feat(attack-paths): Task and endpoints (#9344)

- Added support to Neo4j
- Added Cartography as Attack Paths Scan
- Added Attack Path Scans endpoints for their management and run queries on those scan

Author: josema-xyz

.env

@@ -41,6 +41,25 @@ POSTGRES_DB=prowler_db
 # POSTGRES_REPLICA_MAX_ATTEMPTS=3
 # POSTGRES_REPLICA_RETRY_BASE_DELAY=0.5
 
+# Neo4j auth
+NEO4J_HOST=neo4j
+NEO4J_PORT=7687
+NEO4J_USER=neo4j
+NEO4J_PASSWORD=neo4j_password
+# Neo4j settings
+NEO4J_SERVER_MEMORY_PAGECACHE_SIZE=1G
+NEO4J_SERVER_MEMORY_HEAP_INITIAL__SIZE=1G
+NEO4J_SERVER_MEMORY_HEAP_MAX__SIZE=1G
+NEO4J_POC_EXPORT_FILE_ENABLED=true
+NEO4J_APOC_IMPORT_FILE_ENABLED=true
+NEO4J_APOC_IMPORT_FILE_USE_NEO4J_CONFIG=true
+NEO4J_PLUGINS=["apoc"]
+NEO4J_DBMS_SECURITY_PROCEDURES_ALLOWLIST=apoc.*
+NEO4J_DBMS_SECURITY_PROCEDURES_UNRESTRICTED=apoc.*
+NEO4J_DBMS_CONNECTOR_BOLT_LISTEN_ADDRESS=0.0.0.0:7687
+# Neo4j Prowler settings
+NEO4J_INSERT_BATCH_SIZE=500
+
 # Celery-Prowler task settings
 TASK_RETRY_DELAY_SECONDS=0.1
 TASK_RETRY_ATTEMPTS=5

README.md

@@ -75,6 +75,23 @@ prowler dashboard
 ```
 ![Prowler Dashboard](docs/images/products/dashboard.png)
 
+
+## Attack Paths
+
+Attack Paths automatically extends every completed AWS scan with a Neo4j graph that combines Cartography's cloud inventory with Prowler findings. The feature runs in the API worker after each scan and therefore requires:
+
+- An accessible Neo4j instance (the Docker Compose files already ships a `neo4j` service).
+- The following environment variables so Django and Celery can connect:
+
+  | Variable | Description | Default |
+  | --- | --- | --- |
+  | `NEO4J_HOST` | Hostname used by the API containers. | `neo4j` |
+  | `NEO4J_PORT` | Bolt port exposed by Neo4j. | `7687` |
+  | `NEO4J_USER` / `NEO4J_PASSWORD` | Credentials with rights to create per-tenant databases. | `neo4j` / `neo4j_password` |
+
+Every AWS provider scan will enqueue an Attack Paths ingestion job automatically. Other cloud providers will be added in future iterations.
+
+
 # Prowler at a Glance
 > [!Tip]
 > For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit [**Prowler Hub**](https://hub.prowler.com).

api/CHANGELOG.md

@@ -4,6 +4,9 @@ All notable changes to the **Prowler API** are documented in this file.
 
 ## [1.16.0] (Unreleased)
 
+### Added
+- Attack Paths backend support [(#9344)](https://github.com/prowler-cloud/prowler/pull/9344)
+
 ### Changed
 - Restore the compliance overview endpoint's mandatory filters [(#9330)](https://github.com/prowler-cloud/prowler/pull/9330)
 

api/Dockerfile

@@ -2,6 +2,9 @@ FROM python:3.12.10-slim-bookworm AS build
 
 LABEL maintainer="https://github.com/prowler-cloud/api"
 
+ARG CARTOGRAPHY_VERSION=0.117.0
+ENV CARTOGRAPHY_VERSION=${CARTOGRAPHY_VERSION}
+
 ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}
 
@@ -79,6 +82,8 @@ ENV PATH="/home/prowler/.local/bin:$PATH"
 RUN poetry install --no-root && \
     rm -rf ~/.cache/pip
 
+RUN poetry run python -m pip install cartography==${CARTOGRAPHY_VERSION}
+
 RUN poetry run python "$(poetry env info --path)/src/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py"
 
 COPY src/backend/ ./backend/

api/poetry.lock

@@ -35,7 +35,8 @@ dependencies = [
   "markdown (>=3.9,<4.0)",
   "drf-simple-apikey (==2.2.1)",
   "matplotlib (>=3.10.6,<4.0.0)",
-  "reportlab (>=4.4.4,<5.0.0)"
+  "reportlab (>=4.4.4,<5.0.0)",
+  "neo4j (<6.0.0)",
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"

api/pyproject.toml

@@ -1,4 +1,5 @@
 import logging
+import atexit
 import os
 import sys
 from pathlib import Path
@@ -30,6 +31,7 @@ class ApiConfig(AppConfig):
     def ready(self):
         from api import schema_extensions  # noqa: F401
         from api import signals  # noqa: F401
+        from api.attack_paths import database as graph_database
         from api.compliance import load_prowler_compliance
 
         # Generate required cryptographic keys if not present, but only if:
@@ -39,6 +41,10 @@ def ready(self):
         if "manage.py" not in sys.argv or os.environ.get("RUN_MAIN"):
             self._ensure_crypto_keys()
 
+        if not getattr(settings, "TESTING", False):
+            graph_database.init_driver()
+            atexit.register(graph_database.close_driver)
+
         load_prowler_compliance()
 
     def _ensure_crypto_keys(self):
@@ -54,7 +60,7 @@ def _ensure_crypto_keys(self):
         global _keys_initialized
 
         # Skip key generation if running tests
-        if hasattr(settings, "TESTING") and settings.TESTING:
+        if getattr(settings, "TESTING", False):
             return
 
         # Skip if already initialized in this process

api/src/backend/api/apps.py

@@ -0,0 +1,13 @@
+from api.attack_paths.query_definitions import (
+    AttackPathsQueryDefinition,
+    AttackPathsQueryParameterDefinition,
+    get_queries_for_provider,
+    get_query_by_id,
+)
+
+__all__ = [
+    "AttackPathsQueryDefinition",
+    "AttackPathsQueryParameterDefinition",
+    "get_queries_for_provider",
+    "get_query_by_id",
+]

api/src/backend/api/attack_paths/__init__.py

@@ -0,0 +1,131 @@
+import logging
+import threading
+
+from contextlib import contextmanager
+from typing import Iterator
+from uuid import UUID
+
+import neo4j
+
+from django.conf import settings
+
+import neo4j.exceptions
+
+# Without this Celery goes crazy with Neo4j logging
+logging.getLogger("neo4j").setLevel(logging.ERROR)
+logging.getLogger("neo4j").propagate = False
+
+# Module-level process-wide driver singleton
+_driver: neo4j.Driver | None = None
+_lock = threading.Lock()
+
+# Base Neo4j functions
+
+
+def get_uri() -> str:
+    host = settings.DATABASES["neo4j"]["HOST"]
+    port = settings.DATABASES["neo4j"]["PORT"]
+    return f"bolt://{host}:{port}"
+
+
+def init_driver() -> neo4j.Driver:
+    global _driver
+    if _driver is not None:
+        return _driver
+
+    with _lock:
+        if _driver is None:
+            uri = get_uri()
+            config = settings.DATABASES["neo4j"]
+
+            _driver = neo4j.GraphDatabase.driver(
+                uri, auth=(config["USER"], config["PASSWORD"])
+            )
+            _driver.verify_connectivity()
+
+    return _driver
+
+
+def get_driver() -> neo4j.Driver:
+    return init_driver()
+
+
+def close_driver() -> None:  # TODO: Use it
+    global _driver
+    with _lock:
+        if _driver is not None:
+            try:
+                _driver.close()
+
+            finally:
+                _driver = None
+
+
+@contextmanager
+def get_session(database: str | None = None) -> Iterator[neo4j.Session]:
+    try:
+        with get_driver().session(database=database) as session:
+            yield session
+
+    except neo4j.exceptions.Neo4jError as exc:
+        raise GraphDatabaseQueryException(message=exc.message, code=exc.code)
+
+
+def create_database(database: str) -> None:
+    query = "CREATE DATABASE $database IF NOT EXISTS"
+    parameters = {"database": database}
+
+    with get_session() as session:
+        session.run(query, parameters)
+
+
+def drop_database(database: str) -> None:
+    query = f"DROP DATABASE `{database}` IF EXISTS DESTROY DATA"
+
+    with get_session() as session:
+        session.run(query)
+
+
+def drop_subgraph(database: str, root_node_label: str, root_node_id: str) -> int:
+    query = """
+        MATCH (a:__ROOT_NODE_LABEL__ {id: $root_node_id})
+        CALL apoc.path.subgraphNodes(a, {})
+        YIELD node
+        DETACH DELETE node
+        RETURN COUNT(node) AS deleted_nodes_count
+    """.replace("__ROOT_NODE_LABEL__", root_node_label)
+    parameters = {"root_node_id": root_node_id}
+
+    with get_session(database) as session:
+        result = session.run(query, parameters)
+
+        try:
+            return result.single()["deleted_nodes_count"]
+
+        except neo4j.exceptions.ResultConsumedError:
+            return 0  # As there are no nodes to delete, the result is empty
+
+
+# Neo4j functions related to Prowler + Cartography
+DATABASE_NAME_TEMPLATE = "db-{attack_paths_scan_id}"
+
+
+def get_database_name(attack_paths_scan_id: UUID) -> str:
+    attack_paths_scan_id_str = str(attack_paths_scan_id).lower()
+    return DATABASE_NAME_TEMPLATE.format(attack_paths_scan_id=attack_paths_scan_id_str)
+
+
+# Exceptions
+
+
+class GraphDatabaseQueryException(Exception):
+    def __init__(self, message: str, code: str | None = None) -> None:
+        super().__init__(message)
+        self.message = message
+        self.code = code
+
+    def __str__(self) -> str:
+        if self.code:
+            return f"{self.code}: {self.message}"
+
+        return self.message