synapse 2.169.0__py311-none-any.whl → 2.171.0__py311-none-any.whl

synapse/lib/snap.py

@@ -183,6 +183,15 @@ class ProtoNode:
 
         return s_common.novalu
 
+    async def hasData(self, name):
+        if name in self.nodedata:
+            return True
+
+        if self.node is not None:
+            return await self.node.hasData(name)
+
+        return False
+
     async def setData(self, name, valu):
 
         if await self.getData(name) == valu:
@@ -287,6 +296,15 @@ class ProtoNode:
         if self.node is not None:
             return self.node.getTagProp(tag, name)
 
+    def hasTagProp(self, tag, name):
+        if (tag, name) in self.tagprops:
+            return True
+
+        if self.node is not None:
+            return self.node.hasTagProp(tag, name)
+
+        return False
+
     async def setTagProp(self, tag, name, valu):
 
         tagnode = await self.addTag(tag)
@@ -322,7 +340,7 @@ class ProtoNode:
         if self.node is not None:
             return self.node.get(name)
 
-    async def _set(self, prop, valu, norminfo=None):
+    async def _set(self, prop, valu, norminfo=None, ignore_ro=False):
 
         if prop.locked:
             mesg = f'Prop {prop.full} is locked due to deprecation.'
@@ -360,7 +378,7 @@ class ProtoNode:
         if curv == valu:
             return False
 
-        if prop.info.get('ro') and curv is not None:
+        if not ignore_ro and prop.info.get('ro') and curv is not None:
             mesg = f'Property is read only: {prop.full}.'
             await self.ctx.snap._raiseOnStrict(s_exc.ReadOnlyProp, mesg)
             return False
@@ -372,12 +390,12 @@ class ProtoNode:
 
         return valu, norminfo
 
-    async def set(self, name, valu, norminfo=None):
+    async def set(self, name, valu, norminfo=None, ignore_ro=False):
         prop = self.form.props.get(name)
         if prop is None:
             return False
 
-        retn = await self._set(prop, valu, norminfo=norminfo)
+        retn = await self._set(prop, valu, norminfo=norminfo, ignore_ro=ignore_ro)
         if retn is False:
             return False
 

synapse/lib/storm.py

@@ -2351,7 +2351,7 @@ class Runtime(s_base.Base):
                 if view is None:
                     raise s_exc.NoSuchView(mesg=f'No such view iden={viewiden}', iden=viewiden)
 
-                self.user.confirm(('view', 'read'), gateiden=viewiden)
+                self.confirm(('view', 'read'), gateiden=viewiden)
                 snap = await view.snap(self.user)
 
         return snap

synapse/lib/stormlib/cortex.py

@@ -980,7 +980,7 @@ class HttpReq(s_stormtypes.StormType):
         try:
             return json.loads(self.rnfo.get('body'))
         except (UnicodeDecodeError, json.JSONDecodeError) as e:
-            raise s_exc.StormRuntimeError(mesg='Failed to decode request body as JSON: {e}') from None
+            raise s_exc.StormRuntimeError(mesg=f'Failed to decode request body as JSON: {e}') from None
 
     @s_stormtypes.stormfunc(readonly=True)
     async def _methSendCode(self, code):

synapse/lib/stormlib/model.py

@@ -5,6 +5,19 @@ import synapse.lib.node as s_node
 import synapse.lib.cache as s_cache
 import synapse.lib.stormtypes as s_stormtypes
 
+import synapse.models.infotech as s_infotech
+
+RISK_HASVULN_VULNPROPS = (
+    'hardware',
+    'host',
+    'item',
+    'org',
+    'person',
+    'place',
+    'software',
+    'spec',
+)
+
 stormcmds = [
     {
         'name': 'model.edge.set',
@@ -311,7 +324,7 @@ class LibModel(s_stormtypes.Lib):
                       {'name': 'name', 'type': 'str', 'desc': 'The name of the tag prop to retrieve.', },
                   ),
                   'returns': {'type': ['model:tagprop', 'null'],
-                              'desc': 'The ``model:tagprop`` instance if the tag prop if present or null.',
+                              'desc': 'The ``model:tagprop`` instance of the tag prop if present or null.',
                               }}},
     )
 
@@ -694,8 +707,58 @@ class LibModelDeprecated(s_stormtypes.Lib):
         gatekeys = ((self.runt.user.iden, ('model', 'deprecated', 'lock'), None),)
         await self.runt.dyncall('cortex', todo, gatekeys=gatekeys)
 
+class MigrationEditorMixin:
+    '''
+    Mixin helpers for migrating data within an editor context.
+    '''
+
+    async def copyData(self, src, proto, overwrite=False):
+
+        async for name in src.iterDataKeys():
+            if overwrite or not await proto.hasData(name):
+                self.runt.layerConfirm(('node', 'data', 'set', name))
+                valu = await src.getData(name)
+                await proto.setData(name, valu)
+
+    async def copyEdges(self, editor, src, proto):
+
+        verbs = set()
+
+        async for (verb, n2iden) in src.iterEdgesN1():
+
+            if verb not in verbs:
+                self.runt.layerConfirm(('node', 'edge', 'add', verb))
+                verbs.add(verb)
+
+            if await self.runt.snap.getNodeByBuid(s_common.uhex(n2iden)) is not None:
+                await proto.addEdge(verb, n2iden)
+
+        dstiden = proto.iden()
+
+        async for (verb, n1iden) in src.iterEdgesN2():
+
+            if verb not in verbs:
+                self.runt.layerConfirm(('node', 'edge', 'add', verb))
+                verbs.add(verb)
+
+            n1proto = await editor.getNodeByBuid(s_common.uhex(n1iden))
+            if n1proto is not None:
+                await n1proto.addEdge(verb, dstiden)
+
+    async def copyTags(self, src, proto, overwrite=False):
+
+        for name, valu in src.tags.items():
+            self.runt.layerConfirm(('node', 'tag', 'add', *name.split('.')))
+            await proto.addTag(name, valu=valu)
+
+        for tagname, tagprops in src.tagprops.items():
+            for propname, valu in tagprops.items():
+                if overwrite or not proto.hasTagProp(tagname, propname):
+                    await proto.setTagProp(tagname, propname, valu) # use tag perms
+
+
 @s_stormtypes.registry.registerLib
-class LibModelMigration(s_stormtypes.Lib):
+class LibModelMigration(s_stormtypes.Lib, MigrationEditorMixin):
     '''
     A Storm library containing migration tools.
     '''
@@ -745,14 +808,8 @@ class LibModelMigration(s_stormtypes.Lib):
         overwrite = await s_stormtypes.tobool(overwrite)
 
         async with self.runt.snap.getEditor() as editor:
-
             proto = editor.loadNode(dst)
-
-            async for name in src.iterDataKeys():
-                if overwrite or not await dst.hasData(name):
-                    self.runt.layerConfirm(('node', 'data', 'set', name))
-                    valu = await src.getData(name)
-                    await proto.setData(name, valu)
+            await self.copyData(src, proto, overwrite=overwrite)
 
     async def _methCopyEdges(self, src, dst):
 
@@ -764,30 +821,8 @@ class LibModelMigration(s_stormtypes.Lib):
         snap = self.runt.snap
 
         async with snap.getEditor() as editor:
-
             proto = editor.loadNode(dst)
-            verbs = set()
-
-            async for (verb, n2iden) in src.iterEdgesN1():
-
-                if verb not in verbs:
-                    self.runt.layerConfirm(('node', 'edge', 'add', verb))
-                    verbs.add(verb)
-
-                if await snap.getNodeByBuid(s_common.uhex(n2iden)) is not None:
-                    await proto.addEdge(verb, n2iden)
-
-            dstiden = s_common.ehex(dst.buid)
-
-            async for (verb, n1iden) in src.iterEdgesN2():
-
-                if verb not in verbs:
-                    self.runt.layerConfirm(('node', 'edge', 'add', verb))
-                    verbs.add(verb)
-
-                n1proto = await editor.getNodeByBuid(s_common.uhex(n1iden))
-                if n1proto is not None:
-                    await n1proto.addEdge(verb, dstiden)
+            await self.copyEdges(editor, src, proto)
 
     async def _methCopyTags(self, src, dst, overwrite=False):
 
@@ -801,14 +836,278 @@ class LibModelMigration(s_stormtypes.Lib):
         snap = self.runt.snap
 
         async with snap.getEditor() as editor:
-
             proto = editor.loadNode(dst)
+            await self.copyTags(src, proto, overwrite=overwrite)
+
+@s_stormtypes.registry.registerLib
+class LibModelMigrations(s_stormtypes.Lib, MigrationEditorMixin):
+    '''
+    A Storm library for selectively migrating nodes in the current view.
+    '''
+    _storm_locals = (
+        {'name': 'itSecCpe_2_170_0',
+         'desc': '''
+            Versions of Synapse prior to v2.169.0 did not correctly parse and
+            convert CPE strings from 2.2 -> 2.3 or 2.3 -> 2.2. This migration
+            attempts to re-normalize `it:sec:cpe` nodes that may be fixable.
+
+            NOTE: It is highly recommended to test the `it:sec:cpe` migrations
+            in a fork first and confirm the migration was successful without any
+            issues. Then run the migration in view deporder to migrate the
+            entire cortex. E.g.::
+
+                for $view in $lib.view.list(deporder=$lib.true) {
+                    view.exec $view.iden {
+                        for $n in $lib.layer.get().liftByProp(it:sec:cpe) {
+                            $lib.model.migration.s.itSecCpe_2_170_0($n)
+                        }
+                    }
+                }
+
+            Upon completion of the migration, nodedata will contain a
+            `migration.s.itSecCpe_2_170_0` dict with information about the
+            migration status. This dict may contain the following:
+
+                - `status`: (required str) "success" or "failed"
+                - `reason`: (optional str) if "status" is "failed", this key will
+                  explain why the migration failed.
+                - `valu`: (optional str) if this key is present, it will contain
+                  an updated CPE2.3 string since the primary property cannot be
+                  changed.
+                - `updated`: (optional list[str]) A list of properties that were
+                  updated by the migration.
+
+            Failed or incorrect migrations may be helped by updating the :v2_2
+            property to be a valid CPE2.2 string and then re-running the
+            migration with `force=$lib.true`. If the primary property (CPE2.3)
+            is valid but incorrect, users may update the :v2_2 property and then
+            run the migration with `prefer_v22=$lib.true` to make the migration
+            use the `:v2_2` string instead of the primary property for the
+            migration process.
+         ''',
+         'type': {'type': 'function', '_funcname': '_itSecCpe_2_170_0',
+                  'args': (
+                      {'name': 'n', 'type': 'node', 'desc': 'The it:sec:cpe node to migrate.'},
+                      {'name': 'prefer_v22', 'type': 'bool', 'default': False,
+                       'desc': '''
+                        Try to renormalize using the :v2_2 prop instead of the
+                        primary property. This can be especially useful when the
+                        primary property is a valid but incorrect CPE string.
+                        '''},
+                      {'name': 'force', 'type': 'bool', 'default': False,
+                       'desc': 'Perform fixups even if the primary property and :v2_2 are valid.'},
+                  ),
+                  'returns': {'type': 'boolean', 'desc': 'Boolean indicating if the migration was successful.'}}},
+        {'name': 'riskHasVulnToVulnerable', 'desc': '''
+            Create a risk:vulnerable node from the provided risk:hasvuln node.
+
+            Edits will be made to the risk:vulnerable node in the current write layer.
+
+            If multiple vulnerable properties are set on the risk:hasvuln node
+            multiple risk:vulnerable nodes will be created (each with a unique guid).
+            Otherwise, a single risk:vulnerable node will be created with the same guid
+            as the provided risk:hasvuln node. Extended properties will not be migrated.
+
+            Tags, tag properties, edges, and node data will be copied
+            to the risk:vulnerable node. However, existing tag properties and
+            node data will not be overwritten.
+        ''',
+        'type': {'type': 'function', '_funcname': '_riskHasVulnToVulnerable',
+                 'args': (
+                      {'name': 'n', 'type': 'node', 'desc': 'The risk:hasvuln node to migrate.'},
+                      {'name': 'nodata', 'type': 'bool', 'default': False,
+                       'desc': 'Do not copy nodedata to the risk:vulnerable node.'},
+                 ),
+                 'returns': {'type': 'list', 'desc': 'A list of idens for the risk:vulnerable nodes.'}}},
+    )
+    _storm_lib_path = ('model', 'migration', 's')
+
+    def getObjLocals(self):
+        return {
+            'itSecCpe_2_170_0': self._itSecCpe_2_170_0,
+            'riskHasVulnToVulnerable': self._riskHasVulnToVulnerable,
+        }
+
+    async def _itSecCpe_2_170_0(self, n, prefer_v22=False, force=False):
+
+        if not isinstance(n, s_node.Node):
+            raise s_exc.BadArg(mesg='$lib.model.migration.s.itSecCpe_2_170_0() argument must be a node.')
+
+        if n.form.name != 'it:sec:cpe':
+            raise s_exc.BadArg(f'itSecCpeFix only accepts it:sec:cpe nodes, not {n.form.name}')
+
+        prefer_v22 = await s_stormtypes.tobool(prefer_v22)
+        force = await s_stormtypes.tobool(force)
+
+        layr = self.runt.snap.wlyr
+        # We only need to check :v2_2 since that's the only property that's
+        # writable. Everthing else is readonly. And we can do it here once
+        # instead of in the loop below which will cause a perf hit.
+        self.runt.confirmPropSet(n.form.prop('v2_2'), layriden=layr.iden)
+
+        curv = n.repr()
+        reprvalu = f'it:sec:cpe={curv}'
+
+        nodedata = await n.getData('migration.s.itSecCpe_2_170_0', {})
+        if nodedata.get('status') == 'success' and not force:
+            if self.runt.debug:
+                mesg = f'DEBUG: itSecCpe_2_170_0({reprvalu}): Node already migrated.'
+                await self.runt.printf(mesg)
+            return True
+
+        modl = self.runt.model.type('it:sec:cpe')
+
+        valu23 = None
+        valu22 = None
+        invalid = ''
+
+        # Check the primary property for validity.
+        cpe23 = s_infotech.cpe23_regex.match(curv)
+        if cpe23 is not None and cpe23.group() == curv:
+            valu23 = curv
+
+        # Check the v2_2 property for validity.
+        v2_2 = n.props.get('v2_2')
+        if v2_2 is not None:
+            rgx = s_infotech.cpe22_regex.match(v2_2)
+            if rgx is not None and rgx.group() == v2_2:
+                valu22 = v2_2
+
+        async with self.runt.snap.getNodeEditor(n) as proto:
+
+            # If both values are populated, this node is valid
+            if valu23 is not None and valu22 is not None and not force:
+                if self.runt.debug:
+                    mesg = f'DEBUG: itSecCpe_2_170_0({reprvalu}): Node is valid, no migration necessary.'
+                    await self.runt.printf(mesg)
+
+                await proto.setData('migration.s.itSecCpe_2_170_0', {
+                    'status': 'success',
+                })
+
+                return True
+
+            if valu23 is None and valu22 is None:
+                reason = 'Unable to migrate due to invalid data. Primary property and :v2_2 are both invalid.'
+                # Invalid 2.3 string and no/invalid v2_2 prop. Nothing
+                # we can do here so log, mark, and go around.
+                mesg = f'itSecCpe_2_170_0({reprvalu}): {reason}'
+                await self.runt.warn(mesg)
+
+                await proto.setData('migration.s.itSecCpe_2_170_0', {
+                    'status': 'failed',
+                    'reason': reason,
+                })
+
+                return False
+
+            if prefer_v22:
+                valu = valu22 or valu23
+            else:
+                valu = valu23 or valu22
+
+            # Re-normalize the data from the 2.3 or 2.2 string, whichever was valid.
+            norm, info = modl.norm(valu)
+            subs = info.get('subs')
+
+            edits = []
+            nodedata = {'status': 'success'}
+
+            if norm != curv:
+                # The re-normed value is not the same as the current value.
+                # Since we can't change the primary property, store the
+                # updated value in nodedata.
+                if self.runt.debug:
+                    mesg = f'DEBUG: itSecCpe_2_170_0({reprvalu}): Stored updated primary property value to nodedata: {curv} -> {norm}.'
+                    await self.runt.printf(mesg)
+
+                nodedata['valu'] = norm
+
+            # Iterate over the existing properties
+            for propname, propcurv in n.props.items():
+                subscurv = subs.get(propname)
+                if subscurv is None:
+                    continue
+
+                if propname == 'v2_2' and isinstance(subscurv, list):
+                    subscurv = s_infotech.zipCpe22(subscurv)
+
+                # Values are the same, go around
+                if propcurv == subscurv:
+                    continue
+
+                nodedata.setdefault('updated', [])
+                nodedata['updated'].append(propname)
+
+                # Update the existing property with the re-normalized property value.
+                await proto.set(propname, subscurv, ignore_ro=True)
+
+            await proto.setData('migration.s.itSecCpe_2_170_0', nodedata)
+
+            if self.runt.debug:
+                if nodedata.get('updated'):
+                    mesg = f'DEBUG: itSecCpe_2_170_0({reprvalu}): Updated properties: {", ".join(nodedata["updated"])}.'
+                    await self.runt.printf(mesg)
+                else:
+                    mesg = f'DEBUG: itSecCpe_2_170_0({reprvalu}): No property updates required.'
+                    await self.runt.printf(mesg)
+
+            return True
+
+    async def _riskHasVulnToVulnerable(self, n, nodata=False):
+
+        nodata = await s_stormtypes.tobool(nodata)
+
+        if not isinstance(n, s_node.Node):
+            raise s_exc.BadArg(mesg='$lib.model.migration.s.riskHasVulnToVulnerable() argument must be a node.')
+
+        if n.form.name != 'risk:hasvuln':
+            mesg = f'$lib.model.migration.s.riskHasVulnToVulnerable() only accepts risk:hasvuln nodes, not {n.form.name}'
+            raise s_exc.BadArg(mesg=mesg)
+
+        retidens = []
+
+        if not (vuln := n.get('vuln')):
+            return retidens
+
+        props = {
+            'vuln': vuln,
+        }
+
+        links = {prop: valu for prop in RISK_HASVULN_VULNPROPS if (valu := n.get(prop)) is not None}
+
+        match len(links):
+            case 0:
+                return retidens
+            case 1:
+                guid = n.ndef[1]
+            case _:
+                guid = None
+
+        riskvuln = self.runt.model.form('risk:vulnerable')
+
+        self.runt.layerConfirm(riskvuln.addperm)
+        self.runt.confirmPropSet(riskvuln.props['vuln'])
+        self.runt.confirmPropSet(riskvuln.props['node'])
+
+        if (seen := n.get('.seen')):
+            self.runt.confirmPropSet(riskvuln.props['.seen'])
+            props['.seen'] = seen
+
+        async with self.runt.snap.getEditor() as editor:
+
+            for prop, valu in links.items():
+
+                pguid = guid if guid is not None else s_common.guid((guid, prop))
+                pprops = props | {'node': (n.form.props[prop].type.name, valu)}
+
+                proto = await editor.addNode('risk:vulnerable', pguid, props=pprops)
+                retidens.append(proto.iden())
+
+                await self.copyTags(n, proto, overwrite=False)
+                await self.copyEdges(editor, n, proto)
 
-            for name, valu in src.tags.items():
-                self.runt.layerConfirm(('node', 'tag', 'add', *name.split('.')))
-                await proto.addTag(name, valu=valu)
+                if not nodata:
+                    await self.copyData(n, proto, overwrite=False)
 
-            for tagname, tagprops in src.tagprops.items():
-                for propname, valu in tagprops.items():
-                    if overwrite or not dst.hasTagProp(tagname, propname):
-                        await proto.setTagProp(tagname, propname, valu) # use tag perms
+        return retidens

synapse/lib/stormtypes.py

@@ -6721,6 +6721,20 @@ class Layer(Prim):
             ''',
          'type': {'type': 'function', '_funcname': 'getStorNodes',
                   'returns': {'name': 'Yields', 'type': 'list', 'desc': 'Tuple of buid, sode values.', }}},
+        {'name': 'getStorNodesByForm', 'desc': '''
+            Get buid, sode tuples representing the data stored in the layer for a given form.
+
+            Notes:
+                The storage nodes represent **only** the data stored in the layer
+                and may not represent whole nodes. If the only data stored in the layer for
+                a given buid is an N2 edge reference, a storage node will not be returned.
+            ''',
+         'type': {'type': 'function', '_funcname': 'getStorNodesByForm',
+                  'args': (
+                      {'name': 'form', 'type': 'str',
+                       'desc': 'The name of the form to get storage nodes for.'},
+                   ),
+                  'returns': {'name': 'Yields', 'type': 'list', 'desc': 'Tuple of buid, sode values.', }}},
         {'name': 'getMirrorStatus', 'desc': '''
             Return a dictionary of the mirror synchronization status for the layer.
             ''',
@@ -6902,6 +6916,7 @@ class Layer(Prim):
             'getFormCounts': self._methGetFormcount,
             'getStorNode': self.getStorNode,
             'getStorNodes': self.getStorNodes,
+            'getStorNodesByForm': self.getStorNodesByForm,
             'getEdgesByN1': self.getEdgesByN1,
             'getEdgesByN2': self.getEdgesByN2,
             'getMirrorStatus': self.getMirrorStatus,
@@ -7198,6 +7213,19 @@ class Layer(Prim):
         async for item in layr.getStorNodes():
             yield item
 
+    @stormfunc(readonly=True)
+    async def getStorNodesByForm(self, form):
+        form = await tostr(form)
+        if self.runt.snap.core.model.form(form) is None:
+            raise s_exc.NoSuchForm.init(form)
+
+        layriden = self.valu.get('iden')
+        await self.runt.reqUserCanReadLayer(layriden)
+        layr = self.runt.snap.core.getLayer(layriden)
+
+        async for item in layr.getStorNodesByForm(form):
+            yield item
+
     @stormfunc(readonly=True)
     async def getEdges(self):
         layriden = self.valu.get('iden')
@@ -7452,6 +7480,12 @@ class View(Prim):
                       {'name': 'name', 'type': 'str', 'desc': 'The name of the new view.', 'default': None, },
                   ),
                   'returns': {'type': 'view', 'desc': 'The ``view`` object for the new View.', }}},
+        {'name': 'insertParentFork', 'desc': 'Insert a new View between a forked View and its parent.',
+         'type': {'type': 'function', '_funcname': '_methViewInsertParentFork',
+                  'args': (
+                      {'name': 'name', 'type': 'str', 'desc': 'The name of the new View.', 'default': None},
+                  ),
+                  'returns': {'type': 'view', 'desc': 'The ``view`` object for the new View.', }}},
         {'name': 'pack', 'desc': 'Get the View definition.',
          'type': {'type': 'function', '_funcname': '_methViewPack',
                   'returns': {'type': 'dict', 'desc': 'Dictionary containing the View definition.', }}},
@@ -7653,7 +7687,6 @@ class View(Prim):
         return {
             'set': self._methViewSet,
             'get': self._methViewGet,
-            'fork': self._methViewFork,
             'pack': self._methViewPack,
             'repr': self._methViewRepr,
             'merge': self._methViewMerge,
@@ -7668,6 +7701,9 @@ class View(Prim):
             'getTagPropCount': self._methGetTagPropCount,
             'getPropArrayCount': self._methGetPropArrayCount,
 
+            'fork': self._methViewFork,
+            'insertParentFork': self._methViewInsertParentFork,
+
             'getMerges': self.getMerges,
             'delMergeVote': self.delMergeVote,
             'setMergeVote': self.setMergeVote,
@@ -7919,6 +7955,27 @@ class View(Prim):
 
         return View(self.runt, newv, path=self.path)
 
+    async def _methViewInsertParentFork(self, name=None):
+        useriden = self.runt.user.iden
+        viewiden = self.valu.get('iden')
+
+        name = await tostr(name, noneok=True)
+
+        self.runt.reqAdmin(gateiden=viewiden)
+
+        view = self.runt.snap.core.reqView(viewiden)
+        if not view.isafork():
+            mesg = f'View ({viewiden}) is not a fork, cannot insert a new fork between it and parent.'
+            raise s_exc.BadState(mesg=mesg)
+
+        self.runt.confirm(('view', 'add'))
+        self.runt.confirm(('view', 'read'), gateiden=view.parent.iden)
+        self.runt.confirm(('view', 'fork'), gateiden=view.parent.iden)
+
+        newv = await view.insertParentFork(useriden, name=name)
+
+        return View(self.runt, newv, path=self.path)
+
     async def _methViewMerge(self, force=False):
         '''
         Merge a forked view back into its parent.

synapse/lib/types.py

@@ -1408,6 +1408,31 @@ class Ndef(Type):
         self.setNormFunc(list, self._normPyTuple)
         self.setNormFunc(tuple, self._normPyTuple)
 
+        self.formfilter = None
+
+        self.forms = self.opts.get('forms')
+        self.ifaces = self.opts.get('interfaces')
+
+        if self.forms or self.ifaces:
+            if self.forms is not None:
+                forms = set(self.forms)
+
+            if self.ifaces is not None:
+                ifaces = set(self.ifaces)
+
+            def filtfunc(form):
+                if self.forms is not None and form.name in forms:
+                    return False
+
+                if self.ifaces is not None:
+                    for iface in form.ifaces.keys():
+                        if iface in ifaces:
+                            return False
+
+                return True
+
+            self.formfilter = filtfunc
+
     def _normStormNode(self, valu):
         return self._normPyTuple(valu.ndef)
 
@@ -1421,6 +1446,16 @@ class Ndef(Type):
         if form is None:
             raise s_exc.NoSuchForm.init(formname)
 
+        if self.formfilter is not None and self.formfilter(form):
+            mesg = f'Ndef of form {formname} is not allowed as a value for {self.name} with form filter'
+            if self.forms is not None:
+                mesg += f' forms={self.forms}'
+
+            if self.ifaces is not None:
+                mesg += f' interfaces={self.ifaces}'
+
+            raise s_exc.BadTypeValu(valu=formname, name=self.name, mesg=mesg, forms=self.forms, interfaces=self.ifaces)
+
         formnorm, forminfo = form.type.norm(formvalu)
         norm = (form.name, formnorm)
 
@@ -1727,7 +1762,7 @@ class Str(Type):
 
     def _normPyFloat(self, valu):
         deci = s_common.hugectx.create_decimal(str(valu))
-        return format(deci, 'f'), {}
+        return self._normPyStr(format(deci, 'f'))
 
     def _normPyStr(self, valu):
 

synapse/lib/version.py

@@ -223,6 +223,6 @@ def reqVersion(valu, reqver,
 ##############################################################################
 # The following are touched during the release process by bumpversion.
 # Do not modify these directly.
-version = (2, 169, 0)
+version = (2, 171, 0)
 verstring = '.'.join([str(x) for x in version])
-commit = '41421efcf40bb7655af3f90cb7d6d335247fc726'
+commit = 'c89839928860a36f70377a8cefd09aaa4b12595a'