howler-api 3.4.0.dev955__tar.gz → 3.4.0.dev970__tar.gz

{howler_api-3.4.0.dev955 → howler_api-3.4.0.dev970}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: howler-api
-Version: 3.4.0.dev955
+Version: 3.4.0.dev970
 Summary: Howler - API server
 License: MIT
 Keywords: howler,alerting,gc,canada,cse-cst,cse,cst,cyber,cccs

{howler_api-3.4.0.dev955 → howler_api-3.4.0.dev970}/howler/datastore/collection.py

@@ -1364,6 +1364,43 @@ class ESCollection(Generic[ModelType]):
 
         return res["updated"]
 
+    def _expand_fl(self, fl: str) -> str:
+        """Expand wildcard patterns in a field list string using the model's flat_fields.
+
+        For each comma-separated entry in `fl`, if the entry contains a `*`, it is treated
+        as a glob-style wildcard pattern and matched against all fields returned by
+        ``flat_fields()``.  Entries without wildcards are kept as-is.
+
+        Args:
+            fl: Comma-separated list of field names, optionally containing ``*`` wildcards
+                (e.g. ``"howler.*,event.start"``).
+
+        Returns:
+            A comma-separated string of expanded field names.  If no model class is
+            associated with this collection the original ``fl`` string is returned
+            unchanged.
+        """
+        if not self.model_class or "*" not in fl:
+            return fl
+
+        all_fields = list(self.model_class.flat_fields().keys())
+        expanded: list[str] = []
+        for pattern in fl.split(","):
+            pattern = pattern.strip()
+            if not pattern:
+                # Skip empty entries (e.g. from trailing commas).
+                continue
+            if "*" not in pattern or pattern == "*":
+                # Exact names and the bare '*' (meaning "all fields") are kept as-is.
+                expanded.append(pattern)
+            else:
+                # Convert the glob-style wildcard to a full regex pattern.
+                # Replace '*' with '.*' and escape all other regex special characters.
+                regex = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
+                matched = [f for f in all_fields if regex.match(f)]
+                expanded.extend(matched if matched else [pattern])
+        return ",".join(expanded)
+
     def _format_output(self, result, fields=None, as_obj=True):
         # Getting search document data
         extra_fields = result.get("fields", {})
@@ -1735,6 +1772,7 @@ class ESCollection(Generic[ModelType]):
         ]
 
         if fl:
+            fl = self._expand_fl(fl)
             field_list = fl.split(",")
             args.append(("field_list", field_list))
         else:
@@ -1847,6 +1885,7 @@ class ESCollection(Generic[ModelType]):
             filters.append(access_control)
 
         if fl:
+            fl = self._expand_fl(fl)
             fl = fl.split(",")
 
         query_expression = {
@@ -1896,6 +1935,8 @@ class ESCollection(Generic[ModelType]):
 
         if not fl:
             fl = "howler.id"
+        else:
+            fl = self._expand_fl(fl)
 
         if rows is None:
             rows = 5
@@ -2226,6 +2267,7 @@ class ESCollection(Generic[ModelType]):
         filters.append("%s:*" % group_field)
 
         if fl:
+            fl = self._expand_fl(fl)
             field_list = fl.split(",")
             args.append(("field_list", field_list))
         else:

howler_api-3.4.0.dev970/howler/odm/models/ecs/file.py

@@ -0,0 +1,83 @@
+from howler import odm
+from howler.odm.models.ecs.code_signature import CodeSignature
+from howler.odm.models.ecs.elf import ELF
+from howler.odm.models.ecs.hash import Hashes
+from howler.odm.models.ecs.pe import PE
+
+# from howler.odm.models.ecs.x509 import X509
+
+FILE_TYPE = ["file", "dir", "symlink"]
+
+
+@odm.model(
+    index=True,
+    store=True,
+    description="A file is defined as a set of information that has been created on, or has existed on a filesystem.",
+)
+class File(odm.Model):
+    accessed: str | None = odm.Optional(odm.Date(description="Last time the file was accessed."))
+    attributes: list[str] | None = odm.Optional(odm.List(odm.Keyword(), description="Array of file attributes."))
+    created: str | None = odm.Optional(odm.Date(description="File creation time."))
+    ctime: str | None = odm.Optional(odm.Date(description="Last time the file attributes or metadata changed."))
+    device: str | None = odm.Optional(odm.Keyword(description="Device that is the source of the file."))
+    directory: str | None = odm.Optional(
+        odm.Keyword(
+            description="Directory where the file is located. It should include the drive letter, when appropriate."
+        )
+    )
+    drive_letter: str | None = odm.Optional(
+        odm.Keyword(description="Drive letter where the file is located. This field is only relevant on Windows.")
+    )
+    extension: str | None = odm.Optional(odm.Keyword(description="File extension, excluding the leading dot."))
+    fork_name: str | None = odm.Optional(
+        odm.Keyword(description="A fork is additional data associated with a filesystem object.")
+    )
+    gid: str | None = odm.Optional(odm.Keyword(description="Primary group ID (GID) of the file."))
+    group: str | None = odm.Optional(odm.Keyword(description="Primary group name of the file."))
+    inode: str | None = odm.Optional(odm.Keyword(description="Inode representing the file in the filesystem."))
+    mime_type: str | None = odm.Optional(
+        odm.Keyword(
+            description="MIME type should identify the format of the file or stream of "
+            "bytes using IANA official types, where possible."
+        )
+    )
+    mode: str | None = odm.Optional(odm.Keyword(description="Mode of the file in octal representation."))
+    mtime: str | None = odm.Optional(odm.Date(description="Last time the file content was modified."))
+    name: str | None = odm.Optional(
+        odm.Keyword(description="Name of the file including the extension, without the directory.")
+    )
+    owner: str | None = odm.Optional(odm.Keyword(description="File owner’s username."))
+    path: str | None = odm.Optional(
+        odm.Keyword(
+            description="Full path to the file, including the file name. "
+            "It should include the drive letter, when appropriate."
+        )
+    )
+    size: int | None = odm.Long(description="File size in bytes.", optional=True)
+    target_path: str | None = odm.Optional(odm.Keyword(description="Target path for symlinks."))
+    type: str | None = odm.Optional(odm.Enum(values=FILE_TYPE, description="File type (file, dir, or symlink)."))
+    uid: str | None = odm.Optional(
+        odm.Keyword(description="The user ID (UID) or security identifier (SID) of the file owner.")
+    )
+
+    code_signature: CodeSignature | None = odm.Optional(
+        odm.Compound(
+            CodeSignature,
+            description="These fields contain information about binary code signatures.",
+        )
+    )
+    elf: ELF | None = odm.Optional(
+        odm.Compound(
+            ELF,
+            description="These fields contain Linux Executable Linkable Format (ELF) metadata.",
+        )
+    )
+    hash: Hashes | None = odm.Optional(
+        odm.Compound(
+            Hashes,
+            description="Hashes, usually file hashes.",
+        )
+    )
+    pe: PE | None = odm.Optional(
+        odm.Compound(PE, description="These fields contain Windows Portable Executable (PE) metadata.")
+    )

{howler_api-3.4.0.dev955 → howler_api-3.4.0.dev970}/pyproject.toml

@@ -152,7 +152,7 @@ suppress-none-returning = true
 [tool.poetry]
 package-mode = true
 name = "howler-api"
-version = "3.4.0.dev955"
+version = "3.4.0.dev970"
 description = "Howler - API server"
 authors = [
     "Canadian Centre for Cyber Security <howler@cyber.gc.ca>",

howler_api-3.4.0.dev955/howler/odm/models/ecs/file.py

@@ -1,83 +0,0 @@
-from typing import Optional
-
-from howler import odm
-from howler.odm.models.ecs.code_signature import CodeSignature
-from howler.odm.models.ecs.elf import ELF
-from howler.odm.models.ecs.hash import Hashes
-from howler.odm.models.ecs.pe import PE
-
-# from howler.odm.models.ecs.x509 import X509
-
-FILE_TYPE = ["file", "dir", "symlink"]
-
-
-@odm.model(
-    index=True,
-    store=True,
-    description="A file is defined as a set of information that has been created on, or has existed on a filesystem.",
-)
-class File(odm.Model):
-    accessed: Optional[str] = odm.Optional(odm.Date(description="Last time the file was accessed."))
-    attributes: Optional[list[str]] = odm.Optional(odm.List(odm.Keyword(), description="Array of file attributes."))
-    created: Optional[str] = odm.Optional(odm.Date(description="File creation time."))
-    ctime: Optional[str] = odm.Optional(odm.Date(description="Last time the file attributes or metadata changed."))
-    device: Optional[str] = odm.Optional(odm.Keyword(description="Device that is the source of the file."))
-    directory: Optional[str] = odm.Optional(
-        odm.Keyword(
-            description="Directory where the file is located. It should include the drive letter, when appropriate."
-        )
-    )
-    drive_letter: Optional[str] = odm.Optional(
-        odm.Keyword(description="Drive letter where the file is located. This field is only relevant on Windows.")
-    )
-    extension: Optional[str] = odm.Optional(odm.Keyword(description="File extension, excluding the leading dot."))
-    fork_name: Optional[str] = odm.Optional(
-        odm.Keyword(description="A fork is additional data associated with a filesystem object.")
-    )
-    gid: Optional[str] = odm.Optional(odm.Keyword(description="Primary group ID (GID) of the file."))
-    group: Optional[str] = odm.Optional(odm.Keyword(description="Primary group name of the file."))
-    inode: Optional[str] = odm.Optional(odm.Keyword(description="Inode representing the file in the filesystem."))
-    mime_type: Optional[str] = odm.Optional(
-        odm.Keyword(
-            description="MIME type should identify the format of the file or stream of "
-            "bytes using IANA official types, where possible."
-        )
-    )
-    mode: Optional[str] = odm.Optional(odm.Keyword(description="Mode of the file in octal representation."))
-    mtime: Optional[str] = odm.Optional(odm.Date(description="Last time the file content was modified."))
-    name: Optional[str] = odm.Optional(
-        odm.Keyword(description="Name of the file including the extension, without the directory.")
-    )
-    owner: Optional[str] = odm.Optional(odm.Keyword(description="File owner’s username."))
-    path: Optional[str] = odm.Optional(
-        odm.Keyword(
-            description="Full path to the file, including the file name. "
-            "It should include the drive letter, when appropriate."
-        )
-    )
-    size: Optional[int] = odm.Integer(description="File size in bytes.", optional=True)
-    target_path: Optional[str] = odm.Optional(odm.Keyword(description="Target path for symlinks."))
-    type: Optional[str] = odm.Optional(odm.Enum(values=FILE_TYPE, description="File type (file, dir, or symlink)."))
-    uid: Optional[str] = odm.Optional(
-        odm.Keyword(description="The user ID (UID) or security identifier (SID) of the file owner.")
-    )
-
-    code_signature: Optional[CodeSignature] = odm.Optional(
-        odm.Compound(
-            CodeSignature,
-            description="These fields contain information about binary code signatures.",
-        )
-    )
-    elf: Optional[ELF] = odm.Optional(
-        odm.Compound(
-            ELF,
-            description="These fields contain Linux Executable Linkable Format (ELF) metadata.",
-        )
-    )
-    hash: Optional[Hashes] = odm.Optional(
-        odm.Compound(
-            Hashes,
-            description="These fields contain Windows Portable Executable (PE) metadata.",
-        )
-    )
-    pe: Optional[PE] = odm.Optional(odm.Compound(PE, description="Hashes, usually file hashes."))