Opal Intel module

[SecPrez]

Intel module to map in Opal Resource, what those resources grant access, and map who can automatically and manually approve themselves to those resources.

Summary

Describe your changes.

Related issues or links

Include links to relevant issues or other pages.

• https://github.com/lyft/cartography/issues/...

Checklist

Provide proof that this works (this makes reviews move faster). Please perform one or more of the following:

• [ x] Update/add unit or integration tests.
• Include a screenshot showing what the graph looked like before and after your changes.
• Include console log trace showing what happened before and after your changes.

If you are changing a node or relationship:

• [ x] Update the schema and readme.

If you are implementing a new intel module:

• [ x] Use the NodeSchema data model.

[achantavy]

Thanks for putting this together, I'm excited. Left some comments about using the data model to represent some of the OpalResource relationships, and how we'd need to add some read_transaction() functions to grab lists of IDs from the graph to make that possible.

I think it's also worth adding in a "fake tenant" node for the OpalResource so that we can automatically clean up the OpalResources -- this is done with the LastPass sync here: #1083.

Happy to get on a call if there's things that don't make sense, also happy to help with making these changes too, just let me know.

[achantavy]

Same idea like with (:OpalResource)-[:PROVIDES_ACCESS_TO]->(:AWSRole): let's refactor to use a rel schema with make_target_node_matcher so that the OpalResource looks for an OktaGroup with the group id we need. We should use read_transaction() to get those OktaGroups.

It's a bit of a performance hit to do it this way because of the data moving back and forth, but I think it's worth it to get the automatic cleanups and data model benefits.

[achantavy]

Let's use the OpalResource model that you created.

We can refactor to use rel schema with make_target_node_matcher. To do this, have a separate function query for the AWS role names that we need to grab from the given permission set. That separate function should use read_transaction for auto retries like in

cartography/cartography/intel/okta/awssaml.py

Lines 126 to 137 in 1401ca5

	def get_awssso_okta_groups(neo4j_session: neo4j.Session, okta_org_id: str) -> list[OktaGroup]:
	"""
	Return list of all Okta group ids in the current Okta organization tied to Okta Applications with name
	"amazon_aws_sso".
	"""
	query = """
	MATCH (g:OktaGroup)-[:APPLICATION]->(a:OktaApplication{name:"amazon_aws_sso"})
	<-[:RESOURCE]-(:OktaOrganization{id: $okta_org_id})
	RETURN g.id as group_id, g.name as group_name
	"""
	result = neo4j_session.read_transaction(read_list_of_dicts_tx, query, okta_org_id=okta_org_id)
	return [OktaGroup(group_name=og['group_name'], group_id=og['group_id']) for og in result]

.

[achantavy]

Would it make sense to move this and get_opal_groups_to_okta_groups_map to opal_okta.py?

[achantavy]

Can we move this to opal_common.py? I'm thinking this file should pretty much only have the start_* and other orchestration functions.

[achantavy]

Can we move this to opal_aws.py?

[achantavy]

Let's use the OpalResource model that you created so that we can remove this manual cleanup job. To do this we can introduce a fake "tenant" like in this LastPass PR: https://github.com/cartography-cncf/cartography/pull/1083/files#diff-3b2215e87b2aaf55796fc63a223403d163b97d5bcbb6931d5886802a1f554cd8.

[achantavy]

Same comment here about making this a rel schema defined on the OpalResource model and then using a read_transaction function to get a list of the IDs you need.