-
Notifications
You must be signed in to change notification settings - Fork 3
/
qradar.go
239 lines (204 loc) · 5.67 KB
/
qradar.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
// Package qradar provides an API client for the QRadar API.
// See examples of the usage in the examples folder.
package qradar
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"strings"
)
const (
libraryVersion = "1.0.2"
apiVersion = "10.1"
userAgent = "go-qradar/" + libraryVersion
// ErrUnauthorized assigned on 401 http error.
ErrUnauthorized = "unathorized"
)
// JobStatus represents status of the job: search, etc.
type JobStatus string
const (
// StatusWait wait
StatusWait JobStatus = "WAIT"
// StatusExecute executing
StatusExecute JobStatus = "EXECUTE"
// StatusSorting sorting
StatusSorting JobStatus = "SORTING"
// StatusCompleted completed
StatusCompleted JobStatus = "COMPLETED"
// StatusCanceled canceled
StatusCanceled JobStatus = "CANCELED"
// StatusError errored
StatusError JobStatus = "ERROR"
)
// Client manages communication with the QRadar API.
type Client struct {
Client *http.Client
BaseURL *url.URL
UserAgent string
SECKey string
common service
Ariel *ArielService
SIEM *SIEMService
Config *ConfigService
}
type service struct {
client *Client
}
// NewClient returns a new QRadar API client.
func NewClient(baseurl string, opts ...func(*Client) error) (*Client, error) {
u, err := url.Parse(baseurl)
if err != nil {
return nil, err
}
c := &Client{
Client: http.DefaultClient,
UserAgent: userAgent,
BaseURL: u,
}
c.common.client = c
c.Ariel = (*ArielService)(&c.common)
c.SIEM = (*SIEMService)(&c.common)
c.Config = (*ConfigService)(&c.common)
for _, f := range opts {
err := f(c)
if err != nil {
return c, err
}
}
return c, nil
}
// SetHTTPClient sets an HTTP client.
func SetHTTPClient(httpClient *http.Client) func(*Client) error {
return func(c *Client) error {
c.Client = httpClient
return nil
}
}
// SetSECKey sets a key to auth on the QRadar API
func SetSECKey(key string) func(*Client) error {
return func(c *Client) error {
c.SECKey = key
return nil
}
}
// NewRequest constructs and new request to send.
func (c *Client) NewRequest(method, urlStr string, body interface{}) (*http.Request, error) {
if !strings.HasSuffix(c.BaseURL.Path, "/") {
return nil, fmt.Errorf("BaseURL must have a trailing slash, but %q does not", c.BaseURL)
}
u, err := c.BaseURL.Parse(urlStr)
if err != nil {
return nil, err
}
var buf io.ReadWriter
if body != nil {
buf = new(bytes.Buffer)
enc := json.NewEncoder(buf)
enc.SetEscapeHTML(false)
err := enc.Encode(body)
if err != nil {
return nil, err
}
}
req, err := http.NewRequest(method, u.String(), buf)
if err != nil {
return nil, err
}
req.Header.Set("Accept", "application/json")
req.Header.Set("Version", apiVersion)
if c.SECKey != "" {
req.Header.Set("SEC", c.SECKey)
}
if c.UserAgent != "" {
req.Header.Set("User-Agent", c.UserAgent)
}
return req, nil
}
// Do sends an API request and returns the API response. The API response is
// JSON decoded and stored in the value pointed to by v, or returned as an
// error if an API error has occurred. If v implements the io.Writer
// interface, the raw response body will be written to v, without attempting to
// first decode it.
//
// The provided ctx must be non-nil. If it is canceled or times out,
// ctx.Err() will be returned.
func (c *Client) Do(ctx context.Context, req *http.Request, v interface{}) (*http.Response, error) {
req = req.WithContext(ctx)
resp, err := c.Client.Do(req)
if err != nil {
// If we got an error, and the context has been canceled,
// the context's error is probably more useful.
select {
case <-ctx.Done():
return nil, ctx.Err()
default:
}
return nil, err
}
defer resp.Body.Close()
err = CheckResponse(resp)
if err != nil {
return resp, err
}
if v != nil {
if w, ok := v.(io.Writer); ok {
io.Copy(w, resp.Body)
} else {
decErr := json.NewDecoder(resp.Body).Decode(v)
if decErr == io.EOF {
decErr = nil // ignore EOF errors caused by empty response body
}
if decErr != nil {
err = decErr
}
}
}
return resp, err
}
// CheckResponse checks the API response for errors.
func CheckResponse(r *http.Response) error {
switch r.StatusCode {
case http.StatusOK, http.StatusCreated:
return nil
case http.StatusUnauthorized:
return fmt.Errorf("%s %d: %s", r.Request.URL.Path, r.StatusCode, ErrUnauthorized)
case http.StatusNotFound, http.StatusConflict, http.StatusUnprocessableEntity, http.StatusInternalServerError, http.StatusServiceUnavailable, http.StatusForbidden:
var v ErrorMessage
err := json.NewDecoder(r.Body).Decode(&v)
if err != nil {
return fmt.Errorf("%s %d: %s", r.Request.URL.Path, r.StatusCode, err.Error())
}
v.resp = r
return &v
default:
return fmt.Errorf("%s %d: unknown error", r.Request.URL.Path, r.StatusCode)
}
}
// ErrorMessage represents generic error message by the QRadar API.
type ErrorMessage struct {
resp *http.Response
Code json.Number `json:"code,omitempty"`
Contexts []string `json:"contexts,omitempty"`
Message string `json:"message,omitempty"`
Description string `json:"description,omitempty"`
Severity string `json:"severity,omitempty"`
Details struct {
Reason string `json:"reason,omitempty"`
Code int `json:"code,omitempty"`
StartIndex int `json:"start_index,omitempty"`
LineNumber int `json:"line_number,omitempty"`
QueryString string `json:"query_string,omitempty"`
TokenText string `json:"token_text,omitempty"`
} `json:"details,omitempty"`
}
// Error satisfies the error interface.
func (e *ErrorMessage) Error() string {
return fmt.Sprintf(
"%s %d: %s [%s]",
e.resp.Request.URL.Path, e.resp.StatusCode, e.Message, string(e.Code),
)
}