mihari 5.4.1 → 5.4.2

data/lib/mihari/cli/alert.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "mihari/commands/alert"
+
+module Mihari
+  module CLI
+    class Alert < Base
+      include Mihari::Commands::Alert
+    end
+  end
+end

data/lib/mihari/cli/main.rb

@@ -3,14 +3,16 @@
 require "thor"
 
 # Commands
+require "mihari/commands/alert"
+require "mihari/commands/database"
 require "mihari/commands/search"
 require "mihari/commands/version"
 require "mihari/commands/web"
-require "mihari/commands/database"
 
 # CLIs
 require "mihari/cli/base"
 
+require "mihari/cli/alert"
 require "mihari/cli/database"
 require "mihari/cli/rule"
 
@@ -26,6 +28,9 @@ module Mihari
 
       desc "rule", "Sub commands for rule"
       subcommand "rule", Rule
+
+      desc "alert", "Sub commands for alert"
+      subcommand "alert", Alert
     end
   end
 end

data/lib/mihari/commands/alert.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Commands
+    module Alert
+      class << self
+        def included(thor)
+          thor.class_eval do
+            desc "add [PATH]", "Add an alert"
+            #
+            # @param [String] path
+            #
+            def add(path)
+              Mihari::Database.with_db_connection do
+                proxy = Mihari::Services::AlertProxy.from_path(path)
+                proxy.validate!
+
+                runner = Mihari::Services::AlertRunner.new(proxy)
+
+                begin
+                  alert = runner.run
+                rescue ActiveRecord::RecordNotFound => e
+                  # if there is a ActiveRecord::RecordNotFound, output that error without the stack trace
+                  Mihari.logger.error e.to_s
+                  return
+                end
+
+                if alert.nil?
+                  Mihari.logger.info "There is no new artifact found"
+                  return
+                end
+
+                data = Mihari::Entities::Alert.represent(alert)
+                puts JSON.pretty_generate(data.as_json)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/mihari/commands/rule.rb

@@ -15,7 +15,7 @@ module Mihari
             # @param [String] path
             #
             def validate(path)
-              rule = Services::Rule.from_path_or_id(path)
+              rule = Services::RuleProxy.from_path_or_id(path)
 
               begin
                 rule.validate!
@@ -47,7 +47,7 @@ module Mihari
               # @return [Mihari::Services::Rule]
               #
               def rule_template
-                Services::Rule.from_path File.expand_path("../templates/rule.yml.erb", __dir__)
+                Services::RuleProxy.from_path File.expand_path("../templates/rule.yml.erb", __dir__)
               end
 
               #

data/lib/mihari/commands/search.rb

@@ -4,60 +4,6 @@ module Mihari
   module Commands
     module Search
       class << self
-        class RuleWrapper
-          include Mixins::ErrorNotification
-
-          # @return [Nihari::Structs::Rule]
-          attr_reader :rule
-
-          # @return [Boolean]
-          attr_reader :force_overwrite
-
-          def initialize(rule, force_overwrite:)
-            @rule = rule
-            @force_overwrite = force_overwrite
-          end
-
-          def force_overwrite?
-            force_overwrite
-          end
-
-          #
-          # @return [Boolean]
-          #
-          def diff?
-            model = Mihari::Rule.find(rule.id)
-            model.data != rule.data.deep_stringify_keys
-          rescue ActiveRecord::RecordNotFound
-            false
-          end
-
-          def update_or_create
-            rule.to_model.save
-          end
-
-          def run
-            begin
-              analyzer = rule.to_analyzer
-            rescue ConfigurationError => e
-              # if there is a configuration error, output that error without the stack trace
-              Mihari.logger.error e.to_s
-              return
-            end
-
-            with_error_notification do
-              alert = analyzer.run
-              if alert.nil?
-                Mihari.logger.info "There is no new artifact found"
-                return
-              end
-
-              data = Mihari::Entities::Alert.represent(alert)
-              puts JSON.pretty_generate(data.as_json)
-            end
-          end
-        end
-
         def included(thor)
           thor.class_eval do
             desc "search [PATH]", "Search by a rule"
@@ -69,7 +15,7 @@ module Mihari
             #
             def search(path_or_id)
               Mihari::Database.with_db_connection do
-                rule = Services::Rule.from_path_or_id path_or_id
+                rule = Services::RuleProxy.from_path_or_id path_or_id
 
                 begin
                   rule.validate!
@@ -78,15 +24,30 @@ module Mihari
                 end
 
                 force_overwrite = options["force_overwrite"] || false
-                wrapper = RuleWrapper.new(rule, force_overwrite: force_overwrite)
+                runner = Services::RuleRunner.new(rule, force_overwrite: force_overwrite)
 
-                if wrapper.diff? && !force_overwrite
+                if runner.diff? && !force_overwrite
                   message = "There is diff in the rule (#{rule.id}). Are you sure you want to overwrite the rule? (y/n)"
                   return unless yes?(message)
                 end
 
-                wrapper.update_or_create
-                wrapper.run
+                runner.update_or_create
+
+                begin
+                  alert = runner.run
+                rescue ConfigurationError => e
+                  # if there is a configuration error, output that error without the stack trace
+                  Mihari.logger.error e.to_s
+                  return
+                end
+
+                if alert.nil?
+                  Mihari.logger.info "There is no new artifact found"
+                  return
+                end
+
+                data = Mihari::Entities::Alert.represent(alert)
+                puts JSON.pretty_generate(data.as_json)
               end
             end
           end

data/lib/mihari/config.rb

@@ -146,7 +146,7 @@ module Mihari
       @retry_times = ENV.fetch("RETRY_TIMES", 3).to_i
       @retry_interval = ENV.fetch("RETRY_INTERVAL", 5).to_i
 
-      @pagination_limit = ENV.fetch("PAGINATION_LIMIT", 1000).to_i
+      @pagination_limit = ENV.fetch("PAGINATION_LIMIT", 100).to_i
     end
   end
 end

data/lib/mihari/emitters/base.rb

@@ -14,7 +14,7 @@ module Mihari
 
       #
       # @param [Array<Mihari::Artifact>] artifacts
-      # @param [Mihari::Services::Rule] rule
+      # @param [Mihari::Services::RuleProxy] rule
       # @param [Hash] **_options
       #
       def initialize(artifacts:, rule:, **_options)

data/lib/mihari/emitters/database.rb

@@ -10,10 +10,10 @@ module Mihari
       #
       # Create an alert
       #
-      # @return [Mihari::Alert]
+      # @return [Mihari::Alert, nil]
       #
       def emit
-        return if artifacts.empty?
+        return nil if artifacts.empty?
 
         tags = rule.tags.filter_map { |name| Tag.find_or_create_by(name: name) }.uniq
         taggings = tags.map { |tag| Tagging.new(tag_id: tag.id) }

data/lib/mihari/errors.rb

@@ -15,17 +15,38 @@ module Mihari
 
   class RuleValidationError < Error; end
 
+  class AlertValidationError < Error; end
+
   class YAMLSyntaxError < Error; end
 
   class ConfigurationError < Error; end
 
+  # errors for HTTP interactions
   class HTTPError < Error; end
 
-  class StatusCodeError < HTTPError; end
-
   class NetworkError < HTTPError; end
 
   class TimeoutError < HTTPError; end
 
   class SSLError < HTTPError; end
+
+  class StatusCodeError < HTTPError
+    # @return [Integer]
+    attr_reader :status_code
+
+    # @return [String, nil]
+    attr_reader :body
+
+    #
+    # @param [String] msg
+    # @param [Integer] status_code
+    # @param [String, nil] body
+    #
+    def initialize(msg, status_code, body)
+      super(msg)
+
+      @status_code = status_code
+      @body = body
+    end
+  end
 end

data/lib/mihari/http.rb

@@ -94,7 +94,13 @@ module Mihari
       Net::HTTP.start(url.host, url.port, https_options) do |http|
         res = http.request(req)
 
-        raise StatusCodeError, "Unsuccessful response code returned: #{res.code}" unless res.is_a?(Net::HTTPSuccess)
+        unless res.is_a?(Net::HTTPSuccess)
+          raise StatusCodeError.new(
+            "Unsuccessful response code returned: #{res.code}",
+            res.code.to_i,
+            res.body
+          )
+        end
 
         res
       end

data/lib/mihari/schemas/alert.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Schemas
+    Alert = Dry::Schema.Params do
+      required(:rule_id).value(:string)
+      required(:artifacts).value(array[:string])
+    end
+
+    class AlertContract < Dry::Validation::Contract
+      params(Alert)
+    end
+  end
+end

data/lib/mihari/services/alert_proxy.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Services
+    class AlertProxy
+      # @return [Hash]
+      attr_reader :data
+
+      # @return [Array, nil]
+      attr_reader :errors
+
+      #
+      # Initialize
+      #
+      # @param [Hash] data
+      #
+      def initialize(data)
+        @data = data.deep_symbolize_keys
+
+        @errors = nil
+
+        validate
+      end
+
+      #
+      # @return [Boolean]
+      #
+      def errors?
+        return false if @errors.nil?
+
+        !@errors.empty?
+      end
+
+      def validate
+        contract = Schemas::AlertContract.new
+        result = contract.call(data)
+
+        @data = result.to_h
+        @errors = result.errors
+      end
+
+      def validate!
+        return unless errors?
+
+        Mihari.logger.error "Failed to parse the input as an alert:"
+        Mihari.logger.error JSON.pretty_generate(errors.to_h)
+
+        raise AlertValidationError, errors
+      end
+
+      def [](key)
+        data key.to_sym
+      end
+
+      #
+      # @return [String]
+      #
+      def rule_id
+        @rule_id ||= data[:rule_id]
+      end
+
+      #
+      # @return [Array<Mihari::Artifact>]
+      #
+      def artifacts
+        @artifacts ||= data[:artifacts].map do |data|
+          artifact = Artifact.new(data: data)
+          artifact.rule_id = rule_id
+          artifact
+        end.uniq(&:data).select(&:valid?)
+      end
+
+      #
+      # @return [Mihari::Services::RuleProxy]
+      #
+      def rule
+        @rule ||= Services::RuleProxy.from_model(Mihari::Rule.find(rule_id))
+      end
+
+      class << self
+        #
+        # Load rule from YAML string
+        #
+        # @param [String] yaml
+        #
+        # @return [Mihari::Services::Alert]
+        #
+        def from_yaml(yaml)
+          Services::AlertProxy.new YAML.safe_load(yaml, permitted_classes: [Date, Symbol])
+        rescue Psych::SyntaxError => e
+          raise YAMLSyntaxError, e.message
+        end
+
+        # @param [String] path
+        #
+        # @return [Mihari::Services::Alert, nil]
+        #
+        def from_path(path)
+          return nil unless Pathname(path).exist?
+
+          from_yaml File.read(path)
+        end
+      end
+    end
+  end
+end

data/lib/mihari/services/alert_runner.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Services
+    class AlertRunner
+      # @return [Mihari::Services::AlertProxy]
+      attr_reader :alert
+
+      def initialize(alert)
+        @alert = alert
+      end
+
+      #
+      # @return [Mihari::Alert]
+      #
+      def run
+        emitter = Mihari::Emitters::Database.new(artifacts: alert.artifacts, rule: alert.rule)
+        emitter.emit
+      end
+    end
+  end
+end

data/lib/mihari/services/{rule.rb → rule_proxy.rb}

@@ -9,7 +9,11 @@ require "yaml"
 
 module Mihari
   module Services
-    class Rule
+    #
+    # proxy (or converter) class for rule
+    # proxying rule schema data into analyzer & model
+    #
+    class RuleProxy
       include Mixins::FalsePositive
 
       # @return [Hash]
@@ -141,7 +145,7 @@ module Mihari
       #
       # @return [Mihari::Rule]
       #
-      def to_model
+      def model
         rule = Mihari::Rule.find(id)
 
         rule.title = title
@@ -161,7 +165,7 @@ module Mihari
       #
       # @return [Mihari::Analyzers::Rule]
       #
-      def to_analyzer
+      def analyzer
         Mihari::Analyzers::Rule.new self
       end
 
@@ -174,7 +178,7 @@ module Mihari
         # @return [Mihari::Services::Rule]
         #
         def from_yaml(yaml)
-          Services::Rule.new YAML.safe_load(ERB.new(yaml).result, permitted_classes: [Date, Symbol])
+          Services::RuleProxy.new YAML.safe_load(ERB.new(yaml).result, permitted_classes: [Date, Symbol])
         rescue Psych::SyntaxError => e
           raise YAMLSyntaxError, e.message
         end
@@ -185,7 +189,7 @@ module Mihari
         # @return [Mihari::Services::Rule]
         #
         def from_model(model)
-          Services::Rule.new model.data
+          Services::RuleProxy.new model.data
         end
 
         #
@@ -211,7 +215,7 @@ module Mihari
         def from_id(id)
           return nil unless Mihari::Rule.exists?(id)
 
-          Services::Rule.from_model Mihari::Rule.find(id)
+          Services::RuleProxy.from_model Mihari::Rule.find(id)
         end
 
         #

data/lib/mihari/services/rule_runner.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Mihari
+  module Services
+    class RuleRunner
+      include Mixins::ErrorNotification
+
+      # @return [Mihari::Services::RuleProxy]
+      attr_reader :rule
+
+      # @return [Boolean]
+      attr_reader :force_overwrite
+
+      def initialize(rule, force_overwrite:)
+        @rule = rule
+        @force_overwrite = force_overwrite
+      end
+
+      def force_overwrite?
+        force_overwrite
+      end
+
+      #
+      # @return [Boolean]
+      #
+      def diff?
+        model = Mihari::Rule.find(rule.id)
+        model.data != rule.data.deep_stringify_keys
+      rescue ActiveRecord::RecordNotFound
+        false
+      end
+
+      def update_or_create
+        rule.model.save
+      end
+
+      #
+      # @return [Mihari::Alert, nil]
+      #
+      def run
+        analyzer = rule.analyzer
+
+        with_error_notification do
+          analyzer.run
+        end
+      end
+    end
+  end
+end

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "5.4.1"
+  VERSION = "5.4.2"
 end

data/lib/mihari/web/endpoints/alerts.rb

@@ -67,6 +67,28 @@ module Mihari
           status 204
           present({ message: "" }, with: Entities::Message)
         end
+
+        desc "Create an alert", {
+          success: Entities::Alert,
+          summary: "Create an alert"
+        }
+        params do
+          requires :ruleId, type: String, documentation: { param_type: "body" }
+          requires :artifacts, type: Array, documentation: { type: String, is_array: true, param_type: "body" }
+        end
+        post "/" do
+          proxy = Services::AlertProxy.new(params.to_snake_keys)
+          runner = Services::AlertRunner.new(proxy)
+
+          begin
+            alert = runner.run
+          rescue ActiveRecord::RecordNotFound
+            error!({ message: "Rule:#{params["ruleId"]} is not found" }, 404)
+          end
+
+          status 201
+          present alert, with: Entities::Alert
+        end
       end
     end
   end

data/lib/mihari/web/endpoints/rules.rb

@@ -83,12 +83,12 @@ module Mihari
           id = params["id"].to_s
 
           begin
-            rule = Mihari::Services::Rule.from_model(Mihari::Rule.find(id))
+            rule = Mihari::Services::RuleProxy.from_model(Mihari::Rule.find(id))
           rescue ActiveRecord::RecordNotFound
             error!({ message: "ID:#{id} is not found" }, 404)
           end
 
-          analyzer = rule.to_analyzer
+          analyzer = rule.analyzer
           analyzer.run
 
           status 201
@@ -106,7 +106,7 @@ module Mihari
           yaml = params[:yaml]
 
           begin
-            rule = Services::Rule.from_yaml(yaml)
+            rule = Services::RuleProxy.from_yaml(yaml)
           rescue YAMLSyntaxError => e
             error!({ message: e.message }, 400)
           end
@@ -129,13 +129,13 @@ module Mihari
           end
 
           begin
-            rule.to_model.save
+            rule.model.save
           rescue ActiveRecord::RecordNotUnique
             error!({ message: "ID:#{rule.id} is already registered" }, 400)
           end
 
           status 201
-          present rule.to_model, with: Entities::Rule
+          present rule.model, with: Entities::Rule
         end
 
         desc "Update a rule", {
@@ -157,7 +157,7 @@ module Mihari
           end
 
           begin
-            rule = Services::Rule.from_yaml(yaml)
+            rule = Services::RuleProxy.from_yaml(yaml)
           rescue YAMLSyntaxError => e
             error!({ message: e.message }, 400)
           end
@@ -172,13 +172,13 @@ module Mihari
           end
 
           begin
-            rule.to_model.save
+            rule.model.save
           rescue ActiveRecord::RecordNotUnique
             error!({ message: "ID:#{id} is already registered" }, 400)
           end
 
           status 201
-          present rule.to_model, with: Entities::Rule
+          present rule.model, with: Entities::Rule
         end
 
         desc "Delete a rule", {