

PAPP-34458: get blacklist and get whitelist working
tapishj-splunk committed Aug 6, 2024
1 parent 285ee67 commit aae9e0c
Showing 2 changed files with 73 additions and 32 deletions.
52 changes: 41 additions & 11 deletions zscaler.json
Expand Up @@ -3018,14 +3018,21 @@
]
},
{
"data_path": "action_result.data.*.whitelistUrls",
"data_path": "action_result.data.*.whitelistUrl",
"data_type": "string"
},
{
"data_path": "action_result.message",
"data_path": "action_result.summary.total_whitelist_items",
"data_type": "numeric",
"example_values": [
10
]
},
{
"data_path": "action_result.summary.message",
"data_type": "string",
"example_values": [
"test Total url categories: 97"
"Whitelist retrieved"
]
},
{
Expand All @@ -3050,7 +3057,7 @@
"versions": "EQ(*)"
},
{
"action": "get blakclist",
"action": "get blacklist",
"identifier": "get_blacklist",
"description": "get urls on the deny list",
"type": "investigate",
Expand All @@ -3060,13 +3067,10 @@
"description": "Filter results be url or ip",
"data_type": "string",
"primary": true,
"contains": [
"value_list": [
"url",
"ip"
],
"example_values": [
"127.0.0.1"
],
"order": 0
},
"query": {
Expand All @@ -3089,14 +3093,40 @@
]
},
{
"data_path": "action_result.data.*.whitelistUrls",
"data_path": "action_result.parameter.query",
"data_type": "string",
"column_name": "Query",
"example_values": [
"8...8"
],
"column_order": 1
},
{
"data_path": "action_result.parameter.filter",
"data_type": "string",
"column_name": "Filter",
"value_list": [
"url",
"ip"
],
"column_order": 0
},
{
"data_path": "action_result.data.*.blacklistUrl",
"data_type": "string"
},
{
"data_path": "action_result.message",
"data_path": "action_result.summary.message",
"data_type": "string",
"example_values": [
"test Total url categories: 97"
"Blacklist retrieved"
]
},
{
"data_path": "action_result.summary.total_blacklist_items",
"data_type": "numeric",
"example_values": [
10
]
},
{
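Review bot: The `description` of the `filter` parameter in the third hunk reads `Filter results be url or ip`; it should be `Filter results by url or ip`. Since the connector applies `query` with `re.fullmatch`, the query parameter's own description (not visible in these hunks) should also say that it is a full-match regular expression rather than a substring, otherwise users will expect partial matches. The `example_values` entry `"8...8"` under `action_result.parameter.query` is hard to read as an example; an illustrative pattern such as `".*\\.example\\.com"` would document the intended input better.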
53 changes: 32 additions & 21 deletions zscaler_connector.py
Expand Up @@ -18,14 +18,14 @@
import json
import re
import time
import ipaddress

import phantom.app as phantom
import phantom.rules as phantom_rules
import requests
from bs4 import BeautifulSoup
from phantom.action_result import ActionResult
from phantom.base_connector import BaseConnector
import socket
from zscaler_consts import *


Expand Down Expand Up @@ -998,14 +998,26 @@ def _handle_get_whitelist(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ret_val, response = self._make_rest_call_helper('/api/v1/settings', action_result)
ret_val, response = self._get_allowlist(action_result)
if phantom.is_fail(ret_val):
return action_result.get_status()
return RetVal(ret_val, None)

self.debug_print(response)
whitelist = response.get('whitelistUrls', [])
for allowed in whitelist:
action_result.add_data(allowed)
summary = action_result.update_summary({})
summary['total_whitelist_items'] = action_result.get_data_size()
summary['message'] = "Whitelist retrieved"

return action_result.set_status(phantom.APP_SUCCESS)

def _is_ip_address(self, address):
try:
ipaddress.ip_address(address)
return True
except ValueError:
return False

def _handle_get_blacklist(self, param):
"""
This action is used to get the blacklist in zscalar
Expand All @@ -1014,29 +1026,28 @@ def _handle_get_blacklist(self, param):
self.save_progress("In action handler for: {0}".format(self.get_action_identifier()))
action_result = self.add_action_result(ActionResult(dict(param)))

ret_val, response = self._make_rest_call_helper('/api/v1/settings/advanced', action_result)
ret_val, response = self._get_blocklist(action_result)
if phantom.is_fail(ret_val):
return action_result.get_status()
return RetVal(ret_val, None)

filter = param.get("filter")
query = param.get("query")

self.debug_print(response)
if not filter and not query:
return action_result.set_status(phantom.APP_SUCCESS)

parsed_data = []

self.debug_print(response)
for entry in response:
self.debug_print(entry)
url = entry.get(url, "")
ip = socket.socket.gethostbyname(url)
if url == filter or ip == filter:
parsed_data.append(entry)
elif query and (re.fullmatch(query, url) or re.fullmatch(query, ip)):
parsed_data.append(entry)
summary = action_result.update_summary({})
summary['message'] = "Blacklist retrieved"

blocklist = response.get('blacklistUrls', [])
for blocked in blocklist:
is_ip = self._is_ip_address(blocked)
if filter == "ip" and not is_ip:
continue
if filter == "url" and is_ip:
continue
if query and not re.fullmatch(query, blocked):
continue
action_result.add_data(blocked)

summary['total_blacklist_items'] = action_result.get_data_size()
return action_result.set_status(phantom.APP_SUCCESS)

def handle_action(self, param):
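Review bot: `query` is taken straight from the action parameters and handed to `re.fullmatch` once per blocklist entry without validation, so a malformed pattern raises `re.error` out of `_handle_get_blacklist` instead of producing a normal action failure. Compile it once before the loop inside `try/except re.error` and return `action_result.set_status(phantom.APP_ERROR, ...)` on a bad pattern, which also keeps the pattern lookup out of the loop. Separately, if the second line of each printed pair is the new side, the failure branch in both `_handle_get_whitelist` and `_handle_get_blacklist` now returns `RetVal(ret_val, None)` while the success path returns `action_result.set_status(...)`; a handler result that reaches the framework is expected to be a status, so `return action_result.get_status()` looks like the intended form. The docstring lines of `_handle_get_blacklist` between the two hunks are not shown.
```python
filter = param.get("filter")
query = param.get("query")

pattern = None
if query:
    try:
        pattern = re.compile(query)
    except re.error as err:
        return action_result.set_status(phantom.APP_ERROR, "Invalid query pattern: {}".format(err))

# … unchanged: debug_print, summary setup, blocklist extraction …
for blocked in blocklist:
    is_ip = self._is_ip_address(blocked)
    # … unchanged: filter == "ip" / filter == "url" checks …
    if pattern and not pattern.fullmatch(blocked):
        continue
    action_result.add_data(blocked)
```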

