clue-api 1.3.0.dev15__tar.gz → 1.3.0.dev28__tar.gz

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: clue-api
-Version: 1.3.0.dev15
+Version: 1.3.0.dev28
 Summary: Clue distributed enrichment service
 License: MIT
 License-File: LICENSE

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/clue/api/v1/lookup.py

@@ -205,13 +205,16 @@ def enrich(type_name: str, value: str, **kwargs) -> dict[str, QueryResult]:
     user = kwargs["user"]
 
     # For backwards compatability, if eml is used it is replaced with email
-    type_name = type_name.replace("eml", "email")
+    type_name = type_name.lower().replace("eml", "email")
 
     if type_name == "telemetry":
         try:
             json.loads(urllib.parse.unquote(value))
         except json.JSONDecodeError:
             return bad_request(err="If type is telemetry, value must be a valid JSON object.")
+    else:
+        # Normalize to lowercase all non-telemetry inputs
+        value = value.lower()
 
     # re-encode the type after being decoded going through flask/wsgi route
     value = urllib.parse.quote(value, safe="")

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/clue/constants/supported_types.py

@@ -37,4 +37,4 @@ SUPPORTED_TYPES = {
     "tenant-id": UUID4_REGEX,
 }
 
-CASE_INSENSITIVE_TYPES = ["ip", "domain", "port", "tenant-id"]
+CASE_INSENSITIVE_TYPES = ["ip", "domain", "port", "tenant-id", "hbs_oid", "hbs_agent_id"]

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/clue/models/config.py

@@ -69,7 +69,7 @@ class OAuthProvider(BaseModel):
     classification_map: dict[str, str] = Field(
         default={}, description="A mapping of OAuth groups to classification levels"
     )
-    access_token_url: str | None = Field(description="URL to get access token")
+    access_token_url: str = Field(description="URL to get access token")
     authorize_url: str | None = Field(description="URL used to authorize access to a resource")
     api_base_url: str | None = Field(description="Base URL for downloading the user's and groups info")
     audience: str | None = Field(

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/clue/models/selector.py

@@ -1,9 +1,10 @@
 # ruff: noqa: D101
 import ipaddress
 import json
+from typing import Annotated
 
 from flask import request
-from pydantic import BaseModel, Field, model_validator
+from pydantic import BaseModel, Field, StringConstraints, model_validator
 from typing_extensions import Self
 
 from clue.common.logging import get_logger
@@ -14,7 +15,7 @@ logger = get_logger(__file__)
 
 
 class Selector(BaseModel):
-    type: str
+    type: Annotated[str, StringConstraints(to_lower=True, strip_whitespace=True)]
     value: str
     classification: str | None = Field(default=None)
     sources: list[str] | None = Field(default=None)
@@ -41,8 +42,7 @@ class Selector(BaseModel):
                 json.loads(self.value)
             except json.JSONDecodeError as e:
                 raise AssertionError("If type is telemetry, value must be a valid JSON object.") from e
-
-        if self.type in CASE_INSENSITIVE_TYPES:
+        elif self.type in CASE_INSENSITIVE_TYPES:
             self.value = self.value.lower()
 
         if not self.classification:

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/clue/services/auth_service.py

@@ -2,7 +2,7 @@ import base64
 import hashlib
 from typing import Any, Optional, Union
 
-import elasticapm
+from elasticapm.traces import capture_span
 from flask import request
 
 from clue.common.exceptions import (
@@ -17,7 +17,7 @@ from clue.config import config, get_redis
 from clue.models.config import ExternalSource
 from clue.remote.datatypes.set import ExpiringSet
 from clue.security.obo import get_obo_token
-from clue.security.utils import decode_jwt_payload, generate_random_secret
+from clue.security.utils import generate_random_secret
 from clue.services import jwt_service, user_service
 
 logger = get_logger(__file__)
@@ -123,7 +123,7 @@ def validate_token(username: str, token: str) -> Optional[list[str]]:
     return None
 
 
-@elasticapm.capture_span(span_type="authentication")
+@capture_span(span_type="authentication")
 def bearer_auth(
     data: str, skip_jwt: bool = False, skip_internal: bool = False
 ) -> tuple[Optional[dict[str, Any]], Optional[list[str]]]:
@@ -164,7 +164,7 @@ def bearer_auth(
             raise InvalidDataException("Not a valid authentication type for this endpoint.")
 
 
-@elasticapm.capture_span(span_type="authentication")
+@capture_span(span_type="authentication")
 def validate_apikey(name: str, apikey: str) -> tuple[Optional[dict[str, Any]], Optional[list[str]]]:
     """This function identifies the user via the internal API key functionality.
 
@@ -243,7 +243,7 @@ def decode_b64(b64_str: str) -> str:
         raise InvalidDataException("Basic authentication data must be base64 encoded") from e
 
 
-@elasticapm.capture_span(span_type="authentication")
+@capture_span(span_type="authentication")
 def basic_auth(
     data: str, is_base64: bool = True, skip_apikey: bool = False, skip_password: bool = False
 ) -> tuple[Optional[dict[str, Any]], Optional[list[str]]]:
@@ -267,6 +267,7 @@ def basic_auth(
     [username, data] = key_pair.split(":", maxsplit=1)
 
     validated_user = None
+    priv = None
     if not skip_apikey:
         validated_user, priv = validate_apikey(username, data)
 
@@ -299,16 +300,6 @@ def basic_auth(
     return validated_user, priv
 
 
-def extract_audience(access_token: str) -> list[str]:
-    "Extract the audience from an encoded JWT."
-    audience: list[str] | str | None = decode_jwt_payload(access_token).get("aud", None)
-
-    if not audience:
-        return []
-
-    return [audience] if not isinstance(audience, list) else audience
-
-
 # TODO: sa-clue support
 def check_obo(source: ExternalSource, access_token: str, username: str) -> tuple[Optional[str], Optional[str]]:
     """Checks whether a token's audience matches the source, and if it doesn't, tries to get an OBO token for the source
@@ -333,7 +324,7 @@ def check_obo(source: ExternalSource, access_token: str, username: str) -> tuple
 
             access_token = sa_token
 
-        audience = extract_audience(access_token)
+        audience = jwt_service.extract_audience(access_token)
 
         # Check if this is a standard clue token
         if jwt_service.get_audience(jwt_service.get_provider(access_token)) in audience:

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/clue/services/jwt_service.py

@@ -11,6 +11,7 @@ from jwt.api_jwk import PyJWK
 from clue.common.exceptions import ClueKeyError, ClueValueError
 from clue.common.logging import get_logger
 from clue.config import cache, config
+from clue.security.utils import decode_jwt_payload
 
 logger = get_logger(__file__)
 
@@ -19,6 +20,9 @@ def get_jwk(access_token: str) -> PyJWK:
     """Get the JSON Web Key associated with the given JWT"""
     # "kid" is the JSON Web Key's identifier. It tells us which key was used to validate the token.
     kid = jwt.get_unverified_header(access_token).get("kid")
+    if not kid or not isinstance(kid, str):
+        raise ClueValueError("Unexpected kid value in access token: %s", kid)
+
     jwks, _ = get_jwks()
 
     try:
@@ -50,6 +54,9 @@ def get_provider(access_token: str) -> str:
     """
     # "kid" is the JSON Web Key's identifier. It tells us which key was used to validate the token.
     kid = jwt.get_unverified_header(access_token).get("kid")
+    if not kid or not isinstance(kid, str):
+        raise ClueValueError("Unexpected kid value in access token: %s", kid)
+
     _, providers = get_jwks()
 
     try:
@@ -93,6 +100,16 @@ def get_jwks() -> tuple[dict[str, dict[str, Any]], dict[str, str]]:
     return (jwks, providers)
 
 
+def extract_audience(access_token: str) -> list[str]:
+    "Extract the audience from an encoded JWT."
+    audience: list[str] | str | None = decode_jwt_payload(access_token).get("aud", None)
+
+    if not audience:
+        return []
+
+    return [audience] if not isinstance(audience, list) else audience
+
+
 def get_audience(oauth_provider: str) -> str:
     """Get the audience for the specified OAuth provider
 
@@ -156,7 +173,7 @@ def decode(
             options={"verify_aud": validate_audience},
             **kwargs,
         )  # type: ignore
-    except jwt.InvalidAudienceError:
+    except jwt.exceptions.InvalidAudienceError:
         logger.debug("Default audience did not match - checking additional audiences")
         if config.auth.oauth.other_audiences is not None:
             # The main audience isn't valid, let's try the others
@@ -174,7 +191,11 @@ def decode(
                 except jwt.InvalidAudienceError:
                     continue
 
-        logger.debug("Default and additional audiences failed to validate")
+        logger.warning(
+            "Default and additional audiences failed to validate. Expected: %s, Actual: %s",
+            audience,
+            ",".join(extract_audience(access_token)),
+        )
         raise
 
 

{clue_api-1.3.0.dev15 → clue_api-1.3.0.dev28}/pyproject.toml

@@ -146,7 +146,7 @@ log_cli_level = "WARN"
 [tool.poetry]
 package-mode = true
 name = "clue-api"
-version = "1.3.0.dev15"
+version = "1.3.0.dev28"
 description = "Clue distributed enrichment service"
 authors = ["Canadian Centre for Cyber Security <contact@cyber.gc.ca>"]
 license = "MIT"