Merge branch 'develop' into fix_missing_kommas

Author: sebkuf

.github/workflows/unittests.yml

@@ -6,7 +6,6 @@
 name: "Unit tests"
 on:
   push:
-    branches: [develop, maintenance, master]
   pull_request:
     branches: [develop, maintenance]
     paths-ignore:

CHANGELOG.md

@@ -20,6 +20,7 @@ CHANGELOG
 - `intelmq.lib.harmonization`:
   - Changes signature and names of `DateTime` conversion functions for consistency, backwards compatible (PR#2329 by Filip Pokorný).
   - Ensure rejecting URLs with leading whitespaces after changes in CPython (fixes [#2377](https://github.com/certtools/intelmq/issues/2377))
+- `intelmq.lib.bot.Bot`: Allow setting the parameters via parameter on bot initialization.
 
 ### Development
 - CI: pin the Codespell version to omit troubles caused by its new releases (PR #2379).
@@ -52,13 +53,16 @@ CHANGELOG
 - `intelmq.bots.experts.cymru_whois`:
   - Ignore AS names with unexpected unicode characters (PR#2352, fixes #2132)
   - Avoid extraneous search domain-based queries on NXDOMAIN result (PR#2352)
+- `intelmq.bots.experts.sieve`:
+  - Added :before and :after keywords (PR#2374)
 
 #### Outputs
 - `intelmq.bots.outputs.cif3.output`: Added (PR#2244 by Michael Davis).
 - `intelmq.bots.outputs.sql.output`: New parameter `fail_on_errors` (PR#2362 by Sebastian Wagner).
 - `intelmq.bots.outputs.smtp_batch.output`: Added a bot to gathering the events and sending them by e-mails at a stroke as CSV files (PR#2253 by Edvard Rejthar)
 
 ### Documentation
+- API: update API installation to be aligned with the rewritten API, and clarify some missing steps.
 
 ### Tests
 - New decorator `skip_installation` and environment variable `INTELMQ_TEST_INSTALLATION` to skip tests requiring an IntelMQ installation on the test host by default (PR#2370 by Sebastian Wagner, fixes #2369)
@@ -69,6 +73,8 @@ CHANGELOG
 - `intelmqsetup`:
   - SECURITY: fixed a low-risk bug causing the tool to change owner of `/` if run with the `INTELMQ_PATHS_NO_OPT` environment variable set. This affects only the PIP package as the DEB/RPM packages don't contain this tool. (PR#2355 by Kamil Mańkowski, fixes #2354)
 - `contrib.eventdb.separate-raws-table.sql`: Added the missing commas to complete the sql syntax. (PR#2386, fixes #2125 by Sebastian Kufner)
+- `intelmq_psql_initdb`:
+  - Added parameter `-o` to set the output file destination. (by Sebastian Kufner)
 
 ### Known Errors
 - `intelmq.parsers.html_table` may not process invalid URLs in patched Python version due to changes in `urllib`. See #2382

debian/control

@@ -22,7 +22,8 @@ Build-Depends: debhelper (>= 4.1.16),
                python3-tz,
                quilt,
                rsync,
-               safe-rm
+               safe-rm,
+               python3-pytest-cov
 X-Python3-Version: >= 3.7
 Standards-Version: 3.9.6
 Homepage: https://github.com/certtools/intelmq/

docs/dev/library.rst

@@ -0,0 +1,74 @@
+..
+   SPDX-FileCopyrightText: 2023 Bundesamt für Sicherheit in der Informationstechnik (BSI)
+   SPDX-License-Identifier: AGPL-3.0-or-later
+
+##########################
+Running IntelMQ as Library
+##########################
+
+.. contents::
+
+************
+Introduction
+************
+
+The feature is specified in `IEP007 <https://github.com/certtools/ieps/tree/iep-007/007/>`_.
+
+**********
+Quickstart
+**********
+
+First, import the Python module and a helper. More about the ``BotLibSettings`` later.
+
+.. code-block:: python
+
+   from intelmq.lib.bot import BotLibSettings
+   from intelmq.bots.experts.domain_suffix.expert import DomainSuffixExpertBot
+
+Then we need to initialize the bot's instance.
+We pass two parameters:
+* ``bot_id``: The id of the bot
+* ``settings``: A Python dictionary of runtime configuration parameters, see :ref:`runtime-configuration`.
+  The bot first loads the runtime configuration file if it exists.
+  Then we update them with the ``BotLibSettings`` which are some accumulated settings disabling the logging to files and configure the pipeline so that we can send and receive messages directly to/from the bot.
+  Last by not least, the actual bot parameters, taking the highest priority.
+
+.. code-block:: python
+
+   domain_suffix = DomainSuffixExpertBot('domain-suffix',  # bot id
+                                         settings=BotLibSettings | {
+                                                  'field': 'fqdn',
+                                                  'suffix_file': '/usr/share/publicsuffix/public_suffix_list.dat'}
+
+As the bot is not fully initialized, we can process messages now.
+Inserting a message as dictionary:
+
+.. code-block:: python
+
+   queues = domain_suffix.process_message({'source.fqdn': 'www.example.com'})
+
+The return value is a dictionary of queues, e.g. the output queue and the error queue.
+More details below.
+
+The methods accepts multiple messages as positional argument:
+
+.. code-block:: python
+
+   domain_suffix.process_message({'source.fqdn': 'www.example.com'}, {'source.fqdn': 'www.example.net'})
+   domain_suffix.process_message(*[{'source.fqdn': 'www.example.com'}, {'source.fqdn': 'www.example.net'}])
+
+
+Select the output queue (as defined in `destination_queues`), first message, access the field 'source.domain_suffix':
+
+.. code-block:: python
+
+   >>> output['output'][0]['source.domain_suffix']
+   'com'
+
+*************
+Configuration
+*************
+
+Configuration files are not required to run IntelMQ as library.
+Contrary to IntelMQ normal behavior, if the files ``runtime.yaml`` and ``harmonization.conf`` do not exist, IntelMQ won't raise any errors.
+For the harmonization configuration, internal defaults are loaded.

docs/index.rst

@@ -74,6 +74,7 @@ Getting involved
    :maxdepth: 1
 
    dev/guide
+   dev/library
    dev/data-format
    dev/harmonization-fields
    dev/release-procedure

docs/user/bots.rst

@@ -2194,7 +2194,7 @@ Both parameters accept string values describing absolute or relative time:
 
 * absolute
 
- * basically anything parseable by datetime parser, eg. "2015-09-012T06:22:11+00:00"
+ * basically anything parseable by datetime parser, eg. "2015-09-12T06:22:11+00:00"
  * `time.source` taken from the event will be compared to this value to decide the filter behavior
 
 * relative
@@ -2204,7 +2204,7 @@ Both parameters accept string values describing absolute or relative time:
 
 *Examples of time filter definition*
 
-* ```"not_before" : "2015-09-012T06:22:11+00:00"``` events older than the specified time will be dropped
+* ```"not_before" : "2015-09-12T06:22:11+00:00"``` events older than the specified time will be dropped
 * ```"not_after" : "6 months"``` just events older than 6 months will be passed through the pipeline
 
 **Possible paths**
@@ -3003,6 +3003,12 @@ The following operators may be used to match events:
  * `:supersetof` tests if the list of values from the given key is a superset of the values specified as the argument. Example for matching hosts with at least the IoT and vulnerable tags:
    ``if extra.tags :supersetof ['iot', 'vulnerable'] { ... }``
 
+ * `:before` tests if the date value occurred before given time ago. The time might be absolute (basically anything parseable by pendulum parser, eg. “2015-09-12T06:22:11+00:00”) or relative (accepted string formatted like this “<integer> <epoch>”, where epoch could be any of following strings (could optionally end with trailing ‘s’): hour, day, week, month, year)
+   ``if time.observation :before '1 week' { ... }``
+
+ * `:after`  tests if the date value occurred after given time ago; see `:before`
+    ``if time.observation :after '2015-09-12' { ... }  # happened after midnight the 12th Sep``
+
  * Boolean values can be matched with `==` or `!=` followed by `true` or `false`. Example:
    ``if extra.has_known_vulns == true { ... }``