Change from linking to Okta user to linking to any UserAccount object

cartography-cncf · Nov 10, 2024 · 7c7a0fa · 7c7a0fa
1 parent d5ee38f
commit 7c7a0fa
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 9 deletions.
diff --git a/cartography/data/indexes.cypher b/cartography/data/indexes.cypher
@@ -305,8 +305,7 @@ CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.host_info_local_
 CREATE INDEX IF NOT EXISTS FOR (n:SpotlightVulnerability) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:SQSQueue) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:User) ON (n.arn);
-CREATE INDEX IF NOT EXISTS FOR (n:User) ON (n.lastupdated);
+CREATE INDEX IF NOT EXISTS FOR (n:UserAccount) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:AzureTenant) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:AzurePrincipal) ON (n.email);

diff --git a/cartography/intel/okta/users.py b/cartography/intel/okta/users.py
@@ -150,7 +150,8 @@ def _load_okta_users(
     new_user.okta_last_updated = user_data.okta_last_updated,
     new_user.password_changed = user_data.password_changed,
     new_user.transition_to_status = user_data.transition_to_status,
-    new_user.lastupdated = $okta_update_tag
+    new_user.lastupdated = $okta_update_tag,
+    new_user :UserAccount
     WITH new_user, org
     MERGE (org)-[org_r:RESOURCE]->(new_user)
     ON CREATE SET org_r.firstseen = timestamp()

diff --git a/cartography/models/aws/identitycenter/ssouser.py b/cartography/models/aws/identitycenter/ssouser.py
@@ -1,8 +1,7 @@
 from dataclasses import dataclass
 
 from cartography.models.core.common import PropertyRef
-from cartography.models.core.nodes import CartographyNodeProperties
-from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import CartographyNodeProperties, CartographyNodeSchema, ExtraNodeLabels
 from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
@@ -28,7 +27,7 @@ class SSOUserToOktaUserRelProperties(CartographyRelProperties):
 
 @dataclass(frozen=True)
 class SSOUserToOktaUser(CartographyRelSchema):
-    target_node_label: str = 'OktaUser'
+    target_node_label: str = 'UserAccount'
     target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
         {'id': PropertyRef('ExternalId')},
     )
@@ -41,7 +40,7 @@ class SSOUserToOktaUser(CartographyRelSchema):
 class SSOUserSchema(CartographyNodeSchema):
     label: str = 'AWSSSOUser'
     properties: SSOUserProperties = SSOUserProperties()
-    # role_relationship: SSOUserToRole = SSOUserToRole()
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(["UserAccount"])
     other_relationships: OtherRelationships = OtherRelationships(
         [
             SSOUserToOktaUser(),

diff --git a/docs/root/modules/aws/schema.md b/docs/root/modules/aws/schema.md
@@ -3350,10 +3350,10 @@ Representation of an AWS SSO User.
     ```
     (AWSSSOUser)<-[ALLOWED_BY]-(AWSRole)
     ```
-- OktaUser can be assumed by AWSSSOUser.
+- UserAccount can be assumed by AWSSSOUser.
 
     ```
-    (OktaUser)<-[CAN_ASSUME_IDENTITY]-(AWSSSOUser)
+    (UserAccount)-[CAN_ASSUME_IDENTITY]->(AWSSSOUser)
     ```
 
 ### AWSPermissionSet