"""STIX 2.0 Objects that are neither SDOs nor SROs."""
from collections import OrderedDict
import importlib
import pkgutil
import stix2
from . import exceptions
from .base import _STIXBase
from .properties import IDProperty, ListProperty, Property, TypeProperty
from .utils import _get_dict, get_class_hierarchy_names
class STIXObjectProperty(Property):
    """Property whose value is a single STIX object.

    ``Bundle`` uses it as the element type of its ``objects`` list.
    """

    def __init__(self, allow_custom=False, *args, **kwargs):
        """Record the custom-content switch and initialise the base Property.

        Args:
            allow_custom (bool): When true, ``clean`` calls ``parse`` with
                ``allow_custom=True``. Default: False.
            *args: Forwarded unchanged to ``Property.__init__``.
            **kwargs: Forwarded unchanged to ``Property.__init__``.
        """
        self.allow_custom = allow_custom
        super(STIXObjectProperty, self).__init__(*args, **kwargs)

    def clean(self, value):
        """Return ``value`` as a STIX object, parsing it when necessary.

        Args:
            value: An existing STIX object, or something ``_get_dict`` can
                turn into a dictionary.

        Returns:
            ``value`` itself when its class hierarchy contains an SDO, SRO or
            Marking Definition base; otherwise the result of ``parse``.

        Raises:
            ValueError: If ``value`` cannot be converted to a dictionary, the
                dictionary is empty, or its ``type`` is ``'bundle'``.
        """
        # Any STIX Object (SDO, SRO, or Marking Definition) can be added to
        # a bundle with no further checks. This path returns before
        # self.allow_custom is read, so the flag has no effect on objects
        # that were already instantiated elsewhere.
        accepted_bases = ('STIXDomainObject', 'STIXRelationshipObject', 'MarkingDefinition')
        for base_name in get_class_hierarchy_names(value):
            if base_name in accepted_bases:
                return value

        try:
            as_dict = _get_dict(value)
        except ValueError:
            raise ValueError("This property may only contain a dictionary or object")

        if as_dict == {}:
            raise ValueError("This property may only contain a non-empty dictionary or object")
        if 'type' in as_dict and as_dict['type'] == 'bundle':
            raise ValueError('This property may not contain a Bundle object')

        # Passing an explicit boolean keeps the call identical to the
        # two-branch form: True when the switch is truthy, False otherwise.
        return parse(as_dict, allow_custom=bool(self.allow_custom))
class Bundle(_STIXBase):
    """For more detailed information on this object's properties, see
    `the STIX 2.0 specification <http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709293>`__.
    """

    _type = 'bundle'
    # Property order is significant, hence the OrderedDict.
    _properties = OrderedDict([
        ('type', TypeProperty(_type)),
        ('id', IDProperty(_type)),
        ('spec_version', Property(fixed="2.0")),
        ('objects', ListProperty(STIXObjectProperty)),
    ])

    def __init__(self, *args, **kwargs):
        """Build a bundle from positional objects and/or keyword properties.

        Positional arguments are prepended to the ``objects`` keyword. If the
        first positional argument is a list, its items are used in place of
        the list itself.

        Args:
            *args: STIX objects, or a list of them followed by more objects.
            **kwargs: Bundle properties; ``allow_custom`` (default False) is
                also read here before everything is passed to the base class.
        """
        # Add any positional arguments to the 'objects' kwarg.
        if args:
            leading = list(args)
            if isinstance(leading[0], list):
                leading = leading[0] + leading[1:]
            kwargs['objects'] = leading + kwargs.get('objects', [])

        custom_ok = kwargs.get('allow_custom', False)
        self.__allow_custom = custom_ok
        # NOTE(review): _properties is a class attribute, so this assignment
        # changes the 'objects' element property for every Bundle, not only
        # this instance. It is reset on each construction, but concurrent
        # constructions with different allow_custom values could presumably
        # see each other's setting -- confirm against ListProperty/_STIXBase.
        self._properties['objects'].contained.allow_custom = custom_ok

        super(Bundle, self).__init__(**kwargs)
# Registry of object maps keyed by version package name ('v' + the version
# with its dots removed). It starts empty; _collect_stix2_obj_maps() fills it
# and _register_type() adds entries to the per-version maps it holds.
STIX2_OBJ_MAPS = dict()
def parse(data, allow_custom=False, version=None):
    """Convert a string, dict or file-like object into a STIX object.

    Args:
        data (str, dict, file-like object): The STIX 2 content to be parsed.
        allow_custom (bool): Whether to allow custom properties as well as
            unknown custom objects. Note that unknown custom objects cannot
            be parsed into STIX objects, and will be returned as is.
            Default: False.
        version (str): Which STIX2 version to use. (e.g. "2.0", "2.1"). If
            None, use latest version.

    Returns:
        An instantiated Python STIX object, or, with ``allow_custom=True``
        and an unrecognised ``type``, the plain dictionary that was supplied.

    WARNING: 'allow_custom=True' returns any supplied STIX dict whose type
    does not map to a known STIX object type (neither a STIX2 domain object
    nor a registered custom STIX2 object) exactly as received; NO validation
    is done on it. This exists so that possibly unknown custom STIX objects
    can still be processed (example scenario: querying a third-party TAXII
    endpoint that may serve custom STIX objects not known ahead of time).
    Treat such a return value as untrusted input: check whether you got a
    dict back before relying on any of its fields.

    """
    # convert STIX object to dict, if not already
    as_dict = _get_dict(data)

    # convert dict to full python-stix2 obj
    return dict_to_stix2(as_dict, allow_custom, version)
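def dict_to_stix2(stix_dict, allow_custom=False, version=None):
    """Convert a dictionary into a full python-stix2 object.

    Args:
        stix_dict (dict): a python dictionary of a STIX object
            that (presumably) is semantically correct to be parsed
            into a full python-stix2 obj
        allow_custom (bool): Whether to allow custom properties as well as
            unknown custom objects. Note that unknown custom objects cannot
            be parsed into STIX objects, and will be returned as is.
            Default: False.
        version (str): Which STIX2 version to use. (e.g. "2.0", "2.1"). If
            None, use latest version.

    Returns:
        An instantiated Python STIX object, or ``stix_dict`` itself when
        ``allow_custom`` is true and its ``type`` is not registered.

    Raises:
        exceptions.ParseError: If ``stix_dict`` has no ``type`` property, if
            the ``type`` value is unhashable (for example a JSON array or
            object), or if the type is unknown and ``allow_custom`` is false.
        KeyError: If no object map is registered for the requested version.

    WARNING: 'allow_custom=True' returns any supplied STIX dict whose type
    does not map to a known STIX object type (neither a STIX2 domain object
    nor a registered custom STIX2 object) exactly as received; NO validation
    is done on it. This exists so that possibly unknown custom STIX objects
    can still be processed (example scenario: querying a third-party TAXII
    endpoint that may serve custom STIX objects not known ahead of time).
    Treat such a return value as untrusted input.

    """
    # Use latest version unless the caller named one; '2.0' becomes 'v20'.
    v = 'v' + (version or stix2.DEFAULT_VERSION).replace('.', '')
    obj_map = STIX2_OBJ_MAPS[v]

    if 'type' not in stix_dict:
        raise exceptions.ParseError("Can't parse object with no 'type' property: %s" % str(stix_dict))

    try:
        obj_class = obj_map[stix_dict['type']]
    except TypeError:
        # An unhashable 'type' (list or dict from decoded JSON) cannot be a
        # map key at all. Report it as a parse failure in every mode so that
        # malformed feed content does not surface as a bare TypeError.
        raise exceptions.ParseError("Can't parse object with unhashable 'type' property: %s" % str(stix_dict))
    except KeyError:
        if allow_custom:
            # flag allows for unknown custom objects too, but will not
            # be parsed into STIX object, returned as is (unvalidated)
            return stix_dict
        # One-element tuple so a tuple-valued type cannot break the format.
        raise exceptions.ParseError("Can't parse unknown object type '%s'! For custom types, use the CustomObject decorator." % (stix_dict['type'],))

    return obj_class(allow_custom=allow_custom, **stix_dict)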
def _register_type(new_type, version=None):
    """Register a custom STIX Object type.

    The class is stored in the selected version's object map under its
    ``_type`` attribute. No check is made for an existing entry, so
    registering a class whose ``_type`` matches a key already in the map
    replaces that entry.

    Args:
        new_type (class): A class to register in the Object map.
        version (str): Which STIX2 version to use. (e.g. "2.0", "2.1"). If
            None, use latest version.
    """
    # Use latest version when none is given; '2.0' becomes the key 'v20'.
    chosen = version or stix2.DEFAULT_VERSION
    map_key = 'v' + chosen.replace('.', '')

    STIX2_OBJ_MAPS[map_key][new_type._type] = new_type
def _collect_stix2_obj_maps():
    """Fill ``STIX2_OBJ_MAPS`` with the OBJ_MAP of each ``stix2.v2X`` package.

    The package tree is walked only while ``STIX2_OBJ_MAPS`` is empty; once
    it holds any entry, later calls return without importing anything. Keys
    are the last dotted component of the package name.
    """
    if STIX2_OBJ_MAPS:
        return

    root = importlib.import_module('stix2')
    root_name = str(root.__name__)
    candidates = pkgutil.walk_packages(path=root.__path__, prefix=root_name + '.')

    for _loader, name, is_pkg in candidates:
        # Only version packages are of interest, not plain modules.
        if not (is_pkg and name.startswith('stix2.v2')):
            continue
        version_pkg = importlib.import_module(name, root_name)
        STIX2_OBJ_MAPS[name.split('.')[-1]] = version_pkg.OBJ_MAP