MVP saf-cli Lambda Function

.github/draft-release.yml → .github/workflows/draft-release.yml

@@ -1,11 +1,9 @@
 name: Draft Release
-
 on:
  push:
- # branches to consider in the event; optional, defaults to all
- branches:
- - main
-
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
 jobs:
  update_draft_release:
  runs-on: ubuntu-latest

.npmignore

@@ -0,0 +1 @@
+tests/*

LICENSE.md

@@ -1,17 +1,15 @@
+Licensed under the apache-2.0 license, except as noted below.
 
-Licensed under the apache-2.0 license, except as noted below. 
-
-Redistribution and use in source and binary forms, with or without modification, 
+Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
 
-* Redistributions of source code must retain the above copyright/ digital rights 
-legend, this list of conditions and the following Notice.
-
-* Redistributions in binary form must reproduce the above copyright copyright/digital 
-rights legend, this list of conditions and the following Notice in the documentation 
-and/or other materials provided with the distribution.
+- Redistributions of source code must retain the above copyright/ digital rights
+ legend, this list of conditions and the following Notice.
 
-* Neither the name of The MITRE Corporation nor the names of its contributors may be 
-used to endorse or promote products derived from this software without specific prior 
-written permission.
+- Redistributions in binary form must reproduce the above copyright copyright/digital
+ rights legend, this list of conditions and the following Notice in the documentation
+ and/or other materials provided with the distribution.
 
+- Neither the name of The MITRE Corporation nor the names of its contributors may be
+ used to endorse or promote products derived from this software without specific prior
+ written permission.

README.md

@@ -1,2 +1,80 @@
 # saf-lambda-function
 
+AWS Lambda Function for the [SAF CLI](https://github.com/mitre/saf-lambda-function)
+
+This is based on [saf_action](https://github.com/mitre/saf)
+
+## Input and Output Arguments
+
+### Input
+
+#### `command_string` (Required)
+
+Command string to be executed by SAF CLI. The action will run `saf <command_string>`.
+
+Example:
+
+- `convert:asff2hdf -i asff-findings.json -o output-file-name.json`
+- More examples can be found at [SAF CLI Usage](https://github.com/mitre/saf#usage)
+- NOTE: This action does not support `view:heimdall`.
+
+### Output
+
+As determined by input command.
+
+## Secrets
+
+This action does not use any GitHub secrets at this time.
+
+## Example
+
+Below is an example action.
+
+```
+on: [push]
+jobs:
+ saf_hdf_conversion:
+ runs-on: ubuntu-latest
+ name: SAF CLI Convert ASFF to HDF
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Convert ASFF
+ uses: mitre/saf_action@v1
+ with:
+ command_string: 'convert:asff2hdf -i asff_sample.json -o asff_sample_hdf.json'
+ - name: Artifacts
+ uses: actions/upload-artifact@v1
+ if: success()
+ with:
+ name: asff
+ path: asff_sample_hdf.json
+```
+
+## Contributing, Issues and Support
+
+### Contributing
+
+Please feel free to look through our issues, make a fork and submit PRs and improvements. We love hearing from our end-users and the community and will be happy to engage with you on suggestions, updates, fixes or new capabilities.
+
+### Issues and Support
+
+Please feel free to contact us by **opening an issue** on the issue board, or, at [saf@mitre.org](mailto:saf@mitre.org) should you have any suggestions, questions or issues.
+
+### NOTICE
+
+© 2022 The MITRE Corporation.
+
+Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
+
+### NOTICE
+
+MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
+
+### NOTICE
+
+This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
+
+No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
+
+For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.

app.js

@@ -0,0 +1,166 @@
+// const axios = require('axios')
+// const url = 'http://checkip.amazonaws.com/';
+const aws = require('aws-sdk');
+const s3 = new aws.S3({ apiVersion: '2006-03-01' });
+//const core = require('@actions/core'); specific to github actions
+const saf = require('@mitre/saf');
+const fs = require('fs');
+const path = require("path");
+//const winston = require('winston');
+//const logging = require('utils/logging');
+const winston = require('winston');
+const { createLogger, format, transports } = winston;
+let response;
+
+/**
+ *
+ * Event doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#api-gateway-simple-proxy-for-lambda-input-format
+ * @param {Object} event - API Gateway Lambda Proxy Input Format
+ *
+ * Context doc: https://docs.aws.amazon.com/lambda/latest/dg/nodejs-prog-model-context.html
+ * @param {Object} context
+ *
+ * Return doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html
+ * @returns {Object} object - API Gateway Lambda Proxy Output Format
+ *
+ */
+
+exports.lambdaHandler = async (event, context) => {
+
+ const logger = createLogger({
+ level: process.env.LOG_LEVEL || 'debug',
+ format: format.combine(
+ format.timestamp(),
+ format.simple()
+ ),
+ transports: [
+ new transports.Console({
+ format: format.combine(
+ format.timestamp({
+ format: 'YYYY-MM-DDTHH:mm:ss.SSSZ',
+ }),
+ format.printf(
+ info => `${[info.timestamp]}\t${context.awsRequestId}\t${logger.level.toUpperCase()}\t${info.message}`,
+ )
+ )
+ })
+ ]
+ })
+
+ logger.log({
+ level: 'debug',
+ message: 'Logging Level set to : ' + logger.level.toUpperCase()
+ });
+
+ // TODO: Decide is we want to catch undefined saf-cli command groupings
+ // https://stackoverflow.com/questions/15201939/jquery-javascript-check-string-for-multiple-substringsa
+ // TODO: Removed hardcoded data and move to lambda paramaters
+ const HEC_TOKEN = "473b3297-1d88-4740-96ff-e6048e51b785";
+ const SPLUNK_SERVER = "splk1.efficacy.online";
+ const CLI_COMMAND = "convert"
+ const CLI_FUNCTION = "hdf2splunk"
+
+ // TODO: Add the rest of the parameters
+ /*
+ - -t HEC_TOKEN
+ - -i HDF_FILE
+ - SPLUNK_PORT(defults to 8089)
+ - SPLUNK_INDEX(defauls to HEC default )
+ - INSECURE(ignore_ssl)
+ - PROTOCOL(defults to https)
+ - DEBUG - for logging in lambda logging
+ */
+
+ // TODO: Remove in final release
+ logger.debug("Loading Function");
+ logger.debug("Received context:" + JSON.stringify(context));
+
+ // Get the object from the event and show its content type
+ const bucket = event.Records[0].s3.bucket.name;
+
+ const key = decodeURIComponent(
+ event.Records[0].s3.object.key.replace(/\+/g, " ")
+ );
+
+ // READ PARAMS
+ const params = {
+ Bucket: bucket,
+ Key: key,
+ };
+
+ try {
+ // const ret = await axios(url);
+
+ logger.info("Read from bucket: " + params.Bucket);
+ logger.info("Reading File: " + params.Key);
+
+ let { ContentType, Body } = await s3.getObject(params).promise();
+
+ logger.debug("Received File ContentType - " + ContentType);
+
+ let HDF_FILE = path.resolve('/tmp/', params.Key.toString());
+
+ Body = Body.toString();
+
+ const command_string = [CLI_COMMAND+':'+CLI_FUNCTION, '-i', HDF_FILE, '-H', SPLUNK_SERVER, '-t', HEC_TOKEN ];
+
+ await fs.writeFileSync(HDF_FILE, Body)
+
+ logger.info("Wrote file into runtime environment: " + HDF_FILE);
+
+ //const data = fs.readFileSync(HDF_FILE, "utf8" );
+
+ logger.debug("Finished reading object type: " + JSON.stringify(ContentType));
+
+ // TODO: Remove the hardcoded saf-cli command
+ // TODO: Remove the ||
+ /* TODO: Add the rest of the possible options to the command_string builder
+ - SPLUNK_PORT (defults to 8089)
+ - SPLUNK_INDEX (defauls to HEC default)
+ - INSECURE (ignore_ssl)
+ - PROTOCOL (defults to https)
+ - DEBUG - for logging in lambda logging
+ */
+
+ if (!command_string) {
+ throw new Error("SAF CLI Command String argument is required. See http://saf-cli.mitre.org for more details.");
+ }
+
+ if (CLI_COMMAND.trim() === "view" && CLI_FUNCTION.trim() === "heimdall") {
+ throw new Error(
+ "You cannot use the 'saf view:heimdall' command in this environment."
+ );
+ }
+
+ logger.debug("command_string: " + command_string.join(' '));
+
+ // Normal logging - perhpas we add a 'silent' to just have an ACK at the end
+ logger.info("Pushing HDF Data: " + HDF_FILE + " to server: " + SPLUNK_SERVER)
+
+ let saf_cli_response = await saf.run(command_string);
+
+ response = {
+ 'statusCode': 200,
+ 'body': JSON.stringify({
+ message: saf_cli_response
+ })
+ }
+ } catch (err) {
+ logger.info(err);
+ return err;
+ }
+
+ return response
+};
+
+
+exports.handler = async function(event, context) {
+ console.log("ENVIRONMENT VARIABLES\n" + JSON.stringify(process.env, null, 2))
+ console.info("EVENT\n" + JSON.stringify(event, null, 2))
+ console.warn("Event not processed.")
+ return context.logStreamName
+}
+
+
+
+