refactor(attack-paths): complete migration to private graph labels and properties (phase 2) (#10268)

This commit is contained in:
Josema Camacho
2026-03-16 12:34:58 +01:00
committed by GitHub
parent 361f8548bf
commit ad02801c74
12 changed files with 66 additions and 97 deletions
@@ -10,16 +10,12 @@ from tasks.jobs.attack_paths import aws
BATCH_SIZE = env.int("ATTACK_PATHS_BATCH_SIZE", 1000)
# Neo4j internal labels (Prowler-specific, not provider-specific)
# - `Internet`: Singleton node representing external internet access for exposed-resource queries
# - `ProwlerFinding`: Label for finding nodes created by Prowler and linked to cloud resources
# - `_ProviderResource`: Added to ALL synced nodes for provider isolation and drop/query ops
# - `Internet`: Singleton node representing external internet access for exposed-resource queries
INTERNET_NODE_LABEL = "Internet"
PROWLER_FINDING_LABEL = "ProwlerFinding"
PROVIDER_RESOURCE_LABEL = "_ProviderResource"
INTERNET_NODE_LABEL = "Internet"
# Phase 1 dual-write: deprecated label kept for drop_subgraph and infrastructure queries
# Remove in Phase 2 once all nodes use the private label exclusively
DEPRECATED_PROVIDER_RESOURCE_LABEL = "ProviderResource"
@dataclass(frozen=True)
@@ -31,7 +27,6 @@ class ProviderConfig:
uid_field: str # e.g., "arn"
# Label for resources connected to the account node, enabling indexed finding lookups.
resource_label: str # e.g., "_AWSResource"
deprecated_resource_label: str # e.g., "AWSResource"
ingestion_function: Callable
@@ -43,7 +38,6 @@ AWS_CONFIG = ProviderConfig(
root_node_label="AWSAccount",
uid_field="arn",
resource_label="_AWSResource",
deprecated_resource_label="AWSResource",
ingestion_function=aws.start_aws_ingestion,
)
@@ -56,18 +50,16 @@ PROVIDER_CONFIGS: dict[str, ProviderConfig] = {
INTERNAL_LABELS: list[str] = [
"Tenant", # From Cartography, but it looks like it's ours
PROVIDER_RESOURCE_LABEL,
DEPRECATED_PROVIDER_RESOURCE_LABEL,
# Add all provider-specific resource labels
*[config.resource_label for config in PROVIDER_CONFIGS.values()],
*[config.deprecated_resource_label for config in PROVIDER_CONFIGS.values()],
]
# Provider isolation properties
PROVIDER_ID_PROPERTY = "_provider_id"
PROVIDER_ELEMENT_ID_PROPERTY = "_provider_element_id"
PROVIDER_ISOLATION_PROPERTIES: list[str] = [
"_provider_id",
"_provider_element_id",
"provider_id",
"provider_element_id",
PROVIDER_ID_PROPERTY,
PROVIDER_ELEMENT_ID_PROPERTY,
]
# Cartography bookkeeping metadata
@@ -115,9 +107,3 @@ def get_provider_resource_label(provider_type: str) -> str:
"""Get the resource label for a provider type (e.g., `_AWSResource`)."""
config = PROVIDER_CONFIGS.get(provider_type)
return config.resource_label if config else "_UnknownProviderResource"
def get_deprecated_provider_resource_label(provider_type: str) -> str:
"""Get the deprecated resource label for a provider type (e.g., `AWSResource`)."""
config = PROVIDER_CONFIGS.get(provider_type)
return config.deprecated_resource_label if config else "UnknownProviderResource"