[MRG] Merge pull request #690 from dfir-iris/issue_678_api_v2_cases_put

Issue 678 api v2 cases put

Author: whikernel

source/app/blueprints/graphql/cases.py

@@ -103,7 +103,7 @@ def mutate(root, info, name, description, client_id, soc_id=None, classification
             request['case_soc_id'] = soc_id
         if classification_id:
             request['classification_id'] = classification_id
-        case, _ = cases_create(request)
+        case = cases_create(request)
         return CaseCreate(case=case)
 
 

source/app/blueprints/rest/manage/manage_cases_routes.py

@@ -249,8 +249,8 @@ def api_add_case():
     case_schema = CaseSchema()
 
     try:
-        case, msg = cases_create(request.get_json())
-        return response_success(msg, data=case_schema.dump(case))
+        case = cases_create(request.get_json())
+        return response_success('Case created', data=case_schema.dump(case))
     except BusinessProcessingError as e:
         return response_error(e.get_message(), data=e.get_data())
 
@@ -264,6 +264,7 @@ def api_list_case():
 
 
 @manage_cases_rest_blueprint.route('/manage/cases/update/<int:cur_id>', methods=['POST'])
+@endpoint_deprecated('PUT', '/api/v2/cases/<int:identifier>')
 @ac_api_requires(Permissions.standard_user)
 def update_case_info(cur_id):
     if not ac_fast_check_current_user_has_case_access(cur_id, [CaseAccessLevel.full_access]):

source/app/blueprints/rest/v2/__init__.py

@@ -10,14 +10,14 @@
 
 
 # Create root /api/v2 blueprint
-rest_v2_bp = Blueprint("rest_v2", __name__, url_prefix="/api/v2")
+rest_v2_blueprint = Blueprint("rest_v2", __name__, url_prefix="/api/v2")
 
 
 # Register child blueprints
-rest_v2_bp.register_blueprint(cases_blueprint)
-rest_v2_bp.register_blueprint(auth_blueprint)
-rest_v2_bp.register_blueprint(tasks_blueprint)
-rest_v2_bp.register_blueprint(iocs_blueprint)
-rest_v2_bp.register_blueprint(assets_blueprint)
-rest_v2_bp.register_blueprint(alerts_blueprint)
-rest_v2_bp.register_blueprint(dashboard_blueprint)
+rest_v2_blueprint.register_blueprint(cases_blueprint)
+rest_v2_blueprint.register_blueprint(auth_blueprint)
+rest_v2_blueprint.register_blueprint(tasks_blueprint)
+rest_v2_blueprint.register_blueprint(iocs_blueprint)
+rest_v2_blueprint.register_blueprint(assets_blueprint)
+rest_v2_blueprint.register_blueprint(alerts_blueprint)
+rest_v2_blueprint.register_blueprint(dashboard_blueprint)

source/app/blueprints/rest/v2/auth/__init__.py

@@ -26,13 +26,12 @@
 from app import db
 from app import oidc_client
 from app.blueprints.access_controls import is_authentication_ldap
-from app.blueprints.access_controls import is_authentication_oidc, \
-    not_authenticated_redirection_url
+from app.blueprints.access_controls import is_authentication_oidc
+from app.blueprints.access_controls import not_authenticated_redirection_url
 from app.blueprints.rest.endpoints import response_api_error
 from app.blueprints.rest.endpoints import response_api_success
 from app.business.auth import validate_ldap_login, validate_local_login
 from app.iris_engine.utils.tracker import track_activity
-from app.models.authorization import User
 from app.schema.marshables import UserSchema
 
 

source/app/blueprints/rest/v2/cases/__init__.py

@@ -34,6 +34,7 @@
 from app.business.cases import cases_create
 from app.business.cases import cases_delete
 from app.datamgmt.case.case_db import get_case
+from app.business.cases import cases_update
 from app.business.errors import BusinessProcessingError
 from app.datamgmt.manage.manage_cases_db import get_filtered_cases
 from app.schema.marshables import CaseSchemaForAPIV2
@@ -54,21 +55,21 @@
 
 
 # Routes
-@cases_blueprint.post('', strict_slashes=False)
+@cases_blueprint.post('')
 @ac_api_requires(Permissions.standard_user)
 def create_case():
     """
     Handles creating a new case.
     """
 
     try:
-        case, _ = cases_create(request.get_json())
+        case = cases_create(request.get_json())
         return response_api_created(CaseSchemaForAPIV2().dump(case))
     except BusinessProcessingError as e:
         return response_api_error(e.get_message(), e.get_data())
 
 
-@cases_blueprint.get('', strict_slashes=False)
+@cases_blueprint.get('')
 @ac_api_requires()
 def get_cases() -> Response:
     """
@@ -123,7 +124,6 @@ def get_cases() -> Response:
 
     cases = {
         'total': filtered_cases.total,
-        # TODO should maybe really uniform all return types of paginated list and replace field cases by field data
         'data': CaseSchemaForAPIV2().dump(filtered_cases.items, many=True),
         'last_page': filtered_cases.pages,
         'current_page': filtered_cases.page,
@@ -148,6 +148,19 @@ def case_routes_get(identifier):
     return response_api_success(CaseSchemaForAPIV2().dump(case))
 
 
+@cases_blueprint.put('/<int:identifier>')
+@ac_api_requires(Permissions.standard_user)
+def rest_v2_cases_update(identifier):
+    if not ac_fast_check_current_user_has_case_access(identifier, [CaseAccessLevel.full_access]):
+        return ac_api_return_access_denied(caseid=identifier)
+
+    try:
+        case, _ = cases_update(identifier, request.get_json())
+        return response_api_success(CaseSchemaForAPIV2().dump(case))
+    except BusinessProcessingError as e:
+        return response_api_error(e.get_message())
+
+
 @cases_blueprint.delete('/<int:identifier>')
 @ac_api_requires(Permissions.standard_user)
 def case_routes_delete(identifier):

source/app/blueprints/rest/v2/cases/assets.py

@@ -38,7 +38,7 @@
                                   url_prefix='/<int:case_id>/assets')
 
 
-@case_assets_blueprint.get('', strict_slashes=False)
+@case_assets_blueprint.get('')
 @ac_api_requires()
 def case_list_assets(case_id):
     """
@@ -65,7 +65,7 @@ def case_list_assets(case_id):
         return response_api_error(e.get_message())
 
 
-@case_assets_blueprint.post('', strict_slashes=False)
+@case_assets_blueprint.post('')
 @ac_api_requires()
 def add_asset(case_id):
     """

source/app/blueprints/rest/v2/cases/iocs.py

@@ -37,7 +37,7 @@
                                 url_prefix='/<int:case_id>/iocs')
 
 
-@case_iocs_blueprint.get('', strict_slashes=False)
+@case_iocs_blueprint.get('')
 @ac_api_requires()
 def get_case_iocs(case_id):
     """
@@ -92,7 +92,7 @@ def get_case_iocs(case_id):
     return response_api_success(data=iocs)
 
 
-@case_iocs_blueprint.post('', strict_slashes=False)
+@case_iocs_blueprint.post('')
 @ac_api_requires()
 def add_ioc_to_case(case_id):
     """

source/app/blueprints/rest/v2/cases/tasks.py

@@ -19,81 +19,87 @@
 from flask import Blueprint
 from flask import request
 
-from app.blueprints.rest.endpoints import response_api_error, response_api_not_found, response_api_deleted
+from app.blueprints.rest.endpoints import response_api_error
+from app.blueprints.rest.endpoints import response_api_not_found
+from app.blueprints.rest.endpoints import response_api_deleted
+from app.blueprints.rest.endpoints import response_api_success
 from app.blueprints.rest.endpoints import response_api_created
 from app.blueprints.access_controls import ac_api_return_access_denied
 from app.blueprints.access_controls import ac_api_requires
 from app.schema.marshables import CaseTaskSchema
-from app.business.errors import BusinessProcessingError, ObjectNotFoundError
-from app.business.tasks import tasks_create, tasks_get, tasks_delete
+from app.business.errors import BusinessProcessingError
+from app.business.errors import ObjectNotFoundError
+from app.business.tasks import tasks_create
+from app.business.tasks import tasks_get
+from app.business.tasks import tasks_delete
 from app.models.authorization import CaseAccessLevel
 from app.iris_engine.access_control.utils import ac_fast_check_current_user_has_case_access
 
 case_tasks_blueprint = Blueprint('case_tasks',
                                  __name__,
-                                 url_prefix='/<int:case_id>/tasks')
+                                 url_prefix='/<int:case_identifier>/tasks')
 
-@case_tasks_blueprint.post('', strict_slashes=False)
+@case_tasks_blueprint.post('')
 @ac_api_requires()
-def add_case_task(case_id):
+def add_case_task(case_identifier):
     """
     Add a task to a case.
 
     Args:
-        case_id (int): The Case ID for this task
+        case_identifier (int): The Case ID for this task
     """
-    if not ac_fast_check_current_user_has_case_access(case_id, [CaseAccessLevel.full_access]):
-        return ac_api_return_access_denied(caseid=case_id)
+    if not ac_fast_check_current_user_has_case_access(case_identifier, [CaseAccessLevel.full_access]):
+        return ac_api_return_access_denied(caseid=case_identifier)
 
     task_schema = CaseTaskSchema()
     try:
-        _, case = tasks_create(case_id, request.get_json())
+        _, case = tasks_create(case_identifier, request.get_json())
         return response_api_created(task_schema.dump(case))
     except BusinessProcessingError as e:
         return response_api_error(e.get_message())
 
 
 @case_tasks_blueprint.get('/<int:identifier>')
 @ac_api_requires()
-def get_case_task(case_id, identifier):
+def get_case_task(case_identifier, identifier):
     """
     Handles getting a task from a case.
 
     Args:
-        case_id (int): The case ID
+        case_identifier (int): The case ID
         identifier (int): The task ID
     """
 
     try:
         task = tasks_get(identifier)
 
-        if task.task_case_id != case_id:
+        if task.task_case_id != case_identifier:
             raise ObjectNotFoundError()
 
         if not ac_fast_check_current_user_has_case_access(task.task_case_id, [CaseAccessLevel.read_only, CaseAccessLevel.full_access]):
             return ac_api_return_access_denied(caseid=task.task_case_id)
 
         task_schema = CaseTaskSchema()
-        return response_api_created(task_schema.dump(task))
+        return response_api_success(task_schema.dump(task))
     except ObjectNotFoundError:
         return response_api_not_found()
 
 
 @case_tasks_blueprint.delete('/<int:identifier>')
 @ac_api_requires()
-def delete_case_task(case_id, identifier):
+def delete_case_task(case_identifier, identifier):
     """
     Handle deleting a task from a case
 
     Args:
-        case_id (int): The case ID
+        case_identifier (int): The case ID
         identifier (int): The task ID    
     """
 
     try:
         task = tasks_get(identifier)
 
-        if task.task_case_id != case_id:
+        if task.task_case_id != case_identifier:
             raise ObjectNotFoundError()
 
         if not ac_fast_check_current_user_has_case_access(task.task_case_id, [CaseAccessLevel.full_access]):
@@ -107,4 +113,4 @@ def delete_case_task(case_id, identifier):
         return response_api_error(e.get_message())
 
 
-# TODO: Add task endpoint endpoint
+# TODO: Add task update endpoint

source/app/blueprints/rest/v2/tasks.py

@@ -19,7 +19,7 @@
 from flask import Blueprint
 
 from app.blueprints.rest.endpoints import response_api_not_found
-from app.blueprints.rest.endpoints import response_api_created
+from app.blueprints.rest.endpoints import response_api_success
 from app.blueprints.rest.endpoints import response_api_deleted
 from app.blueprints.rest.endpoints import response_api_error
 from app.blueprints.access_controls import ac_api_requires
@@ -49,8 +49,7 @@ def get_case_task(identifier):
             return ac_api_return_access_denied(caseid=task.task_case_id)
 
         task_schema = CaseTaskSchema()
-        # TODO should be response_api_success => add a test
-        return response_api_created(task_schema.dump(task))
+        return response_api_success(task_schema.dump(task))
     except ObjectNotFoundError:
         return response_api_not_found()
 

source/app/business/cases.py

@@ -78,9 +78,9 @@ def cases_exists(identifier):
     return case_db_exists(identifier)
 
 
-def cases_create(request_json):
+def cases_create(request_data):
     # TODO remove caseid doesn't seems to be useful for call_modules_hook => remove argument
-    request_data = call_modules_hook('on_preload_case_create', request_json, None)
+    request_data = call_modules_hook('on_preload_case_create', request_data, None)
 
     case = _load(request_data)
 
@@ -115,7 +115,7 @@ def cases_create(request_json):
     add_obj_history_entry(case, 'created')
     track_activity(f'new case "{case.name}" created', caseid=case.case_id, ctx_less=False)
 
-    return case, 'Case created'
+    return case
 
 
 def cases_delete(case_identifier):