Context lookup API endpoint part 1 (#2440)
* ContextLinks part #1:
  + Configuration schema & file
  + API endpoint resource and routes
  + Some minor adjustments to make them work
* Bug fixes
* Added missing fields to the VT example.
* Making the black-formatter happy.
* More fixes for the black-formatter.
* Another linter fix.
* Refactored the API endpoint. It now includes the changes suggested by the reviewer.
  + Better readable input verification
  + More granular error message on bad entries
  + Less log entries
* linter
* black-formatter
* Adding a unittest for the API endpoint.
* black-formatter
* Refactored the API endpoint based on review comments.
  + Removed the validation from the API endpoint.
  + Moved validation to tsctl
  + Changed validation to use jsonschema
  + Updated tests
* black-formatter
* bug fix
* Adding jsonschema to requirements.txt
Showing 10 changed files with 237 additions and 0 deletions.
@@ -0,0 +1,46 @@ | ||
# ------------------------------------------------------------------------ | ||
# -- CONTEXT LINKS -- | ||
# ------------------------------------------------------------------------ | ||
# | ||
# This is a config file to define context links for event attributes. | ||
# | ||
# Each context link consists of the following fields: | ||
# | ||
# context_link_name: | ||
# | ||
# short_name: Type: str | The name for the context link. | ||
# Will be displayed in the context link submenu. | ||
# | ||
# match_fields: Type: list[str] | List of field keys where | ||
# this context link should be available. Will | ||
# be checked as case insensitive! | ||
# | ||
# validation_regex: Type: str | OPTIONAL | ||
# A regex pattern that needs to be | ||
# matched by the field value to to make the | ||
# context link available. This can be used to | ||
# validate the format of a value (e.g. a hash). | ||
# | ||
# context_link: Type: str | The link that will be opened in a | ||
# new tab when the context link is clicked. | ||
# IMPORTANT: Add the placeholder "<ATTR_VALUE>" | ||
# where the attribute value should be inserted | ||
# into the link. | ||
# | ||
# redirect_warning: [TRUE]: If the context link is clicked it will | ||
# open a pop-up dialog first that asks the | ||
# user if they would like to proceed to | ||
# the linked page. (Recommended for | ||
# external pages.) | ||
# [FALSE]: The linked page will be opened without | ||
# any pop-up. (Recommended for internal | ||
# pages.) | ||
# | ||
# ------------------------------------------------------------------------ | ||
## Virustotal Example: | ||
# virustotal_hash_lookup: | ||
# short_name: 'VirusTotal' | ||
# match_fields: ['hash', 'sha256_hash', 'sha256', 'sha1_hash', 'sha1', 'md5_hash', 'md5'] | ||
# validation_regex: '/^[0-9a-f]{64}$|^[0-9a-f]{40}$|^[0-9a-f]{32}$/i' | ||
# context_link: 'https://www.virustotal.com/gui/search/<ATTR_VALUE>' | ||
# redirect_warning: TRUE |
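Review bot: the schema header leaves two things undefined that whoever consumes this config will need: the regex dialect and whether the substituted value is URL-encoded. The example `validation_regex: '/^[0-9a-f]{64}$|^[0-9a-f]{40}$|^[0-9a-f]{32}$/i'` uses JavaScript-style slash delimiters and a trailing `i` flag, which Python's `re` would treat as literal characters, so the comment block should state that the pattern is evaluated client-side (or drop the delimiters if it is not). Since the field value is interpolated into a URL, also state that it must be percent-encoded when it replaces `<ATTR_VALUE>`, and recommend a `validation_regex` for any entry whose match field is free-form (a `url` field, for instance); otherwise an attacker-controlled event value can append path segments or query parameters to the outbound link. Minor: the `redirect_warning` description does not say what the default is when the key is omitted, and "matched by the field value to to make the" has a doubled "to".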
@@ -35,3 +35,4 @@ prometheus-client==0.9.0 | |
prometheus-flask-exporter==0.18.1 | ||
decorator==5.0.5 | ||
geoip2==4.2.0 | ||
jsonschema~=4.0 |
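Review bot: `jsonschema~=4.0` is the only compatible-release specifier in a file that pins everything else exactly (`geoip2==4.2.0`, `decorator==5.0.5`); `~=4.0` accepts any 4.x release, so installs are not reproducible and a later 4.x change in validator behaviour could silently change what `tsctl validate-context-links-conf` accepts. Pin an exact version, matching the rest of the file.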
@@ -0,0 +1,20 @@ | ||
## Mock configuration file for testing the contrext links API endpoint! | ||
lookupone: | ||
short_name: 'LookupOne' | ||
match_fields: ['hash'] | ||
validation_regex: '/^[0-9a-f]{40}$|^[0-9a-f]{32}$/i' | ||
context_link: 'https://lookupone.local/q=<ATTR_VALUE>' | ||
redirect_warning: TRUE | ||
|
||
lookuptwo: | ||
short_name: 'LookupTwo' | ||
match_fields: ['sha256_hash', 'hash'] | ||
validation_regex: '/^[0-9a-f]{64}$/i' | ||
context_link: 'https://lookuptwo.local/q=<ATTR_VALUE>' | ||
redirect_warning: FALSE | ||
|
||
lookupthree: | ||
short_name: 'LookupThree' | ||
match_fields: ['url'] | ||
context_link: 'https://lookupthree.local/q=<ATTR_VALUE>' | ||
redirect_warning: TRUE |
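Review bot: typo in the header comment, "contrext links" should be "context links". Also, all three entries use lowercase `match_fields`, so the endpoint's `field.lower()` normalisation is never exercised by this fixture; one entry with a mixed-case field such as `'SHA256_Hash'` would let the unit test assert that it is keyed as `sha256_hash` in the response. `lookupthree` omitting `validation_regex` is good, since it covers the optional field.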
@@ -0,0 +1,57 @@ | ||
# Copyright 2022 Google Inc. All rights reserved. | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
"""Context link API for version 1 of the Timesketch API.""" | ||
|
||
from copy import deepcopy | ||
from flask import jsonify | ||
from flask_restful import Resource | ||
from flask_login import login_required | ||
|
||
from timesketch.api.v1 import resources | ||
from timesketch.api.v1.utils import load_yaml_config | ||
|
||
|
||
class ContextLinkConfigResource(resources.ResourceMixin, Resource): | ||
"""Resource to get context link information.""" | ||
|
||
@login_required | ||
def get(self): | ||
"""Handles GET request to the resource. | ||
HINT: | ||
In case of errors with loading the context links, use the | ||
tsctl tool to validate your config file! | ||
Example: tsctl validate-context-links-conf ./data/context_links.yaml | ||
Returns: | ||
JSON object including version info | ||
""" | ||
# HINT: In case of errors with loading the context links, use the | ||
# tsctl tool to validate your config file! | ||
# Example: tsctl validate-context-links-conf ./data/context_links.yaml | ||
|
||
context_link_yaml = load_yaml_config("CONTEXT_LINKS_CONFIG_PATH") | ||
|
||
response = {} | ||
if not context_link_yaml: | ||
return jsonify(response) | ||
|
||
for entry in context_link_yaml: | ||
entry_dict = context_link_yaml[entry] | ||
context_link_config = deepcopy(entry_dict) | ||
del context_link_config["match_fields"] | ||
for field in entry_dict.get("match_fields"): | ||
response.setdefault(field.lower(), []).append(context_link_config) | ||
|
||
return jsonify(response) |
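Review bot: `del context_link_config["match_fields"]` and `for field in entry_dict.get("match_fields")` both assume the key is present; with validation moved out of the endpoint to tsctl (per the commit message), an entry that lacks `match_fields` or has it set to null now raises `KeyError`/`TypeError` and turns into an HTTP 500 for every caller until the file is fixed. Prefer `match_fields = context_link_config.pop("match_fields", None) or []` and skip (and log once) entries without it, or run the same jsonschema validation on load. The docstring's "Returns: JSON object including version info" is wrong: the response is a mapping of lowercased field name to the list of context-link configs that apply to it. The HINT appears twice (docstring and comment); keep one. `for entry in context_link_yaml: entry_dict = context_link_yaml[entry]` reads better as `for name, entry_dict in context_link_yaml.items():`.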