synapse 2.160.0__py311-none-any.whl → 2.162.0__py311-none-any.whl

synapse/lib/stormlib/gen.py

@@ -105,10 +105,32 @@ class LibGen(s_stormtypes.Lib):
                        'desc': 'Type normalization will fail silently instead of raising an exception.'},
                   ),
                   'returns': {'type': 'node', 'desc': 'A lang:language node with the given code.'}}},
+        {'name': 'itAvScanResultByTarget',
+         'desc': 'Returns an it:av:scan:result node by deconflicting with a target and signature name, adding the node if it does not exist.',
+         'type': {'type': 'function', '_funcname': '_storm_query',
+                  'args': (
+                      {'name': 'form', 'type': 'str', 'desc': 'The target form.'},
+                      {'name': 'value', 'type': 'str', 'desc': 'The target value.'},
+                      {'name': 'signame', 'type': 'str', 'desc': 'The signature name.'},
+                      {'name': 'scanner', 'type': 'str', 'default': None,
+                       'desc': 'An optional scanner software name to include in deconfliction.'},
+                      {'name': 'time', 'type': 'time', 'default': None,
+                       'desc': 'An optional time when the scan was run to include in the deconfliction.'},
+                      {'name': 'try', 'type': 'boolean', 'default': False,
+                       'desc': 'Type normalization will fail silently instead of raising an exception.'},
+                  ),
+                  'returns': {'type': 'node', 'desc': 'An it:av:scan:result node.'}}},
     )
     _storm_lib_path = ('gen',)
 
     _storm_query = '''
+        function __maybeCast(try, type, valu) {
+            if $try {
+                return($lib.trycast($type, $valu))
+            }
+            return(($lib.true, $lib.cast($type, $valu)))
+        }
+
         function orgIdType(name) {
             ou:id:type:name=$name
             return($node)
@@ -128,12 +150,8 @@ class LibGen(s_stormtypes.Lib):
         }
 
         function orgByName(name, try=$lib.false) {
-            if $try {
-                ($ok, $name) = $lib.trycast(ou:name, $name)
-                if (not $ok) { return() }
-            } else {
-                $name = $lib.cast(ou:name, $name)
-            }
+            ($ok, $name) = $__maybeCast($try, ou:name, $name)
+            if (not $ok) { return() }
 
             ou:name=$name -> ou:org
             return($node)
@@ -143,12 +161,8 @@ class LibGen(s_stormtypes.Lib):
         }
 
         function orgByFqdn(fqdn, try=$lib.false) {
-            if $try {
-                ($ok, $fqdn) = $lib.trycast("inet:fqdn", $fqdn)
-                if (not $ok) { return() }
-            } else {
-                $fqdn = $lib.cast(inet:fqdn, $fqdn)
-            }
+            ($ok, $fqdn) = $__maybeCast($try, inet:fqdn, $fqdn)
+            if (not $ok) { return() }
 
             inet:fqdn=$fqdn -> ou:org
             return($node)
@@ -180,12 +194,8 @@ class LibGen(s_stormtypes.Lib):
         }
 
         function newsByUrl(url, try=$lib.false) {
-            if $try {
-                ($ok, $url) = $lib.trycast(inet:url, $url)
-                if (not $ok) { return() }
-            } else {
-                $url = $lib.cast(inet:url, $url)
-            }
+            ($ok, $url) = $__maybeCast($try, inet:url, $url)
+            if (not $ok) { return() }
 
             media:news:url=$url
             return($node)
@@ -205,12 +215,8 @@ class LibGen(s_stormtypes.Lib):
         }
 
         function vulnByCve(cve, try=$lib.false) {
-            if $try {
-                ($ok, $cve) = $lib.trycast("it:sec:cve", $cve)
-                if (not $ok) { return() }
-            } else {
-                $cve = $lib.cast(it:sec:cve, $cve)
-            }
+            ($ok, $cve) = $__maybeCast($try, it:sec:cve, $cve)
+            if (not $ok) { return() }
 
             risk:vuln:cve=$cve
             return($node)
@@ -258,14 +264,11 @@ class LibGen(s_stormtypes.Lib):
         }
 
         function psContactByEmail(type, email, try=$lib.false) {
+            ($ok, $email) = $__maybeCast($try, inet:email, $email)
+            if (not $ok) { return() }
 
-            if $try {
-                ($ok, $email) = $lib.trycast("inet:email", $email)
-                if (not $ok) { return() }
-            } else {
-                $type = $lib.cast(ps:contact:type:taxonomy, $type)
-                $email = $lib.cast(inet:email, $email)
-            }
+            ($ok, $type) = $__maybeCast($try, ps:contact:type:taxonomy, $type)
+            if (not $ok) { return() }
 
             ps:contact:email = $email
             +:type = $type
@@ -279,12 +282,8 @@ class LibGen(s_stormtypes.Lib):
         }
 
         function polCountryByIso2(iso2, try=$lib.false) {
-            if $try {
-                ($ok, $iso2) = $lib.trycast("pol:iso2", $iso2)
-                if (not $ok) { return() }
-            } else {
-                $iso2 = $lib.cast(pol:iso2, $iso2)
-            }
+            ($ok, $iso2) = $__maybeCast($try, pol:iso2, $iso2)
+            if (not $ok) { return() }
 
             pol:country:iso2=$iso2
             return($node)
@@ -313,13 +312,8 @@ class LibGen(s_stormtypes.Lib):
         }
 
         function langByCode(code, try=$lib.false) {
-
-            if $try {
-                ($ok, $code) = $lib.trycast(lang:code, $code)
-                if (not $ok) { return() }
-            } else {
-                $code = $lib.cast(lang:code, $code)
-            }
+            ($ok, $code) = $__maybeCast($try, lang:code, $code)
+            if (not $ok) { return() }
 
             lang:language:code=$code
             return($node)
@@ -339,6 +333,54 @@ class LibGen(s_stormtypes.Lib):
             [ ou:campaign=(gen, name, reporter, $name, $reporter) :name=$name :reporter:name=$reporter ]
             return($node)
         }
+
+        function itAvScanResultByTarget(form, value, signame, scanner=$lib.null, time=$lib.null, try=$lib.false) {
+
+            ($ok, $value) = $__maybeCast($try, $form, $value)
+            if (not $ok) { return() }
+
+            switch $form {
+                "file:bytes":   { $tprop = target:file }
+                "inet:fqdn":    { $tprop = target:fqdn }
+                "inet:ipv4":    { $tprop = target:ipv4 }
+                "inet:ipv6":    { $tprop = target:ipv6 }
+                "inet:url":     { $tprop = target:url  }
+                "it:exec:proc": { $tprop = target:proc }
+                "it:host":      { $tprop = target:host }
+                *: {
+                    $lib.raise(BadArg, `Unsupported target form {$form}`)
+                }
+            }
+
+            ($ok, $signame) = $__maybeCast($try, it:av:signame, $signame)
+            if (not $ok) { return() }
+
+            if ($scanner != $lib.null) {
+                ($ok, $scanner) = $__maybeCast($try, it:prod:softname, $scanner)
+                if (not $ok) { return() }
+            }
+
+            if ($time != $lib.null) {
+                ($ok, $time) = $__maybeCast($try, time, $time)
+                if (not $ok) { return() }
+            }
+
+            $tlift = `it:av:scan:result:{$tprop}`
+
+            *$tlift=$value +:signame=$signame
+            if ($time != $lib.null) { +:time=$time }
+            if ($scanner != $lib.null) { +:scanner:name=$scanner }
+            return($node)
+
+            [ it:av:scan:result=(gen, target, $form, $value, $signame, $scanner, $time)
+                :signame=$signame
+                :$tprop=$value
+                :scanner:name?=$scanner
+                :time?=$time
+            ]
+
+            return($node)
+        }
     '''
 
 stormcmds = (
@@ -507,4 +549,37 @@ stormcmds = (
         ),
         'storm': 'yield $lib.gen.langByName($cmdopts.name)',
     },
+    # todo: remove it:av:filehit example in 3.x.x
+    {
+        'name': 'gen.it.av.scan.result',
+        'descr': '''
+            Lift (or create) the it:av:scan:result node by deconflicting the target and signature time.
+
+            The scan time and scanner name may also optionally be provided for deconfliction.
+
+            Examples:
+
+                // Yield the it:av:scan:result node for an FQDN and signature name
+                gen.it.av.scan.result inet:fqdn vertex.link foosig
+
+                // Also deconflict by scanner name and scan time
+                gen.it.av.scan.result inet:fqdn fqdn vertex.link foosig --scanner-name barscanner --time 2022-11-03
+
+                // Generate an it:av:scan:result node from an it:av:filehit node
+                it:av:filehit#foo | gen.it.av.scan.result file:bytes :file :sig:name
+        ''',
+        'cmdargs': (
+            ('form', {'help': 'The target form.'}),
+            ('value', {'help': 'The target value.'}),
+            ('signame', {'help': 'The signature name.'}),
+            ('--scanner-name', {'help': 'An optional scanner software name to include in deconfliction.'}),
+            ('--time', {'help': 'An optional time when the scan was run to include in the deconfliction.'}),
+            ('--try', {'help': 'Type normalization will fail silently instead of raising an exception.',
+                       'action': 'store_true'}),
+        ),
+        'storm': '''
+            yield $lib.gen.itAvScanResultByTarget($cmdopts.form, $cmdopts.value, $cmdopts.signame,
+                                                  scanner=$cmdopts.scanner_name, time=$cmdopts.time, try=$cmdopts.try)
+        ''',
+    }
 )

synapse/lib/stormlib/stix.py

@@ -247,7 +247,7 @@ _DefaultConfig = {
                         'name': '{+:name return(:name)} return($node.repr())',
                         'size': '+:size return(:size)',
                         'hashes': '''
-                            init { $dict = $lib.dict() }
+                            init { $dict = ({}) }
                             { +:md5 $dict.MD5 = :md5 }
                             { +:sha1 $dict."SHA-1" = :sha1 }
                             { +:sha256 $dict."SHA-256" = :sha256 }
@@ -392,7 +392,7 @@ _DefaultConfig = {
                         'description': 'if (:desc) { return (:desc) }',
                         'created': 'return($lib.stix.export.timestamp(.created))',
                         'modified': 'return($lib.stix.export.timestamp(.created))',
-                        'external_references': 'if :cve { $cve=:cve $cve=$cve.upper() $list=$lib.list($lib.dict(source_name=cve, external_id=$cve)) return($list) }'
+                        'external_references': 'if :cve { $cve=:cve $cve=$cve.upper() $list=$lib.list(({"source_name": "cve", "external_id": $cve})) return($list) }'
                     },
                     'rels': (
 
@@ -1405,7 +1405,10 @@ class StixBundle(s_stormtypes.Prim):
 
     async def _callStorm(self, text, node):
 
-        opts = {'vars': {'bundle': self}}
+        varz = self.runt.getScopeVars()
+        varz['bundle'] = self
+
+        opts = {'vars': varz}
         query = await self.runt.snap.core.getStormQuery(text)
         async with self.runt.getCmdRuntime(query, opts=opts) as runt:
 

synapse/lib/stormlib/vault.py

@@ -477,7 +477,8 @@ class LibVault(s_stormtypes.Lib):
         name = await s_stormtypes.tostr(name)
 
         vault = self.runt.snap.core.reqVaultByName(name)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_READ)
+        mesg = f'User requires read permission on vault: {name}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_READ, mesg=mesg)
 
         return Vault(self.runt, vault.get('iden'))
 
@@ -485,7 +486,8 @@ class LibVault(s_stormtypes.Lib):
         iden = await s_stormtypes.tostr(iden)
 
         vault = self.runt.snap.core.reqVault(iden)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_READ)
+        mesg = f'User requires read permission on vault: {iden}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_READ, mesg=mesg)
 
         return Vault(self.runt, iden)
 
@@ -496,7 +498,10 @@ class LibVault(s_stormtypes.Lib):
         vault = self.runt.snap.core.getVaultByType(vtype, self.runt.user.iden, scope)
         if not vault:
             return None
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_READ)
+
+        iden = vault.get('iden')
+        mesg = f'User requires read permission on vault: {iden}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_READ, mesg=mesg)
 
         return Vault(self.runt, vault.get('iden'))
 
@@ -523,12 +528,14 @@ class VaultConfigs(s_stormtypes.Prim):
         self.runt = runt
 
         vault = self.runt.snap.core.reqVault(valu)
-        s_stormtypes.confirmEasyPerm(vault, self._vault_perm)
+        mesg = f'User requires {s_cell.permnames.get(self._vault_perm)} permission on vault: {valu}.'
+        s_stormtypes.confirmEasyPerm(vault, self._vault_perm, mesg=mesg)
 
     @s_stormtypes.stormfunc(readonly=False)
     async def setitem(self, name, valu):
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT)
+        mesg = f'User requires edit permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT, mesg=mesg)
 
         name = await s_stormtypes.tostr(name)
 
@@ -541,7 +548,8 @@ class VaultConfigs(s_stormtypes.Prim):
 
     async def deref(self, name):
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, self._vault_perm)
+        mesg = f'User requires {s_cell.permnames.get(self._vault_perm)} permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, self._vault_perm, mesg=mesg)
 
         name = await s_stormtypes.tostr(name)
 
@@ -550,7 +558,8 @@ class VaultConfigs(s_stormtypes.Prim):
 
     async def iter(self):
         vault = self.runt.snap.core.reqVault(self.valu)
-        self.runt.confirmEasyPerm(vault, self._vault_perm)
+        mesg = f'User requires {s_cell.permnames.get(self._vault_perm)} permission on vault: {self.valu}.'
+        self.runt.confirmEasyPerm(vault, self._vault_perm, mesg=mesg)
 
         data = vault.get(self._vault_field_name)
 
@@ -564,13 +573,15 @@ class VaultConfigs(s_stormtypes.Prim):
 
     async def stormrepr(self):
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, self._vault_perm)
+        mesg = f'User requires {s_cell.permnames.get(self._vault_perm)} permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, self._vault_perm, mesg=mesg)
         data = vault.get(self._vault_field_name)
         return repr(data)
 
     def value(self):
         vault = self.runt.snap.core.reqVault(self.valu)
-        self.runt.confirmEasyPerm(vault, self._vault_perm)
+        mesg = f'User requires {s_cell.permnames.get(self._vault_perm)} permission on vault: {self.valu}.'
+        self.runt.confirmEasyPerm(vault, self._vault_perm, mesg=mesg)
         return vault.get(self._vault_field_name)
 
 class VaultSecrets(VaultConfigs):
@@ -580,7 +591,8 @@ class VaultSecrets(VaultConfigs):
     @s_stormtypes.stormfunc(readonly=False)
     async def setitem(self, name, valu):
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT)
+        mesg = f'User requires edit permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT, mesg=mesg)
 
         name = await s_stormtypes.tostr(name)
 
@@ -686,7 +698,8 @@ class Vault(s_stormtypes.Prim):
 
     async def _storName(self, name):
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT)
+        mesg = f'User requires edit permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT, mesg=mesg)
 
         name = await s_stormtypes.tostr(name)
 
@@ -703,7 +716,8 @@ class Vault(s_stormtypes.Prim):
     async def _storConfigs(self, configs):
         configs = await s_stormtypes.toprim(configs)
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT)
+        mesg = f'User requires edit permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT, mesg=mesg)
         return await self.runt.snap.core.replaceVaultConfigs(self.valu, configs)
 
     async def _gtorSecrets(self):
@@ -716,7 +730,8 @@ class Vault(s_stormtypes.Prim):
     async def _storSecrets(self, secrets):
         secrets = await s_stormtypes.toprim(secrets)
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT)
+        mesg = f'User requires edit permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_EDIT, mesg=mesg)
         return await self.runt.snap.core.replaceVaultSecrets(self.valu, secrets)
 
     async def _gtorPermissions(self):
@@ -725,7 +740,8 @@ class Vault(s_stormtypes.Prim):
 
     async def _methSetPerm(self, iden, level):
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_ADMIN)
+        mesg = f'User requires admin permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_ADMIN, mesg=mesg)
 
         iden = await s_stormtypes.tostr(iden)
         level = await s_stormtypes.toint(level)
@@ -734,7 +750,8 @@ class Vault(s_stormtypes.Prim):
 
     async def _methDelete(self):
         vault = self.runt.snap.core.reqVault(self.valu)
-        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_ADMIN)
+        mesg = f'User requires admin permission on vault: {self.valu}.'
+        s_stormtypes.confirmEasyPerm(vault, s_cell.PERM_ADMIN, mesg=mesg)
 
         return await self.runt.snap.core.delVault(self.valu)