Commit
* Fix for issue #31 * internal_commit * adding factors * trusted origin, full sync ok * api doc * run clean - added transform layer * Update oktaintel.py working full sync * Update oktaintel.py * updated doc * unit test foundation * Update __init__.py * lint * Update oktaintel.py * Update oktaintel.py * Update oktaintel.py * Update oktaintel.py * unit tests * cred setup * sync integration * Update okta_import_cleanup.json * lint bs * lint bs * Group member bug fix * PR Feedback * Update oktaintel.py * Update README.md * removing cli parameter * evan review part 1 * evan feedback part 2 - refactoring into smaller chunks * evan feedback - part 2 - CLI parameters * lint * utils * testing * bug fix * Update cli.py * splitting get and transform * Update users.py * Update groups.py * Update roles.py * fix doc * change unit test * Update test_syntax.py * fix unit test * fix index * Address Alex feedback - store data in memory vs graph call * fix * lint * Update okta_import_cleanup.json
1 parent
ab90760
commit c873d8d
Showing
33 changed files
with
2,563 additions
and
3 deletions.
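--- /dev/null
+++ b/DIR_NOT_ON_PAGE/okta_import_cleanup.json
@@ -0,0 +1,70 @@
+{
+  "statements": [
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(n:OktaUser)-[:FACTOR]->(n:OktaUserFactor) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Deletate stale OktaUserFactor"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(:OktaUser)-[r:FACTOR]->(:OktaUserFactor) WHERE r.lastupdated <> {UPDATE_TAG} WITH r LIMIT {LIMIT_SIZE} DELETE (r) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaUserFactor to OktaUser relationship"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(n:OktaUser) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaUser"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(:OktaGroup)<-[r:MEMBER_OF_OKTA_GROUP]-(:OktaUser) WHERE r.lastupdated <> {UPDATE_TAG} WITH r LIMIT {LIMIT_SIZE} DELETE (r) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaUser relationship to OktaGroup"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(n:OktaGroup) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaGroup"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(n:OktaApplication) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaApplication"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(:OktaApplication)<-[r:APPLICATION]-(n) WHERE r.lastupdated <> {UPDATE_TAG} WITH r LIMIT {LIMIT_SIZE} DELETE (r) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaApplication relationships"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(n:OktaTrustedOrigin) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaTrustedOrigin"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(n:OktaAdministrationRole) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaAdministrationRole"
+    },
+    {
+      "query": "MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(:OktaAdministrationRole)<-[r:MEMBER_OF_OKTA_ROLE]-(n) WHERE r.lastupdated <> {UPDATE_TAG} WITH r LIMIT {LIMIT_SIZE} DELETE (r) return COUNT(*) as TotalCompleted",
+      "iterative": true,
+      "iterationsize": 100,
+      "__comment__": "Delete stale OktaAdministrationRole relationships"
+    },
+    {
+      "query": "MATCH (n:OktaOrganization{id: {OKTA_ORG_ID}}) WHERE n.lastupdated <> {UPDATE_TAG} DELETE (n)",
+      "iterative": false,
+      "__comment__": "Delete stale OktaOrganization"
+    }
+  ],
+  "name": "Okta intel module cleanup"
+}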
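Review bot: The first statement's pattern binds `n` twice with different labels, `(n:OktaUser)-[:FACTOR]->(n:OktaUserFactor)`, which in Cypher requires a single node carrying both labels, so the stale-OktaUserFactor delete matches nothing and stale factor nodes are never removed from the graph. The user side should be anonymous: `MATCH (:OktaOrganization{id: {OKTA_ORG_ID}})-[:RESOURCE]->(:OktaUser)-[:FACTOR]->(n:OktaUserFactor) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted`. The same statement's `__comment__` reads `Deletate`; `Delete stale OktaUserFactor` matches the wording of the others. The final statement removes the OktaOrganization with a plain `DELETE (n)` while every other node delete uses `DETACH DELETE`; if any relationship still hangs off a stale organization node when it runs, the statement errors rather than cleaning up, so `DETACH DELETE (n)` would be the safer form even though it is presumably ordered last so that the RESOURCE edges are already gone.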
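--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,66 @@
+import logging
+
+from okta.framework.OktaError import OktaError
+
+from cartography.intel.okta import applications
+from cartography.intel.okta import factors
+from cartography.intel.okta import groups
+from cartography.intel.okta import organization
+from cartography.intel.okta import origins
+from cartography.intel.okta import roles
+from cartography.intel.okta import users
+from cartography.intel.okta.sync_state import OktaSyncState
+from cartography.util import run_cleanup_job
+
+logger = logging.getLogger(__name__)
+
+
+def _cleanup_okta_organizations(session, common_job_parameters):
+    """
+    Remove stale Okta organization
+    :param session: The Neo4j session
+    :param common_job_parameters: Parameters to carry to the cleanup job
+    :return: Nothing
+    """
+
+    run_cleanup_job('okta_import_cleanup.json', session, common_job_parameters)
+
+
+def start_okta_ingestion(neo4j_session, config):
+    """
+    Starts the OKTA ingestion process
+    :param neo4j_session: The Neo4j session
+    :param config: A `cartography.config` object
+    :return: Nothing
+    """
+
+    logger.debug(f"Starting Okta sync on {config.okta_org_id}")
+
+    common_job_parameters = {
+        "UPDATE_TAG": config.update_tag,
+        "OKTA_ORG_ID": config.okta_org_id,
+    }
+
+    state = OktaSyncState()
+
+    organization.create_okta_organization(neo4j_session, config.okta_org_id, config.update_tag)
+    users.sync_okta_users(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key, state)
+    groups.sync_okta_groups(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key, state)
+    applications.sync_okta_applications(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key)
+    factors.sync_users_factors(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key, state)
+    origins.sync_trusted_origins(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key)
+
+    # need creds with permission
+    # soft fail as some won't be able to get such high priv token
+    # when we get the E0000006 error
+    # see https://developer.okta.com/docs/reference/error-codes/
+    try:
+        roles.sync_roles(neo4j_session, config.okta_org_id, config.update_tag, config.okta_api_key, state)
+    except OktaError as okta_error:
+        logger.warning(f"Unable to pull admin roles got {okta_error}")
+
+        # Getting roles requires super admin which most won't be able to get easily
+        if okta_error.error_code == "E0000006":
+            logger.warning("Unable to sync admin roles - api token needs admin rights to pull admin roles data")
+
+    _cleanup_okta_organizations(neo4j_session, common_job_parameters)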
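Review bot: In `start_okta_ingestion` every `OktaError` raised by `roles.sync_roles` is swallowed with a warning, yet `_cleanup_okta_organizations` still runs unconditionally on the last line; the cleanup job in this same commit deletes OktaAdministrationRole nodes and MEMBER_OF_OKTA_ROLE relationships whose `lastupdated` does not match the new tag, so a transient API failure during the roles pull (rate limit, network error) erases the previously synced admin-role data from the graph instead of leaving the last good view in place. Only the permission case the comments describe should be soft-failed: add `if okta_error.error_code != "E0000006": raise` at the top of the except block, or pass a flag into the cleanup so the role statements are skipped when roles were not synced. A smaller point: the function assumes `config.okta_org_id` and `config.okta_api_key` are set; if the CLI allows either to be unset, a guard that logs and returns early would give a clearer message than a failure inside the Okta client.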