opensearch-project · jowg-amazon · Jun 13, 2024 · Jun 11, 2024 · Jun 11, 2024 · Jun 11, 2024
@@ -113,6 +113,7 @@
 import org.opensearch.securityanalytics.resthandler.RestValidateRulesAction;
 import org.opensearch.securityanalytics.settings.SecurityAnalyticsSettings;
 import org.opensearch.securityanalytics.threatIntel.action.PutTIFJobAction;
+import org.opensearch.securityanalytics.threatIntel.action.SADeleteTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.action.SAGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.action.SAIndexTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.action.SASearchTIFSourceConfigsAction;
@@ -124,6 +125,7 @@
 import org.opensearch.securityanalytics.threatIntel.jobscheduler.TIFJobRunner;
 import org.opensearch.securityanalytics.threatIntel.jobscheduler.TIFSourceConfigRunner;
 import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfig;
+import org.opensearch.securityanalytics.threatIntel.resthandler.RestDeleteTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.model.monitor.SampleRemoteDocLevelMonitorRunner;
 import org.opensearch.securityanalytics.threatIntel.model.monitor.TransportRemoteDocLevelMonitorFanOutAction;
 import org.opensearch.securityanalytics.threatIntel.resthandler.RestGetTIFSourceConfigAction;
@@ -138,6 +140,7 @@
 import org.opensearch.securityanalytics.threatIntel.service.TIFJobParameterService;
 import org.opensearch.securityanalytics.threatIntel.service.TIFJobUpdateService;
 import org.opensearch.securityanalytics.threatIntel.service.ThreatIntelFeedDataService;
+import org.opensearch.securityanalytics.threatIntel.transport.TransportDeleteTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportGetTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportIndexTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.transport.TransportPutTIFJobAction;
@@ -330,6 +333,7 @@ public List<RestHandler> getRestHandlers(Settings settings,
                 new RestDeleteCustomLogTypeAction(),
                 new RestIndexTIFSourceConfigAction(),
                 new RestGetTIFSourceConfigAction(),
+                new RestDeleteTIFSourceConfigAction(),
                 new RestSearchTIFSourceConfigsAction(),
                 new RestIndexThreatIntelMonitorAction(),
                 new RestDeleteThreatIntelMonitorAction(),
@@ -474,7 +478,8 @@ public List<Setting<?>> getSettings() {
                 new ActionHandler<>(SearchThreatIntelMonitorAction.INSTANCE, TransportSearchThreatIntelMonitorAction.class),
                 new ActionHandler<>(SAIndexTIFSourceConfigAction.INSTANCE, TransportIndexTIFSourceConfigAction.class),
                 new ActionHandler<>(SAGetTIFSourceConfigAction.INSTANCE, TransportGetTIFSourceConfigAction.class),
-                new ActionHandler<>(SASearchTIFSourceConfigsAction.INSTANCE, TransportSearchTIFSourceConfigsAction.class)
+                new ActionHandler<>(SADeleteTIFSourceConfigAction.INSTANCE, TransportDeleteTIFSourceConfigAction.class),
+                new ActionHandler<>(SASearchTIFSourceConfigsAction.INSTANCE, TransportSearchTIFSourceConfigsAction.class),
                 new ActionHandler<>(SampleRemoteDocLevelMonitorRunner.REMOTE_DOC_LEVEL_MONITOR_ACTION_INSTANCE, TransportRemoteDocLevelMonitorFanOutAction.class)
         );
     }

@@ -0,0 +1,22 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.securityanalytics.threatIntel.action;
+
+import org.opensearch.action.ActionType;
+
+import static org.opensearch.securityanalytics.threatIntel.sacommons.IndexTIFSourceConfigAction.DELETE_TIF_SOURCE_CONFIG_ACTION_NAME;
+
+/**
+ * Delete TIF Source Config Action
+ */
+public class SADeleteTIFSourceConfigAction extends ActionType<SADeleteTIFSourceConfigResponse> {
+
+    public static final SADeleteTIFSourceConfigAction INSTANCE = new SADeleteTIFSourceConfigAction();
+    public static final String NAME = DELETE_TIF_SOURCE_CONFIG_ACTION_NAME;
+    private SADeleteTIFSourceConfigAction() {
+        super(NAME, SADeleteTIFSourceConfigResponse::new);
+    }
+}
@@ -0,0 +1,52 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.securityanalytics.threatIntel.action;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.ActionRequestValidationException;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+
+import java.io.IOException;
+import java.util.Locale;
+
+import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.securityanalytics.threatIntel.common.Constants.THREAT_INTEL_SOURCE_CONFIG_ID;
+
+/**
+ * Delete threat intel feed source config request
+ */
+public class SADeleteTIFSourceConfigRequest extends ActionRequest {
+    private final String id;
+    public SADeleteTIFSourceConfigRequest(String id) {
+        super();
+        this.id = id;
+    }
+
+    public SADeleteTIFSourceConfigRequest(StreamInput sin) throws IOException {
+        this(sin.readString()); // id
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(id);
+    }
+
+    public String getId() {
+        return id;
+    }
+
+
+    @Override
+    public ActionRequestValidationException validate() {
+        ActionRequestValidationException validationException = null;
+        if (id == null || id.isEmpty()) {
+            validationException = addValidationError(String.format(Locale.getDefault(), "%s is missing", THREAT_INTEL_SOURCE_CONFIG_ID), validationException);
+        }
+        return validationException;
+    }
+
+}
@@ -0,0 +1,58 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.opensearch.securityanalytics.threatIntel.action;
+
+import org.opensearch.core.action.ActionResponse;
+import org.opensearch.core.common.io.stream.StreamInput;
+import org.opensearch.core.common.io.stream.StreamOutput;
+import org.opensearch.core.rest.RestStatus;
+import org.opensearch.core.xcontent.ToXContentObject;
+import org.opensearch.core.xcontent.XContentBuilder;
+import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfigDto;
+
+import java.io.IOException;
+
+import static org.opensearch.securityanalytics.util.RestHandlerUtils._ID;
+import static org.opensearch.securityanalytics.util.RestHandlerUtils._VERSION;
+
+public class SADeleteTIFSourceConfigResponse extends ActionResponse implements ToXContentObject {
+    private final String id;
+    private final RestStatus status;
+
+    public SADeleteTIFSourceConfigResponse(String id, RestStatus status) {
+        super();
+        this.id = id;
+        this.status = status;
+    }
+
+    public SADeleteTIFSourceConfigResponse(StreamInput sin) throws IOException {
+        this(
+                sin.readString(), // id
+                sin.readEnum(RestStatus.class) // status
+        );
+    }
+
+    @Override
+    public void writeTo(StreamOutput out) throws IOException {
+        out.writeString(id);
+    }
+
+    @Override
+    public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+        builder.startObject()
+                .field(_ID, id);
+        return builder.endObject();
+    }
+
+    public String getId() {
+        return id;
+    }
+
+
+    public RestStatus getStatus() {
+        return status;
+    }
+
+}
@@ -14,14 +14,14 @@
 import java.util.Locale;
 
 import static org.opensearch.action.ValidateActions.addValidationError;
+import static org.opensearch.securityanalytics.threatIntel.common.Constants.THREAT_INTEL_SOURCE_CONFIG_ID;
 
 /**
  * Get threat intel feed source config request
  */
 public class SAGetTIFSourceConfigRequest extends ActionRequest {
     private final String id;
     private final Long version;
-    public static final String TIF_SOURCE_CONFIG_ID = "tif_source_config_id";
 
     public SAGetTIFSourceConfigRequest(String id, Long version) {
         super();
@@ -53,7 +53,7 @@ public Long getVersion() {
     public ActionRequestValidationException validate() {
         ActionRequestValidationException validationException = null;
         if (id == null || id.isEmpty()) {
-            validationException = addValidationError(String.format(Locale.getDefault(), "%s is missing", TIF_SOURCE_CONFIG_ID), validationException);
+            validationException = addValidationError(String.format(Locale.getDefault(), "%s is missing", THREAT_INTEL_SOURCE_CONFIG_ID), validationException);
         }
         return validationException;
     }

@@ -10,4 +10,6 @@
 public class Constants {
     public static final String USER_AGENT_KEY = "User-Agent";
     public static final String USER_AGENT_VALUE = String.format(Locale.ROOT, "OpenSearch/%s vanilla", Version.CURRENT.toString());
+    public static final String THREAT_INTEL_SOURCE_CONFIG_ID = "threat_intel_source_config_id";
+
 }
@@ -0,0 +1,50 @@
+package org.opensearch.securityanalytics.threatIntel.resthandler;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.client.node.NodeClient;
+import org.opensearch.rest.BaseRestHandler;
+import org.opensearch.rest.RestRequest;
+import org.opensearch.rest.action.RestToXContentListener;
+import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
+import org.opensearch.securityanalytics.threatIntel.action.SADeleteTIFSourceConfigAction;
+import org.opensearch.securityanalytics.threatIntel.action.SADeleteTIFSourceConfigRequest;
+import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfigDto;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Locale;
+
+import static org.opensearch.securityanalytics.threatIntel.common.Constants.THREAT_INTEL_SOURCE_CONFIG_ID;
+
+public class RestDeleteTIFSourceConfigAction extends BaseRestHandler {
+
+    private static final Logger log = LogManager.getLogger(RestDeleteTIFSourceConfigAction.class);
+
+    @Override
+    public String getName() {
+        return "delete_tif_config_action";
+    }
+
+    @Override
+    public List<Route> routes() {
+        return List.of(new Route(RestRequest.Method.DELETE, String.format(Locale.getDefault(), "%s/{%s}", SecurityAnalyticsPlugin.THREAT_INTEL_SOURCE_URI, THREAT_INTEL_SOURCE_CONFIG_ID)));
+    }
+
+    @Override
+    protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
+        String saTifSourceConfigId = request.param(THREAT_INTEL_SOURCE_CONFIG_ID, SATIFSourceConfigDto.NO_ID);
+
+        if (saTifSourceConfigId == null || saTifSourceConfigId.isBlank()) {
+            throw new IllegalArgumentException("missing id");
+        }
+
+        SADeleteTIFSourceConfigRequest req = new SADeleteTIFSourceConfigRequest(saTifSourceConfigId);
+
+        return channel -> client.execute(
+                SADeleteTIFSourceConfigAction.INSTANCE,
+                req,
+                new RestToXContentListener<>(channel)
+        );
+    }
+}
@@ -17,6 +17,7 @@
 import java.util.Locale;
 
 import static org.opensearch.rest.RestRequest.Method.GET;
+import static org.opensearch.securityanalytics.threatIntel.common.Constants.THREAT_INTEL_SOURCE_CONFIG_ID;
 
 public class RestGetTIFSourceConfigAction extends BaseRestHandler {
 
@@ -29,12 +30,12 @@ public String getName() {
 
     @Override
     public List<Route> routes() {
-        return List.of(new Route(GET, String.format(Locale.getDefault(), "%s/{%s}", SecurityAnalyticsPlugin.THREAT_INTEL_SOURCE_URI, SAGetTIFSourceConfigRequest.TIF_SOURCE_CONFIG_ID)));
+        return List.of(new Route(GET, String.format(Locale.getDefault(), "%s/{%s}", SecurityAnalyticsPlugin.THREAT_INTEL_SOURCE_URI, THREAT_INTEL_SOURCE_CONFIG_ID)));
     }
 
     @Override
     protected RestChannelConsumer prepareRequest(RestRequest request, NodeClient client) throws IOException {
-        String SaTifSourceConfigId = request.param(SAGetTIFSourceConfigRequest.TIF_SOURCE_CONFIG_ID, SATIFSourceConfigDto.NO_ID);
+        String SaTifSourceConfigId = request.param(THREAT_INTEL_SOURCE_CONFIG_ID, SATIFSourceConfigDto.NO_ID);
 
         if (SaTifSourceConfigId == null || SaTifSourceConfigId.isEmpty()) {
             throw new IllegalArgumentException("missing id");

@@ -6,7 +6,6 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
-import org.opensearch.action.support.WriteRequest;
 import org.opensearch.client.node.NodeClient;
 import org.opensearch.core.rest.RestStatus;
 import org.opensearch.core.xcontent.ToXContent;
@@ -19,18 +18,17 @@
 import org.opensearch.rest.RestResponse;
 import org.opensearch.rest.action.RestResponseListener;
 import org.opensearch.securityanalytics.SecurityAnalyticsPlugin;
-import org.opensearch.securityanalytics.threatIntel.action.SAGetTIFSourceConfigRequest;
 import org.opensearch.securityanalytics.threatIntel.action.SAIndexTIFSourceConfigAction;
 import org.opensearch.securityanalytics.threatIntel.action.SAIndexTIFSourceConfigRequest;
 import org.opensearch.securityanalytics.threatIntel.action.SAIndexTIFSourceConfigResponse;
 import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfigDto;
-import org.opensearch.securityanalytics.util.RestHandlerUtils;
 
 import java.io.IOException;
-import java.time.Instant;
 import java.util.List;
 import java.util.Locale;
 
+import static org.opensearch.securityanalytics.threatIntel.common.Constants.THREAT_INTEL_SOURCE_CONFIG_ID;
+
 public class RestIndexTIFSourceConfigAction extends BaseRestHandler {
     private static final Logger log = LogManager.getLogger(RestIndexTIFSourceConfigAction.class);
     @Override
@@ -42,7 +40,7 @@ public List<Route> routes() {
         return List.of(
                 new Route(RestRequest.Method.POST, SecurityAnalyticsPlugin.THREAT_INTEL_SOURCE_URI),
                 new Route(RestRequest.Method.PUT, String.format(Locale.getDefault(), "%s/{%s}",
-                        SecurityAnalyticsPlugin.THREAT_INTEL_SOURCE_URI, SAGetTIFSourceConfigRequest.TIF_SOURCE_CONFIG_ID))
+                        SecurityAnalyticsPlugin.THREAT_INTEL_SOURCE_URI, THREAT_INTEL_SOURCE_CONFIG_ID))
         );
     }
 

@@ -8,5 +8,6 @@
 public class IndexTIFSourceConfigAction {
     public static final String INDEX_TIF_SOURCE_CONFIG_ACTION_NAME = "cluster:admin/security_analytics/tifSource/write";
     public static final String GET_TIF_SOURCE_CONFIG_ACTION_NAME = "cluster:admin/security_analytics/tifSource/get";
+    public static final String DELETE_TIF_SOURCE_CONFIG_ACTION_NAME = "cluster:admin/security_analytics/tifSource/delete";
     public static final String SEARCH_TIF_SOURCE_CONFIGS_ACTION_NAME = "cluster:admin/security_analytics/tifSource/search";
 }
@@ -2,6 +2,7 @@
 
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
 import org.opensearch.ResourceNotFoundException;
 import org.opensearch.action.delete.DeleteResponse;
 import org.opensearch.action.index.IndexResponse;
@@ -16,6 +17,7 @@
 import org.opensearch.securityanalytics.threatIntel.model.IocStoreConfig;
 import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfig;
 import org.opensearch.securityanalytics.threatIntel.model.SATIFSourceConfigDto;
+import org.opensearch.securityanalytics.util.SecurityAnalyticsException;
 
 import java.time.Instant;
 
@@ -162,16 +164,33 @@ public void deleteTIFSourceConfig(
             final String SaTifSourceConfigId,
             final ActionListener<DeleteResponse> listener
     ) {
+        // TODO: Delete all IOCs associated with source config
         SaTifSourceConfigService.getTIFSourceConfig(SaTifSourceConfigId, ActionListener.wrap(
                 SaTifSourceConfig -> {
                     if (SaTifSourceConfig == null) {
                         throw new ResourceNotFoundException("No threat intel source config exists [{}]", SaTifSourceConfigId);
                     }
+
+                    // Check if all threat intel monitors are deleted
+                    SaTifSourceConfigService.checkAndEnsureThreatIntelMonitorsDeleted(ActionListener.wrap(
+                            isDeleted -> {
+                                if (isDeleted == false) {
+                                    throw SecurityAnalyticsException.wrap(new OpenSearchException("All threat intel monitors need to be deleted before deleting last threat intel source config"));
+                                } else {
+                                    log.debug("All threat intel monitors are deleted or multiple threat intel source configs exist, can delete threat intel source config [{}]", SaTifSourceConfigId);
+                                }
+                            }, e-> {
+                                log.error("Failed to check if all threat intel monitors are deleted or if multiple threat intel source configs exist");
+                                listener.onFailure(e);
+                            }
+                    ));
+
                     TIFJobState previousState = SaTifSourceConfig.getState();
                     SaTifSourceConfig.setState(TIFJobState.DELETING);
                     SaTifSourceConfigService.deleteTIFSourceConfig(SaTifSourceConfig, ActionListener.wrap(
                             deleteResponse -> {
-                                log.debug("Successfully deleted threat intel source config");
+                                log.debug("Successfully deleted threat intel source config [{}]", SaTifSourceConfig.getId());
+                                listener.onResponse(deleteResponse);
                             }, e -> {
                                 log.error("Failed to delete threat intel source config [{}]", SaTifSourceConfigId);
                                 if (previousState.equals(SaTifSourceConfig.getState()) == false) {