Merge pull request #141 from isimluk/if-not-modified-since

Implement If-Not-Modified-Since HTTP header on GetLatestIntelRuleFile call

Makefile

@@ -26,7 +26,7 @@ specs/swagger-stripped-oauth.json: specs/swagger-formatted.json
 
 specs/swagger-download-patch.json: specs/swagger-stripped-oauth.json
 	# We add missing binary response body spec to the swagger
-	jq '.definitions."domain.DownloadItem"."type"="string" | .definitions."domain.DownloadItem"."format"="binary" | .paths."/intel/entities/report-files/v1"."get"."responses"."200"."schema"={"$$ref": "#/definitions/domain.DownloadItem"} | .paths."/intel/entities/rules-latest-files/v1"."get"."responses"."200"."schema"={"$$ref": "#/definitions/domain.DownloadItem"} | .paths."/intel/entities/rules-files/v1"."get"."responses"."200"."schema"={"$$ref": "#/definitions/domain.DownloadItem"}' $< > $@
+	jq '.definitions."domain.DownloadItem"."type"="string" | .definitions."domain.DownloadItem"."format"="binary" | .paths."/intel/entities/report-files/v1"."get"."responses"."200"."schema"={"$$ref": "#/definitions/domain.DownloadItem"} | .paths."/intel/entities/rules-latest-files/v1"."get"."responses"."200"."schema"={"$$ref": "#/definitions/domain.DownloadItem"} | .paths."/intel/entities/rules-files/v1"."get"."responses"."200"."schema"={"$$ref": "#/definitions/domain.DownloadItem"} | .paths."/intel/entities/rules-latest-files/v1".get.parameters |= . + [{type: "string", description: "Download Only if changed since", name: "If-Modified-Since", "in": "header"}] | .paths."/intel/entities/rules-latest-files/v1".get.responses."304" = {description: "Not Modified"}' $< > $@
 
 specs/swagger.json:
 	@echo "Sorry swagger.json needs to be obtained manually at this moment"

examples/falcon_intel_rules_download/main.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"bufio"
+	"bytes"
 	"context"
 	"flag"
 	"fmt"
@@ -20,6 +22,7 @@ func main() {
 	memberCID := flag.String("member-cid", os.Getenv("FALCON_MEMBER_CID"), "Member CID for MSSP (for cases when OAuth2 authenticates multiple CIDs)")
 	clientCloud := flag.String("cloud", os.Getenv("FALCON_CLOUD"), "Falcon cloud abbreviation (us-1, us-2, eu-1, us-gov-1)")
 	intelRuleType := flag.String("rule-type", "", fmt.Sprintf("Falcon Intelligence Rule Type: available types: %s", intel.RuleTypeValidValues))
+	since := flag.String("since", "", "Download file only if it was not modified since the given date. Example value: 'Fri, 16 Oct 2021 11:04:27 GMT'")
 	flag.Parse()
 
 	if *clientId == "" {
@@ -48,42 +51,50 @@ Falcon Client Secret`)
 	}
 
 	intelType := *intelRuleType
-	filepath := fmt.Sprintf("%s.tar.gz", intelType)
-	fmt.Printf("Downloading file %s\n", filepath)
-	err = DownloadLatestRuleFile(client, filepath, intelType)
+	fmt.Printf("Downloading %s\n", *intelRuleType)
+	buffer, err := DownloadLatestRuleFile(client, intelType, since)
 	if err != nil {
 		panic(err)
-
 	}
-}
+	if buffer != nil {
+		filename := fmt.Sprintf("%s.tar.gz", intelType)
+		fmt.Printf("Storing as %s\n", filename)
+		safeLocation := filepath.Clean(filename)
+		if strings.Contains(safeLocation, "/") || strings.Contains(safeLocation, "\\") || strings.Contains(safeLocation, "..") {
+			panic("Suspicious file location: " + safeLocation)
+		}
 
-func DownloadLatestRuleFile(client *client.CrowdStrikeAPISpecification, filename, intelType string) error {
-	safeLocation := filepath.Clean(filename)
-	if strings.Contains(safeLocation, "/") || strings.Contains(safeLocation, "\\") || strings.Contains(safeLocation, "..") {
-		panic("Suspicious file location: " + safeLocation)
-	}
+		file, err := os.OpenFile(safeLocation, os.O_CREATE|os.O_WRONLY, 0600)
+		if err != nil {
+			panic(err)
+		}
 
-	file, err := os.OpenFile(safeLocation, os.O_CREATE|os.O_WRONLY, 0600)
-	if err != nil {
-		return err
+		/* #nosec */
+		defer func() {
+			// (ignore possibly false positive https://github.com/securego/gosec/issues/714)
+			if err := file.Close(); err != nil {
+				fmt.Fprintf(os.Stderr, "Error closing file: %s\n", err)
+			}
+		}()
 	}
+}
 
-	/* #nosec */
-	defer func() {
-		// (ignore possibly false positive https://github.com/securego/gosec/issues/714)
-		if err := file.Close(); err != nil {
-			fmt.Fprintf(os.Stderr, "Error closing file: %s\n", err)
-		}
-	}()
-
+func DownloadLatestRuleFile(client *client.CrowdStrikeAPISpecification, intelType string, ifModifiedSince *string) (*bytes.Buffer, error) {
+	var buffer bytes.Buffer
 	gzip := "gzip"
-	_, err = client.Intel.GetLatestIntelRuleFile(&intel.GetLatestIntelRuleFileParams{
-		Context: context.Background(),
-		Type:    intelType,
-		Format:  &gzip,
-	}, file)
+
+	_, err := client.Intel.GetLatestIntelRuleFile(&intel.GetLatestIntelRuleFileParams{
+		Context:         context.Background(),
+		Type:            intelType,
+		Format:          &gzip,
+		IfModifiedSince: ifModifiedSince,
+	}, bufio.NewWriter(&buffer))
+
 	if err != nil {
-		return err
+		if success := err.(*intel.GetLatestIntelRuleFileNotModified); success != nil {
+			// File has not changed, return empty buffer
+			return nil, nil
+		}
 	}
-	return nil
+	return &buffer, err
 }