feat: implement Phase 2 stabilization
Some checks failed
CI / lint-and-test (push) Has been cancelled
Some checks failed
CI / lint-and-test (push) Has been cancelled
- Cache Graph API tokens with expiry-aware reuse in graph/auth.py - Add tenacity-based retry/backoff wrapper (utils/http.py) and apply to all Graph/source API calls - Add Pydantic request/response models (models/api.py) and FastAPI query constraints - Add unit tests for event_model, auth and integration tests for API endpoints - Configure ruff linter/formatter in pyproject.toml - Add GitHub Actions CI pipeline (.github/workflows/ci.yml) - Add requirements-dev.txt with pytest, mongomock, httpx, ruff - Clean up typing imports and fix ruff linting across codebase
This commit is contained in:
@@ -1,7 +1,8 @@
|
||||
import requests
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
from graph.auth import get_access_token
|
||||
from graph.resolve import resolve_directory_object, resolve_service_principal_owners
|
||||
from utils.http import get_with_retry
|
||||
|
||||
|
||||
def fetch_audit_logs(hours=24, max_pages=50):
|
||||
@@ -22,13 +23,13 @@ def fetch_audit_logs(hours=24, max_pages=50):
|
||||
raise RuntimeError(f"Aborting pagination after {max_pages} pages to avoid runaway fetch.")
|
||||
|
||||
try:
|
||||
res = requests.get(next_url, headers=headers, timeout=20)
|
||||
res = get_with_retry(next_url, headers=headers, timeout=20)
|
||||
res.raise_for_status()
|
||||
body = res.json()
|
||||
except requests.RequestException as exc:
|
||||
except RuntimeError:
|
||||
raise
|
||||
except Exception as exc:
|
||||
raise RuntimeError(f"Failed to fetch audit logs page: {exc}") from exc
|
||||
except ValueError as exc:
|
||||
raise RuntimeError(f"Invalid JSON response from Graph: {exc}") from exc
|
||||
|
||||
events.extend(body.get("value", []))
|
||||
next_url = body.get("@odata.nextLink")
|
||||
|
||||
@@ -1,9 +1,19 @@
|
||||
import time
|
||||
|
||||
import requests
|
||||
from config import TENANT_ID, CLIENT_ID, CLIENT_SECRET
|
||||
from config import CLIENT_ID, CLIENT_SECRET, TENANT_ID
|
||||
|
||||
_TOKEN_CACHE = {}
|
||||
|
||||
|
||||
def get_access_token(scope: str = "https://graph.microsoft.com/.default"):
|
||||
"""Request an application token from Microsoft identity platform."""
|
||||
"""Request an application token from Microsoft identity platform.
|
||||
Tokens are cached and reused until 5 minutes before expiry."""
|
||||
now = time.time()
|
||||
cached = _TOKEN_CACHE.get(scope)
|
||||
if cached and cached["exp"] > now + 300:
|
||||
return cached["token"]
|
||||
|
||||
url = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
|
||||
data = {
|
||||
"grant_type": "client_credentials",
|
||||
@@ -14,9 +24,12 @@ def get_access_token(scope: str = "https://graph.microsoft.com/.default"):
|
||||
try:
|
||||
res = requests.post(url, data=data, timeout=15)
|
||||
res.raise_for_status()
|
||||
token = res.json().get("access_token")
|
||||
payload = res.json()
|
||||
token = payload.get("access_token")
|
||||
if not token:
|
||||
raise RuntimeError("Token endpoint returned no access_token")
|
||||
expires_in = payload.get("expires_in", 3600)
|
||||
_TOKEN_CACHE[scope] = {"token": token, "exp": now + expires_in}
|
||||
return token
|
||||
except requests.RequestException as exc:
|
||||
raise RuntimeError(f"Failed to obtain access token: {exc}") from exc
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
from typing import Dict, List, Optional
|
||||
|
||||
import requests
|
||||
from utils.http import get_with_retry
|
||||
|
||||
|
||||
def _name_from_payload(payload: dict, kind: str) -> str:
|
||||
@@ -26,18 +25,18 @@ def _name_from_payload(payload: dict, kind: str) -> str:
|
||||
return payload.get("displayName") or payload.get("id") or "Unknown"
|
||||
|
||||
|
||||
def _request_json(url: str, token: str) -> Optional[dict]:
|
||||
def _request_json(url: str, token: str) -> dict | None:
|
||||
try:
|
||||
res = requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
|
||||
res = get_with_retry(url, headers={"Authorization": f"Bearer {token}"}, timeout=10)
|
||||
if res.status_code == 404:
|
||||
return None
|
||||
res.raise_for_status()
|
||||
return res.json()
|
||||
except requests.RequestException:
|
||||
except Exception:
|
||||
return None
|
||||
|
||||
|
||||
def resolve_directory_object(object_id: str, token: str, cache: Dict[str, dict]) -> Optional[dict]:
|
||||
def resolve_directory_object(object_id: str, token: str, cache: dict[str, dict]) -> dict | None:
|
||||
"""
|
||||
Resolve a directory object (user, servicePrincipal, group, device) to a readable name.
|
||||
Uses a simple multi-endpoint probe with caching to avoid extra Graph traffic.
|
||||
@@ -69,7 +68,7 @@ def resolve_directory_object(object_id: str, token: str, cache: Dict[str, dict])
|
||||
return None
|
||||
|
||||
|
||||
def resolve_service_principal_owners(sp_id: str, token: str, cache: Dict[str, List[str]]) -> List[str]:
|
||||
def resolve_service_principal_owners(sp_id: str, token: str, cache: dict[str, list[str]]) -> list[str]:
|
||||
"""Return a list of owner display names for a service principal."""
|
||||
if not sp_id:
|
||||
return []
|
||||
|
||||
Reference in New Issue
Block a user