[client] Fix updating created_by_ref of observable, introduce delete methods

Samuel Hassine · Samuel Hassine · commit 425f140541b9 · 2020-03-03T10:07:03.000+01:00
diff --git a/examples/import_stix2_file.py b/examples/import_stix2_file.py
@@ -3,8 +3,8 @@
 from pycti import OpenCTIApiClient
 
 # Variables
-api_url = "https://demo.opencti.io"
-api_token = "2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2"
+api_url = "http://localhost:4000"
+api_token = "0b23f787-d013-41a8-8078-97bee84cc99d"
 
 # OpenCTI initialization
 opencti_api_client = OpenCTIApiClient(api_url, api_token)
diff --git a/pycti/entities/opencti_report.py b/pycti/entities/opencti_report.py
@@ -439,7 +439,7 @@ def add_stix_entity(self, **kwargs):
             if report is None:
                 custom_attributes = """
                     id
-                    objectRefs {
+                    objectRefs(first: 10000) {
                         edges {
                             node {
                                 id
@@ -448,7 +448,7 @@ def add_stix_entity(self, **kwargs):
                             }
                         }
                     }
-                    relationRefs {
+                    relationRefs(first: 10000) {
                         edges {
                             node {
                                 id
diff --git a/pycti/entities/opencti_stix_observable.py b/pycti/entities/opencti_stix_observable.py
@@ -374,5 +374,128 @@ def update_field(self, **kwargs):
                 result["data"]["stixObservableEdit"]["fieldPatch"]
             )
         else:
-            self.opencti.log("error", "Missing parameters: id and key and value")
+            self.opencti.log("error", "[opencti_stix_observable_update_field] Missing parameters: id and key and value")
             return None
+
+    """
+        Delete a Stix-Observable
+
+        :param id: the Stix-Observable id
+        :return void
+    """
+
+    def delete(self, **kwargs):
+        id = kwargs.get("id", None)
+        if id is not None:
+            self.opencti.log("info", "Deleting Stix-Observable {" + id + "}.")
+            query = """
+                 mutation StixObservableEdit($id: ID!) {
+                     stixObservableEdit(id: $id) {
+                         delete
+                     }
+                 }
+             """
+            self.opencti.query(query, {"id": id})
+        else:
+            self.opencti.log(
+                "error", "[opencti_stix_observable_delete] Missing parameters: id"
+            )
+            return None
+
+    """
+        Update the Identity author of a Stix-Observable object (created_by_ref)
+
+        :param id: the id of the Stix-Observable
+        :param identity_id: the id of the Identity
+        :return Boolean
+    """
+
+    def update_created_by_ref(self, **kwargs):
+        id = kwargs.get("id", None)
+        stix_entity = kwargs.get("entity", None)
+        identity_id = kwargs.get("identity_id", None)
+        if id is not None and identity_id is not None:
+            if stix_entity is None:
+                custom_attributes = """
+                    id
+                    createdByRef {
+                        node {
+                            id
+                            entity_type
+                            stix_id_key
+                            stix_label
+                            name
+                            alias
+                            description
+                            created
+                            modified
+                            ... on Organization {
+                                organization_class
+                            }
+                        }
+                        relation {
+                            id
+                        }
+                    }    
+                """
+                stix_entity = self.read(id=id, customAttributes=custom_attributes)
+            if stix_entity is None:
+                self.opencti.log(
+                    "error", "Cannot update created_by_ref, entity not found"
+                )
+                return False
+            current_identity_id = None
+            current_relation_id = None
+            if stix_entity["createdByRef"] is not None:
+                current_identity_id = stix_entity["createdByRef"]["id"]
+                current_relation_id = stix_entity["createdByRef"]["remote_relation_id"]
+            # Current identity is the same
+            if current_identity_id == identity_id:
+                return True
+            else:
+                self.opencti.log(
+                    "info",
+                    "Updating author of Stix-Entity {"
+                    + id
+                    + "} with Identity {"
+                    + identity_id
+                    + "}",
+                )
+                # Current identity is different, delete the old relation
+                if current_relation_id is not None:
+                    query = """
+                        mutation StixObservableEdit($id: ID!, $relationId: ID!) {
+                            stixObservableEdit(id: $id) {
+                                relationDelete(relationId: $relationId) {
+                                    id
+                                }
+                            }
+                        }
+                    """
+                    self.opencti.query(
+                        query, {"id": id, "relationId": current_relation_id}
+                    )
+                # Add the new relation
+                query = """
+                   mutation StixObservableEdit($id: ID!, $input: RelationAddInput) {
+                       stixObservableEdit(id: $id) {
+                            relationAdd(input: $input) {
+                                id
+                            }
+                       }
+                   }
+                """
+                variables = {
+                    "id": id,
+                    "input": {
+                        "fromRole": "so",
+                        "toId": identity_id,
+                        "toRole": "creator",
+                        "through": "created_by_ref",
+                    },
+                }
+                self.opencti.query(query, variables)
+
+        else:
+            self.opencti.log("error", "Missing parameters: id and identity_id")
+            return False
diff --git a/pycti/utils/opencti_stix2.py b/pycti/utils/opencti_stix2.py
@@ -445,30 +445,6 @@ def import_object(self, stix_object, update=False, types=None):
                 else [],
             }
 
-            # Update created by ref
-            if (
-                created_by_ref_id is not None
-                and "observableRefs" in stix_object_result
-                and stix_object_result["observableRefs"] is not None
-                and len(stix_object_result["observableRefs"]) > 0
-            ):
-                for observable_ref in stix_object_result["observableRefs"]:
-                    self.opencti.stix_entity.update_created_by_ref(
-                        id=observable_ref["id"], identity_id=created_by_ref_id
-                    )
-
-            # Add marking definitions
-            for marking_definition_id in marking_definitions_ids:
-                if (
-                    "observableRefs" in stix_object_result
-                    and stix_object_result["observableRefs"] is not None
-                    and len(stix_object_result["observableRefs"]) > 0
-                ):
-                    for observable_ref in stix_object_result["observableRefs"]:
-                        self.opencti.stix_entity.add_marking_definition(
-                            id=observable_ref["id"],
-                            marking_definition_id=marking_definition_id,
-                        )
             # Add tags
             for tag_id in tags_ids:
                 self.opencti.stix_entity.add_tag(
@@ -1290,7 +1266,6 @@ def prepare_export(
                     if entity_relation_ref["stix_id_key"] not in object_refs:
                         object_refs.append(entity_relation_ref["stix_id_key"])
             stix_object["object_refs"] = object_refs
-        result.append(stix_object)
 
         uuids = []
         for x in result:
@@ -1309,6 +1284,12 @@ def prepare_export(
                 observables_stix_ids = (
                     observables_stix_ids + observable_object_data["stixIds"]
                 )
+                if stix_object['type'] == 'report':
+                    if 'object_refs' in stix_object:
+                        stix_object['object_refs'].append(observable_object_data['observedData']['id'])
+                    else:
+                        stix_object['object_refs'] = [observable_object_data['observedData']['id']]
+        result.append(stix_object)
 
         if mode == "simple":
             return result
@@ -1406,9 +1387,10 @@ def prepare_export(
             final_result = []
             for entity in result:
                 if entity["type"] == "report":
-                    entity["object_refs"] = [
-                        k for k in entity["object_refs"] if k in uuids
-                    ]
+                    if 'object_refs' in entity:
+                        entity["object_refs"] = [
+                            k for k in entity["object_refs"] if k in uuids
+                        ]
                     final_result.append(entity)
                 else:
                     final_result.append(entity)

Original file line number	Diff line number	Diff line change
`@@ -439,7 +439,7 @@ def add_stix_entity(self, **kwargs):`
`439`	`439`	`if report is None:`
`440`	`440`	`custom_attributes = """`
`441`	`441`	`id`
`442`		`- objectRefs {`
	`442`	`+ objectRefs(first: 10000) {`
`443`	`443`	`edges {`
`444`	`444`	`node {`
`445`	`445`	`id`
`@@ -448,7 +448,7 @@ def add_stix_entity(self, **kwargs):`
`448`	`448`	`}`
`449`	`449`	`}`
`450`	`450`	`}`
`451`		`- relationRefs {`
	`451`	`+ relationRefs(first: 10000) {`
`452`	`452`	`edges {`
`453`	`453`	`node {`
`454`	`454`	`id`