Add 2 additional edges + fix ManagerOf lookup logic

src/openhound_okta/graph.py

@@ -11,6 +11,7 @@
 @dataclass
 class OktaNodeProperties(BaseProperties):
     tenant: str
+    tenant_domain: str
     id: str
 
 

src/openhound_okta/lookup.py

@@ -21,13 +21,34 @@ def has_role_permission(self, role_id: str, permission: str) -> bool:
             f"""SELECT label FROM {self.schema}.custom_role_permissions WHERE role_id = ? AND label = ?""",
             [role_id, permission],
         )
-        return res is not None
+        return res
+
+    @lru_cache
+    def application_by_id(self, app_id: str) -> bool:
+        res = self._find_single_object(
+            f"""SELECT id FROM {self.schema}.applications WHERE id = ?""",
+            [app_id],
+        )
+        return res
+
+    @lru_cache
+    def application_settings(self, app_id: str) -> bool:
+        res = self._find_single_object(
+            f"""SELECT settings FROM {self.schema}.applications WHERE id = ?""",
+            [app_id],
+        )
+        return res
 
     @lru_cache
     def all_groups(self):
         res = self._find_all_objects(f"""SELECT id FROM {self.schema}.groups""")
         return res
 
+    @lru_cache
+    def non_admin_groups(self):
+        res = self._find_all_objects(f"""SELECT id FROM {self.schema}.non_admin_groups""")
+        return res
+
     @lru_cache
     def all_users(self):
         res = self._find_all_objects(f"""SELECT id FROM {self.schema}.users""")
@@ -43,6 +64,57 @@ def all_applications(self):
         res = self._find_all_objects(f"""SELECT id FROM {self.schema}.applications""")
         return res
 
+    @lru_cache
+    def application_ids_by_name(self, app_name: str):
+        res = self._find_all_objects(
+            f"""SELECT id FROM {self.schema}.applications WHERE name = ?""",
+            [app_name],
+        )
+        return res
+
+    @lru_cache
+    def application_secret_ids(self, app_id: str):
+        res = self._find_all_objects(
+            f"""SELECT id FROM {self.schema}.application_secrets WHERE app_id = ?""",
+            [app_id],
+        )
+        return res
+
+    @lru_cache
+    def resource_set_application_ids(self, resource_set_id: str):
+        return self._resource_set_resource_ids(
+            resource_set_id, "apps", self.all_applications()
+        )
+
+    @lru_cache
+    def resource_set_group_ids(self, resource_set_id: str):
+        return self._resource_set_resource_ids(
+            resource_set_id, "groups", self.all_groups()
+        )
+
+    @lru_cache
+    def resource_set_non_admin_group_ids(self, resource_set_id: str):
+        resource_set_groups = set(self.resource_set_group_ids(resource_set_id))
+        non_admin_groups = {group_id for (group_id,) in self.non_admin_groups()}
+        return tuple(sorted(resource_set_groups & non_admin_groups))
+
+    def _resource_set_resource_ids(
+        self, resource_set_id: str, resource_type: str, all_resource_rows
+    ):
+        rows = self._find_all_objects(
+            f"""SELECT orn FROM {self.schema}.resources WHERE resource_set_id = ? AND contains(orn, ?)""",
+            [resource_set_id, f":{resource_type}"],
+        )
+
+        resource_ids: set[str] = set()
+        for (orn,) in rows:
+            split_orn = orn.split(":")
+            if len(split_orn) == 5 and split_orn[-1] == resource_type:
+                resource_ids.update(resource_id for (resource_id,) in all_resource_rows)
+            elif len(split_orn) == 6 and split_orn[-2] == resource_type:
+                resource_ids.add(split_orn[-1])
+        return tuple(sorted(resource_ids))
+
     @lru_cache
     def all_policies(self):
         res = self._find_all_objects(f"""SELECT id FROM {self.schema}.policies""")
@@ -70,14 +142,7 @@ def all_devices(self):
     @lru_cache
     def manager_id(self, manager_login: str):
         res = self._find_single_object(
-            f"""SELECT id, json_value(profile, 'login') AS login FROM {self.schema}.users WHERE login = ?""",
+            f"""SELECT id FROM {self.schema}.users WHERE json_extract_string(profile, '$.login') = ?""",
             [manager_login],
         )
         return res
-
-    # @lru_cache
-    # def group_member_ids(self, group_id: str):
-    #     res = self._find_all_objects(
-    #         f"""SELECT id FROM {self.schema}.group_memberships WHERE group_id = ?""",
-    #         [group_id]
-    #     return res

src/openhound_okta/main.py

@@ -1,11 +1,12 @@
+import dlt
 from dlt.extract.source import DltSource
 from openhound.core.app import OpenHound
 from openhound.core.collect import CollectContext
 from openhound.core.convert import ConvertContext
 from openhound.core.preproc import PreProcContext
 
-from openhound_okta.transforms import transforms
 from openhound_okta.lookup import OktaLookup
+from openhound_okta.transforms import transforms
 
 app = OpenHound("okta", source_kind="Okta", help="OpenGraph collector for Okta")
 
@@ -23,15 +24,16 @@ def collect(ctx: CollectContext) -> DltSource:
 
 
 @app.convert(lookup=OktaLookup)
-def convert(ctx: ConvertContext) -> tuple[DltSource, dict]:
+def convert(ctx: ConvertContext):
     """Register a Typer CLI command that converts previously collected Okta resources into OpenGraph nodes and edges.
 
     Args:
         ctx (ConvertContext): Returns DLT pipeline context.
     """
     from openhound_okta.source import source as okta_source
-
-    return okta_source(), {"tenant": "somethingsomething"}
+    from urllib.parse import urlparse
+    tenant_url = dlt.secrets.get("sources.source.okta.credentials.base_url")
+    return okta_source(), {"tenant": urlparse(tenant_url).netloc}
 
 
 @app.preproc(transformer=transforms)
@@ -41,14 +43,14 @@ def preprocess(ctx: PreProcContext):
         "users": "users",
         "groups": "groups",
         "applications": "applications",
+        "application_secrets": "application_secrets",
         "devices": "devices",
         "authorization_servers": "authorization_servers",
         "identity_providers": "identity_providers",
         "policies": "policies",
+        "resources": "resources",
         "user_role_assignments": "user_role_assignments",
         "group_role_assignments": "group_role_assignments",
         "client_role_assignments": "client_role_assignments",
         "custom_role_permissions": "custom_role_permissions",
-        # "application_secrets": "application_secrets",
-        # "custom_role_permissions": "custom_role_permissions",
     }

src/openhound_okta/models/agent.py

@@ -83,6 +83,7 @@ def as_node(self):
             kinds=[nk.AGENT],
             properties=AgentProperties(
                 tenant=self._lookup.org_id(),
+                tenant_domain=self._extras["tenant"],
                 id=self.id,
                 name=self.name,
                 displayname=self.name,
@@ -95,10 +96,13 @@ def as_node(self):
 
     @property
     def _hosts_agent_edge(self):
-        # TODO: It seems that the agent name in Okta has TEST- prepended. Check the conditional logic
         if self.agent_type == "AD":
+            # The agent name has a prefix that needs to be stripped before matching is possible
+            agent_name_split = self.name.split("-")
+            agent_name = '-'.join(agent_name_split[1:])
+            agent_match = f"{agent_name.upper()}.{self.agent_pool_name.upper()}"
             match_with = PropertyMatch(
-                key="domain", value=f"{self.name}.{self.agent_pool_name}"
+                key="name", value=agent_match
             )
             yield Edge(
                 start=ConditionalEdgePath(

src/openhound_okta/models/agent_pool.py

@@ -83,6 +83,7 @@ def as_node(self):
             kinds=[nk.AGENT_POOL],
             properties=AgentPoolProperties(
                 tenant=self._lookup.org_id(),
+                tenant_domain=self._extras["tenant"],
                 id=self.id,
                 name=self.name,
                 displayname=self.name,

src/openhound_okta/models/api_service.py

@@ -1,4 +1,4 @@
-from dataclasses import dataclass, field
+from dataclasses import dataclass
 from datetime import datetime
 
 from openhound.core.asset import BaseAsset, EdgeDef, NodeDef
@@ -17,9 +17,6 @@ class ApiServiceProperties(OktaNodeProperties):
     app_type: str
     created_at: datetime
     oauth_scopes: list[str] | None = None
-    collected: bool = field(
-        default=True, metadata={"description": "Collected/generated by OpenHound"}
-    )
 
 
 @app.asset(
@@ -64,6 +61,7 @@ def as_node(self):
             kinds=[nk.INTEGRATION],
             properties=ApiServiceProperties(
                 tenant=self._lookup.org_id(),
+                tenant_domain=self._extras["tenant"],
                 id=self.id,
                 name=self.name,
                 displayname=self.name,

src/openhound_okta/models/api_token.py

@@ -58,6 +58,7 @@ def as_node(self):
             kinds=[nk.API_TOKEN],
             properties=ApiTokenProperties(
                 tenant=self._lookup.org_id(),
+                tenant_domain=self._extras["tenant"],
                 id=self.id,
                 name=self.name,
                 displayname=self.name,

src/openhound_okta/models/application.py

@@ -1,4 +1,4 @@
-from dataclasses import dataclass, field
+from dataclasses import dataclass
 from datetime import datetime
 from typing import ClassVar
 
@@ -8,8 +8,6 @@
     Edge,
     EdgePath,
     EdgeProperties,
-    ConditionalEdgePath,
-    PropertyMatch,
 )
 from pydantic import BaseModel, ConfigDict, Field
 
@@ -28,9 +26,6 @@ class ApplicationProperties(OktaNodeProperties):
     last_updated: datetime | None = None
     sign_on_mode: str | None = None
     orn: str | None = None
-    collected: bool = field(
-        default=True, metadata={"description": "Collected/generated by OpenHound"}
-    )
 
 
 class JWK(BaseModel):
@@ -121,6 +116,7 @@ def as_node(self):
             kinds=[nk.APPLICATION],
             properties=ApplicationProperties(
                 tenant=self._lookup.org_id(),
+                tenant_domain=self._extras["tenant"],
                 id=self.id,
                 name=self.name,
                 displayname=self.label or self.name,
@@ -136,7 +132,8 @@ def as_node(self):
 
     @property
     def _outbound_jamf_sso_edge(self):
-        # TODO: Should this be conditional on sign_on_mode == SAML_2_0?
+        # SAML == SAML_2_0
+        # SWA == SECURE_PASSWORD_STORE, BROWSER_PLUGIN or AUTO_LOGIN
         if self.name == "jamfsoftwareserver":
             jamf_domain = self.settings.app.get("domain")
             if jamf_domain:
@@ -148,38 +145,31 @@ def _outbound_jamf_sso_edge(self):
                     properties=EdgeProperties(traversable=True),
                 )
 
-    # @property
-    # def _outbound_jamf_swa_edge(self):
-    #     # TODO: Should this be conditional on sign_on_mode SECURE_PASSWORD_STORE, BROWSER_PLUGIN or AUTO_LOGIN?
-    #     if self.name == "jamfsoftwareserver":
-    #         jamf_domain = self.settings.app.get("domain")
-    #         if jamf_domain:
-    #             jamf_domain = jamf_domain.replace('"', "")
-    #             yield Edge(
-    #                 kind=ek.OUTBOUND_ORG_SSO,
-    #                 start=EdgePath(value=self.id, match_by="id"),
-    #                 end=EdgePath(value=f"{jamf_domain}-SSO", match_by="id"),
-    #                 properties=EdgeProperties(traversable=True),
-    #             )
-
     # @property
     # def _outbount_github_sso_edge(self):
-    # TODO: Github matching based on domain only may cause conflicts, should we actually do this before conditional matching?
+    # TODO: Wait for the Github Enterprise (v.s. org) implementation is finalized
     #     if self.name == "githubcloud":
+    #         yield Edge(
+    #             kind=ek.OUTBOUND_ORG_SSO,
+    #             start=EdgePath(value=self.id, match_by="id"),
+    #             ....
+    #             properties=EdgeProperties(traversable=True),
+    #         )
     #
 
-    @property
-    def _kerberos_sso_edge(self):
-        # TODO: Check logic
-        if self.name == "active_directory":
-            domain = self.label.split(".")[-2]
-            end_spn = f"HTTP/{domain}.kerberos.okta.com"
-            condition = PropertyMatch(key="serviceprincipalnames", value=end_spn)
-            yield Edge(
-                kind=ek.KERBEROS_SSO,
-                start=ConditionalEdgePath(kind="User", property_matchers=[condition]),
-                end=EdgePath(value=self.id, match_by="id"),
-            )
+    # @property
+    # def _kerberos_sso_edge(self):
+    #     # TODO: matching against arrays needs to be supported by the BH API before this will
+    #     # match with nodes
+    #     if self.name == "active_directory":
+    #         domain = self.label.split(".")[-2]
+    #         end_spn = f"HTTP/{domain}.kerberos.okta.com"
+    #         condition = PropertyMatch(key="serviceprincipalnames", value=end_spn)
+    #         yield Edge(
+    #             kind=ek.KERBEROS_SSO,
+    #             start=ConditionalEdgePath(kind="User", property_matchers=[condition]),
+    #             end=EdgePath(value=self.id, match_by="id"),
+    #         )
 
     @property
     def _contains_edge(self):
@@ -192,6 +182,7 @@ def _contains_edge(self):
 
     @property
     def edges(self):
+        # Disabled until BHE supports array-based matching
+        # yield from self._kerberos_sso_edge
         yield from self._contains_edge
         yield from self._outbound_jamf_sso_edge
-        yield from self._kerberos_sso_edge

src/openhound_okta/models/application_jwks.py

@@ -74,6 +74,7 @@ def as_node(self):
             kinds=[nk.JWK],
             properties=JWKProperties(
                 tenant=self._lookup.org_id(),
+                tenant_domain=self._extras["tenant"],
                 name=self.display_name,
                 displayname=self.display_name,
                 id=self.id,

src/openhound_okta/models/application_secrets.py

@@ -1,4 +1,5 @@
 from dataclasses import dataclass
+from dataclasses import field
 from datetime import datetime
 
 from openhound.core.asset import BaseAsset, EdgeDef, NodeDef
@@ -9,8 +10,6 @@
 from openhound_okta.kinds import edges as ek, nodes as nk
 from openhound_okta.main import app
 
-from dataclasses import field
-
 
 @dataclass
 class SecretProperties(OktaNodeProperties):
@@ -68,6 +67,7 @@ def as_node(self):
             kinds=[nk.CLIENT_SECRET],
             properties=SecretProperties(
                 tenant=self._lookup.org_id(),
+                tenant_domain=self._extras["tenant"],
                 name=self.secret_hash,
                 displayname=self.secret_hash,
                 id=self.id,