Beispiel #1
0
// Transform a mig-console style search query into a set of parameters to send to the API
//
// This function is similar to the function in mig-console, however we do not include
// parameters that are not relevant to agents.
func parseSearchQuery(querystring string) (p migdbsearch.Parameters, err error) {
	defer func() {
		if e := recover(); e != nil {
			err = fmt.Errorf("parseSearchQuery() -> %v", e)
		}
	}()

	p = migdbsearch.NewParameters()
	p.Type = "agent"

	orders := strings.Split(querystring, " ")
	if len(orders) == 0 {
		panic("no criteria specified")
	}

	for _, order := range orders {
		if order == "and" {
			continue
		}
		params := strings.Split(order, "=")
		if len(params) != 2 {
			panic(fmt.Sprintf("Invalid `key=value` in search parameter '%s'", order))
		}
		key := params[0]
		value := params[1]
		// if the string contains % characters, used in postgres's pattern matching,
		// escape them properly
		switch key {
		case "after":
			p.After, err = time.Parse(time.RFC3339, value)
			if err != nil {
				panic("after date not in RFC3339 format, ex: 2015-09-23T14:14:16Z")
			}
		case "agentid":
			p.AgentID = value
		case "agentname":
			p.AgentName = value
		case "agentversion":
			p.AgentVersion = value
		case "before":
			p.Before, err = time.Parse(time.RFC3339, value)
			if err != nil {
				panic("before date not in RFC3339 format, ex: 2015-09-23T14:14:16Z")
			}
		case "limit":
			p.Limit, err = strconv.ParseFloat(value, 64)
			if err != nil {
				panic("invalid limit parameter")
			}
		case "status":
			p.Status = value
		case "name":
			p.AgentName = value
		default:
			panic(fmt.Sprintf("Unknown search key '%s'", key))
		}
	}
	return
}
Beispiel #2
0
// parseSearchQuery transforms a search string into an API query
func parseSearchQuery(orders []string) (p migdbsearch.Parameters, err error) {
	defer func() {
		if e := recover(); e != nil {
			err = fmt.Errorf("parseSearchQuery() -> %v", e)
		}
	}()
	p = migdbsearch.NewParameters()
	p.Type = orders[1]
	if len(orders) < 4 {
		panic("Invalid search syntax. try `search help`.")
	}
	if orders[2] != "where" {
		panic(fmt.Sprintf("Expected keyword 'where' after search type. Got '%s'", orders[2]))
	}
	for _, order := range orders[3:len(orders)] {
		if order == "and" {
			continue
		}
		params := strings.Split(order, "=")
		if len(params) != 2 {
			panic(fmt.Sprintf("Invalid `key=value` in search parameter '%s'", order))
		}
		key := params[0]
		value := params[1]
		// if the string contains % characters, used in postgres's pattern matching,
		// escape them properly
		switch key {
		case "actionname":
			p.ActionName = value
		case "actionid":
			p.ActionID = value
		case "after":
			p.After, err = time.Parse(time.RFC3339, value)
			if err != nil {
				panic("after date not in RFC3339 format, ex: 2015-09-23T14:14:16Z")
			}
		case "agentid":
			p.AgentID = value
		case "agentname":
			p.AgentName = value
		case "agentversion":
			p.AgentVersion = value
		case "before":
			p.Before, err = time.Parse(time.RFC3339, value)
			if err != nil {
				panic("before date not in RFC3339 format, ex: 2015-09-23T14:14:16Z")
			}
		case "commandid":
			p.CommandID = value
		case "investigatorid":
			p.InvestigatorID = value
		case "investigatorname":
			p.InvestigatorName = value
		case "limit":
			p.Limit, err = strconv.ParseFloat(value, 64)
			if err != nil {
				panic("invalid limit parameter")
			}
		case "status":
			p.Status = value
		case "name":
			switch p.Type {
			case "action", "command":
				p.ActionName = value
			case "agent":
				p.AgentName = value
			case "investigator":
				p.InvestigatorName = value
			}
		default:
			panic(fmt.Sprintf("Unknown search key '%s'", key))
		}
	}
	return
}
Beispiel #3
0
// parseSearchParameters transforms a query string into search parameters in the migdb format
func parseSearchParameters(qp url.Values) (p migdbsearch.Parameters, filterFound bool, err error) {
	defer func() {
		if e := recover(); e != nil {
			err = fmt.Errorf("parseSearchParameters()-> %v", e)
		}
	}()
	p = migdbsearch.NewParameters()
	for queryParams, _ := range qp {
		switch queryParams {
		case "actionname":
			p.ActionName = qp["actionname"][0]
		case "actionid":
			p.ActionID = qp["actionid"][0]
		case "after":
			p.After, err = time.Parse(time.RFC3339, qp["after"][0])
			if err != nil {
				panic("after date not in RFC3339 format")
			}
		case "agentid":
			p.AgentID = qp["agentid"][0]
		case "agentname":
			p.AgentName = qp["agentname"][0]
		case "agentversion":
			p.AgentVersion = qp["agentversion"][0]
		case "before":
			p.Before, err = time.Parse(time.RFC3339, qp["before"][0])
			if err != nil {
				panic("before date not in RFC3339 format")
			}
		case "commandid":
			p.CommandID = qp["commandid"][0]
		case "foundanything":
			if truere.MatchString(qp["foundanything"][0]) {
				p.FoundAnything = true
			} else if falsere.MatchString(qp["foundanything"][0]) {
				p.FoundAnything = false
			} else {
				panic("foundanything parameter must be true or false")
			}
			filterFound = true
		case "investigatorid":
			p.InvestigatorID = qp["investigatorid"][0]
		case "investigatorname":
			p.InvestigatorName = qp["investigatorname"][0]
		case "limit":
			p.Limit, err = strconv.ParseFloat(qp["limit"][0], 64)
			if err != nil {
				panic("invalid limit parameter")
			}
		case "loadername":
			p.LoaderName = qp["loadername"][0]
		case "loaderid":
			p.LoaderID = qp["loaderid"][0]
		case "manifestname":
			p.ManifestName = qp["manifestname"][0]
		case "manifestid":
			p.ManifestID = qp["manifestid"][0]
		case "offset":
			p.Offset, err = strconv.ParseFloat(qp["offset"][0], 64)
			if err != nil {
				panic("invalid offset parameter")
			}
		case "report":
			switch qp["report"][0] {
			case "complianceitems":
				p.Report = qp["report"][0]
			case "geolocations":
				p.Report = qp["report"][0]
			default:
				panic("report not implemented")
			}
		case "status":
			p.Status = qp["status"][0]
		case "target":
			p.Target = qp["target"][0]
		case "threatfamily":
			p.ThreatFamily = qp["threatfamily"][0]
		case "type":
			p.Type = qp["type"][0]
		}
	}
	return
}