[FR] REST API v2.1.0: GET /api/v2/cases/{identifier}/iocs

[Elise17]

This issue is about the implementation of the first iocs endpoint:

• GET /api/v2/cases/{identifier}/iocs

The tasks are the following:

• document the new API in the openapi documentation
• implement automatic tests+code
• deprecate the previous endpoint both in the code and in the documentation
• replace the previous endpoint with the new one in the web interface
• factorize the function code get_detailed_iocs for the new URL
• add get_ioc_link in iocs for POST and DELETE /api/v2/iocs

Create a test :

• create two cases
• create two iocs in each cases
• check in each cases that we get one ioc

This is the previous endpoint which should be deprecated:

• GET /case/ioc/list

In the web interface:

• GET /case/ioc/list in case.ioc.js

[c8y3]

Things that need to be completed:

• avoid returning the state
• one line per import
• inline build_filter_ioc_query (or make it private)
• create 2 cases with each one ioc, check the list returns only one ioc in each case
• factor get_filtered_iocs and get_detailed_iocs (previous endpoint implementation) => Won't do, too difficult and of little value since get_detailed_iocs will be dropped once the previous deprecated endpoint is removed.
• change url to GET /api/v2/cases/{identifier}/iocs
• check all uses of annotation ac_requires_case_access, check the accesses are verified against the right case identifier. Add test and fix if not.
• GET /api/v2/iocs/int:cur_id, DELETE /api/v2/iocs/int:cur_id should do the access control check to the case in code, rather than in annotation (there is no access to the case identifier from the request only)
• case_ioc_dbs.get_ioc: remove case_id parameter, no need for it
• case_ioc_dbs.delete_ioc: remove case_id parameter, no need for it
• business.iocs.iocs_update: remove case_identifier parameter, no need for it

[c8y3]

• Should check all permission rights declared on the /api/v2/ cases routes.
• Should check all permission rights declared on the /api/v2/ tasks routes.
• Should check all permission rights declared on the /api/v2/ iocs routes.
• Should check all permission rights declared on the /api/v2/ assets routes.

[c8y3]

Architecture hint and reflexion: for the IOC delete in the new API, since the case identifier is not present on the request, the case access permission check can only be done in the business level, after the ioc is retrieved.
This hints that, maybe, the permission checks (or at least the case accesses checks?) should all be done at this level...
Think about it...

Actually we should decide on which layer we want to do it, then it will have an impact on the business API.

[c8y3]

In the end, I removed all permission checks out of business and put them in the blueprint layer. This has an impact on the signature of some methods in the business layer. But the end-result seems quite acceptable. I added the information about this choice in the architecture.md file.

[c8y3]

Here are the things remaining to do to update the documentation:

• add tag beta for all new api endpoints
• extract all resources in external files
• check all new endpoints are documented
• document missing GET /api/v2/cases/{identifier}/iocs
• document missing GET /api/v2/cases
• check object return types are uniform across all cases endpoints
• check object return types are uniform across all iocs endpoints. Fields link and tlp are missing in POST and GET
• check object return types are uniform across all assets endpoints
• check object return types are uniform across all tasks endpoints