chore: merge v8.5.1 release stage branch into main BED-7201

[specter-flq]

Description

Backmerge v8.5.1 release stage branch into main

Motivation and Context

Resolves BED-7201

How Has This Been Tested?

Screenshots (optional):

Types of changes

• Chore (a change that does not modify the application functionality)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• New Features

  • OpenGraph search now enabled by default
  • Added OpenGraph pathfinding feature flag (currently disabled)

• Bug Fixes

  • Improved custom icon rendering with explicit Font Awesome handling
  • Ignored NotFound errors when fetching RDP computer data to reduce spurious failures

• Security

  • Expanded Content Security Policy with additional directives and placeholders

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds FontAwesome-based custom node icon formatting, expands the server Content-Security-Policy format and its use, inserts an OpenGraph pathfinding feature flag and enables opengraph_search, refines CanRDP error handling to ignore only NotFound, and bumps a single Go dependency.

Changes

Cohort / File(s)	Summary
FontAwesome icon handling cmd/api/src/api/bloodhoundgraph/conversions.go, cmd/api/src/api/v2/pathfinding_test.go	Introduces fontAwesomeIconType, fontAwesomePrefix, defaultUnknownIcon; changes FontIcon.Text assignment to switch on icon type; updates test to mock custom node kind with FontAwesome icon and expect rendered FA class.
Content Security Policy (CSP) cmd/api/src/bootstrap/server.go, cmd/api/src/services/entrypoint.go	Expands ContentSecurityPolicy format string to include connect-src, frame-src, and additional placeholders for style-src and font-src; Entrypoint now formats CSP with six args.
DB migration: OpenGraph feature flags cmd/api/src/database/migration/migrations/v8.5.1.sql	Adds opengraph_pathfinding feature flag (disabled, non-user-updatable) and enables opengraph_search.
CanRDP error handling packages/go/analysis/ad/local_groups.go	PostCanRDP now ignores NotFound only when fetching CanRDP computer data; other errors still propagate.
Dependency update go.mod	Bumps github.com/specterops/dawgs from v0.4.2 to v0.4.3.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat: Update explore search results to return custom node icon data BED-6887 #2128 — Related changes to conversions.go handling of FontAwesome icon text/prefix and test adjustments.
• feat (api): Extract enable_user_analytics and Introduce a Dyanamic CSP - BED-6449 #1870 — Related updates to ContentSecurityPolicy constant and its runtime formatting.
• BED-5021 -- Citrix CanRDP rework #1945 — Related CanRDP construction/handling changes affecting packages/go/analysis/ad behavior.

Suggested labels

api

Suggested reviewers

• elikmiller
• AD7ZJ
• wes-mil

Poem

🐰 I hop with a font and a flair,
CSP lines trailing in air,
Flags planted neat,
CanRDP discrete,
A tiny update with care ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 17.78% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the PR as a merge of the v8.5.1 release stage branch into main, with the associated ticket reference, accurately reflecting the changeset's primary objective.
Description check	✅ Passed	The PR description covers the key required sections: description, motivation/context with ticket reference, types of changes, and completed checklist items. However, the 'How Has This Been Tested?' section is blank, which is a notable omission.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

cmd/api/src/analysis/ad/adcs_integration_test.go (1)

41-53: Handle BuildCache errors in FetchADCSPrereqs.
BuildCache returns an error in the main code path; ignoring it here can mask failures and make tests pass incorrectly.

🛠️ Suggested fix

-		cache.BuildCache(context.Background(), db, enterpriseCertAuthorities, certTemplates)
-		return localGroupData, cache.GetEnterpriseCertAuthorities(), cache.GetCertTemplates(), cache.GetDomains(), cache, nil
+		if err := cache.BuildCache(context.Background(), db, enterpriseCertAuthorities, certTemplates); err != nil {
+			return nil, nil, nil, nil, ad2.ADCSCache{}, err
+		}
+		return localGroupData, cache.GetEnterpriseCertAuthorities(), cache.GetCertTemplates(), cache.GetDomains(), cache, nil

packages/go/analysis/ad/post.go (1)

208-224: Use NodeProperty in FetchAdminGroups node filter.

StartProperty/EndProperty are relationship-scoped and will not match in a node query. Switch to NodeProperty to match the pattern used elsewhere in the codebase (see packages/go/analysis/ad/ad.go for a similar check). This also allows removing the unnecessary Or() wrapper.

🔧 Proposed fix

-	return tx.Nodes().Filter(query.And(
-		query.Or(
-			query.StringEndsWith(query.StartProperty(common.ObjectID.String()), wellknown.AdministratorsSIDSuffix.String()),
-			query.StringEndsWith(query.EndProperty(common.ObjectID.String()), wellknown.AdministratorsSIDSuffix.String()),
-		),
-	)).FetchIDs(func(cursor graph.Cursor[graph.ID]) error {
+	return tx.Nodes().Filter(
+		query.StringEndsWith(query.NodeProperty(common.ObjectID.String()), wellknown.AdministratorsSIDSuffix.String()),
+	).FetchIDs(func(cursor graph.Cursor[graph.ID]) error {

🤖 Fix all issues with AI agents

In `@packages/go/analysis/ad/local_groups.go`:
- Around line 66-85: The BatchOperation error is being logged and cancelled but
not propagated, causing callers to see success despite failures; update the
BatchOperation call in PostLocalGroups (and the similar block in PostCanRDP) to
return the error to the caller instead of swallowing it: when
graphDB.BatchOperation(...) returns err, remove the unconditional nil return
path, keep the slog.Error(...) and done() handling, then propagate that err up
by returning it from the enclosing function (and do the same for the other
occurrence around lines 221-240). Ensure the enclosing function signatures
already allow returning an error or update them so the error can be returned.

🧹 Nitpick comments (4)

cmd/api/src/analysis/membership_integration_test.go (1)

78-80: Replace deprecated integration test harness.

Staticcheck flags integration.NewGraphTestContext as deprecated; please migrate to the newer integration utils to avoid future breakage.

cmd/api/src/analysis/ad/ad_integration_test.go (1)

1144-1146: Consider updating error message to reflect new operation.

The error message "error expanding groups in integration test" is slightly misleading since the operation is now FetchLocalGroupData, not group expansion. This is a minor cosmetic issue.

-		if localGroupData, err := adAnalysis.FetchLocalGroupData(testContext.Context(), db); err != nil {
-			t.Fatalf("error expanding groups in integration test; %v", err)
+		if localGroupData, err := adAnalysis.FetchLocalGroupData(testContext.Context(), db); err != nil {
+			t.Fatalf("error fetching local group data in integration test; %v", err)

packages/go/analysis/ad/ad.go (1)

475-483: Add a defensive guard for nil LocalGroupData.
This avoids a panic if a caller passes a nil or partially initialized struct.

🛡️ Suggested guard

 func CalculateCrossProductNodeSets(localGroupData *LocalGroupData, nodeSlices ...[]*graph.Node) cardinality.Duplex[uint64] {
+	if localGroupData == nil || localGroupData.GroupMembershipCache == nil {
+		slog.Error("Cross products require LocalGroupData with GroupMembershipCache")
+		return cardinality.NewBitmap64()
+	}
 	if len(nodeSlices) < 2 {
 		slog.Error("Cross products require at least 2 nodesets")
 		return cardinality.NewBitmap64()
 	}

cmd/api/src/analysis/ad/ntlm_integration_test.go (1)

154-157: Rename grouplocalGroupData to localGroupData for clarity.
The current name reads like a typo and makes the flow harder to scan.