mihari 6.2.0 → 6.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d49d8a079c765cb4b7ad7a08825a9d0bd4e9e21fbaf2c0f185c4f27e8f2f2ca6
-  data.tar.gz: aa693115eb1dacc09d13ca0942d859e24566c09a4cd6d702840ec9df6c3cc87a
+  metadata.gz: f027c5c24759f4e09d5dad277df4cad58a1705478eba1f3b9b6b354a896a29a5
+  data.tar.gz: a908c432c313bab4f4af70b0b32fb1f2e65c9f40926dc3099c4869330080005c
 SHA512:
-  metadata.gz: e50a254b0c5565c3691cc34df0413258a1903f8864f0ced141fab63cb673f02998451723036917f2adf21f759ec3f0086b772e98a02ee0436869dd5846bf3427
-  data.tar.gz: 63738367f8edd23331518eb839c188dde8fb67257b83b5cd6a11e79dc725aa89b151753e7429515ff1b2f7c689da77adf4eac998241b7bfd04f88302aa52c923
+  metadata.gz: 8110df87f854b6e06ea8477c94c6563b2450dae4585738f256da9c94203d14c6fb3ce11e775a470dae04d4d3934549ae71068e6b3f3d3eca48ea3689d87a4cd4
+  data.tar.gz: 375855d7dba59d13ff894472f5f6d5ccc82f36de73aeb12c4144c05863c64283f2ff451dd4531643ba3ddbb218181937d57da1a42bb28970f78170e3fae5dfbf

data/lib/mihari/entities/artifact.rb

@@ -42,5 +42,13 @@ module Mihari
         status.ports.empty? ? nil : status.ports
       end
     end
+
+    class ArtifactsWithPagination < Grape::Entity
+      expose :artifacts, using: Entities::Artifact,
+        documentation: { type: Entities::Artifact, is_array: true, required: true }
+      expose :total, documentation: { type: Integer, required: true }
+      expose :current_page, documentation: { type: Integer, required: true }, as: :currentPage
+      expose :page_size, documentation: { type: Integer, required: true }, as: :pageSize
+    end
   end
 end

data/lib/mihari/models/alert.rb

@@ -30,8 +30,7 @@ module Mihari
           offset = (page - 1) * limit
 
           relation = build_relation(filter.without_pagination)
-          alert_ids = relation.limit(limit).offset(offset).order(id: :desc).pluck(:id).uniq
-          eager_load(:artifacts, :tags).where(id: [alert_ids]).order(id: :desc)
+          relation.limit(limit).offset(offset).order(id: :desc)
         end
 
         #
@@ -48,39 +47,17 @@ module Mihari
 
         private
 
-        #
-        # @param [Mihari::Structs::Filters::Alert::SearchFilter] filter
-        #
-        # @return [Array<Integer>]
-        #
-        def get_artifact_ids_by_filter(filter)
-          artifact_ids = []
-
-          if filter.artifact_data
-            artifact = Artifact.where(data: filter.artifact_data)
-            artifact_ids = artifact.pluck(:id)
-            # set invalid ID if nothing is matched with the filters
-            artifact_ids = [-1] if artifact_ids.empty?
-          end
-
-          artifact_ids
-        end
-
         #
         # @param [Mihari::Structs::Filters::Alert::SearchFilter] filter
         #
         # @return [Mihari::Models::Alert]
         #
         def build_relation(filter)
-          artifact_ids = get_artifact_ids_by_filter(filter)
-
-          relation = includes(:artifacts, :tags)
-
-          relation = relation.where(artifacts: { id: artifact_ids }) unless artifact_ids.empty?
-          relation = relation.where(tags: { name: filter.tag_name }) if filter.tag_name
+          relation = eager_load(:artifacts, :tags)
 
+          relation = relation.where(artifacts: { data: filter.artifact }) if filter.artifact
+          relation = relation.where(tags: { name: filter.tag }) if filter.tag
           relation = relation.where(rule_id: filter.rule_id) if filter.rule_id
-
           relation = relation.where("alerts.created_at >= ?", filter.from_at) if filter.from_at
           relation = relation.where("alerts.created_at <= ?", filter.to_at) if filter.to_at
 

data/lib/mihari/models/artifact.rb

@@ -77,6 +77,18 @@ module Mihari
         artifact.created_at < decayed_at
       end
 
+      #
+      # Count artifacts
+      #
+      # @param [Mihari::Structs::Filters::Artifact::SearchFilter] filter
+      #
+      # @return [Integer]
+      #
+      def count(filter)
+        relation = build_relation(filter)
+        relation.distinct("artifact.id").count
+      end
+
       #
       # Enrich whois record
       #
@@ -105,7 +117,7 @@ module Mihari
       # @param [Mihari::Enrichers::Shodan] enricher
       #
       def enrich_reverse_dns(enricher = Enrichers::Shodan.new)
-        return unless can_enrich_revese_dns?
+        return unless can_enrich_reverse_dns?
 
         self.reverse_dns_names = ReverseDnsName.build_by_ip(data, enricher: enricher)
       end
@@ -195,6 +207,56 @@ module Mihari
         methods.each { |method| send(method, enricher) if respond_to?(method) }
       end
 
+      class << self
+        #
+        # Search artifacts
+        #
+        # @param [Mihari::Structs::Filters::Artifact::SearchFilterWithPagination] filter
+        #
+        # @return [Array<Artifact>]
+        #
+        def search(filter)
+          limit = filter.limit.to_i
+          raise ArgumentError, "limit should be bigger than zero" unless limit.positive?
+
+          page = filter.page.to_i
+          raise ArgumentError, "page should be bigger than zero" unless page.positive?
+
+          offset = (page - 1) * limit
+
+          relation = build_relation(filter.without_pagination)
+          relation.limit(limit).offset(offset).order(id: :desc)
+        end
+
+        #
+        # Count artifacts
+        #
+        # @param [Mihari::Structs::Filters::Artifact::SearchFilter] filter
+        #
+        # @return [Integer]
+        #
+        def count(filter)
+          relation = build_relation(filter)
+          relation.distinct("artifacts.id").count
+        end
+
+        #
+        # @param [Mihari::Structs::Filters::Artifact::SearchFilter] filter
+        #
+        # @return [Mihari::Models::Artifact]
+        #
+        def build_relation(filter)
+          relation = eager_load(alert: :tags)
+
+          relation = relation.where(alert: { rule_id: filter.rule_id }) if filter.rule_id
+          relation = relation.where(alert: { tags: { name: filter.tag } }) if filter.tag
+          relation = relation.where("artifacts.created_at >= ?", filter.from_at) if filter.from_at
+          relation = relation.where("artifacts.created_at <= ?", filter.to_at) if filter.to_at
+
+          relation
+        end
+      end
+
       private
 
       def ipinfo
@@ -219,7 +281,7 @@ module Mihari
         %w[domain url].include?(data_type) && dns_records.empty?
       end
 
-      def can_enrich_revese_dns?
+      def can_enrich_reverse_dns?
         data_type == "ip" && reverse_dns_names.empty?
       end
 

data/lib/mihari/models/rule.rb

@@ -40,10 +40,7 @@ module Mihari
           offset = (page - 1) * limit
 
           relation = build_relation(filter.without_pagination)
-
-          # TODO: improve queires
-          rule_ids = relation.limit(limit).offset(offset).order(created_at: :desc).pluck(:id).uniq
-          where(id: [rule_ids]).order(created_at: :desc)
+          relation.limit(limit).offset(offset).order(created_at: :desc)
         end
 
         #
@@ -68,7 +65,7 @@ module Mihari
         def build_relation(filter)
           relation = includes(alerts: :tags)
 
-          relation = relation.where(alerts: { tags: { name: filter.tag_name } }) if filter.tag_name
+          relation = relation.where(alerts: { tags: { name: filter.tag } }) if filter.tag
 
           relation = relation.where("rules.title LIKE ?", "%#{filter.title}%") if filter.title
           relation = relation.where("rules.description LIKE ?", "%#{filter.description}%") if filter.description

data/lib/mihari/structs/filters.rb

@@ -3,19 +3,63 @@
 module Mihari
   module Structs
     module Filters
+      module Artifact
+        class SearchFilter < Dry::Struct
+          # @!attribute [r] data_type
+          #   @return [String, nil]
+          attribute? :data_type, Types::String.optional
+
+          # @!attribute [r] rule_id
+          #   @return [String, nil]
+          attribute? :rule_id, Types::String.optional
+
+          # @!attribute [r] tag
+          #   @return [String, nil]
+          attribute? :tag, Types::String.optional
+
+          # @!attribute [r] from_at
+          #   @return [DateTime, nil]
+          attribute? :from_at, Types::DateTime.optional
+
+          # @!attribute [r] to_at
+          #   @return [DateTime, nil]
+          attribute? :to_at, Types::DateTime.optional
+        end
+
+        class SearchFilterWithPagination < SearchFilter
+          # @!attribute [r] page
+          #   @return [Integer, nil]
+          attribute? :page, Types::Int.default(1)
+
+          # @!attribute [r] limit
+          #   @return [Integer, nil]
+          attribute? :limit, Types::Int.default(10)
+
+          def without_pagination
+            SearchFilter.new(
+              data_type: data_type,
+              from_at: from_at,
+              rule_id: rule_id,
+              tag: tag,
+              to_at: to_at
+            )
+          end
+        end
+      end
+
       module Alert
         class SearchFilter < Dry::Struct
-          # @!attribute [r] artifact_data
+          # @!attribute [r] artifact
           #   @return [String, nil]
-          attribute? :artifact_data, Types::String.optional
+          attribute? :artifact, Types::String.optional
 
           # @!attribute [r] rule_id
           #   @return [String, nil]
           attribute? :rule_id, Types::String.optional
 
-          # @!attribute [r] tag_name
+          # @!attribute [r] tag
           #   @return [String, nil]
-          attribute? :tag_name, Types::String.optional
+          attribute? :tag, Types::String.optional
 
           # @!attribute [r] from_at
           #   @return [DateTime, nil]
@@ -37,10 +81,10 @@ module Mihari
 
           def without_pagination
             SearchFilter.new(
-              artifact_data: artifact_data,
+              artifact: artifact,
               from_at: from_at,
               rule_id: rule_id,
-              tag_name: tag_name,
+              tag: tag,
               to_at: to_at
             )
           end
@@ -53,9 +97,9 @@ module Mihari
           #   @return [String, nil]
           attribute? :description, Types::String.optional
 
-          # @!attribute [r] tag_name
+          # @!attribute [r] tag
           #   @return [String, nil]
-          attribute? :tag_name, Types::String.optional
+          attribute? :tag, Types::String.optional
 
           # @!attribute [r] title
           #   @return [String, nil]
@@ -83,7 +127,7 @@ module Mihari
             SearchFilter.new(
               description: description,
               from_at: from_at,
-              tag_name: tag_name,
+              tag: tag,
               title: title,
               to_at: to_at
             )

data/lib/mihari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Mihari
-  VERSION = "6.2.0"
+  VERSION = "6.3.0"
 end

data/lib/mihari/web/endpoints/alerts.rb

@@ -36,18 +36,10 @@ module Mihari
           # @return [ResultValue]
           #
           def call(params)
-            filter = params.to_h.to_snake_keys
-
-            # normalize keys
-            filter["artifact_data"] = filter["artifact"]
-            filter["tag_name"] = filter["tag"]
-            # symbolize hash keys
-            filter = filter.to_h.symbolize_keys
-
+            filter = params.to_h.to_snake_keys.symbolize_keys
             search_filter_with_pagination = Structs::Filters::Alert::SearchFilterWithPagination.new(**filter)
             alerts = Mihari::Models::Alert.search(search_filter_with_pagination)
             total = Mihari::Models::Alert.count(search_filter_with_pagination.without_pagination)
-
             ResultValue.new(alerts: alerts, total: total, filter: filter)
           end
         end
@@ -83,7 +75,7 @@ module Mihari
             optional :page, type: Integer, default: 1
             optional :limit, type: Integer, default: 10
             optional :artifact, type: String
-            optional :rule_id, type: String
+            optional :ruleId, type: String
             optional :tag, type: String
             optional :fromAt, type: DateTime
             optional :toAt, type: DateTime

data/lib/mihari/web/endpoints/artifacts.rb

@@ -61,7 +61,71 @@ module Mihari
           end
         end
 
+        class ArtifactSearcher < Mihari::Service
+          class ResultValue
+            # @return [Array<Mihari::Models::Artifacts>]
+            attr_reader :artifacts
+
+            # @return [Integer]
+            attr_reader :total
+
+            # @return [Mihari::Structs::Filters::Artifact::SearchFilterWithPagination]
+            attr_reader :filter
+
+            #
+            # @param [Array<Mihari::Models::Artifact>] artifacts
+            # @param [Integer] total
+            # @param [Mihari::Structs::Filters::Artifacts::SearchFilterWithPagination] filter
+            #
+            def initialize(artifacts:, total:, filter:)
+              @artifacts = artifacts
+              @total = total
+              @filter = filter
+            end
+          end
+
+          #
+          # @param [Hash] params
+          #
+          # @return [ResultValue]
+          #
+          def call(params)
+            filter = params.to_h.to_snake_keys.symbolize_keys
+            search_filter_with_pagination = Structs::Filters::Artifact::SearchFilterWithPagination.new(**filter)
+            artifacts = Mihari::Models::Artifact.search(search_filter_with_pagination)
+            total = Mihari::Models::Artifact.count(search_filter_with_pagination.without_pagination)
+            ResultValue.new(artifacts: artifacts, total: total, filter: filter)
+          end
+        end
+
         namespace :artifacts do
+          desc "Search artifacts", {
+            is_array: true,
+            success: Entities::ArtifactsWithPagination,
+            summary: "Search artifacts"
+          }
+          params do
+            optional :page, type: Integer, default: 1
+            optional :limit, type: Integer, default: 10
+            optional :dataType, type: String
+            optional :ruleId, type: String
+            optional :tag, type: String
+            optional :fromAt, type: DateTime
+            optional :toAt, type: DateTime
+          end
+          get "/" do
+            value = ArtifactSearcher.call(params.to_h)
+            present(
+              {
+                artifacts: value.artifacts,
+                total: value.total,
+                current_page: value.filter[:page].to_i,
+                page_size: value.filter[:limit].to_i
+              },
+              with: Entities::ArtifactsWithPagination
+            )
+          end
+
           desc "Get an artifact", {
             success: Entities::Artifact,
             failure: [{ code: 404, model: Entities::Message }],

data/lib/mihari/web/endpoints/rules.rb

@@ -36,17 +36,10 @@ module Mihari
           # @return [ResultValue]
           #
           def call(params)
-            filter = params.to_h.to_snake_keys
-
-            # normalize keys
-            filter["tag_name"] = filter["tag"]
-            # symbolize hash keys
-            filter = filter.to_h.symbolize_keys
-
+            filter = params.to_h.to_snake_keys.symbolize_keys
             search_filter_with_pagination = Mihari::Structs::Filters::Rule::SearchFilterWithPagination.new(**filter)
             rules = Mihari::Models::Rule.search(search_filter_with_pagination)
             total = Mihari::Models::Rule.count(search_filter_with_pagination.without_pagination)
-
             ResultValue.new(rules: rules, total: total, filter: filter)
           end
         end