Merge pull request #7 from righel/allow-sightings-sync

fix: allow sightings sync

README.md

@@ -46,6 +46,14 @@ sequenceDiagram
     MISP A->>MISP Guard: [POST]/galaxies/pushCluster
     MISP Guard->>MISP B: [POST]/galaxies/pushCluster
     end
+
+    rect rgb(191, 223, 255)
+    MISP B->>+MISP Guard: [POST]/sightings/bulkSaveSightings/[UUID]
+    note right of MISP Guard: Outgoing Sightings are inspected and rejected with 403 if any block rule matches
+    MISP Guard->>-MISP A: [POST]/sightings/bulkSaveSightings/[UUID]
+    MISP A->>MISP Guard: [POST]/sightings/bulkSaveSightings/[UUID]
+    MISP Guard->>MISP B: [POST]/sightings/bulkSaveSightings/[UUID]
+    end
 ```
 
 ## PULL
@@ -69,13 +77,13 @@ sequenceDiagram
     MISP A->>MISP Guard: [GET]/events/view/[UUID]
     MISP Guard->>MISP B: [GET]/events/view/[UUID]
     MISP B->>+MISP Guard: [GET]/events/view/[UUID]
-    note right of MISP Guard: Outgoing Event is inspected and rejected with 403 if any block rule matches
+    note right of MISP Guard: Incoming Event is inspected and rejected with 403 if any block rule matches
     MISP Guard->>-MISP A: [GET]/events/view/[UUID]
 
     MISP A->>MISP Guard: [GET]/shadow_attributes/index
     MISP Guard->>MISP B: [GET]/shadow_attributes/index
     MISP B->>+MISP Guard: [GET]/shadow_attributes/index
-    note right of MISP Guard: Outgoing Shadow Attributes are inspected and rejected with 403 if any block rule matches
+    note right of MISP Guard: Incoming Shadow Attributes are inspected and rejected with 403 if any block rule matches
     MISP Guard->>-MISP A: [GET]/shadow_attributes/index
 
     MISP A->>+MISP Guard: [POST]/galaxy_clusters/restSearch
@@ -87,8 +95,14 @@ sequenceDiagram
     MISP A->>MISP Guard: [GET]/galaxy_clusters/view/[UUID]
     MISP Guard->>MISP B: [GET]/galaxy_clusters/view/[UUID]
     MISP B->>+MISP Guard: [GET]/galaxy_clusters/view/[UUID]
-    note right of MISP Guard: Outgoing Galaxy Cluster is inspected and rejected with 403 if any block rule matches
+    note right of MISP Guard: Incoming Galaxy Cluster is inspected and rejected with 403 if any block rule matches
     MISP Guard->>-MISP A: [GET]/galaxy_clusters/view/[UUID]
+
+    MISP A->>MISP Guard: [POST]/sightings/restSearch/event
+    MISP Guard->>MISP B: [POST]/sightings/restSearch/event
+    MISP B->>+MISP Guard: [POST]/sightings/restSearch/event
+    note right of MISP Guard: Incoming Sightings are inspected and rejected with 403 if any block rule matches
+    MISP Guard->>-MISP A: [POST]/sightings/restSearch/event
 ```
 
 
@@ -136,7 +150,7 @@ $ pip install -r requirements.txt
 1. Define your block rules in the `config.json` file.
 2. Start mitmproxy with the `mispguard` addon:
     ```
-    $ mitmdump -s mispguard.py -p 8888 --certs *=cert.pem --set config=config.json 
+    $ mitmdump -s mispguard.py -p 8888 --certs *=cert.pem --set config=config.json
     Loading script mispguard.py
     MispGuard initialized
     Proxy server listening at *:8888

src/mispguard.py

@@ -34,6 +34,7 @@ class MISPHTTPFlow(http.HTTPFlow):
     is_event_index: bool = False
     is_pull: bool = False
     is_push: bool = False
+    is_sighting: bool = False
     is_galaxy: bool = False
 
 
@@ -118,7 +119,19 @@ def __init__(self):
                 "methods": [
                     "GET"
                 ]
-            }
+            },
+            {
+                "regex": r"^\/sightings\/restSearch\/event$",
+                "methods": [
+                    "POST"
+                ]
+            },
+            {
+                "regex": r"^\/sightings\/bulkSaveSightings\/[\w\-]{36}$",
+                "methods": [
+                    "POST"
+                ]
+            },
         ]
 
     def configure(self, updated):
@@ -243,6 +256,10 @@ def enrich_flow(self, flow: http.HTTPFlow) -> MISPHTTPFlow:
             flow.is_pull = True
             flow.is_galaxy = True
 
+        if "/sightings/restSearch/event" in flow.request.path:
+            flow.is_pull = True
+            flow.is_sighting = True
+
         return flow
 
     def process_request(self, flow: MISPHTTPFlow) -> None:
@@ -281,6 +298,15 @@ def process_request(self, flow: MISPHTTPFlow) -> None:
                 raise ForbiddenException(
                     "{'minimal': 1, 'published': 1} is required for /galaxy_clusters/restSearch requests")
 
+        if flow.is_push and flow.is_sighting:
+            try:
+                sightings = flow.request.json()
+            except Exception as ex:
+                return self.forbidden(flow, str(ex))
+
+            rules = self.get_rules(flow)
+            return self.process_sightings(rules, sightings, flow)
+
     def process_response(self, flow: MISPHTTPFlow) -> None:
         logger.debug("processing response")
         if flow.is_pull and flow.is_event and flow.request.method == "HEAD":
@@ -320,6 +346,15 @@ def process_response(self, flow: MISPHTTPFlow) -> None:
             rules = self.get_rules(flow)
             return self.process_galaxy_cluster(rules, galaxy_cluster, flow)
 
+        if flow.is_pull and flow.is_sighting:
+            try:
+                sightings = flow.response.json()
+            except Exception as ex:
+                return self.forbidden(flow, str(ex))
+
+            rules = self.get_rules(flow)
+            return self.process_sightings(rules, sightings, flow)
+
     def get_rules(self, flow: MISPHTTPFlow) -> list:
         logger.debug("getting misp-guard instance rules")
         rules = {}
@@ -366,6 +401,15 @@ def process_galaxy_cluster(self, rules: dict, galaxy_cluster: dict, flow: MISPHT
         except ForbiddenException as ex:
             return self.forbidden(flow, str(ex))
 
+    def process_sightings(self, rules: dict, sightings: dict, flow: MISPHTTPFlow) -> None:
+        logger.debug("processing sighting")
+
+        try:
+            # no rules for sightings yet
+            return None
+        except ForbiddenException as ex:
+            return self.forbidden(flow, str(ex))
+
     def check_event_level_rules(self, rules: dict, flow: MISPHTTPFlow, event: dict) -> None:
         logger.debug("checking event level rules")
 

src/test/fixtures/empty.json

@@ -0,0 +1 @@
+{}

src/test/test_pull_scenarios.json

@@ -460,7 +460,7 @@
         ]
     },
     {
-        "name": "pull_galaxy_blocked_distribution_evel",
+        "name": "pull_galaxy_non-blocked_distribution_level",
         "host": "instance1-comp4.com",
         "port": 443,
         "url": "/galaxy_clusters/view/8faab056-4212-4e80-8b54-b7eadec6b739",
@@ -472,5 +472,19 @@
         "fixture_file": "./test/fixtures/test_galaxy_cluster_non-blocked_distribution.json",
         "expected_status_code": 200,
         "expected_logs": []
+    },
+    {
+        "name": "pull_sightings_non-blocked",
+        "host": "instance1-comp4.com",
+        "port": 443,
+        "url": "/sightings/restSearch/event",
+        "method": "POST",
+        "client": {
+            "ip": "10.0.0.1",
+            "port": 22
+        },
+        "fixture_file": "./test/fixtures/empty.json",
+        "expected_status_code": 200,
+        "expected_logs": []
     }
 ]

src/test/test_push_scenarios.json

@@ -724,5 +724,19 @@
         "fixture_file": "./test/fixtures/test_galaxy_clusters_non-blocked_distribution.json",
         "expected_status_code": 200,
         "expected_logs": []
+    },
+    {
+        "name": "push_sightings_non-blocked",
+        "host": "instance1-comp4.com",
+        "port": 443,
+        "url": "/sightings/bulkSaveSightings/5e168365-4391-44bd-851a-b48a14c30d77",
+        "method": "POST",
+        "client": {
+            "ip": "10.0.0.1",
+            "port": 22
+        },
+        "fixture_file": "./test/fixtures/empty.json",
+        "expected_status_code": 200,
+        "expected_logs": []
     }
 ]