cti-python-stix2/stix2/sources/taxii.py

import requests
from requests.auth import HTTPBasicAuth

from stix2.sources import DataSource

# TODO: -Should we make properties for the TAXIIDataSource address and other
# possible variables that are found in "self.taxii_info"


TAXII_FILTERS = ['added_after', 'id', 'type', 'version']

test = True


class TAXIIDataSource(DataSource):
    """STIX 2.0 Data Source - TAXII 2.0 module"""

    def __init__(self, api_root=None, auth=None, name="TAXII"):
        super(TAXIIDataSource, self).__init__(name=name)

        if not api_root:
            api_root = "http://localhost:5000"
        if not auth:
            auth = {"user": "admin", "pass": "taxii"}

        self.taxii_info = {
            "api_root": {
                "url": api_root
            },
            "auth": auth
        }

        if test:
            return

        try:
            # check api-root is reachable/exists and grab api collections
            coll_url = self.taxii_info['api_root']['url'] + "/collections/"
            headers = {}

            resp = requests.get(coll_url,
                                headers=headers,
                                auth=HTTPBasicAuth(self.taxii_info['auth']['user'],
                                                   self.taxii_info['auth']['pass']))
            # TESTING
            # print("\n-------__init__() ----\n")
            # print(resp.text)
            # print("\n")
            # print(resp.status_code)
            # END TESTING

            # raise http error if request returned error code
            resp.raise_for_status()

            resp_json = resp.json()

            try:
                self.taxii_info['api_root']['collections'] = resp_json['collections']
            except KeyError as e:
                if e == "collections":
                    raise
                    # raise type(e), type(e)(e.message +
                    # "To connect to the TAXII collections, the API root
                    # resource must contain a collection endpoint URL.
                    # This was not found in the API root resource received
                    # from the API root" ), sys.exc_info()[2]

        except requests.ConnectionError as e:
            raise
            # raise type(e), type(e)(e.message +
            #     "Attempting to connect to %s" % coll_url)

    def get(self, id_, _composite_filters=None):
        """Get STIX 2.0 object from TAXII source by specified 'id'

        Notes:
            Just pass _composite_filters to the query() as they are applied
            there. de-duplication of results is also done within query()

        Args:
            id_ (str): id of STIX object to retrieve

            _composite_filters (list): filters passed from a Composite Data
                Source (if this data source is attached to one)

        Returns:

        """

        # make query in TAXII query format since 'id' is TAXii field
        query = [
            {
                "field": "match[id]",
                "op": "=",
                "value": id_
            }
        ]

        all_data = self.query(query=query, _composite_filters=_composite_filters)

        # reduce to most recent version
        stix_obj = sorted(all_data, key=lambda k: k['modified'])[0]

        return stix_obj

    def all_versions(self, id_, _composite_filters=None):
        """Get all versions of STIX 2.0 object from TAXII source by
        specified 'id'

        Notes:
            Just passes _composite_filters to the query() as they are applied
            there. de-duplication of results is also done within query()

        Args:
            id_ (str): id of STIX objects to retrieve
            _composite_filters (list): filters passed from a Composite Data
                Source (if this data source is attached to one)

        Returns:
            The query results with filters applied.
        """

        # make query in TAXII query format since 'id' is TAXII field
        query = [
            {
                "field": "match[id]",
                "op": "=",
                "value": id_
            }
        ]

        all_data = self.query(query=query, _composite_filters=_composite_filters)

        return all_data

    def query(self, query=None, _composite_filters=None):
        """Query the TAXII data source for STIX objects matching the query

        The final full query could contain filters from:
            -the current API call
            -Composite Data source filters (that are passed in via
                '_composite_filters')
            -TAXII data source filters that are attached

        TAXII filters ['added_after', 'match[<>]'] are extracted and sent
        to TAXII if they are present

        TODO: Authentication for TAXII

        Args:

            query(list): list of filters (dicts) to search on

            _composite_filters (list): filters passed from a
                Composite Data Source (if this data source is attached to one)

        Returns:


        """

        all_data = []

        if query is None:
            query = []

        # combine all query filters
        if self.filters:
            query += self.filters.values()
        if _composite_filters:
            query += _composite_filters

        # separate taxii query terms (can be done remotely)
        taxii_filters = self._parse_taxii_filters(query)

        # for each collection endpoint - send query request
        for collection in self.taxii_info['api_root']['collections']:

            coll_obj_url = "/".join([self.taxii_info['api_root']['url'],
                                     "collections", str(collection['id']),
                                     "objects"])
            headers = {}
            try:
                resp = requests.get(coll_obj_url,
                                    params=taxii_filters,
                                    headers=headers,
                                    auth=HTTPBasicAuth(self.taxii_info['auth']['user'],
                                                       self.taxii_info['auth']['pass']))
                # TESTING
                # print("\n-------query() ----\n")
                # print("Request that was sent: \n")
                # print(resp.url)
                # print("Response: \n")
                # print(json.dumps(resp.json(),indent=4))
                # print("\n")
                # print(resp.status_code)
                # print("------------------")
                # END TESTING

                # raise http error if request returned error code
                resp.raise_for_status()
                resp_json = resp.json()

                # grab all STIX 2.0 objects in json response
                for stix_obj in resp_json['objects']:
                    all_data.append(stix_obj)

            except requests.exceptions.RequestException as e:
                raise
                # raise type(e), type(e)(e.message +
                # "Attempting to connect to %s" % coll_url)

            # TODO: Is there a way to collect exceptions while carrying
            # on then raise all of them at the end?

        # deduplicate data (before filtering as reduces wasted filtering)
        all_data = self.deduplicate(all_data)

        # apply local (composite and data source filters)
        all_data = self.apply_common_filters(all_data, query)

        return all_data

    def _parse_taxii_filters(self, query):
        """Parse out TAXII filters that the TAXII server can filter on

        TAXII filters should be analgous to how they are supplied
        in the url to the TAXII endpoint. For instance
        "?match[type]=indicator,sighting" should be in a query dict as follows
        {
            "field": "match[type]"
            "op": "=",
            "value": "indicator,sighting"
        }

        Args:
            query (list): list of filters to extract which ones are TAXII
                specific.

        Returns:
            params (dict): dict of the TAXII filters but in format required
                for 'requests.get()'.
        """

        params = {}

        for q in query:
            if q['field'] in TAXII_FILTERS:
                if q['field'] == 'added_after':
                    params[q['field']] = q['value']
                else:
                    taxii_field = 'match[' + q['field'] + ']'
                    params[taxii_field] = q['value']
        return params

    def close(self):
        """Close down the Data Source - if any clean up is required.

        """
        pass

    # TODO: - getters/setters (properties) for TAXII config info
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`import requests`
			`from requests.auth import HTTPBasicAuth`

			`from stix2.sources import DataSource`

Code style changes. 2017-05-26 21:24:33 +02:00			`# TODO: -Should we make properties for the TAXIIDataSource address and other`
			`# possible variables that are found in "self.taxii_info"`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00

tests for TAXII data source; some bug fixes 2017-05-30 22:56:27 +02:00			`TAXII_FILTERS = ['added_after', 'id', 'type', 'version']`

			`test = True`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00

			`class TAXIIDataSource(DataSource):`
Code style changes. 2017-05-26 21:24:33 +02:00			`"""STIX 2.0 Data Source - TAXII 2.0 module"""`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
Code style changes. 2017-05-26 21:24:33 +02:00			`def __init__(self, api_root=None, auth=None, name="TAXII"):`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`super(TAXIIDataSource, self).__init__(name=name)`

tests for TAXII data source; some bug fixes 2017-05-30 22:56:27 +02:00			`if not api_root:`
			`api_root = "http://localhost:5000"`
			`if not auth:`
More style fixes 2017-05-31 17:02:37 +02:00			`auth = {"user": "admin", "pass": "taxii"}`
tests for TAXII data source; some bug fixes 2017-05-30 22:56:27 +02:00
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`self.taxii_info = {`
			`"api_root": {`
Code style changes. 2017-05-26 21:24:33 +02:00			`"url": api_root`
			`},`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`"auth": auth`
			`}`

tests for TAXII data source; some bug fixes 2017-05-30 22:56:27 +02:00			`if test:`
			`return`

Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`try:`
			`# check api-root is reachable/exists and grab api collections`
			`coll_url = self.taxii_info['api_root']['url'] + "/collections/"`
			`headers = {}`

			`resp = requests.get(coll_url,`
			`headers=headers,`
Code style changes. 2017-05-26 21:24:33 +02:00			`auth=HTTPBasicAuth(self.taxii_info['auth']['user'],`
			`self.taxii_info['auth']['pass']))`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`# TESTING`
			`# print("\n-------__init__() ----\n")`
			`# print(resp.text)`
			`# print("\n")`
			`# print(resp.status_code)`
			`# END TESTING`

			`# raise http error if request returned error code`
			`resp.raise_for_status()`

			`resp_json = resp.json()`

			`try:`
			`self.taxii_info['api_root']['collections'] = resp_json['collections']`
			`except KeyError as e:`
			`if e == "collections":`
			`raise`
			`# raise type(e), type(e)(e.message +`
Code style changes. 2017-05-26 21:24:33 +02:00			`# "To connect to the TAXII collections, the API root`
			`# resource must contain a collection endpoint URL.`
			`# This was not found in the API root resource received`
			`# from the API root" ), sys.exc_info()[2]`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`except requests.ConnectionError as e:`
			`raise`
			`# raise type(e), type(e)(e.message +`
			`# "Attempting to connect to %s" % coll_url)`

			`def get(self, id_, _composite_filters=None):`
Code style changes. 2017-05-26 21:24:33 +02:00			`"""Get STIX 2.0 object from TAXII source by specified 'id'`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
Code style changes. 2017-05-26 21:24:33 +02:00			`Notes:`
			`Just pass _composite_filters to the query() as they are applied`
			`there. de-duplication of results is also done within query()`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`Args:`
			`id_ (str): id of STIX object to retrieve`

Code style changes. 2017-05-26 21:24:33 +02:00			`_composite_filters (list): filters passed from a Composite Data`
			`Source (if this data source is attached to one)`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`Returns:`

Code style changes. 2017-05-26 21:24:33 +02:00			`"""`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`# make query in TAXII query format since 'id' is TAXii field`
			`query = [`
			`{`
			`"field": "match[id]",`
			`"op": "=",`
			`"value": id_`
			`}`
			`]`

			`all_data = self.query(query=query, _composite_filters=_composite_filters)`

			`# reduce to most recent version`
			`stix_obj = sorted(all_data, key=lambda k: k['modified'])[0]`

			`return stix_obj`

			`def all_versions(self, id_, _composite_filters=None):`
Code style changes. 2017-05-26 21:24:33 +02:00			`"""Get all versions of STIX 2.0 object from TAXII source by`
			`specified 'id'`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
Code style changes. 2017-05-26 21:24:33 +02:00			`Notes:`
			`Just passes _composite_filters to the query() as they are applied`
			`there. de-duplication of results is also done within query()`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`Args:`
			`id_ (str): id of STIX objects to retrieve`
Code style changes. 2017-05-26 21:24:33 +02:00			`_composite_filters (list): filters passed from a Composite Data`
			`Source (if this data source is attached to one)`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`Returns:`
More style fixes 2017-05-31 17:02:37 +02:00			`The query results with filters applied.`
Code style changes. 2017-05-26 21:24:33 +02:00			`"""`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`# make query in TAXII query format since 'id' is TAXII field`
			`query = [`
			`{`
			`"field": "match[id]",`
			`"op": "=",`
			`"value": id_`
			`}`
			`]`

			`all_data = self.query(query=query, _composite_filters=_composite_filters)`

			`return all_data`

			`def query(self, query=None, _composite_filters=None):`
Code style changes. 2017-05-26 21:24:33 +02:00			`"""Query the TAXII data source for STIX objects matching the query`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`The final full query could contain filters from:`
			`-the current API call`
Code style changes. 2017-05-26 21:24:33 +02:00			`-Composite Data source filters (that are passed in via`
			`'_composite_filters')`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`-TAXII data source filters that are attached`

Code style changes. 2017-05-26 21:24:33 +02:00			`TAXII filters ['added_after', 'match[<>]'] are extracted and sent`
			`to TAXII if they are present`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`TODO: Authentication for TAXII`

			`Args:`

			`query(list): list of filters (dicts) to search on`

Code style changes. 2017-05-26 21:24:33 +02:00			`_composite_filters (list): filters passed from a`
			`Composite Data Source (if this data source is attached to one)`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`Returns:`


Code style changes. 2017-05-26 21:24:33 +02:00			`"""`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`all_data = []`

			`if query is None:`
			`query = []`

			`# combine all query filters`
			`if self.filters:`
			`query += self.filters.values()`
			`if _composite_filters:`
			`query += _composite_filters`

Code style changes. 2017-05-26 21:24:33 +02:00			`# separate taxii query terms (can be done remotely)`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`taxii_filters = self._parse_taxii_filters(query)`

			`# for each collection endpoint - send query request`
			`for collection in self.taxii_info['api_root']['collections']:`

Code style changes. 2017-05-26 21:24:33 +02:00			`coll_obj_url = "/".join([self.taxii_info['api_root']['url'],`
			`"collections", str(collection['id']),`
			`"objects"])`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`headers = {}`
			`try:`
			`resp = requests.get(coll_obj_url,`
			`params=taxii_filters,`
			`headers=headers,`
Code style changes. 2017-05-26 21:24:33 +02:00			`auth=HTTPBasicAuth(self.taxii_info['auth']['user'],`
			`self.taxii_info['auth']['pass']))`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`# TESTING`
			`# print("\n-------query() ----\n")`
			`# print("Request that was sent: \n")`
			`# print(resp.url)`
Code style changes. 2017-05-26 21:24:33 +02:00			`# print("Response: \n")`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`# print(json.dumps(resp.json(),indent=4))`
			`# print("\n")`
			`# print(resp.status_code)`
			`# print("------------------")`
			`# END TESTING`

			`# raise http error if request returned error code`
			`resp.raise_for_status()`
			`resp_json = resp.json()`

			`# grab all STIX 2.0 objects in json response`
			`for stix_obj in resp_json['objects']:`
			`all_data.append(stix_obj)`

			`except requests.exceptions.RequestException as e:`
			`raise`
			`# raise type(e), type(e)(e.message +`
			`# "Attempting to connect to %s" % coll_url)`

Code style changes. 2017-05-26 21:24:33 +02:00			`# TODO: Is there a way to collect exceptions while carrying`
			`# on then raise all of them at the end?`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`# deduplicate data (before filtering as reduces wasted filtering)`
			`all_data = self.deduplicate(all_data)`

			`# apply local (composite and data source filters)`
			`all_data = self.apply_common_filters(all_data, query)`

			`return all_data`

			`def _parse_taxii_filters(self, query):`
Code style changes. 2017-05-26 21:24:33 +02:00			`"""Parse out TAXII filters that the TAXII server can filter on`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`TAXII filters should be analgous to how they are supplied`
			`in the url to the TAXII endpoint. For instance`
			`"?match[type]=indicator,sighting" should be in a query dict as follows`
			`{`
Code style changes. 2017-05-26 21:24:33 +02:00			`"field": "match[type]"`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`"op": "=",`
Code style changes. 2017-05-26 21:24:33 +02:00			`"value": "indicator,sighting"`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`}`

			`Args:`
Code style changes. 2017-05-26 21:24:33 +02:00			`query (list): list of filters to extract which ones are TAXII`
			`specific.`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`Returns:`
Code style changes. 2017-05-26 21:24:33 +02:00			`params (dict): dict of the TAXII filters but in format required`
			`for 'requests.get()'.`
			`"""`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
			`params = {}`

			`for q in query:`
			`if q['field'] in TAXII_FILTERS:`
tests for TAXII data source; some bug fixes 2017-05-30 22:56:27 +02:00			`if q['field'] == 'added_after':`
			`params[q['field']] = q['value']`
			`else:`
			`taxii_field = 'match[' + q['field'] + ']'`
			`params[taxii_field] = q['value']`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`return params`

			`def close(self):`
Code style changes. 2017-05-26 21:24:33 +02:00			`"""Close down the Data Source - if any clean up is required.`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00
Code style changes. 2017-05-26 21:24:33 +02:00			`"""`
Initial code for TAXII data source. 2017-05-24 17:25:40 +02:00			`pass`

Code style changes. 2017-05-26 21:24:33 +02:00			`# TODO: - getters/setters (properties) for TAXII config info`