misp 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: db847f1e32b2e0a1064180b310b087ade5c9d608282bcbeebc5403f02b0cb71d
+  data.tar.gz: e1090389330d2de0bfd8b0c58cd0768f1a9bc58bb220d80c9d74aea6cb9ec738
+SHA512:
+  metadata.gz: a4b3e71c139193309e919b6dc344f4fb200521b07a90fd3e45384d272549632af96eec9852416fdc8ddbfda31c9675f5ab107ae4cb1b2ff61b98dbeba0979457
+  data.tar.gz: 16b98a9dae45d273b70600565f8130d43d592e4097b517f49a69177c367a8c88a5841e4eb238a9629f9a45d1ca12ce7addfb5118c27f52d45a9c4a0ae3e56f61

data/.gitignore

@@ -0,0 +1,52 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+.env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6
+before_install: gem install bundler -v 2.0.2

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in misp-rb.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Manabu Niseki
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,118 @@
+# misp-rb
+
+[![Build Status](https://travis-ci.com/ninoseki/misp-rb.svg?branch=master)](https://travis-ci.com/ninoseki/misp-rb)
+[![Coverage Status](https://coveralls.io/repos/github/ninoseki/misp-rb/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/misp-rb?branch=master)
+[![CodeFactor](https://www.codefactor.io/repository/github/ninoseki/misp-rb/badge)](https://www.codefactor.io/repository/github/ninoseki/misp-rb)
+
+A dead simple MISP API wrapper for Ruby.
+
+If you aren't a Rubyist, I highly recommend to use the official [PyMISP](https://github.com/MISP/PyMISP).
+
+## Installation
+
+```bash
+gem install misp
+```
+
+## Usage
+
+### Configuration
+
+By default, it tries to load configurations from environmental variables:
+
+- MISP API endpoint from ENV["MISP_API_ENDPOINT"]
+- MISP API key from ENV["MISP_API_KEY"]
+
+Also, you can configure them manually.
+
+```ruby
+require "misp"
+
+MISP.configure do |config|
+  config.api_endpoint = "https://misppriv.circl.lu"
+  config.api_key = "MISP_API_KEY"
+end
+```
+
+### Create an event
+
+```ruby
+event = MISP::Event.create(info: "my event")
+```
+
+### Retrive an event
+
+```ruby
+event = MISP::Event.get(15)
+```
+
+### Update an event
+
+```ruby
+event = MISP::Event.get(17)
+event.info = "my new info field"
+event.update
+```
+
+### Add an attribute
+
+```ruby
+event = MISP::Event.get(17)
+event.add_attribute(value: "8.8.8.8", type: "ip-dst")
+# or
+attribute = MISP::Attribute(value: "1.1.1.1", type: "ip-dst")
+event.add_attribute attribute
+event.update
+```
+
+### Tag an event
+
+```ruby
+event = MISP::Event.get(17)
+event.add_tag name: "my tag"
+event.update
+```
+
+### Tag an attribute
+
+```ruby
+attribute = MISP::Attribute.search(value: "8.8.8.8").first
+attribute.add_tag(name: "my tag")
+```
+
+### Create an event with attributes and tags already applied
+
+```ruby
+event = MISP::Event.new(
+  info: "my event",
+  Attribute: [
+    value: "8.8.8.8",
+    type: "ip-dst",
+    Tag: [
+      { name: "my attribute-level tag" }
+    ]
+  ],
+  Tag: [
+    { name: "my event-level tag" }
+  ]
+)
+event.create
+# or
+event = MISP::Event.new(info: "my event")
+
+attribute = MISP::Attribute.new(value: "8.8.8.8", type: "ip-dst")
+attribute.tags << MISP::Tag.new(name: "my attribute-level tag")
+
+event.attributes << attribute
+event.tags << MISP::Tag.new(name: "my event-level tag")
+
+event.create
+```
+
+## Acknowledgement
+
+The implementation design of this gem is highly influenced by [FloatingGhost/mispex](https://github.com/FloatingGhost/mispex).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/lib/misp.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require "misp/version"
+
+require "misp/configuration"
+
+require "misp/base"
+
+require "misp/org"
+require "misp/orgc"
+
+require "misp/feed"
+require "misp/server"
+
+require "misp/sharing_group_org"
+require "misp/sharing_group_server"
+require "misp/sharing_group"
+
+require "misp/galaxy_cluster"
+require "misp/galaxy"
+
+require "misp/tag"
+
+require "misp/attribute"
+
+require "misp/event"
+
+module MISP
+  class Error < StandardError; end
+end

data/lib/misp/attribute.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+module MISP
+  class Attribute < Base
+    attr_reader :id
+    attr_accessor :type
+    attr_accessor :category
+    attr_accessor :to_ids
+    attr_reader :uuid
+    attr_reader :event_id
+    attr_accessor :distribution
+    attr_accessor :timestamp
+    attr_accessor :comment
+    attr_accessor :sharing_group_id
+    attr_accessor :deleted
+    attr_accessor :disable_correlation
+    attr_accessor :value
+    attr_accessor :data
+
+    attr_accessor :sharing_groups
+    attr_accessor :shadow_attributes
+    attr_accessor :tags
+
+    def initialize(**attributes)
+      attributes = normalize_attributes(attributes)
+
+      @id = attributes.dig(:id)
+      @type = attributes.dig(:type)
+      @category = attributes.dig(:category)
+      @to_ids = attributes.dig(:to_ids)
+      @uuid = attributes.dig(:uuid)
+      @event_id = attributes.dig(:event_id)
+      @distribution = attributes.dig(:distribution)
+      @timestamp = attributes.dig(:timestamp)
+      @comment = attributes.dig(:comment)
+      @sharing_group_id = attributes.dig(:sharing_group_id)
+      @deleted = attributes.dig(:deleted)
+      @disable_correlation = attributes.dig(:disable_correlation)
+      @value = attributes.dig(:value)
+      @data = attributes.dig(:data)
+
+      @sharing_groups = build_plural_attribute(items: attributes.dig(:SharingGroup), klass: SharingGroup)
+      @shadow_attributes = build_plural_attribute(items: attributes.dig(:ShadowAttribute), klass: Attribute )
+      @tags = build_plural_attribute(items: attributes.dig(:Tag), klass: Tag)
+    end
+
+    def to_h
+      {
+        id: id,
+        type: type,
+        category: category,
+        to_ids: to_ids,
+        uuid: uuid,
+        event_id: event_id,
+        distribution: distribution,
+        timestamp: timestamp,
+        comment: comment,
+        sharing_group_id: sharing_group_id,
+        deleted: deleted,
+        disable_correlation: disable_correlation,
+        value: value,
+        data: data,
+        SharingGroup: sharing_groups.map(&:to_h),
+        ShadowAttribute: shadow_attributes.map(&:to_h),
+        Tag: tags.map(&:to_h)
+      }.compact
+    end
+
+    def get
+      _get("/attributes/#{id}") { |attribute| Attribute.new symbolize_keys(attribute) }
+    end
+
+    def self.get(id)
+      new(id: id).get
+    end
+
+    def delete
+      _post("/attributes/delete/#{id}") { |json| json }
+    end
+
+    def self.delete(id)
+      new(id: id).delete
+    end
+
+    def create(event_id)
+      _post("/attributes/add/#{event_id}", wrap(to_h)) { |attribute| Attribute.new symbolize_keys(attribute) }
+    end
+
+    def self.create(event_id, **attributes)
+      new(attributes).create(event_id)
+    end
+
+    def update(**attrs)
+      payload = to_h.merge(attrs)
+      payload[:timestamp] = nil
+      _post("/attributes/edit/#{id}", wrap(payload)) { |json| Attribute.new symbolize_keys(json.dig("response", "Attribute")) }
+    end
+
+    def search(**params)
+      base = {
+        returnFormat: "json",
+        limit: "100",
+        page: "0"
+      }
+
+      _post("/attributes/restSearch", base.merge(params)) do |json|
+        attributes = json.dig("response", "Attribute") || []
+        attributes.map { |attribute| Attribute.new symbolize_keys(attribute) }
+      end
+    end
+
+    def self.search(**params)
+      new.search params
+    end
+
+    def add_tag(tag)
+      tag = Tag.new(symbolize_keys(tag)) unless tag.is_a?(MISP::Tag)
+      payload = { uuid: uuid, tag: tag.name }
+      _post("/tags/attachTagToObject", payload) { |json| Tag.new symbolize_keys(json) }
+    end
+
+    def remove_tag(tag)
+      tag = Tag.new(symbolize_keys(tag)) unless tag.is_a?(MISP::Tag)
+      payload = { uuid: uuid, tag: tag.name }
+      _post("/tags/removeTagFromObject", payload) { |json| json }
+    end
+  end
+end

data/lib/misp/base.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+require "json"
+require "net/https"
+require "uri"
+
+module MISP
+  class Base
+    def api_endpoint
+      @api_endpoint ||= URI(MISP.configuration.api_endpoint)
+    end
+
+    def api_key
+      @api_key ||= MISP.configuration.api_key
+    end
+
+    private
+
+    def build_attribute(item:, klass:)
+      return nil unless item
+
+      klass.new symbolize_keys(item)
+    end
+
+    def build_plural_attribute(items:, klass:)
+      (items || []).map do |item|
+        klass.new symbolize_keys(item)
+      end
+    end
+
+    def symbolize_keys(hash)
+      hash.map { |k, v| [k.to_sym, v] }.to_h
+    end
+
+    def class_name
+      self.class.to_s.split("::").last.to_s
+    end
+
+    def normalize_attributes(attributes)
+      klass = class_name.to_sym
+
+      attributes.key?(klass) ? symbolize_keys(attributes.dig(klass)) : attributes
+    end
+
+    def wrap(params)
+      klass = class_name.to_sym
+      return params if params.key?(klass)
+
+      [[klass, params]].to_h
+    end
+
+    def hostname
+      @hostname ||= api_endpoint.hostname
+    end
+
+    def port
+      @port ||= api_endpoint.port
+    end
+
+    def scheme
+      @scheme ||= api_endpoint.scheme
+    end
+
+    def base_url
+      "#{scheme}://#{hostname}:#{port}"
+    end
+
+    def url_for(path)
+      URI(base_url + path)
+    end
+
+    def https_options
+      return nil if scheme != "https"
+
+      if proxy = ENV["HTTPS_PROXY"] || ENV["https_proxy"]
+        uri = URI(proxy)
+        {
+          proxy_address: uri.hostname,
+          proxy_port: uri.port,
+          proxy_from_env: false,
+          use_ssl: true,
+        }
+      else
+        { use_ssl: true }
+      end
+    end
+
+    def http_options
+      if proxy = ENV["HTTP_PROXY"] || ENV["http_proxy"]
+        uri = URI(proxy)
+        {
+          proxy_address: uri.hostname,
+          proxy_port: uri.port,
+          proxy_from_env: false,
+        }
+      else
+        {}
+      end
+    end
+
+    def parse_body(body)
+      JSON.parse body.to_s
+    rescue JSON::ParserError => _e
+      body.to_s
+    end
+
+    def request(req)
+      Net::HTTP.start(hostname, port, https_options || http_options) do |http|
+        req.initialize_http_header default_headers
+
+        response = http.request(req)
+        json = parse_body(response.body)
+
+        code = response.code
+        unless code.start_with? "20"
+          raise Error, "Unsupported response code returned: #{code} (#{json})"
+        end
+
+        yield json
+      end
+    end
+
+    def default_headers
+      {
+        "Content-Type": "application/json",
+        "Accept": "application/json",
+        "Authorization": api_key
+      }
+    end
+
+    def _get(path, params = {}, &block)
+      url = url_for(path)
+      url.query = URI.encode_www_form(params) unless params.empty?
+
+      get = Net::HTTP::Get.new(url)
+      request(get, &block)
+    end
+
+    def _post(path, params = {}, &block)
+      url = url_for(path)
+
+      post = Net::HTTP::Post.new(url)
+      post.body = params.is_a?(Hash) ? params.to_json : params.to_s
+
+      request(post, &block)
+    end
+
+    def _delete(path, params = {}, &block)
+      url = url_for(path)
+      url.query = URI.encode_www_form(params) unless params.empty?
+
+      delete = Net::HTTP::Delete.new(url)
+      request(delete, &block)
+    end
+  end
+end