Merge branch 'main' into BED-8246--full-path-highlight

Author: specter-flq

AGENTS.md

@@ -36,7 +36,11 @@
 ## Database migration instructions
 
 -   Migration files must use goose annotations: `-- +goose Up` and `-- +goose Down`
--   Migration filenames must follow the pattern: `YYYYMMDDHHMMSS_descriptive_name.sql`
+-   Migration filenames must follow the pattern: `<timestamp>_<version>_<name>.sql`
+    -   Timestamp: `YYYYMMDDHHMMSS`
+    -   Version: `v9`, `v10`, etc. (current major release)
+    -   Name: descriptive snake_case name
+    -   Example: `20260514120000_v9_add_feature_flags.sql`
 -   Never modify baseline migrations (`00000000000001_init.sql` or `00000000000002_init.sql`)
 -   Never modify migrations that have already been merged to main. The user should create a new migration instead
 -   Migration locations:

architecture/model/api-server.c4

@@ -111,6 +111,14 @@ model {
       technology 'Go'
     }
 
+    // ─── Feature Flags ─────────────────────────────────────────
+
+    featureFlagClient = component 'Feature Flag Client' {
+      #go #featureFlags
+      description 'OpenFeature SDK client used by application code to evaluate feature flags. The active provider is selected at build time, decoupling flag evaluation call sites from the backend. In BHCE the from-env provider reads flag defaults from environment variables; BHE swaps in LaunchDarkly (Fleet) or a Replicated-license-backed InMemoryProvider (On-Prem).'
+      technology 'Go / OpenFeature SDK'
+    }
+
     // ─── Data Access ───────────────────────────────────────────
 
     databaseClient = library 'Database Client' {

architecture/model/relationships.c4

@@ -109,5 +109,9 @@ model {
   bloodhound.apiServer.databaseClient -[sync]-> bloodhound.postgresql 'SQL queries'
   bloodhound.apiServer.graphClient -[sync]-> bloodhound.postgresqlGraph 'Graph operations (DAWGS)'
   bloodhound.apiServer.graphClient -[sync]-> bloodhound.neo4j 'Cypher queries'
+
+  // Feature flag evaluation
+  bloodhound.apiServer.restApi -[uses]-> bloodhound.apiServer.featureFlagClient 'Evaluates feature flags'
+  bloodhound.apiServer.analysisService -[uses]-> bloodhound.apiServer.featureFlagClient 'Evaluates feature flags'
 }
 

architecture/specification.c4

@@ -101,5 +101,6 @@ specification {
   tag react
   tag graphdb
   tag relationaldb
+  tag featureFlags
 }
 

architecture/views/api-server.c4

@@ -26,6 +26,11 @@ views {
       notation "Data access layer"
       color muted
     }
+
+    style bloodhound.apiServer.featureFlagClient {
+      notation "Feature flag client"
+      color slate
+    }
   }
 }
 

cmd/api/src/api/v2/assetgrouptags_test.go

@@ -61,7 +61,10 @@ import (
 )
 
 func TestResources_GetAssetGroupTags(t *testing.T) {
-	const queryParamTagType = "type"
+	const (
+		queryParamTagType = "type"
+		queryParamName    = "name"
+	)
 	var (
 		mockCtrl      = gomock.NewController(t)
 		mockDB        = mocks_db.NewMockDatabase(mockCtrl)
@@ -209,6 +212,50 @@ func TestResources_GetAssetGroupTags(t *testing.T) {
 					apitest.Equal(output, 2, tierCount)
 				},
 			},
+			{
+				Name: "NumericStringName",
+				Input: func(input *apitest.Input) {
+					apitest.AddQueryParam(input, queryParamName, "eq:123")
+				},
+				Setup: func() {
+					mockDB.EXPECT().
+						GetAssetGroupTags(gomock.Any(), model.SQLFilter{
+							SQLString: queryParamName + " = '123'",
+						}).
+						Return(model.AssetGroupTags{
+							model.AssetGroupTag{ID: 1, Name: "123"},
+						}, nil)
+				},
+				Test: func(output apitest.Output) {
+					resp := v2.GetAssetGroupTagsResponse{}
+					apitest.StatusCode(output, http.StatusOK)
+					apitest.UnmarshalData(output, &resp)
+					require.Len(t, resp.Tags, 1)
+					apitest.Equal(output, "123", resp.Tags[0].Name)
+				},
+			},
+			{
+				Name: "Bool-likeName",
+				Input: func(input *apitest.Input) {
+					apitest.AddQueryParam(input, queryParamName, "eq:t")
+				},
+				Setup: func() {
+					mockDB.EXPECT().
+						GetAssetGroupTags(gomock.Any(), model.SQLFilter{
+							SQLString: queryParamName + " = 't'",
+						}).
+						Return(model.AssetGroupTags{
+							model.AssetGroupTag{ID: 1, Name: "t"},
+						}, nil)
+				},
+				Test: func(output apitest.Output) {
+					resp := v2.GetAssetGroupTagsResponse{}
+					apitest.StatusCode(output, http.StatusOK)
+					apitest.UnmarshalData(output, &resp)
+					require.Len(t, resp.Tags, 1)
+					apitest.Equal(output, "t", resp.Tags[0].Name)
+				},
+			},
 			{
 				Name: "Check Selector counts",
 				Input: func(input *apitest.Input) {

cmd/api/src/api/v2/auth/auth.go

@@ -390,7 +390,7 @@ func (s ManagementResource) CreateUser(response http.ResponseWriter, request *ht
 			// The migration sets the default for all_environments to true, which will enable all users to have access to all environments until ETAC is explicitly enabled
 			userTemplate.AllEnvironments = false
 
-			if err := handleETACRequest(request.Context(), createUserRequest.UpdateUserRequest, roles, &userTemplate, s.GraphQuery); err != nil {
+			if err := handleETACRequest(createUserRequest.UpdateUserRequest, roles, &userTemplate, s.GraphQuery); err != nil {
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, err.Error(), request), response)
 				return
 			}
@@ -526,7 +526,7 @@ func (s ManagementResource) UpdateUser(response http.ResponseWriter, request *ht
 				effectiveRoles = roles
 			}
 
-			if err := handleETACRequest(request.Context(), updateUserRequest, effectiveRoles, &user, s.GraphQuery); err != nil {
+			if err := handleETACRequest(updateUserRequest, effectiveRoles, &user, s.GraphQuery); err != nil {
 				api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, err.Error(), request), response)
 				return
 			}

cmd/api/src/api/v2/auth/auth_test.go

@@ -58,8 +58,6 @@ import (
 	"github.com/specterops/bloodhound/cmd/api/src/utils/test"
 	"github.com/specterops/bloodhound/cmd/api/src/utils/validation"
 	"github.com/specterops/bloodhound/packages/go/bhlog"
-	"github.com/specterops/bloodhound/packages/go/graphschema/ad"
-	"github.com/specterops/bloodhound/packages/go/graphschema/azure"
 	"github.com/specterops/bloodhound/packages/go/graphschema/common"
 	"github.com/specterops/bloodhound/packages/go/headers"
 	"github.com/specterops/bloodhound/packages/go/mediatypes"
@@ -1586,17 +1584,9 @@ func TestCreateUser_ETAC(t *testing.T) {
 				},
 			},
 			expectMocks: func(mockDB *mocks.MockDatabase, goodUser model.User, mockGraphDB *mocks_graph.MockGraph) {
-				mockGraphDB.EXPECT().FetchNodesByObjectIDsAndKinds(gomock.Any(), graph.Kinds{ad.Domain, azure.Tenant}, []string{"12345", "54321"}).Return(graph.NodeSet{
-					graph.ID(1): {
-						Properties: graph.AsProperties(map[string]any{
-							common.ObjectID.String(): "12345",
-						}),
-					},
-					graph.ID(2): {
-						Properties: graph.AsProperties(map[string]any{
-							common.ObjectID.String(): "54321",
-						}),
-					},
+				mockGraphDB.EXPECT().GetFilteredAndSortedNodes(gomock.Any(), gomock.Any()).Return([]*graph.Node{
+					{Properties: graph.AsProperties(map[string]any{common.ObjectID.String(): "12345"})},
+					{Properties: graph.AsProperties(map[string]any{common.ObjectID.String(): "54321"})},
 				}, nil)
 				mockDB.EXPECT().CreateUser(gomock.Any(), gomock.Any()).Return(goodUser, nil).AnyTimes()
 			},
@@ -1732,17 +1722,13 @@ func TestCreateUser_ETAC(t *testing.T) {
 				},
 			},
 			expectMocks: func(mockDB *mocks.MockDatabase, goodUser model.User, mockGraphDB *mocks_graph.MockGraph) {
-				mockGraphDB.EXPECT().FetchNodesByObjectIDsAndKinds(gomock.Any(), graph.Kinds{ad.Domain, azure.Tenant}, []string{"12345", "54321"}).Return(graph.NodeSet{
-					graph.ID(1): {
-						Properties: graph.AsProperties(map[string]any{
-							common.ObjectID.String(): "12345",
-						}),
-					},
+				mockGraphDB.EXPECT().GetFilteredAndSortedNodes(gomock.Any(), gomock.Any()).Return([]*graph.Node{
+					{Properties: graph.AsProperties(map[string]any{common.ObjectID.String(): "12345"})},
 				}, nil)
 			},
 			expectedStatus: http.StatusBadRequest,
 			assertBody: func(t *testing.T, body string) {
-				assert.Contains(t, body, "domain or tenant not found: 54321")
+				assert.Contains(t, body, "environment not found: 54321")
 			},
 		},
 	}
@@ -2995,12 +2981,8 @@ func TestManagementResource_UpdateUser_ETAC(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			assertBody:     func(t *testing.T, _ string) {},
 			expectMocks: func(mockDB *mocks.MockDatabase, goodUser model.User, mockGraphDB *mocks_graph.MockGraph) {
-				mockGraphDB.EXPECT().FetchNodesByObjectIDsAndKinds(gomock.Any(), graph.Kinds{ad.Domain, azure.Tenant}, []string{"12345"}).Return(graph.NodeSet{
-					graph.ID(1): {
-						Properties: graph.AsProperties(map[string]any{
-							common.ObjectID.String(): "12345",
-						}),
-					},
+				mockGraphDB.EXPECT().GetFilteredAndSortedNodes(gomock.Any(), gomock.Any()).Return([]*graph.Node{
+					{Properties: graph.AsProperties(map[string]any{common.ObjectID.String(): "12345"})},
 				}, nil)
 				mockDB.EXPECT().UpdateUser(gomock.Any(), gomock.Any()).Return(nil)
 			},
@@ -3086,15 +3068,11 @@ func TestManagementResource_UpdateUser_ETAC(t *testing.T) {
 			},
 			expectedStatus: http.StatusBadRequest,
 			assertBody: func(t *testing.T, body string) {
-				assert.Contains(t, body, "domain or tenant not found: 54321")
+				assert.Contains(t, body, "environment not found: 54321")
 			},
 			expectMocks: func(mockDB *mocks.MockDatabase, goodUser model.User, mockGraphDB *mocks_graph.MockGraph) {
-				mockGraphDB.EXPECT().FetchNodesByObjectIDsAndKinds(gomock.Any(), graph.Kinds{ad.Domain, azure.Tenant}, []string{"12345", "54321"}).Return(graph.NodeSet{
-					graph.ID(1): {
-						Properties: graph.AsProperties(map[string]any{
-							common.ObjectID.String(): "12345",
-						}),
-					},
+				mockGraphDB.EXPECT().GetFilteredAndSortedNodes(gomock.Any(), gomock.Any()).Return([]*graph.Node{
+					{Properties: graph.AsProperties(map[string]any{common.ObjectID.String(): "12345"})},
 				}, nil)
 			},
 		},

cmd/api/src/api/v2/auth/etac.go

@@ -17,7 +17,6 @@
 package auth
 
 import (
-	"context"
 	"errors"
 	"fmt"
 
@@ -26,17 +25,18 @@ import (
 	"github.com/specterops/bloodhound/cmd/api/src/auth"
 	"github.com/specterops/bloodhound/cmd/api/src/model"
 	"github.com/specterops/bloodhound/cmd/api/src/queries"
+	"github.com/specterops/bloodhound/packages/go/graphschema"
 	"github.com/specterops/bloodhound/packages/go/graphschema/ad"
 	"github.com/specterops/bloodhound/packages/go/graphschema/azure"
 	"github.com/specterops/bloodhound/packages/go/graphschema/common"
-	"github.com/specterops/dawgs/graph"
+	"github.com/specterops/dawgs/query"
 )
 
 // handleETACRequest will modify the user passed in to assign an etac list or grant all environment access
 // and will return an error on bad requests
 // Administrators and Power Users may not have an ETAC list applied to them
 // The user may not request all environments and have an ETAC list applied to them
-func handleETACRequest(ctx context.Context, updateUserRequest v2.UpdateUserRequest, roles model.Roles, user *model.User, graphDB queries.Graph) error {
+func handleETACRequest(updateUserRequest v2.UpdateUserRequest, roles model.Roles, user *model.User, graphDB queries.Graph) error {
 	if updateUserRequest.AllEnvironments.Valid || updateUserRequest.EnvironmentTargetedAccessControl != nil {
 		// Admin / Power Users can only have all_environments set to true
 		if (!hasValidRolesForETAC(roles)) &&
@@ -70,17 +70,27 @@ func handleETACRequest(ctx context.Context, updateUserRequest v2.UpdateUserReque
 		envIds = append(envIds, environment.EnvironmentID)
 	}
 
-	if nodes, err := graphDB.FetchNodesByObjectIDsAndKinds(ctx, graph.Kinds{
-		ad.Domain, azure.Tenant,
-	}, envIds...); err != nil {
+	if nodes, err := graphDB.GetFilteredAndSortedNodes(query.SortItems{},
+		query.And(
+			query.In(query.NodeProperty(common.ObjectID.String()), envIds),
+			query.Or(
+				query.In(query.NodeProperty(ad.DomainSID.String()), envIds),
+				query.In(query.NodeProperty(azure.TenantID.String()), envIds),
+				query.In(query.NodeProperty(graphschema.EnvironmentIDKey), envIds),
+			),
+		)); err != nil {
 		return fmt.Errorf("error fetching environments: %w", err)
-	} else if nodesByObject, err := nodeSetToObjectIDMap(nodes); err != nil {
-		return err
 	} else {
+		var validNodes = make(map[string]bool)
+		for _, node := range nodes {
+			if objectID, err := node.Properties.Get(common.ObjectID.String()).String(); err == nil {
+				validNodes[objectID] = true
+			}
+		}
 		user.EnvironmentTargetedAccessControl = make([]model.EnvironmentTargetedAccessControl, 0, len(envIds))
 		for _, envId := range envIds {
-			if _, ok := nodesByObject[envId]; !ok {
-				return fmt.Errorf("domain or tenant not found: %s", envId)
+			if !validNodes[envId] {
+				return fmt.Errorf("environment not found: %s", envId)
 			} else {
 				user.EnvironmentTargetedAccessControl = append(user.EnvironmentTargetedAccessControl, model.EnvironmentTargetedAccessControl{
 					UserID:        user.ID.String(),
@@ -93,22 +103,6 @@ func handleETACRequest(ctx context.Context, updateUserRequest v2.UpdateUserReque
 	return nil
 }
 
-func nodeSetToObjectIDMap(set graph.NodeSet) (map[string]bool, error) {
-	var (
-		objectIDs = make(map[string]bool)
-	)
-
-	for _, node := range set {
-		if objectID, err := node.Properties.Get(common.ObjectID.String()).String(); err != nil {
-			return objectIDs, err
-		} else {
-			objectIDs[objectID] = true
-		}
-	}
-
-	return objectIDs, nil
-}
-
 // hasValidRolesForETAC will check the passed in roles to determine if a user can have ETAC controls applied to theem
 // returning true if they may be ETAC controlled and false if they may not
 func hasValidRolesForETAC(roles model.Roles) bool {

cmd/api/src/api/v2/cypherquery.go

@@ -104,6 +104,32 @@ func (s Resources) CypherQuery(response http.ResponseWriter, request *http.Reque
 		return
 	}
 
+	auditLogEntry, err := model.NewAuditEntry(
+		model.AuditLogActionRunCypherQuery,
+		model.AuditLogStatusIntent,
+		model.AuditData{
+			"query":              preparedQuery.StrippedQuery,
+			"include_properties": payload.IncludeProperties,
+		},
+	)
+	if err != nil {
+		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, err.Error(), request), response)
+		return
+	}
+
+	if err = s.DB.AppendAuditLog(request.Context(), auditLogEntry); err != nil {
+		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusInternalServerError, err.Error(), request), response)
+		return
+	}
+
+	auditLogEntry.Status = model.AuditLogStatusFailure
+
+	defer func() {
+		if err = s.DB.AppendAuditLog(request.Context(), auditLogEntry); err != nil {
+			slog.ErrorContext(request.Context(), "Failure to create run cypher query audit log", attr.Error(err))
+		}
+	}()
+
 	primaryDisplayKinds, err := s.DB.GetPrimaryDisplayKinds(request.Context())
 	if err != nil {
 		api.HandleDatabaseError(request, response, err)
@@ -138,6 +164,8 @@ func (s Resources) CypherQuery(response http.ResponseWriter, request *http.Reque
 		return
 	}
 
+	auditLogEntry.Status = model.AuditLogStatusSuccess
+
 	if !payload.IncludeProperties {
 		// removing node properties from the response
 		for id, node := range graphResponse.Nodes {