misp 0.1.0

data/lib/misp/configuration.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module MISP
+  class Configuration
+    # @return [URI]
+    attr_accessor :api_endpoint
+
+    # @return [String]
+    attr_accessor :api_key
+
+    def initialize
+      @api_endpoint = ENV["MISP_API_ENDPOINT"]
+      @api_key = ENV["MISP_API_KEY"]
+    end
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configuration=(config)
+    @configuration = config
+  end
+
+  def self.configure
+    yield configuration
+  end
+end

data/lib/misp/event.rb

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+
+module MISP
+  class Event < Base
+    attr_reader :id
+    attr_accessor :orgc_id
+    attr_accessor :org_id
+    attr_accessor :date
+    attr_accessor :threat_level_id
+    attr_accessor :info
+    attr_accessor :published
+    attr_reader :uuid
+    attr_accessor :attribute_count
+    attr_accessor :analysis
+    attr_accessor :timestamp
+    attr_accessor :distribution
+    attr_accessor :proposal_email_lock
+    attr_accessor :locked
+    attr_accessor :publish_timestamp
+    attr_accessor :sharing_group_id
+    attr_accessor :disable_correlation
+    attr_accessor :event_creator_email
+
+    attr_accessor :org
+    attr_accessor :orgc
+
+    attr_accessor :sharing_groups
+    attr_accessor :attributes
+    attr_accessor :shadow_attributes
+    attr_accessor :related_events
+    attr_accessor :galaxies
+    attr_accessor :tags
+
+    def initialize(**attrs)
+      attrs = normalize_attributes(attrs)
+
+      @id = attrs.dig(:id)
+      @orgc_id = attrs.dig(:orgc_id)
+      @org_id = attrs.dig(:org_id)
+      @date = attrs.dig(:date)
+      @threat_level_id = attrs.dig(:threat_level_id)
+      @info = attrs.dig(:info)
+      @published = attrs.dig(:published) || false
+      @uuid = attrs.dig(:uuid)
+      @attribute_count = attrs.dig(:attribute_count)
+      @analysis = attrs.dig(:analysis)
+      @timestamp = attrs.dig(:timestamp)
+      @distribution = attrs.dig(:distribution)
+      @proposal_email_lock = attrs.dig(:proposal_email_lock)
+      @locked = attrs.dig(:locked) || false
+      @publish_timestamp = attrs.dig(:publish_timestamp)
+      @sharing_group_id = attrs.dig(:sharing_group_id)
+      @disable_correlation = attrs.dig(:disable_correlation)
+      @event_creator_email = attrs.dig(:event_creator_email)
+
+      @org = build_attribute(item: attrs.dig(:Org), klass: Org)
+      @orgc = build_attribute(item: attrs.dig(:Orgc), klass: Orgc)
+
+      @sharing_groups = build_plural_attribute(items: attrs.dig(:SharingGroup), klass: SharingGroup)
+      @attributes = build_plural_attribute(items: attrs.dig(:Attribute), klass: Attribute)
+      @shadow_attributes = build_plural_attribute(items: attrs.dig(:ShadowAttribute), klass: Attribute )
+      @related_events = build_plural_attribute(items: attrs.dig(:RelatedEvent), klass: Attribute)
+      @galaxies = build_plural_attribute(items: attrs.dig(:Galaxy), klass: Galaxy)
+      @tags = build_plural_attribute(items: attrs.dig(:Tag), klass: Tag)
+    end
+
+    def to_h
+      compact(
+        id: id,
+        orgc_id: orgc_id,
+        org_id: org_id,
+        date: date,
+        threat_level_id: threat_level_id,
+        info: info,
+        published: published,
+        uuid: uuid,
+        attribute_count: attribute_count,
+        analysis: analysis,
+        timestamp: timestamp,
+        distribution: distribution,
+        proposal_email_lock: proposal_email_lock,
+        locked: locked,
+        publish_timestamp: publish_timestamp,
+        sharing_group_id: sharing_group_id,
+        disable_correlation: disable_correlation,
+        event_creator_email: event_creator_email,
+        Org: org.to_h,
+        Orgc: orgc.to_h,
+        SharingGroup: sharing_groups.map(&:to_h),
+        Attribute: attributes.map(&:to_h),
+        ShadowAttribute: shadow_attributes.map(&:to_h),
+        RelatedEvent: related_events.map(&:to_h),
+        Galaxy: galaxies.map(&:to_h),
+        Tag: tags.map(&:to_h)
+      )
+    end
+
+    def get(id)
+      _get("/events/#{id}") { |event| Event.new symbolize_keys(event) }
+    end
+
+    def self.get(id)
+      new.get id
+    end
+
+    def create(**attrs)
+      payload = to_h.merge(attrs)
+      _post("/events/add", wrap(payload)) { |event| Event.new symbolize_keys(event) }
+    end
+
+    def self.create(**attrs)
+      new.create attrs
+    end
+
+    def delete
+      _delete("/events/#{id}") { |json| json }
+    end
+
+    def self.delete(id)
+      new(id: id).delete
+    end
+
+    def list
+      _get("/events/index") do |events|
+        events.map do |event|
+          Event.new symbolize_keys(event)
+        end
+      end
+    end
+
+    def self.list
+      new.list
+    end
+
+    def update(**attrs)
+      payload = to_h.merge(attrs)
+      payload[:timestamp] = nil
+      _post("/events/#{id}", wrap(payload)) { |event| Event.new symbolize_keys(event) }
+    end
+
+    def self.update(id, **attrs)
+      new(id: id).update attrs
+    end
+
+    def search(**params)
+      base = {
+        returnFormat: "json",
+        limit: "100",
+        page: "0"
+      }
+
+      _post("/events/restSearch", base.merge(params)) do |json|
+        events = json.dig("response") || []
+        events.map { |event| Event.new symbolize_keys(event) }
+      end
+    end
+
+    def self.search(**params)
+      new.search params
+    end
+
+    def add_attribute(attribute)
+      attribute = Attribute.new(symbolize_keys(attribute)) unless attribute.is_a?(Attribute)
+      attributes << attribute
+      self
+    end
+
+    def add_tag(tag)
+      tag = Tag.new(symbolize_keys(tag)) unless tag.is_a?(MISP::Tag)
+      tags << tag
+      self
+    end
+
+    private
+
+    def compact(hash)
+      hash.compact.reject { |_k, v| (v.is_a?(Hash) || v.is_a?(Array)) && v.empty? }
+    end
+  end
+end

data/lib/misp/feed.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module MISP
+  class Feed < Base
+    attr_reader :id
+    attr_reader :name
+    attr_reader :provider
+    attr_reader :url
+    attr_reader :rules
+    attr_reader :enabled
+    attr_reader :distribution
+    attr_reader :sharing_group_id
+    attr_reader :tag_id
+    attr_reader :default
+    attr_reader :source_format
+    attr_reader :fixed_event
+    attr_reader :delta_merge
+    attr_reader :event_id
+    attr_reader :publish
+    attr_reader :override_ids
+    attr_reader :settings
+    attr_reader :input_source
+    attr_reader :delete_local_file
+    attr_reader :lookup_visible
+    attr_reader :headers
+    attr_reader :caching_enabled
+
+    def initialize(**attributes)
+      attributes = normalize_attributes(attributes)
+
+      @id = attributes.dig(:id)
+      @name = attributes.dig(:name) || "feed name"
+      @provider = attributes.dig(:provider) || "my provider"
+      @url = attributes.dig(:url) || "http://example.com"
+      @rules = attributes.dig(:rules) || ""
+      @enabled = attributes.dig(:enabled)
+      @distribution = attributes.dig(:distribution)
+      @sharing_group_id = attributes.dig(:sharing_group_id)
+      @tag_id = attributes.dig(:tag_id) || "0"
+      @default = attributes.dig(:default) || true
+      @source_format = attributes.dig(:source_format) || "misp"
+      @fixed_event = attributes.dig(:fixed_event) || true
+      @delta_merge = attributes.dig(:delta_merge) || false
+      @event_id = attributes.dig(:event_id) || "0"
+      @publish = attributes.dig(:publish) || true
+      @override_ids = attributes.dig(:override_ids) || false
+      @settings = attributes.dig(:settings) || ""
+      @input_source = attributes.dig(:input_source) || "network"
+      @delete_local_file = attributes.dig(:delete_local_file) || false
+      @lookup_visible = attributes.dig(:lookup_visible) || true
+      @headers = attributes.dig(:headers) || ""
+      @caching_enabled = attributes.dig(:caching_enabled) || true
+    end
+
+    def to_h
+      {
+        id: id,
+        name: name,
+        provider: provider,
+        url: url,
+        rules: rules,
+        enabled: enabled,
+        distribution: distribution,
+        sharing_group_id: sharing_group_id,
+        tag_id: tag_id,
+        default: default,
+        source_format: source_format,
+        fixed_event: fixed_event,
+        delta_merge: delta_merge,
+        event_id: event_id,
+        publish: publish,
+        override_ids: override_ids,
+        settings: settings,
+        input_source: input_source,
+        delete_local_file: delete_local_file,
+        lookup_visible: lookup_visible,
+        headers: headers,
+        caching_enabled: caching_enabled,
+      }.compact
+    end
+
+    def list
+      _get("/feeds/index") do |feeds|
+        feeds.map do |feed|
+          Feed.new symbolize_keys(feed)
+        end
+      end
+    end
+
+    def self.list
+      new.list
+    end
+
+    def get
+      _get("/feeds/view/#{id}") { |feed| Feed.new symbolize_keys(feed) }
+    end
+
+    def self.get(id)
+      new(id: id).get
+    end
+
+    def create(**attributes)
+      _post("/feeds/add", wrap(attributes)) { |feed| Feed.new symbolize_keys(feed) }
+    end
+
+    def self.create(attributes)
+      new.create attributes
+    end
+  end
+end

data/lib/misp/galaxy.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module MISP
+  class Galaxy < Base
+    attr_reader :id
+    attr_reader :uuid
+    attr_reader :name
+    attr_reader :type
+    attr_reader :description
+    attr_reader :version
+
+    attr_reader :galaxy_clusters
+
+    def initialize(**attributes)
+      attributes = normalize_attributes(attributes)
+
+      @id = attributes.dig(:id)
+      @uuid = attributes.dig(:uuid)
+      @name = attributes.dig(:name)
+      @type = attributes.dig(:type)
+      @description = attributes.dig(:description)
+      @version = attributes.dig(:version)
+
+      @galaxy_clusters = build_plural_attribute(items: attributes.dig(:GalaxyCluster), klass: GalaxyCluster)
+    end
+
+    def to_h
+      {
+        id: id,
+        uuid: uuid,
+        name: name,
+        type: type,
+        description: description,
+        version: version,
+        GalaxyCluster: galaxy_clusters.map(&:to_h)
+      }.compact
+    end
+
+    def list
+      _get("/galaxies/") do |galaxies|
+        galaxies.map do |galaxy|
+          Galaxy.new symbolize_keys(galaxy)
+        end
+      end
+    end
+
+    def self.list
+      new.list
+    end
+
+    def get
+      _get("/galaxies/view/#{id}") { |galaxy| Galaxy.new symbolize_keys(galaxy) }
+    end
+
+    def self.get(id)
+      new(id: id).get
+    end
+  end
+end

data/lib/misp/galaxy_cluster.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module MISP
+  class GalaxyCluster < Base
+    attr_reader :id
+    attr_reader :uuid
+    attr_reader :type
+    attr_reader :value
+    attr_reader :tag_name
+    attr_reader :description
+    attr_reader :galaxy_id
+    attr_reader :source
+    attr_reader :authors
+    attr_reader :tag_id
+    attr_reader :meta
+
+    def initialize(**attributes)
+      attributes = normalize_attributes(attributes)
+
+      @id = attributes.dig(:id)
+      @uuid = attributes.dig(:uuid)
+      @type = attributes.dig(:type)
+      @value = attributes.dig(:value)
+      @tag_name = attributes.dig(:tag_name)
+      @description = attributes.dig(:description)
+      @galaxy_id = attributes.dig(:galaxy_id)
+      @source = attributes.dig(:source)
+      @authors = attributes.dig(:authors)
+      @tag_id = attributes.dig(:tag_id)
+      @meta = attributes.dig(:meta)
+    end
+
+    def to_h
+      {
+        id: id,
+        uuid: uuid,
+        type: type,
+        value: value,
+        tag_name: tag_name,
+        description: description,
+        galaxy_id: galaxy_id,
+        source: source,
+        authors: authors,
+        tag_id: tag_id,
+        meta: meta,
+      }.compact
+    end
+  end
+end

data/lib/misp/org.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module MISP
+  class Org < Base
+    attr_reader :id
+    attr_reader :name
+    attr_reader :uuid
+
+    def initialize(**attributes)
+      attributes = normalize_attributes(attributes)
+
+      @id = attributes.dig(:id)
+      @name = attributes.dig(:name)
+      @uuid = attributes.dig(:uuid)
+    end
+
+    def to_h
+      {
+        id: id,
+        name: name,
+        uuid: uuid,
+      }.compact
+    end
+  end
+end