
feat(platform): add BIOC support#33

Open
olli-kauppinen-wolt wants to merge 3 commits into PaloAltoNetworks:main from olli-kauppinen-wolt:feat/platform-biocs

Conversation

@olli-kauppinen-wolt


Summary

Adds first-class support for /public_api/v1/bioc/{insert,get,delete} to the platform module:

  • New BIOC and BIOCFilter types with the ten write-allowed fields plus four read-only fields the live API returns (creation_time, modification_time, source, number_of_issues). BIOC.Indicator is json.RawMessage to keep the SDK schema-agnostic over the polymorphic payload (JSON string when is_xql=true, structured filter AST otherwise).
  • New Client.InsertBIOCs (upsert via rule_id), Client.ListBIOCs, Client.DeleteBIOCs, and convenience helpers Client.FindBIOCByName / Client.FindBIOCByID. Unlike /indicators/insert, /bioc/insert returns HTTP 400 with the success-shape body on per-record validation failure — InsertBIOCs recovers the typed response so callers don't need to special-case that path.
  • New enums package additions: BIOCType (16 values), BIOCSeverity, and BIOCStatus (string-aliased) with canonical-set helpers. Includes SEV_050_CRITICAL, which the live API accepts even though the OpenAPI insert enum omits it.

BIOC names are not unique per tenant — FindBIOCByID is the only safe identity-based lookup; FindBIOCByName returns the first match and is reserved for ad-hoc CLI work.

Test plan

  • go test ./platform/... — 16 unit sub-tests covering the three endpoints, the structured errors[{index,status}] shape on both HTTP 200 and HTTP 400, the no-reply wrapper on success, the polymorphic indicator round-trip, and both FindBIOCBy* helpers.
  • go test -tags=acceptance -run TestAccBIOC ./platform/... — five lifecycle / structured-indicator / SEV_050_CRITICAL / idempotent-delete / non-unique-name tests against a live tenant; all green, tenant left clean.
  • go vet ./platform/... ./types/... ./enums/... clean.

Models the JSON shapes of /public_api/v1/bioc/{insert,get,delete}:

  * BIOC: ten writable fields accepted by /insert, plus four read-only
    fields surfaced by /get (creation_time, modification_time, source,
    number_of_issues). The Indicator field is json.RawMessage to support
    its polymorphic payload — a JSON string when is_xql=true, a JSON
    object (filter AST) otherwise.
  * BIOCFilter, ListBIOCsRequest, DeleteBIOCsRequest.
  * InsertBIOCsResponse with added_objects, updated_objects, and errors
    (the live API returns errors as objects with {index, status}, not
    strings as documented).
  * Listing and delete response wrappers.

Adds an enums package mirror with BIOCType, BIOCSeverity, and BIOCStatus
typed-string aliases plus canonical-set helpers. The severity set
includes SEV_050_CRITICAL, accepted by the live API despite being
absent from the documented enum.

Adds three endpoint constants and Client methods for /public_api/v1/
bioc/{insert,get,delete}:

  * InsertBIOCs is the upsert path — submit with no rule_id to create,
    or include rule_id to overwrite a matching record. Per-record
    failures surface in resp.Errors[{index, status}]. Unlike
    /indicators/insert, /bioc/insert returns HTTP 400 (not 200) on
    per-record validation failure but the body still uses the success
    shape; InsertBIOCs recovers the typed response from that body so
    callers can inspect resp.Errors without first handling an HTTP
    error.
  * ListBIOCs is the filter-bodied read.
  * DeleteBIOCs is the filter-bodied delete; returns the deleted
    rule_ids, and is idempotent (empty slice on no match, no error).
  * FindBIOCByID and FindBIOCByName are convenience helpers. BIOC names
    are not unique per tenant — FindBIOCByName returns the first match
    only and is unsafe for stateful flows; FindBIOCByID is the canonical
    single-record lookup. The rule_id filter field these helpers rely
    on is undocumented in the OpenAPI filter enum but accepted by the
    live API on EQ for both /bioc/get and /bioc/delete.

Success responses are top-level (no `reply` wrapper); failure responses
that aren't per-record validation errors come back with the usual
`reply.err_extra` wrapper.

  * biocs_test.go: 16 sub-tests covering Insert (create/update/HTTP 400
    with success-shape body recovery/HTTP 200 with errors/transport-
    level failures/top-level body/polymorphic indicator), List (read-
    only fields, empty result), Delete (returns ids, idempotent), and
    FindBIOCBy{ID,Name}.
  * biocs_acc_test.go: five //go:build acceptance tests against a live
    tenant — full lifecycle (create→read by id/name→in-place update→
    delete by rule_id), idempotent delete, structured-indicator round-
    trip, SEV_050_CRITICAL round-trip, and non-unique-name invariant.

Acceptance tests follow the existing env-var contract
(TEST_CORTEX_API_URL, TEST_CORTEX_API_KEY, TEST_CORTEX_API_KEY_ID) and
reuse setupAcceptanceTest from asset_group_acc_test.go.
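Added example, not code from this PR or the SDK: a hypothetical decoder for the /bioc/insert behaviour described above, where an HTTP 400 with a success-shape body is recovered as a typed response (so resp.Errors can be inspected) while a reply-wrapped failure becomes a Go error. The type names, the err_msg/err_extra field names of the reply wrapper, and the sample bodies are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical mirror of the /bioc/insert success-shape body: errors are {index, status} objects.
type InsertBIOCsResponse struct {
	AddedObjects   []string      `json:"added_objects"`
	UpdatedObjects []string      `json:"updated_objects"`
	Errors         []RecordError `json:"errors"`
}

// RecordError is one rejected record; Index is its position in the submitted batch.
type RecordError struct {
	Index  int    `json:"index"`
	Status string `json:"status"`
}

// replyWrapper is the usual reply.err_extra failure envelope (field names assumed).
type replyWrapper struct {
	Reply struct {
		ErrMsg   string `json:"err_msg"`
		ErrExtra string `json:"err_extra"`
	} `json:"reply"`
}

// DecodeInsertBIOCs yields a typed response for HTTP 200, and for an HTTP 400 whose
// body still has the success shape (top-level "errors" key), so callers inspect resp.Errors.
func DecodeInsertBIOCs(status int, body []byte) (*InsertBIOCsResponse, error) {
	var probe map[string]json.RawMessage
	_ = json.Unmarshal(body, &probe) // non-object bodies leave probe nil
	_, successShape := probe["errors"]
	if status == 200 || (status == 400 && successShape) {
		var resp InsertBIOCsResponse
		if err := json.Unmarshal(body, &resp); err != nil {
			return nil, err
		}
		return &resp, nil
	}
	var wrapped replyWrapper
	if json.Unmarshal(body, &wrapped) == nil && wrapped.Reply.ErrMsg != "" {
		return nil, fmt.Errorf("bioc/insert HTTP %d: %s (%s)", status, wrapped.Reply.ErrMsg, wrapped.Reply.ErrExtra)
	}
	return nil, fmt.Errorf("bioc/insert HTTP %d: unrecognised body", status)
}

// Constructed sample: HTTP 400 with the success shape, second record rejected.
func main() { fmt.Println(DecodeInsertBIOCs(400, []byte(`{"added_objects":["r1"],"updated_objects":[],"errors":[{"index":1,"status":"invalid type"}]}`))) }
```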