers = {"Content-Type": "application/json"}
     if api_key:
+        sleep_between_requests = DEFAULT_SLEEP_TIME
         headers["apiKey"] = api_key
     else:
-        sleep_time = DELAYED_SLEEP_TIME  # Sleep for 6 seconds between each request to avoid rate limiting
+        sleep_between_requests = DELAYED_SLEEP_TIME
         logger.warning(
-            f"No NIST NVD API key provided. Increasing sleep time to {sleep_time}.",
+            f"No NIST NVD API key provided. Increasing sleep time to {sleep_between_requests}.",
         )
     results: Dict[Any, Any] = dict()
 
-    with requests.Session() as session:
-        while params["resultsPerPage"] > 0 or params["startIndex"] < totalResults:
-            logger.info(f"Calling NIST NVD API at {url} with params {params}")
-            try:
-                res = session.get(
-                    url, params=params, headers=headers, timeout=CONNECT_AND_READ_TIMEOUT,
-                )
-                res.raise_for_status()
-                data = res.json()
-            except requests.exceptions.HTTPError:
-                logger.error(
-                    f"Failed to get CVE data from NIST NVD API {res.status_code} : {res.text}",
-                )
-                retries += 1
-                if retries >= MAX_RETRIES:
-                    raise
-                # Exponential backoff
-                sleep_time *= 2
-                time.sleep(sleep_time)
-                continue
-            _map_cve_dict(results, data)
-            totalResults = data["totalResults"]
-            params["resultsPerPage"] = data["resultsPerPage"]
-            params["startIndex"] += data["resultsPerPage"]
-            retries = 0
-            time.sleep(sleep_time)
+    while params["resultsPerPage"] > 0 or params["startIndex"] < total_results:
+        logger.info(f"Calling NIST NVD API at {url} with params {params}")
+        res = http_session.get(url, params=params, headers=headers, timeout=CONNECT_AND_READ_TIMEOUT)
+        res.raise_for_status()
+        data = res.json()
+        _map_cve_dict(results, data)
+        total_results = data["totalResults"]
+        params["resultsPerPage"] = data["resultsPerPage"]
+        params["startIndex"] += data["resultsPerPage"]
+        time.sleep(sleep_between_requests)
     return results
 
 
 def get_cves_in_batches(
+    http_session: Session,
     nist_cve_url: str,
     start_date: datetime,
     end_date: datetime,
@@ -147,7 +129,7 @@ def get_cves_in_batches(
         logger.info(
             f"Querying CVE data between {current_start_date} and {current_end_date}",
         )
-        batch_cves = _call_cves_api(nist_cve_url, api_key, params)
+        batch_cves = _call_cves_api(http_session, nist_cve_url, api_key, params)
         _map_cve_dict(cves, batch_cves)
         current_start_date = current_end_date
         new_end_date = current_start_date + batch_size
@@ -158,9 +140,8 @@ def get_cves_in_batches(
 
 
 def get_modified_cves(
-    nist_cve_url: str, last_modified_date: str, api_key: str | None,
+    http_session: Session, nist_cve_url: str, last_modified_date: str, api_key: str | None,
 ) -> Dict[Any, Any]:
-    cves = dict()
     end_date = datetime.now(tz=timezone.utc)
     start_date = datetime.strptime(last_modified_date, "%Y-%m-%dT%H:%M:%S").replace(
         tzinfo=timezone.utc,
@@ -170,15 +151,14 @@ def get_modified_cves(
         "end": "lastModEndDate",
     }
     cves = get_cves_in_batches(
-        nist_cve_url, start_date, end_date, date_param_names, api_key,
+        http_session, nist_cve_url, start_date, end_date, date_param_names, api_key,
     )
     return cves
 
 
 def get_published_cves_per_year(
-    nist_cve_url: str, year: str, api_key: str | None,
+    http_session: Session, nist_cve_url: str, year: str, api_key: str | None,
 ) -> Dict[Any, Any]:
-    cves = {}
     start_of_year = datetime.strptime(f"{year}-01-01", "%Y-%m-%d")
     next_year = int(year) + 1
     end_of_next_year = datetime.strptime(f"{next_year}-01-01", "%Y-%m-%d")
@@ -187,7 +167,7 @@ def get_published_cves_per_year(
         "end": "pubEndDate",
     }
     cves = get_cves_in_batches(
-        nist_cve_url, start_of_year, end_of_next_year, date_param_names, api_key,
+        http_session, nist_cve_url, start_of_year, end_of_next_year, date_param_names, api_key,
     )
     return cves
 

cartography/intel/github/teams.py

@@ -21,6 +21,9 @@ logger = logging.getLogger(__name__)
 RepoPermission = namedtuple('RepoPermission', ['repo_url', 'permission'])
 # A team member's role: https://docs.github.com/en/graphql/reference/enums#teammemberrole
 UserRole = namedtuple('UserRole', ['user_url', 'role'])
+# Unlike the other tuples here, there is no qualification (like 'role' or 'permission') to the relationship.
+# A child team is just a child team: https://docs.github.com/en/graphql/reference/objects#teamconnection
+ChildTeam = namedtuple('ChildTeam', ['team_url'])
 
 
 def backoff_handler(details: Dict) -> None:
@@ -53,6 +56,9 @@ def get_teams(org: str, api_url: str, token: str) -> Tuple[PaginatedGraphqlData,
                         members(membership: IMMEDIATE) {
                             totalCount
                         }
+                        childTeams {
+                            totalCount
+                        }
                     }
                     pageInfo{
                         endCursor
@@ -166,6 +172,21 @@ def _get_team_repos(org: str, api_url: str, token: str, team: str) -> PaginatedG
     return team_repos
 
 
+def _get_teams_users_inner_func(
+        org: str, api_url: str, token: str, team_name: str,
+        user_urls: List[str], user_roles: List[str],
+) -> None:
+    logger.info(f"Loading team users for {team_name}.")
+    team_users = _get_team_users(org, api_url, token, team_name)
+    # The `or []` is because `.nodes` can be None. See:
+    # https://docs.github.com/en/graphql/reference/objects#teammemberconnection
+    for user in team_users.nodes or []:
+        user_urls.append(user['url'])
+    # The `or []` is because `.edges` can be None.
+    for edge in team_users.edges or []:
+        user_roles.append(edge['role'])
+
+
 def _get_team_users_for_multiple_teams(
         team_raw_data: list[dict[str, Any]],
         org: str,
@@ -185,21 +206,7 @@ def _get_team_users_for_multiple_teams(
         user_urls: List[str] = []
         user_roles: List[str] = []
 
-        def get_teams_users_inner_func(
-            org: str, api_url: str, token: str, team_name: str,
-            user_urls: List[str], user_roles: List[str],
-        ) -> None:
-            logger.info(f"Loading team users for {team_name}.")
-            team_users = _get_team_users(org, api_url, token, team_name)
-            # The `or []` is because `.nodes` can be None. See:
-            # https://docs.github.com/en/graphql/reference/objects#teammemberconnection
-            for user in team_users.nodes or []:
-                user_urls.append(user['url'])
-            # The `or []` is because `.edges` can be None.
-            for edge in team_users.edges or []:
-                user_roles.append(edge['role'])
-
-        retries_with_backoff(get_teams_users_inner_func, TypeError, 5, backoff_handler)(
+        retries_with_backoff(_get_teams_users_inner_func, TypeError, 5, backoff_handler)(
             org=org, api_url=api_url, token=token, team_name=team_name, user_urls=user_urls, user_roles=user_roles,
         )
 
@@ -252,11 +259,90 @@ def _get_team_users(org: str, api_url: str, token: str, team: str) -> PaginatedG
     return team_users
 
 
+def _get_child_teams_inner_func(
+        org: str, api_url: str, token: str, team_name: str, team_urls: List[str],
+) -> None:
+    logger.info(f"Loading child teams for {team_name}.")
+    child_teams = _get_child_teams(org, api_url, token, team_name)
+    # The `or []` is because `.nodes` can be None. See:
+    # https://docs.github.com/en/graphql/reference/objects#teammemberconnection
+    for cteam in child_teams.nodes or []:
+        team_urls.append(cteam['url'])
+    # No edges to process here, the GitHub response for child teams has no relevant info in edges.
+
+
+def _get_child_teams_for_multiple_teams(
+        team_raw_data: list[dict[str, Any]],
+        org: str,
+        api_url: str,
+        token: str,
+) -> dict[str, list[ChildTeam]]:
+    result: dict[str, list[ChildTeam]] = {}
+    for team in team_raw_data:
+        team_name = team['slug']
+        team_count = team['childTeams']['totalCount']
+
+        if team_count == 0:
+            # This team has no child teams so let's move on
+            result[team_name] = []
+            continue
+
+        team_urls: List[str] = []
+
+        retries_with_backoff(_get_child_teams_inner_func, TypeError, 5, backoff_handler)(
+            org=org, api_url=api_url, token=token, team_name=team_name, team_urls=team_urls,
+        )
+
+        result[team_name] = [ChildTeam(url) for url in team_urls]
+    return result
+
+
+def _get_child_teams(org: str, api_url: str, token: str, team: str) -> PaginatedGraphqlData:
+    team_users_gql = """
+    query($login: String!, $team: String!, $cursor: String) {
+        organization(login: $login) {
+            url
+            login
+            team(slug: $team) {
+                slug
+                childTeams(first: 100, after: $cursor) {
+                    totalCount
+                    nodes {
+                        url
+                    }
+                    pageInfo {
+                        endCursor
+                        hasNextPage
+                    }
+                }
+            }
+        }
+        rateLimit {
+            limit
+            cost
+            remaining
+            resetAt
+        }
+    }
+    """
+    team_users, _ = fetch_all(
+        token,
+        api_url,
+        org,
+        team_users_gql,
+        'team',
+        resource_inner_type='childTeams',
+        team=team,
+    )
+    return team_users
+
+
 def transform_teams(
         team_paginated_data: PaginatedGraphqlData,
         org_data: Dict[str, Any],
         team_repo_data: dict[str, list[RepoPermission]],
         team_user_data: dict[str, list[UserRole]],
+        team_child_team_data: dict[str, list[ChildTeam]],
 ) -> list[dict[str, Any]]:
     result = []
     for team in team_paginated_data.nodes:
@@ -267,13 +353,15 @@ def transform_teams(
             'description': team['description'],
             'repo_count': team['repositories']['totalCount'],
             'member_count': team['members']['totalCount'],
+            'child_team_count': team['childTeams']['totalCount'],
             'org_url': org_data['url'],
             'org_login': org_data['login'],
         }
         repo_permissions = team_repo_data[team_name]
         user_roles = team_user_data[team_name]
+        child_teams = team_child_team_data[team_name]
 
-        if not repo_permissions and not user_roles:
+        if not repo_permissions and not user_roles and not child_teams:
             result.append(repo_info)
             continue
 
@@ -289,6 +377,15 @@ def transform_teams(
                 repo_info_copy = repo_info.copy()
                 repo_info_copy[role] = user_url
                 result.append(repo_info_copy)
+        if child_teams:
+            for (team_url,) in child_teams:
+                repo_info_copy = repo_info.copy()
+                # GitHub speaks of team-team relationships as 'child teams', as in the graphql query
+                # or here: https://docs.github.com/en/graphql/reference/enums#teammembershiptype
+                # We label the relationship as 'MEMBER_OF_TEAM' here because it is in line with
+                # other similar relationships in Cartography.
+                repo_info_copy['MEMBER_OF_TEAM'] = team_url
+                result.append(repo_info_copy)
     return result
 
 
@@ -325,7 +422,8 @@ def sync_github_teams(
     teams_paginated, org_data = get_teams(organization, github_url, github_api_key)
     team_repos = _get_team_repos_for_multiple_teams(teams_paginated.nodes, organization, github_url, github_api_key)
     team_users = _get_team_users_for_multiple_teams(teams_paginated.nodes, organization, github_url, github_api_key)
-    processed_data = transform_teams(teams_paginated, org_data, team_repos, team_users)
+    team_children = _get_child_teams_for_multiple_teams(teams_paginated.nodes, organization, github_url, github_api_key)
+    processed_data = transform_teams(teams_paginated, org_data, team_repos, team_users, team_children)
     load_team_repos(neo4j_session, processed_data, common_job_parameters['UPDATE_TAG'], org_data['url'])
     common_job_parameters['org_url'] = org_data['url']
     cleanup(neo4j_session, common_job_parameters)

cartography/intel/github/users.py

@@ -144,10 +144,13 @@ def transform_users(user_data: List[Dict], owners_data: List[Dict], org_data: Di
 
     users_dict = {}
     for user in user_data:
+        # all members get the 'MEMBER_OF' relationship
         processed_user = deepcopy(user['node'])
-        processed_user['role'] = user['role']
         processed_user['hasTwoFactorEnabled'] = user['hasTwoFactorEnabled']
         processed_user['MEMBER_OF'] = org_data['url']
+        # admins get a second relationship expressing them as such
+        if user['role'] == 'ADMIN':
+            processed_user['ADMIN_OF'] = org_data['url']
         users_dict[processed_user['url']] = processed_user
 
     owners_dict = {}

cartography/models/github/orgs.py

@@ -1,7 +1,7 @@
 """
 This schema does not handle the org's relationships.  Those are handled by other schemas, for example:
 * GitHubTeamSchema defines (GitHubOrganization)-[RESOURCE]->(GitHubTeam)
-* GitHubUserSchema defines (GitHubUser)-[MEMBER_OF|UNAFFILIATED]->(GitHubOrganization)
+* GitHubUserSchema defines (GitHubUser)-[MEMBER_OF|ADMIN_OF|UNAFFILIATED]->(GitHubOrganization)
 (There may be others, these are just two examples.)
 """
 from dataclasses import dataclass

cartography/models/github/teams.py

@@ -123,6 +123,22 @@ class GitHubTeamToOrganizationRel(CartographyRelSchema):
     properties: GitHubTeamToOrganizationRelProperties = GitHubTeamToOrganizationRelProperties()
 
 
+@dataclass(frozen=True)
+class GitHubTeamToChildTeamRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class GitHubTeamChildTeamRel(CartographyRelSchema):
+    target_node_label: str = 'GitHubTeam'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('MEMBER_OF_TEAM')},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "MEMBER_OF_TEAM"
+    properties: GitHubTeamToChildTeamRelProperties = GitHubTeamToChildTeamRelProperties()
+
+
 @dataclass(frozen=True)
 class GitHubTeamSchema(CartographyNodeSchema):
     label: str = 'GitHubTeam'
@@ -136,6 +152,7 @@ class GitHubTeamSchema(CartographyNodeSchema):
             GitHubTeamWriteRepoRel(),
             GitHubTeamMaintainerUserRel(),
             GitHubTeamMemberUserRel(),
+            GitHubTeamChildTeamRel(),
         ],
     )
     sub_resource_relationship: GitHubTeamToOrganizationRel = GitHubTeamToOrganizationRel()

cartography/models/github/users.py

@@ -20,13 +20,12 @@ To allow for this in the schema, this relationship is treated as any other node-
 RE: GitHubOrganizationUserSchema vs GitHubUnaffiliatedUserSchema
 
 As noted above, there are implicitly two types of users, those that are part of, or affiliated, to a target
-GitHubOrganization, and those thare are not part, or unaffiliated.   Both are represented as GitHubUser nodes,
-but there are two schemas below to allow for some differences between them, e.g., unaffiliated lack these properties:
-  * the 'role' property, because unaffiliated have no 'role' in the target org
+GitHubOrganization, and those that are not part, or unaffiliated.   Both are represented as GitHubUser nodes,
+but there are two schemas below to allow for a difference between them: unaffiliated nodes lack this property:
   * the 'has_2fa_enabled' property, because the GitHub api does not return it, for these users
 The main importance of having two schemas is to allow the two sets of users to be loaded separately.  If we are loading
 an unaffiliated user, but the user already exists in the graph (perhaps they are members of another GitHub orgs for
-example), then loading the unaffiliated user will not blank out the 'role' and 'has_2fa_enabled' properties.
+example), then loading the unaffiliated user will not blank out the 'has_2fa_enabled' property.
 """
 from dataclasses import dataclass
 
@@ -58,8 +57,6 @@ class BaseGitHubUserNodeProperties(CartographyNodeProperties):
 class GitHubOrganizationUserNodeProperties(BaseGitHubUserNodeProperties):
     # specified for affiliated users only. The GitHub api does not return this property for unaffiliated users.
     has_2fa_enabled: PropertyRef = PropertyRef('hasTwoFactorEnabled')
-    # specified for affiliated uers only.  Unaffiliated users do not have a 'role' in the target organization.
-    role: PropertyRef = PropertyRef('role')
 
 
 @dataclass(frozen=True)
@@ -84,6 +81,17 @@ class GitHubUserMemberOfOrganizationRel(CartographyRelSchema):
     properties: GitHubUserToOrganizationRelProperties = GitHubUserToOrganizationRelProperties()
 
 
+@dataclass(frozen=True)
+class GitHubUserAdminOfOrganizationRel(CartographyRelSchema):
+    target_node_label: str = 'GitHubOrganization'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('ADMIN_OF')},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ADMIN_OF"
+    properties: GitHubUserToOrganizationRelProperties = GitHubUserToOrganizationRelProperties()
+
+
 @dataclass(frozen=True)
 class GitHubUserUnaffiliatedOrganizationRel(CartographyRelSchema):
     target_node_label: str = 'GitHubOrganization'
@@ -102,6 +110,7 @@ class GitHubOrganizationUserSchema(CartographyNodeSchema):
     other_relationships: OtherRelationships = OtherRelationships(
         [
             GitHubUserMemberOfOrganizationRel(),
+            GitHubUserAdminOfOrganizationRel(),
         ],
     )
     sub_resource_relationship = None

{cartography-0.96.2.dist-info → cartography-0.97.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cartography
-Version: 0.96.2
+Version: 0.97.1
 Summary: Explore assets and their relationships across your technical infrastructure.
 Home-page: https://www.github.com/cartography-cncf/cartography
 Maintainer: Cartography Contributors

{cartography-0.96.2.dist-info → cartography-0.97.1.dist-info}/RECORD

@@ -153,7 +153,7 @@ cartography/intel/aws/elasticache.py,sha256=fCI47aDFmIDyE26GiReKYb6XIZUwrzcvsXBQ
 cartography/intel/aws/elasticsearch.py,sha256=ZL7MkXF_bXRSoXuDSI1dwGckRLG2zDB8LuAD07vSLnE,8374
 cartography/intel/aws/emr.py,sha256=xhWBVZngxJRFjMEDxwq3G6SgytRGLq0v2a_CeDvByR0,3372
 cartography/intel/aws/iam.py,sha256=zRlF9cKcYm44iL63G6bd-_flNOFHVrjsEfW0jZHpUNg,32387
-cartography/intel/aws/identitycenter.py,sha256=zIWe_JpXPC-kkWu26aFjYtGsClNG_GaQ3bdCeiRkApc,9475
+cartography/intel/aws/identitycenter.py,sha256=OnyvsSfn6AszB2e9dPAsGmzgne0zq0_7Ta0A6k_l_TE,8956
 cartography/intel/aws/inspector.py,sha256=S22ZgRKEnmnBTJ-u0rodqRPB7_LkSIek47NeBxN4XJw,9336
 cartography/intel/aws/kms.py,sha256=bZUzMxAH_DsAcGTJBs08gg2tLKYu-QWjvMvV9C-6v50,11731
 cartography/intel/aws/lambda_function.py,sha256=KKTyn53xpaMI9WvIqxmsOASFwflHt-2_5ow-zUFc2wg,9890
@@ -208,8 +208,8 @@ cartography/intel/crowdstrike/__init__.py,sha256=dAtgI-0vZAQZ3cTFQhMEzzt7aqiNSNu
 cartography/intel/crowdstrike/endpoints.py,sha256=tdqokMDW3p4fK3dHKKb2T1DTogvOJBCpwyrxdQlbUhw,3815
 cartography/intel/crowdstrike/spotlight.py,sha256=yNhj44-RYF6ubck-hHMKhKiNU0fCfhQf4Oagopc31EM,4754
 cartography/intel/crowdstrike/util.py,sha256=gfJ6Ptr6YdbBS9Qj9a_-Jc-IJroADDRcXqjh5TW0qXE,277
-cartography/intel/cve/__init__.py,sha256=3PLAhQ36g-aq40IHvba789WANsA-TY9B-Oe9mpQweQ8,2516
-cartography/intel/cve/feed.py,sha256=1q9ZxbA4Hp2V84h7kadTImyCk7w0dmV7ROsZQ-kxKwE,10365
+cartography/intel/cve/__init__.py,sha256=u9mv5O_qkSLmdhLhLm1qbwmhoeLQ3A3fQTjNyLQpEyI,3656
+cartography/intel/cve/feed.py,sha256=HJL94jyVcRzIbpe4ooEXr6lnKfrmpukKOEDTs9djrfk,9832
 cartography/intel/digitalocean/__init__.py,sha256=SMYB7LGIQOj_EgGSGVjWZk7SJNbP43hQuOfgOu6xYm4,1526
 cartography/intel/digitalocean/compute.py,sha256=9XctwMjq9h5dExFgExvawoqyiEwSoocNgaMm3Fgl5GM,4911
 cartography/intel/digitalocean/management.py,sha256=YWRnBLLL_bAP1vefIAQgm_-QzefGH0sZKmyU_EokHfA,3764
@@ -230,8 +230,8 @@ cartography/intel/gcp/gke.py,sha256=qaTwsVaxkwNhW5_Mw4bedOk7fgJK8y0LwwcYlUABXDg,
 cartography/intel/gcp/storage.py,sha256=oO_ayEhkXlj2Gn7T5MU41ZXiqwRwe6Ud4wzqyRTsyf4,9075
 cartography/intel/github/__init__.py,sha256=y876JJGTDJZEOFCDiNCJfcLNxN24pVj4s2N0YmuuoaE,1914
 cartography/intel/github/repos.py,sha256=MmpxZASDJFQxDeSMxX3pZcpxCHFPos4_uYC_cX9KjOg,29865
-cartography/intel/github/teams.py,sha256=uQTiOfUBCk4qk0uw7jEPevAq-b2fvynRJ3t-62RZW2c,10659
-cartography/intel/github/users.py,sha256=kkxk0TqPp8HKQAd3RvJs-N_ySFIxHqLsvkvJf0WoGyc,8565
+cartography/intel/github/teams.py,sha256=AltQSmBHHmyzBtnRkez9Bo5yChEKBSt3wwzhGcfqmX4,14180
+cartography/intel/github/users.py,sha256=f_YIDwdNECRg7wRwY8qZ5mztm7m3SIgOz8BbfveRzy8,8734
 cartography/intel/github/util.py,sha256=K0cXOPuhnGvN-aqcSUBO3vTuKQLjufVal9kn2HwOpbo,8110
 cartography/intel/gsuite/__init__.py,sha256=AGIUskGlLCVGHbnQicNpNWi9AvmV7_7hUKTt-hsB2J8,4306
 cartography/intel/gsuite/api.py,sha256=J0dkNdfBVMrEv8vvStQu7YKVxXSyV45WueFhUS4aOG4,10310
@@ -335,9 +335,9 @@ cartography/models/duo/token.py,sha256=BS_AvF-TAGzCY9Owtqxr8g_s6716dnzFOO1Iwkckm
 cartography/models/duo/user.py,sha256=ih3DH_QveAve4cX9dmIwC5gVN6_RNnuLK3bfJ5I9u6g,6554
 cartography/models/duo/web_authn_credential.py,sha256=OcZnfG5zCMlphxSltRcAXQ12hHYJjxrBt6A9L28g7Vk,2920
 cartography/models/github/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cartography/models/github/orgs.py,sha256=f5kJ-51MDGW5k4sWMeTfyBDxcHdhFJZGkRUvGcjllBU,1097
-cartography/models/github/teams.py,sha256=mykeo89acrzyrPzVVC0fzO1piTuysR2CB48LwwrQc0g,5435
-cartography/models/github/users.py,sha256=XliVsBKWF7wW7Dwjwdoz9E2gk1cASyfQgAddKYr23VY,5739
+cartography/models/github/orgs.py,sha256=EcUmkeyoCJmkmzLsfKdUwwTE0N2IIwyaUrIK32dQybo,1106
+cartography/models/github/teams.py,sha256=qFyFAKKsiiHqFZkMM7Fd9My16dgXgylcFy3BbXHhzng,6069
+cartography/models/github/users.py,sha256=N0OWcIAEzaLCx8WIc8XivwFnr2oBOvHHCKmQ0XOVVrc,5969
 cartography/models/kandji/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/kandji/device.py,sha256=C3zPhLi1oPNysbSUr4H2u8b-Xy14sb3FE7YcjCwlntw,2214
 cartography/models/kandji/tenant.py,sha256=KhcbahNBemny3coQPiadIY8B-yDMg_ejYB2BR6vqBfw,674
@@ -353,9 +353,9 @@ cartography/models/snipeit/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 cartography/models/snipeit/asset.py,sha256=FyRAaeXuZjMy0eUQcSDFcgEAF5lbLMlvqp1Tv9d3Lv4,3238
 cartography/models/snipeit/tenant.py,sha256=p4rFnpNNuF1W5ilGBbexDaETWTwavfb38RcQGoImkQI,679
 cartography/models/snipeit/user.py,sha256=MsB4MiCVNTH6JpESime7cOkB89autZOXQpL6Z0l7L6o,2113
-cartography-0.96.2.dist-info/LICENSE,sha256=kvLEBRYaQ1RvUni6y7Ti9uHeooqnjPoo6n_-0JO1ETc,11351
-cartography-0.96.2.dist-info/METADATA,sha256=JPfNQ2Z_bulMqksx5unRej-WGueUKhi1Q9wFWqaOHk8,1938
-cartography-0.96.2.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
-cartography-0.96.2.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
-cartography-0.96.2.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
-cartography-0.96.2.dist-info/RECORD,,
+cartography-0.97.1.dist-info/LICENSE,sha256=kvLEBRYaQ1RvUni6y7Ti9uHeooqnjPoo6n_-0JO1ETc,11351
+cartography-0.97.1.dist-info/METADATA,sha256=WgfJ4bSbPI5yTN-x4-yyBghI6wQaaDAJ9waRYchm4ms,1938
+cartography-0.97.1.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
+cartography-0.97.1.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
+cartography-0.97.1.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
+cartography-0.97.1.dist-info/RECORD,,