feat(api): private labels and properties in Attack Paths graph - phase 1 (#10124)

This commit is contained in:
Josema Camacho
2026-02-23 11:30:26 +01:00
committed by GitHub
parent b5d2a75151
commit 75c7f61513
8 changed files with 133 additions and 28 deletions
@@ -10,13 +10,17 @@ from tasks.jobs.attack_paths import aws
BATCH_SIZE = env.int("ATTACK_PATHS_BATCH_SIZE", 1000)
# Neo4j internal labels (Prowler-specific, not provider-specific)
# - `ProwlerFinding`: Label for finding nodes created by Prowler and linked to cloud resources.
# - `ProviderResource`: Added to ALL synced nodes for provider isolation and drop/query ops.
# - `Internet`: Singleton node representing external internet access for exposed-resource queries.
# - `ProwlerFinding`: Label for finding nodes created by Prowler and linked to cloud resources
# - `_ProviderResource`: Added to ALL synced nodes for provider isolation and drop/query ops
# - `Internet`: Singleton node representing external internet access for exposed-resource queries
PROWLER_FINDING_LABEL = "ProwlerFinding"
PROVIDER_RESOURCE_LABEL = "ProviderResource"
PROVIDER_RESOURCE_LABEL = "_ProviderResource"
INTERNET_NODE_LABEL = "Internet"
# Phase 1 dual-write: deprecated label kept for drop_subgraph and infrastructure queries
# Remove in Phase 2 once all nodes use the private label exclusively
DEPRECATED_PROVIDER_RESOURCE_LABEL = "ProviderResource"
@dataclass(frozen=True)
class ProviderConfig:
@@ -26,7 +30,8 @@ class ProviderConfig:
root_node_label: str # e.g., "AWSAccount"
uid_field: str # e.g., "arn"
# Label for resources connected to the account node, enabling indexed finding lookups.
resource_label: str # e.g., "AWSResource"
resource_label: str # e.g., "_AWSResource"
deprecated_resource_label: str # e.g., "AWSResource"
ingestion_function: Callable
@@ -37,7 +42,8 @@ AWS_CONFIG = ProviderConfig(
name="aws",
root_node_label="AWSAccount",
uid_field="arn",
resource_label="AWSResource",
resource_label="_AWSResource",
deprecated_resource_label="AWSResource",
ingestion_function=aws.start_aws_ingestion,
)
@@ -48,10 +54,12 @@ PROVIDER_CONFIGS: dict[str, ProviderConfig] = {
# Labels added by Prowler that should be filtered from API responses
# Derived from provider configs + common internal labels
INTERNAL_LABELS: list[str] = [
"Tenant",
"Tenant", # From Cartography, but it looks like it's ours
PROVIDER_RESOURCE_LABEL,
DEPRECATED_PROVIDER_RESOURCE_LABEL,
# Add all provider-specific resource labels
*[config.resource_label for config in PROVIDER_CONFIGS.values()],
*[config.deprecated_resource_label for config in PROVIDER_CONFIGS.values()],
]
@@ -83,6 +91,12 @@ def get_node_uid_field(provider_type: str) -> str:
def get_provider_resource_label(provider_type: str) -> str:
"""Get the resource label for a provider type (e.g., `AWSResource`)."""
"""Get the resource label for a provider type (e.g., `_AWSResource`)."""
config = PROVIDER_CONFIGS.get(provider_type)
return config.resource_label if config else "UnknownProviderResource"
return config.resource_label if config else "_UnknownProviderResource"
def get_deprecated_provider_resource_label(provider_type: str) -> str:
"""Get the deprecated resource label for a provider type (e.g., `AWSResource`)."""
config = PROVIDER_CONFIGS.get(provider_type)
return config.deprecated_resource_label if config else "UnknownProviderResource"