Merge pull request #170 from splunk/simple_api_features

Add simple API for a more

Author: pyth0n1c

contentctl/actions/validate.py

@@ -23,6 +23,7 @@ def execute(self, input_dto: validate) -> DirectorOutputDto:
         director_output_dto = DirectorOutputDto(AtomicTest.getAtomicTestsFromArtRepo(repo_path=input_dto.getAtomicRedTeamRepoPath(), 
                                                                                      enabled=input_dto.enrichments),
                                                 AttackEnrichment.getAttackEnrichment(input_dto),
+                                                CveEnrichment.getCveEnrichment(input_dto),
                                                 [],[],[],[],[],[],[],[],[])
 
 

contentctl/api.py

@@ -0,0 +1,137 @@
+from pathlib import Path
+from typing import Any, Union, Type
+from contentctl.input.yml_reader import YmlReader
+from contentctl.objects.config import test_common, test, test_servers
+from contentctl.objects.security_content_object import SecurityContentObject
+from contentctl.input.director import DirectorOutputDto
+
+def config_from_file(path:Path=Path("contentctl.yml"), config: dict[str,Any]={}, 
+                   configType:Type[Union[test,test_servers]]=test)->test_common:
+    
+    """
+    Fetch a configuration object that can be used for a number of different contentctl
+    operations including validate, build, inspect, test, and test_servers. A file will 
+    be used as the basis for constructing the configuration.
+
+    Args:
+        path (Path, optional): Relative or absolute path to a contentctl config file. 
+        Defaults to Path("contentctl.yml"), which is the default name and location (in the current directory)
+        of the configuration files which are automatically generated for contentctl.
+        config (dict[], optional): Dictionary of values to override values read from the YML
+        path passed as the first argument. Defaults to {}, an empty dict meaning that nothing
+        will be overwritten 
+        configType (Type[Union[test,test_servers]], optional): The Config Class to instantiate. 
+        This may be a test or test_servers object. Note that this is NOT an instance of the class. Defaults to test.
+    Returns:
+        test_common: Returns a complete contentctl test_common configuration. Note that this configuration
+        will have all applicable field for validate and build as well, but can also be used for easily
+        construction a test or test_servers object.  
+    """    
+
+    try:
+        yml_dict = YmlReader.load_file(path, add_fields=False)
+        
+        
+    except Exception as e:
+        raise Exception(f"Failed to load contentctl configuration from file '{path}': {str(e)}")
+    
+    # Apply settings that have been overridden from the ones in the file
+    try:
+        yml_dict.update(config)
+    except Exception as e:
+        raise Exception(f"Failed updating dictionary of values read from file '{path}'"
+                        f" with the dictionary of arguments passed: {str(e)}")
+
+    # The function below will throw its own descriptive exception if it fails
+    configObject = config_from_dict(yml_dict, configType=configType)
+
+    return configObject
+
+
+
+
+def config_from_dict(config: dict[str,Any]={}, 
+                   configType:Type[Union[test,test_servers]]=test)->test_common:
+    """
+    Fetch a configuration object that can be used for a number of different contentctl
+    operations including validate, build, inspect, test, and test_servers. A dict will 
+    be used as the basis for constructing the configuration.
+
+    Args:
+        config (dict[str,Any],Optional): If a dictionary is not explicitly passed, then
+        an empty dict will be used to create a configuration, if possible, from default
+        values.  Note that based on default values in the contentctl/objects/config.py
+        file, this may raise an exception.  If so, please set appropriate default values
+        in the file above or supply those values via this argument.
+        configType (Type[Union[test,test_servers]], optional): The Config Class to instantiate. 
+        This may be a test or test_servers object. Note that this is NOT an instance of the class. Defaults to test.
+    Returns:
+        test_common: Returns a complete contentctl test_common configuration. Note that this configuration
+        will have all applicable field for validate and build as well, but can also be used for easily
+        construction a test or test_servers object.  
+    """    
+    try:
+        test_object = configType.model_validate(config)
+    except Exception as e:
+        raise Exception(f"Failed to load contentctl configuration from dict:\n{str(e)}")
+    
+    return test_object
+
+
+def update_config(config:Union[test,test_servers], **key_value_updates:dict[str,Any])->test_common:
+    
+    """Update any relevant keys in a config file with the specified values.
+    Full validation will be performed after this update and descriptive errors
+    will be produced
+
+    Args:
+        config (test_common): A previously-constructed test_common object.  This can be 
+        build using the configFromDict or configFromFile functions.
+        key_value_updates (kwargs, optional): Additional keyword/argument pairs to update
+        arbitrary fields in the configuration.
+
+    Returns:
+        test_common: A validated object which has had the relevant fields updated.
+        Note that descriptive Exceptions will be generated if updated values are either
+        invalid (have the wrong type, or disallowed values) or you attempt to update
+        fields that do not exist
+    """
+    # Create a copy so we don't change the underlying model
+    config_copy = config.model_copy(deep=True)
+
+    # Force validation of assignment since doing so via arbitrary dict can be error prone
+    # Also, ensure that we do not try to add fields that are not part of the model
+    config_copy.model_config.update({'validate_assignment': True, 'extra': 'forbid'})
+
+    
+    
+    # Collect any errors that may occur
+    errors:list[Exception] = []
+    
+    # We need to do this one by one because the extra:forbid argument does not appear to 
+    # be respected at this time.
+    for key, value in key_value_updates.items():
+        try:
+            setattr(config_copy,key,value)
+        except Exception as e:
+            errors.append(e)
+    if len(errors) > 0:
+        errors_string = '\n'.join([str(e) for e in errors])
+        raise Exception(f"Error(s) updaitng configuration:\n{errors_string}")
+    
+    return config_copy
+    
+
+
+def content_to_dict(director:DirectorOutputDto)->dict[str,list[dict[str,Any]]]:
+    output_dict:dict[str,list[dict[str,Any]]] = {}
+    for contentType in ['detections','stories','baselines','investigations',
+                        'playbooks','macros','lookups','deployments','ssa_detections']:
+        
+        output_dict[contentType] = []
+        t:list[SecurityContentObject] = getattr(director,contentType)
+        
+        for item in t:
+            output_dict[contentType].append(item.model_dump())
+    return output_dict
+            

contentctl/contentctl.py

@@ -99,6 +99,11 @@ def deploy_acs_func(config:deploy_acs):
     raise Exception("deploy acs not yet implemented") 
 
 def test_common_func(config:test_common):
+    if type(config) == test:
+        #construct the container Infrastructure objects
+        config.getContainerInfrastructureObjects()
+        #otherwise, they have already been passed as servers
+
     director_output_dto = build_func(config)
     gitServer = GitService(director=director_output_dto,config=config)
     detections_to_test = gitServer.getContent()
@@ -206,10 +211,6 @@ def main():
             updated_config = deploy_acs.model_validate(config)
             deploy_acs_func(updated_config)
         elif type(config) == test or type(config) == test_servers:
-            if type(config) == test:
-                #construct the container Infrastructure objects
-                config.getContainerInfrastructureObjects()
-                #otherwise, they have already been passed as servers
             test_common_func(config)
         else:
             raise Exception(f"Unknown command line type '{type(config).__name__}'")

contentctl/enrichments/cve_enrichment.py

@@ -4,97 +4,62 @@
 import os
 import shelve
 import time
-from typing import Annotated
-from pydantic import BaseModel,Field,ConfigDict
-
+from typing import Annotated, Any, Union, TYPE_CHECKING
+from pydantic import BaseModel,Field, computed_field
 from decimal import Decimal
-CVESSEARCH_API_URL = 'https://cve.circl.lu'
-
-CVE_CACHE_FILENAME = "lookups/CVE_CACHE.db"
-
-NON_PERSISTENT_CACHE = {}
-
-
-''''''
-@functools.cache
-def cvesearch_helper(url:str, cve_id:str, force_cached_or_offline:bool=False, max_api_attempts:int=3, retry_sleep_seconds:int=5):
-    if max_api_attempts < 1:
-            raise(Exception(f"The minimum number of CVESearch API attempts is 1.  You have passed {max_api_attempts}"))
-
-    if force_cached_or_offline:
-        if not os.path.exists(CVE_CACHE_FILENAME):
-            print(f"Cache at {CVE_CACHE_FILENAME} not found - Creating it.")
-        cache = shelve.open(CVE_CACHE_FILENAME, flag='c', writeback=True)
-    else:
-        cache = NON_PERSISTENT_CACHE
-    if cve_id in cache:
-        result = cache[cve_id]
-        #print(f"hit cve_enrichment:  {time.time() - start:.2f}")
-    else:
-        api_attempts_remaining = max_api_attempts
-        result = None
-        while api_attempts_remaining > 0:
-            api_attempts_remaining -= 1
-            try:
-                cve = cvesearch_id_helper(url)
-                result = cve.id(cve_id)
-                break
-            except Exception as e:
-                if api_attempts_remaining > 0:
-                    print(f"The option 'force_cached_or_offline' was used, but {cve_id} not found in {CVE_CACHE_FILENAME} and unable to connect to {CVESSEARCH_API_URL}: {str(e)}")
-                    print(f"Retrying the CVESearch API up to {api_attempts_remaining} more times after a sleep of {retry_sleep_seconds} seconds...")
-                    time.sleep(retry_sleep_seconds)
-                else:
-                    raise(Exception(f"The option 'force_cached_or_offline' was used, but {cve_id} not found in {CVE_CACHE_FILENAME} and unable to connect to {CVESSEARCH_API_URL} after {max_api_attempts} attempts: {str(e)}"))
-            
-        if result is None:
-            raise(Exception(f'CveEnrichment for [ {cve_id} ] failed - CVE does not exist'))
-        cache[cve_id] = result
-        
-    if isinstance(cache, shelve.Shelf):
-        #close the cache if it was a shelf
-        cache.close()
+from requests.exceptions import ReadTimeout
 
-    return result
+if TYPE_CHECKING:
+    from contentctl.objects.config import validate
 
-@functools.cache
-def cvesearch_id_helper(url:str):
-    #The initial CVESearch call takes some time.
-    #We cache it to avoid making this call each time we need to do a lookup
-    cve = CVESearch(CVESSEARCH_API_URL)
-    return cve
 
 
+CVESSEARCH_API_URL = 'https://cve.circl.lu'
 
 
 class CveEnrichmentObj(BaseModel):
     id:Annotated[str, "^CVE-[1|2][0-9]{3}-[0-9]+$"]
     cvss:Annotated[Decimal, Field(ge=.1, le=10, decimal_places=1)]
     summary:str
+    
+    @computed_field
+    @property
+    def url(self)->str:
+        BASE_NVD_URL = "https://nvd.nist.gov/vuln/detail/"
+        return f"{BASE_NVD_URL}{self.id}"
 
 
-    @staticmethod
-    def buildEnrichmentOnFailure(id:Annotated[str, "^CVE-[1|2][0-9]{3}-[0-9]+$"], errorMessage:str)->CveEnrichmentObj:
-        message = f"{errorMessage}. Default CVSS of 5.0 used"
-        print(message)
-        return CveEnrichmentObj(id=id, cvss=Decimal(5.0), summary=message)
+class CveEnrichment(BaseModel):
+    use_enrichment: bool = True
+    cve_api_obj: Union[CVESearch,None] = None
+    
 
-class CveEnrichment():
-    @classmethod
-    def enrich_cve(cls, cve_id: str, force_cached_or_offline: bool = False, treat_failures_as_warnings:bool=True) -> CveEnrichmentObj:
-        cve_enriched = dict()
-        try:
-            
-            result = cvesearch_helper(CVESSEARCH_API_URL, cve_id, force_cached_or_offline)
-            cve_enriched['id'] = cve_id
-            cve_enriched['cvss'] = result['cvss']
-            cve_enriched['summary'] = result['summary']
-        except Exception as e:
-            message = f"issue enriching {cve_id}, with error: {str(e)}"
-            if treat_failures_as_warnings: 
-                return CveEnrichmentObj.buildEnrichmentOnFailure(id = cve_id, errorMessage=f"WARNING, {message}")
-            else:
-                raise ValueError(f"ERROR, {message}")
+    class Config:
+        # Arbitrary_types are allowed to let us use the CVESearch Object
+        arbitrary_types_allowed = True
+        frozen = True
+        
+
+    @staticmethod
+    def getCveEnrichment(config:validate, timeout_seconds:int=10, force_disable_enrichment:bool=True)->CveEnrichment:
+        if force_disable_enrichment:
+            return CveEnrichment(use_enrichment=False, cve_api_obj=None)    
 
-        return CveEnrichmentObj.model_validate(cve_enriched)
+        if config.enrichments:
+            try:
+                cve_api_obj = CVESearch(CVESSEARCH_API_URL, timeout=timeout_seconds)
+                return CveEnrichment(use_enrichment=True, cve_api_obj=cve_api_obj)
+            except Exception as e:
+                raise Exception(f"Error setting CVE_SEARCH API to: {CVESSEARCH_API_URL}: {str(e)}")
 
+        return CveEnrichment(use_enrichment=False, cve_api_obj=None)
+
+
+    def enrich_cve(self, cve_id:str, raise_exception_on_failure:bool=True)->CveEnrichmentObj:
+
+        if not self.use_enrichment:
+            return CveEnrichmentObj(id=cve_id,cvss=Decimal(5.0),summary="SUMMARY NOT AVAILABLE! ONLY THE LINK WILL BE USED AT THIS TIME")
+        else:
+            print("WARNING - Dynamic enrichment not supported at this time.")
+            return CveEnrichmentObj(id=cve_id,cvss=Decimal(5.0),summary="SUMMARY NOT AVAILABLE! ONLY THE LINK WILL BE USED AT THIS TIME")
+        # Depending on needs, we may add dynamic enrichment functionality back to the tool

contentctl/input/director.py

@@ -35,6 +35,7 @@ class DirectorOutputDto:
      # is far quicker than attack_enrichment
      atomic_tests: Union[list[AtomicTest],None]
      attack_enrichment: AttackEnrichment
+     cve_enrichment: CveEnrichment
      detections: list[Detection]
      stories: list[Story]
      baselines: list[Baseline]
@@ -44,7 +45,7 @@ class DirectorOutputDto:
      lookups: list[Lookup]
      deployments: list[Deployment]
      ssa_detections: list[SSADetection]
-     #cve_enrichment: CveEnrichment
+     
 
      name_to_content_map: dict[str, SecurityContentObject] = field(default_factory=dict)
      uuid_to_content_map: dict[UUID, SecurityContentObject] = field(default_factory=dict)

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -26,7 +26,7 @@
 
 #from contentctl.objects.playbook import Playbook
 from contentctl.objects.enums import DataSource,ProvidingTechnology
-from contentctl.enrichments.cve_enrichment import CveEnrichment, CveEnrichmentObj
+from contentctl.enrichments.cve_enrichment import CveEnrichmentObj
 
 
 class Detection_Abstract(SecurityContentObject):
@@ -40,7 +40,6 @@ class Detection_Abstract(SecurityContentObject):
     search: Union[str, dict[str,Any]] = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
-    check_references: bool = False  
     #data_source: Optional[List[DataSource]] = None
 
     enabled_by_default: bool = False
@@ -144,17 +143,30 @@ def mappings(self)->dict[str, List[str]]:
     macros: list[Macro] = Field([],validate_default=True)
     lookups: list[Lookup] = Field([],validate_default=True)
 
-    @computed_field
-    @property
-    def cve_enrichment(self)->List[CveEnrichmentObj]:
-        raise Exception("CVE Enrichment Functionality not currently supported.  It will be re-added at a later time.")
-        enriched_cves = []
-        for cve_id in self.tags.cve:
-            print(f"\nEnriching {cve_id}\n")
-            enriched_cves.append(CveEnrichment.enrich_cve(cve_id))
+    cve_enrichment: list[CveEnrichmentObj] = Field([], validate_default=True)
+    
+    @model_validator(mode="after")
+    def cve_enrichment_func(self, info:ValidationInfo):
+        if len(self.cve_enrichment) > 0:
+            raise ValueError(f"Error, field 'cve_enrichment' should be empty and "
+                             f"dynamically populated at runtime. Instead, this field contained: {self.cve_enrichment}")
 
-        return enriched_cves
+        output_dto:Union[DirectorOutputDto,None]= info.context.get("output_dto",None)
+        if output_dto is None:
+            raise ValueError("Context not provided to detection model post validator")
+        
+        
+        enriched_cves:list[CveEnrichmentObj] = []
+
+        for cve_id in self.tags.cve:
+            try:
+                enriched_cves.append(output_dto.cve_enrichment.enrich_cve(cve_id, raise_exception_on_failure=False))
+            except Exception as e:
+                raise ValueError(f"{e}")
+        self.cve_enrichment = enriched_cves
+        return self
 
+
     splunk_app_enrichment: Optional[List[dict]] = None
 
     @computed_field