separated sources as modules for local and TAXII collections

Cyb3rWard0g · Cyb3rWard0g · commit 22a621381128 · 2025-12-19T01:49:30.000-05:00
diff --git a/src/attackcti/sources/__init__.py b/src/attackcti/sources/__init__.py
@@ -0,0 +1,15 @@
+"""Source (transport) implementations for attackcti."""
+
+from .attack_source import MitreAttackSource
+from .local_loader import load_local_sources, load_stix_store
+from .resolver import load_sources
+from .taxii_loader import create_taxii_sources, load_taxii_sources
+
+__all__ = [
+    "create_taxii_sources",
+    "load_local_sources",
+    "MitreAttackSource",
+    "load_sources",
+    "load_stix_store",
+    "load_taxii_sources",
+]
diff --git a/src/attackcti/sources/attack_source.py b/src/attackcti/sources/attack_source.py
@@ -0,0 +1,75 @@
+"""Wrapper that encapsulates loaded ATT&CK data sources."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any
+
+from stix2 import CompositeDataSource
+
+from .resolver import load_sources
+
+
+@dataclass
+class MitreAttackSource:
+    """Container for ATT&CK STIX sources.
+
+    Attributes
+    ----------
+    enterprise
+        Domain-scoped source for Enterprise ATT&CK (or None if not loaded).
+    mobile
+        Domain-scoped source for Mobile ATT&CK (or None if not loaded).
+    ics
+        Domain-scoped source for ICS ATT&CK (or None if not loaded).
+    composite
+        `CompositeDataSource` containing all loaded domain sources.
+    versions
+        Mapping of domain -> spec version (or None).
+    mode
+        One of local, taxii, mixed, empty.
+    spec_version
+        Unified spec version if all domains match, else None.
+    """
+
+    enterprise: Any | None
+    mobile: Any | None
+    ics: Any | None
+    composite: CompositeDataSource
+    versions: dict[str, str | None]
+    mode: str
+    spec_version: str | None
+
+    @classmethod
+    def load(
+        cls,
+        *,
+        enterprise: str | None = None,
+        mobile: str | None = None,
+        ics: str | None = None,
+        connect_taxii: bool = True,
+        proxies: dict | None = None,
+        verify: bool = True,
+        collection_url: str | None = None,
+    ) -> "MitreAttackSource":
+        """Load ATT&CK sources and return a container."""
+        (ent, mob, ics_src), versions, mode, spec_version = load_sources(
+            enterprise=enterprise,
+            mobile=mobile,
+            ics=ics,
+            connect_taxii=connect_taxii,
+            proxies=proxies,
+            verify=verify,
+            collection_url=collection_url,
+        )
+        composite = CompositeDataSource()
+        composite.add_data_sources([ds for ds in (ent, mob, ics_src) if ds is not None])
+        return cls(
+            enterprise=ent,
+            mobile=mob,
+            ics=ics_src,
+            composite=composite,
+            versions=versions,
+            mode=mode,
+            spec_version=spec_version,
+        )
diff --git a/src/attackcti/sources/local_loader.py b/src/attackcti/sources/local_loader.py
@@ -0,0 +1,64 @@
+"""Local STIX bundle source helpers.
+
+This module centralizes loading local STIX JSON bundles (files or directories)
+into STIX2 data sources via `attackcti.utils.storage.STIXStore`.
+"""
+
+from __future__ import annotations
+
+import os
+from typing import Any
+
+from ..utils.storage import STIXStore
+
+
+def load_stix_store(path: str | None) -> tuple[Any | None, str | None]:
+    """Load a STIX store from a directory or JSON file path.
+
+    Args:
+        path: Path to a directory of JSON files or a single STIX JSON file. If
+            `None` or not found on disk, returns `(None, None)`.
+
+    Returns
+    -------
+    tuple
+        A `(source, spec_version)` tuple. If `path` is missing, returns
+        `(None, None)`.
+    """
+    if path and os.path.exists(path):
+        store = STIXStore(path)
+        return store.get_store(), store.spec_version
+    return None, None
+
+
+def load_local_sources(
+    *,
+    enterprise: str | None = None,
+    mobile: str | None = None,
+    ics: str | None = None,
+) -> tuple[tuple[Any | None, Any | None, Any | None], dict[str, str | None]]:
+    """Load local sources for enterprise, mobile, and ICS.
+
+    Args:
+        enterprise: Path to the local enterprise bundle (dir or JSON file).
+        mobile: Path to the local mobile bundle (dir or JSON file).
+    
+    Returns
+    -------
+    tuple
+        `((enterprise_source, mobile_source, ics_source), versions)` where
+        `versions` maps `enterprise|mobile|ics` to detected spec versions (or
+        `None` when unavailable).
+        `versions` maps `enterprise|mobile|ics` to detected spec versions (or
+        `None` when unavailable).
+    """
+    enterprise_source, enterprise_ver = load_stix_store(enterprise)
+    mobile_source, mobile_ver = load_stix_store(mobile)
+    ics_source, ics_ver = load_stix_store(ics)
+
+    versions = {
+        "enterprise": enterprise_ver,
+        "mobile": mobile_ver,
+        "ics": ics_ver,
+    }
+    return (enterprise_source, mobile_source, ics_source), versions
diff --git a/src/attackcti/sources/resolver.py b/src/attackcti/sources/resolver.py
@@ -0,0 +1,103 @@
+"""Source selection helpers.
+
+This module contains the policy for combining multiple source types (local STIX
+bundles and TAXII) into the final set of domain sources used by the client.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from .local_loader import load_local_sources
+from .taxii_loader import load_taxii_sources
+
+
+def load_sources(
+    *,
+    enterprise: str | None = None,
+    mobile: str | None = None,
+    ics: str | None = None,
+    connect_taxii: bool = True,
+    proxies: dict | None = None,
+    verify: bool = True,
+    collection_url: str | None = None,
+) -> tuple[tuple[Any | None, Any | None, Any | None], dict[str, str | None], str, str | None]:
+    """Load sources using a local-first policy with optional TAXII fallback.
+
+    Policy:
+      - If local sources exist, use them.
+      - If some local domains are missing and `connect_taxii=True`, fill missing domains from TAXII.
+      - If no local sources exist:
+          - If `connect_taxii=True`, load all domains from TAXII.
+          - If `connect_taxii=False`:
+              - Raise if the caller provided local paths (they were invalid).
+              - Otherwise return an empty configuration.
+
+    Args:
+        enterprise: Path to the local enterprise bundle (dir or JSON file).
+        mobile: Path to the local mobile bundle (dir or JSON file).
+        ics: Path to the local ICS bundle (dir or JSON file).
+        connect_taxii: If `True`, allow TAXII fallback/fill behavior.
+        proxies: Requests proxy configuration for TAXII.
+        verify: Whether to verify TLS certificates for TAXII.
+        collection_url: Base TAXII collections URL (ending in `/collections/`).
+
+    Returns
+    -------
+    tuple
+        A tuple `(sources, versions, mode, spec_version)` where:
+        - `sources` is `(enterprise_source, mobile_source, ics_source)`
+        - `versions` maps `enterprise|mobile|ics` to spec versions (or `None`)
+        - `mode` is one of `local`, `taxii`, `mixed`, `empty`
+        - `spec_version` is the unified spec version if known, else `None`
+
+    Raises
+    ------
+        ValueError: If local paths were provided but none were loadable and
+            `connect_taxii=False`.
+    """
+    local_paths_provided = any((enterprise, mobile, ics))
+
+    (enterprise_source, mobile_source, ics_source), versions = load_local_sources(
+        enterprise=enterprise,
+        mobile=mobile,
+        ics=ics,
+    )
+
+    any_local = any((enterprise_source, mobile_source, ics_source))
+    if not any_local:
+        if not connect_taxii:
+            if local_paths_provided:
+                raise ValueError("No valid local data sources found.")
+            return (None, None, None), {"enterprise": None, "mobile": None, "ics": None}, "empty", None
+
+        (enterprise_source, mobile_source, ics_source), versions = load_taxii_sources(
+            proxies=proxies,
+            verify=verify,
+            collection_url=collection_url,
+        )
+        return (enterprise_source, mobile_source, ics_source), versions, "taxii", "2.1"
+
+    missing_any = any(ds is None for ds in (enterprise_source, mobile_source, ics_source))
+    if missing_any and connect_taxii:
+        (taxii_enterprise, taxii_mobile, taxii_ics), taxii_versions = load_taxii_sources(
+            proxies=proxies,
+            verify=verify,
+            collection_url=collection_url,
+        )
+        if enterprise_source is None:
+            enterprise_source = taxii_enterprise
+            versions["enterprise"] = taxii_versions["enterprise"]
+        if mobile_source is None:
+            mobile_source = taxii_mobile
+            versions["mobile"] = taxii_versions["mobile"]
+        if ics_source is None:
+            ics_source = taxii_ics
+            versions["ics"] = taxii_versions["ics"]
+        mode = "mixed"
+    else:
+        mode = "local"
+
+    non_null_versions = {v for v in versions.values() if v is not None}
+    spec_version = non_null_versions.pop() if len(non_null_versions) == 1 else None
+    return (enterprise_source, mobile_source, ics_source), versions, mode, spec_version
diff --git a/src/attackcti/sources/taxii_loader.py b/src/attackcti/sources/taxii_loader.py
@@ -0,0 +1,117 @@
+"""MITRE ATT&CK TAXII source helpers.
+
+This module builds TAXII 2.1 collection sources for the MITRE ATT&CK datasets.
+"""
+
+from __future__ import annotations
+
+from stix2 import TAXIICollectionSource
+from taxii2client.v21 import Collection
+
+from ..constants import (
+    ATTACK_TAXII_COLLECTIONS_URL,
+    ENTERPRISE_ATTACK_COLLECTION_ID,
+    ICS_ATTACK_COLLECTION_ID,
+    MOBILE_ATTACK_COLLECTION_ID,
+)
+
+
+def _normalize_collections_url(collections_url: str) -> str:
+    """Normalize a TAXII collections base URL.
+
+    Args:
+        collections_url: Base URL for TAXII collections (typically ends with
+            /collections/).
+
+    Returns
+    -------
+        Normalized URL with a trailing /.
+
+    Raises
+    ------
+    ValueError: If collections_url is empty after trimming whitespace.
+    """
+    collections_url = collections_url.strip()
+    if not collections_url:
+        raise ValueError("collection_url must be a non-empty string")
+    if not collections_url.endswith("/"):
+        collections_url += "/"
+    return collections_url
+
+
+def create_taxii_sources(
+    *,
+    proxies: dict | None = None,
+    verify: bool = True,
+    collection_url: str | None = None,
+) -> tuple[TAXIICollectionSource, TAXIICollectionSource, TAXIICollectionSource]:
+    """Create TAXII sources for enterprise, mobile, and ICS ATT&CK.
+
+    Args:
+        proxies: Requests proxy configuration passed to taxii2client (and
+            ultimately requests).
+        verify: Whether to verify TLS certificates.
+        collection_url: Base collections URL (ending in /collections/). If
+            omitted, uses :data:`attackcti.constants.ATTACK_TAXII_COLLECTIONS_URL`.
+
+    Returns
+    -------
+        A tuple of sources for (enterprise, mobile, ics).
+
+    Raises
+    ------
+    ValueError
+        If collection_url is provided but empty.
+    """
+    collections_url = _normalize_collections_url(collection_url or ATTACK_TAXII_COLLECTIONS_URL)
+
+    enterprise_url = f"{collections_url}{ENTERPRISE_ATTACK_COLLECTION_ID}/"
+    mobile_url = f"{collections_url}{MOBILE_ATTACK_COLLECTION_ID}/"
+    ics_url = f"{collections_url}{ICS_ATTACK_COLLECTION_ID}/"
+
+    enterprise_collection = Collection(enterprise_url, verify=verify, proxies=proxies)
+    mobile_collection = Collection(mobile_url, verify=verify, proxies=proxies)
+    ics_collection = Collection(ics_url, verify=verify, proxies=proxies)
+
+    return (
+        TAXIICollectionSource(enterprise_collection),
+        TAXIICollectionSource(mobile_collection),
+        TAXIICollectionSource(ics_collection),
+    )
+
+
+def load_taxii_sources(
+    *,
+    proxies: dict | None = None,
+    verify: bool = True,
+    collection_url: str | None = None,
+) -> tuple[tuple[TAXIICollectionSource, TAXIICollectionSource, TAXIICollectionSource], dict[str, str]]:
+    """Load TAXII sources for enterprise, mobile, and ICS.
+
+    Args:
+        proxies: Requests proxy configuration passed to taxii2client.
+        verify: Whether to verify TLS certificates.
+        collection_url: Base collections URL (ending in /collections/). If
+            omitted, uses :data:`attackcti.constants.ATTACK_TAXII_COLLECTIONS_URL`.
+    
+    Returns
+    -------
+        `((enterprise_source, mobile_source, ics_source), versions)` where
+        `versions` maps `enterprise|mobile|ics` to `"2.1"`.
+        `versions` maps `enterprise|mobile|ics` to `"2.1"`.
+
+    Raises
+    ------
+        ValueError: If collection_url is provided but empty.
+    """
+    sources = create_taxii_sources(
+        proxies=proxies,
+        verify=verify,
+        collection_url=collection_url,
+    )
+    versions = {
+        "enterprise": "2.1",
+        "mobile": "2.1",
+        "ics": "2.1",
+    }
+    return sources, versions
