graph LR
query_interface["query_interface"]
local_policy_simulation["local_policy_simulation"]
query_actions["query_actions"]
query_orgs["query_orgs"]
query_utils["query_utils"]
presets["presets"]
repl["repl"]
query_interface -- "utilizes" --> local_policy_simulation
local_policy_simulation -- "provides policy evaluation services to" --> query_interface
query_actions -- "orchestrates" --> presets
presets -- "depends on" --> query_utils
repl -- "invokes" --> query_actions
repl -- "invokes" --> query_interface
repl -- "invokes" --> presets
The Graph Query & Analysis Interface subsystem is primarily encapsulated within the principalmapper.querying package. This subsystem provides the core functionality for interacting with the IAM graph, performing authorization checks, and executing predefined analysis patterns.
query_interface serves as the primary entry point for authorization checks within the subsystem. It exposes core functions such as search_authorization_for and local_check_authorization_handling_mfa, and it assembles the condition context (the set of condition keys and values, such as whether MFA was present on the request) that policy evaluation is run against.
Related Classes/Methods:
local_policy_simulation is the core engine for evaluating IAM policies. It assesses the policies attached to a principal against a requested action and resource, applies each statement's conditions to the supplied context, and reports whether the call is authorized. As the name indicates, evaluation happens locally rather than through the live IAM policy simulator, so results are only as accurate as the simulation's reproduction of IAM's evaluation rules (an explicit Deny overriding any Allow, wildcard matching of actions and ARNs, condition operators); a surprising result is something to confirm against the live service rather than take at face value.
Related Classes/Methods:
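To make the division of labour between query_interface and local_policy_simulation concrete, here is a small stand-alone policy evaluator written for this page. It is an added illustration, not code from principalmapper: the policy document, the condition operators it supports (Bool, StringEquals, ArnLike) and the two-pass MFA check (evaluate without MFA, then again with aws:MultiFactorAuthPresent set to true, returning whether MFA was what made the difference) are assumptions about the shape of the problem, not a description of pmapper's own functions.

```python
import fnmatch

# Constructed sample: an inline policy with an MFA-gated IAM statement and an
# explicit Deny. Not taken from the page or from principalmapper.
ROLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:Get*",
             "Resource": "arn:aws:s3:::corp-logs/*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
             "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
            {"Effect": "Deny", "Action": "iam:DeleteRole", "Resource": "*"},
        ],
    }
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value, case_insensitive):
    """IAM-style '*' / '?' matching. Action names are case-insensitive, ARNs are
    not. fnmatchcase also treats '[...]' as a character class, which ARNs and
    action names never contain, so it is a safe stand-in here."""
    if case_insensitive:
        value = value.lower()
    for pattern in _as_list(patterns):
        if case_insensitive:
            pattern = pattern.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def _condition_holds(condition, context):
    """Evaluate the subset of operators this example supports. A key absent
    from the context fails the condition, as plain Bool/StringEquals do in IAM
    (the *IfExists variants are deliberately not modelled)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = [str(e) for e in _as_list(expected)]
            if operator == "Bool":
                if str(actual).lower() not in [e.lower() for e in expected]:
                    return False
            elif operator == "StringEquals":
                if str(actual) not in expected:
                    return False
            elif operator == "ArnLike":
                if not _wildcard_match(expected, str(actual), False):
                    return False
            else:
                raise NotImplementedError("unsupported operator " + operator)
    return True


def evaluate(policies, action, resource, context):
    """Return 'allow', 'explicit_deny' or 'implicit_deny'. Any matching Deny
    wins over every Allow, so the scan stops at the first matching Deny."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if "NotAction" in statement or "NotResource" in statement:
                raise NotImplementedError("NotAction/NotResource not modelled")
            if not _wildcard_match(statement["Action"], action, True):
                continue
            if not _wildcard_match(statement["Resource"], resource, False):
                continue
            if "Condition" in statement and not _condition_holds(statement["Condition"], context):
                continue
            if statement["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


def check_authorization_handling_mfa(policies, action, resource, context):
    """Two-pass check (an assumption about how an MFA-aware wrapper behaves):
    evaluate as-is, then with aws:MultiFactorAuthPresent=true added to the
    context. Returns (authorized, mfa_required)."""
    if evaluate(policies, action, resource, context) == "allow":
        return True, False
    mfa_context = dict(context)
    mfa_context["aws:MultiFactorAuthPresent"] = "true"
    if evaluate(policies, action, resource, mfa_context) == "allow":
        return True, True
    return False, False


if __name__ == "__main__":
    ctx = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Analyst"}
    for action, resource in [("s3:GetObject", "arn:aws:s3:::corp-logs/2024/app.log"),
                             ("iam:CreateUser", "*"),
                             ("iam:DeleteRole", "arn:aws:iam::123456789012:role/Admin")]:
        print(action, check_authorization_handling_mfa(ROLE_POLICIES, action, resource, ctx))
```

The point to notice is the Deny on iam:DeleteRole: adding MFA to the context turns iam:CreateUser from an implicit deny into an allow, but it cannot rescue iam:DeleteRole, because the explicit Deny matches regardless of the condition context. Any local simulator has to preserve that ordering or it will over-report what a principal can do.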
query_actions manages the overall flow for handling user queries: it dispatches requests to the pre-defined query patterns (presets) and prints help for query construction, acting as the command dispatcher for the query interface.
Related Classes/Methods:
query_orgs queries and processes AWS Organizations data, in particular Service Control Policies (SCPs). Because an account's permissions are bounded by the SCPs attached at every level from the organization root through each intervening organizational unit down to the account itself, the module traverses the organizational units recursively to collect the SCPs that apply to each account before policy analysis.
Related Classes/Methods:
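The recursive traversal described above, as an added example that is not part of the page or of principalmapper's own query_orgs module. The organization tree, its field names (Id, Type, Scps, Children) and the SCP documents are constructed for this illustration; the evaluation rule it encodes is the standard one for SCPs: a call is permitted only if every layer from the root to the account has a matching Allow and no matching Deny. SCP statement conditions are not modelled and are rejected explicitly.

```python
import fnmatch

# Constructed SCPs (not from the page). AWS attaches FullAWSAccess to every
# root, OU and account by default; the other two are typical customer policies.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny",
                                 "Action": "organizations:LeaveOrganization",
                                 "Resource": "*"}]}
SANDBOX_ALLOW_LIST = {"Statement": [{"Effect": "Allow",
                                     "Action": ["ec2:*", "s3:*", "lambda:*"],
                                     "Resource": "*"}]}

# Constructed organization tree: root -> two OUs -> one account each.
ORG_TREE = {
    "Id": "r-abcd", "Type": "ROOT", "Scps": [FULL_AWS_ACCESS],
    "Children": [
        {"Id": "ou-abcd-prod", "Type": "ORGANIZATIONAL_UNIT",
         "Scps": [FULL_AWS_ACCESS, DENY_LEAVE_ORG],
         "Children": [
             {"Id": "111111111111", "Type": "ACCOUNT",
              "Scps": [FULL_AWS_ACCESS], "Children": []},
         ]},
        {"Id": "ou-abcd-sandbox", "Type": "ORGANIZATIONAL_UNIT",
         "Scps": [SANDBOX_ALLOW_LIST],
         "Children": [
             {"Id": "222222222222", "Type": "ACCOUNT",
              "Scps": [FULL_AWS_ACCESS], "Children": []},
         ]},
    ],
}


def scp_layers_for_account(node, account_id):
    """Recursively walk the tree and return the SCP list of every node on the
    path root -> OU -> ... -> account (root first), or None if the account is
    not in this subtree."""
    if node["Type"] == "ACCOUNT":
        return [node["Scps"]] if node["Id"] == account_id else None
    for child in node["Children"]:
        below = scp_layers_for_account(child, account_id)
        if below is not None:
            return [node["Scps"]] + below
    return None


def _statement_matches(statement, action, resource):
    if "Condition" in statement:
        raise NotImplementedError("SCP conditions are not modelled here")
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    resources = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    # Action names are case-insensitive in IAM; resource ARNs are not.
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def scp_layer_permits(scps, action, resource):
    """One level permits the call only if some SCP attached there allows it
    and no SCP attached there denies it."""
    allowed = False
    for scp in scps:
        for statement in scp["Statement"]:
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_permits(layers, action, resource="*"):
    """Every layer from the root down must permit the call. A single layer
    without a matching Allow (the sandbox allow-list) or with a matching Deny
    (the production OU) blocks it for the whole account."""
    return all(scp_layer_permits(layer, action, resource) for layer in layers)


if __name__ == "__main__":
    for account in ("111111111111", "222222222222"):
        layers = scp_layers_for_account(ORG_TREE, account)
        for action in ("s3:GetObject", "iam:CreateUser", "organizations:LeaveOrganization"):
            print(account, action, scp_permits(layers, action))
```

Two things are worth checking in any SCP-aware analysis: that the layer list really includes every OU on the path (an account nested two OUs deep has four layers, not two), and that the account's own identity-based policies are still evaluated afterwards, since SCPs only set the outer bound and never grant anything themselves.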
query_utils provides common utility functions for graph traversal and connectivity analysis, such as get_search_list for pathfinding and is_connected for determining whether one principal can reach another through the graph's edges.
Related Classes/Methods:
presets contains modules that implement specific, pre-defined queries or analysis patterns (e.g., clusters, connected, privesc). They encapsulate common graph traversal and analysis logic so that recurring security questions, such as which principals can reach an administrator, can be asked with a single command instead of a hand-written traversal.
Related Classes/Methods:
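The traversal helpers in query_utils and the privesc preset are two views of the same search, so one added example covers both. It is written for this page and is not principalmapper's own code: the node and edge shapes, the sample principals, the edge reasons and the function contracts (get_search_list returning one shortest edge path per reachable node, is_connected returning a path or None, find_privesc mapping each non-admin principal to a path that ends at an admin) are assumptions made for the illustration.

```python
from collections import deque
from typing import Dict, List, NamedTuple, Optional


class Edge(NamedTuple):
    source: str
    destination: str
    reason: str


# Constructed sample graph (not from the page): principal ARN -> is_admin flag,
# and directed edges meaning "source can act as destination, because <reason>".
NODES: Dict[str, bool] = {
    "arn:aws:iam::123456789012:user/dev": False,
    "arn:aws:iam::123456789012:role/deploy": False,
    "arn:aws:iam::123456789012:role/admin": True,
    "arn:aws:iam::123456789012:user/auditor": False,
}
EDGES: List[Edge] = [
    Edge("arn:aws:iam::123456789012:user/dev",
         "arn:aws:iam::123456789012:role/deploy",
         "can access via sts:AssumeRole"),
    Edge("arn:aws:iam::123456789012:role/deploy",
         "arn:aws:iam::123456789012:role/admin",
         "can use iam:UpdateAssumeRolePolicy to gain access to"),
    # A back-edge creating a cycle; the visited set below keeps the search finite.
    Edge("arn:aws:iam::123456789012:role/deploy",
         "arn:aws:iam::123456789012:user/dev",
         "can create an access key for"),
]


def get_search_list(edges: List[Edge], start: str) -> List[List[Edge]]:
    """Breadth-first search from `start`. Returns one edge path per reachable
    node, shortest paths first. Each node is visited once, so cycles terminate."""
    outgoing: Dict[str, List[Edge]] = {}
    for edge in edges:
        outgoing.setdefault(edge.source, []).append(edge)
    visited = {start}
    paths: List[List[Edge]] = []
    queue: deque = deque([[]])
    while queue:
        path = queue.popleft()
        current = path[-1].destination if path else start
        for edge in outgoing.get(current, []):
            if edge.destination in visited:
                continue
            visited.add(edge.destination)
            extended = path + [edge]
            paths.append(extended)
            queue.append(extended)
    return paths


def is_connected(edges: List[Edge], source: str, destination: str) -> Optional[List[Edge]]:
    """Path of edges from source to destination, or None if unreachable."""
    for path in get_search_list(edges, source):
        if path[-1].destination == destination:
            return path
    return None


def find_privesc(nodes: Dict[str, bool], edges: List[Edge]) -> Dict[str, List[Edge]]:
    """The question behind a privesc preset: which non-admin principals can
    reach any admin principal? Maps each such principal to a path."""
    results: Dict[str, List[Edge]] = {}
    for arn, is_admin in nodes.items():
        if is_admin:
            continue  # already admin; nothing to escalate
        for path in get_search_list(edges, arn):
            if nodes.get(path[-1].destination, False):
                results[arn] = path
                break
    return results


def describe_path(path: List[Edge]) -> str:
    """Render a path the way an analyst reads it: who, by what means, to whom."""
    return " -> ".join([path[0].source] + [f"({e.reason}) {e.destination}" for e in path])


if __name__ == "__main__":
    for arn, path in find_privesc(NODES, EDGES).items():
        print(describe_path(path))
```

Because the search is breadth-first and stops at the first admin reached, the reported path is a shortest one, which is what an analyst wants to triage first; the auditor user, with no outgoing edges, is correctly absent from the result even though it sits in the same account.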
repl implements a Read-Eval-Print Loop (REPL) for interactive querying and analysis. It is the command-line interface through which users interact with the IAM graph and run queries or analysis patterns, handing each command to query_actions, query_interface or the presets.
Related Classes/Methods: