howler-api 3.0.0.dev374__py3-none-any.whl

howler/common/logging/audit.py

@@ -0,0 +1,138 @@
+import logging
+import os
+import sys
+
+from flask import request
+
+from howler.common.logging.format import HWL_AUDIT_FORMAT, HWL_DATE_FORMAT, HWL_ISO_DATE_FORMAT, HWL_LOG_FORMAT
+from howler.config import DEBUG, config
+
+AUDIT = config.ui.audit
+
+AUDIT_KW_TARGET = [
+    "sid",
+    "sha256",
+    "copy_sid",
+    "filter",
+    "query",
+    "username",
+    "group",
+    "rev",
+    "wq_id",
+    "index",
+    "cache_key",
+    "alert_key",
+    "alert_id",
+    "url",
+    "q",
+    "fq",
+    "file_hash",
+    "heuristic_id",
+    "error_key",
+    "mac",
+    "vm_type",
+    "vm_name",
+    "config_name",
+    "servicename",
+    "vm",
+    "transition",
+    "data",
+    "id",
+    "comment_id",
+    "label_set",
+    "tool_name",
+    "operation_id",
+    "category",
+    "label",
+]
+
+AUDIT_LOG = logging.getLogger("howler.api.audit")
+AUDIT_LOG.propagate = False
+
+if AUDIT:
+    AUDIT_LOG.setLevel(logging.DEBUG)
+
+if not os.path.exists(config.logging.log_directory):
+    os.makedirs(config.logging.log_directory)
+
+fh = logging.FileHandler(os.path.join(config.logging.log_directory, "hwl_audit.log"))
+fh.setLevel(logging.DEBUG)
+fh.setFormatter(
+    logging.Formatter(
+        HWL_LOG_FORMAT if DEBUG else HWL_AUDIT_FORMAT,
+        HWL_DATE_FORMAT if DEBUG else HWL_ISO_DATE_FORMAT,
+    )
+)
+AUDIT_LOG.addHandler(fh)
+
+ch = logging.StreamHandler(sys.stdout)
+ch.setLevel(logging.INFO)
+ch.setFormatter(
+    logging.Formatter(
+        HWL_LOG_FORMAT if DEBUG else HWL_AUDIT_FORMAT,
+        HWL_DATE_FORMAT if DEBUG else HWL_ISO_DATE_FORMAT,
+    )
+)
+AUDIT_LOG.addHandler(ch)
+
+#########################
+# End of prepare logger #
+#########################
+
+
+def audit(args, kwargs, logged_in_uname, user, func, impersonator=None):
+    """Log audit information for a given function executed by a given user."""
+    try:
+        json_blob = request.json
+        if not isinstance(json_blob, dict):
+            json_blob = {}
+    except Exception:
+        json_blob = {}
+
+    try:
+        req_args = ["%s='%s'" % (k, v) for k, v in request.args.items() if k in AUDIT_KW_TARGET]
+    except RuntimeError:
+        req_args = []
+
+    params_list = (
+        list(args)
+        + ["%s='%s'" % (k, v) for k, v in kwargs.items() if k in AUDIT_KW_TARGET]
+        + req_args
+        + ["%s='%s'" % (k, v) for k, v in json_blob.items() if k in AUDIT_KW_TARGET]
+    )
+
+    if impersonator:
+        audit_user = f"{impersonator} on behalf of {logged_in_uname}"
+    else:
+        audit_user = logged_in_uname
+    if DEBUG:
+        # In debug mode, you'll get an output like:
+        # 23/03/20 14:26:56 DEBUG howler.api.audit | goose - search(index='...', query='...')
+        AUDIT_LOG.debug(
+            "%s - %s(%s)",
+            audit_user,
+            func.__name__,
+            ", ".join(params_list),
+        )
+    else:
+        # In prod, you'll get an output like:
+        # {
+        #     "date": "2023-03-20T18:33:27-0400",
+        #     "type": "audit",
+        #     "app_name": "howler",
+        #     "api": "howler.api.audit",
+        #     "severity": "INFO",
+        #     "user": "goose",
+        #     "function": "search(index='hit', query='howler.escalation:alert AND howler.status:open')",
+        #     "method": "POST",
+        #     "path": "/api/v1/search/hit/"
+        # }
+        AUDIT_LOG.info(
+            "",
+            extra={
+                "user": audit_user,
+                "function": f"{func.__name__}({', '.join(params_list)})",
+                "method": request.method,
+                "path": request.path,
+            },
+        )

howler/common/logging/format.py

@@ -0,0 +1,38 @@
+import json
+import os
+
+APP_NAME = os.environ.get("APP_NAME", "howler")
+
+try:
+    from howler.common.net import get_hostname
+
+    hostname = get_hostname()
+except Exception:
+    hostname = "unknownhost"
+
+HWL_SYSLOG_FORMAT = f"HWL %(levelname)8s {hostname} %(process)5d %(name)40s | %(message)s"
+HWL_LOG_FORMAT = "%(asctime)s %(levelname)s %(name)s | %(message)s"
+HWL_DATE_FORMAT = "%y/%m/%d %H:%M:%S"
+HWL_JSON_FORMAT = (
+    f"{{"
+    f'"@timestamp": "%(asctime)s", '
+    f'"event": {{ "module": "{APP_NAME}", "dataset": "%(name)s" }}, '
+    f'"host": {{ "hostname": "{hostname}" }}, '
+    f'"log": {{ "level": "%(levelname)s", "logger": "%(name)s" }}, '
+    f'"process": {{ "pid": "%(process)d" }}, '
+    f'"message": %(message)s}}'
+)
+HWL_ISO_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S%z"
+HWL_AUDIT_FORMAT = json.dumps(
+    {
+        "date": "%(asctime)s",
+        "type": "audit",
+        "app_name": APP_NAME,
+        "api": "howler.api.audit",
+        "severity": "%(levelname)s",
+        "user": "%(user)s",
+        "function": "%(function)s",
+        "method": "%(method)s",
+        "path": "%(path)s",
+    }
+).replace('"msg"', "%(message)s")

howler/common/net.py

@@ -0,0 +1,79 @@
+import socket
+import uuid
+from ipaddress import IPv4Network, ip_address
+from typing import Union
+
+from howler.common.net_static import TLDS_ALPHA_BY_DOMAIN
+
+
+def is_valid_port(value: Union[int, str, float]) -> bool:
+    "Check if a port is valid"
+    try:
+        if 1 <= int(value) <= 65535:
+            return True
+    except ValueError:
+        pass
+
+    return False
+
+
+def is_valid_domain(domain: str) -> bool:
+    "Check if a domain is valid"
+    if "@" in domain:
+        return False
+
+    if "." in domain:
+        tld = domain.split(".")[-1]
+        return tld.upper() in TLDS_ALPHA_BY_DOMAIN
+
+    return False
+
+
+def is_valid_ip(ip: str) -> bool:
+    "Check if an ip is valid"
+    parts = ip.split(".")
+    if len(parts) == 4:
+        for p in parts:
+            try:
+                if not (0 <= int(p) <= 255):
+                    return False
+            except ValueError:
+                return False
+
+        if int(parts[0]) == 0:
+            return False
+
+        if int(parts[3]) == 0:
+            return False
+
+        return True
+
+    return False
+
+
+def is_ip_in_network(ip: str, network: IPv4Network) -> bool:
+    "Check if an ip is in a given network"
+    if not is_valid_ip(ip):
+        return False
+
+    return ip_address(ip) in network
+
+
+def is_valid_email(email: str) -> bool:
+    "Check if an email is valid"
+    parts = email.split("@")
+    if len(parts) == 2:
+        if is_valid_domain(parts[1]):
+            return True
+
+    return False
+
+
+def get_hostname() -> str:
+    "Get the hostname of the computer howler is running on"
+    return socket.gethostname()
+
+
+def get_mac_address() -> str:
+    "Get the mac address of the computer howler is running on"
+    return "".join(["{0:02x}".format((uuid.getnode() >> i) & 0xFF) for i in range(0, 8 * 6, 8)][::-1]).upper()