Merge develop to main

.github/workflows/api-tests-bruno.yml

@@ -0,0 +1,29 @@
+# This workflow runs the API tests for the bruno application on the latest version of Ubuntu
+
+name: API Tests - Bruno
+
+on:
+  workflow_dispatch:
+permissions:
+  contents: read
+  actions: read
+  checks: write
+jobs:
+  run_bruno_api_test:
+    name: API Tests by Bruno
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies and run tests
+        run: |
+          cd bruno
+          npm install
+          npm run test
+
+      - name: Publish Test Report
+        uses: dorny/test-reporter@v1
+        if: success() || failure()          # run this step even if previous step failed
+        with:
+          name: Bruno API Tests             # Name of the check run which will be created
+          path: bruno/report.xml                  # Path to test results
+          reporter: java-junit              # Format of test results

.github/workflows/publish.yml

@@ -1,7 +1,11 @@
-name: publish
+name: Build and Publish Docker Image
+
 on:
   push:
-    branches: [main, develop]
+    branches:
+      - develop
+  release:
+    types: [published]
 
 jobs:
   publish:
@@ -11,13 +15,23 @@ jobs:
       - name: Check out the repo
         uses: actions/checkout@v3
 
-      - name: Build the Docker image
+      - name: Extract tag name
+        if: github.event_name == 'release'
+        run: echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+
+      - name: Validate tag
+        if: github.event_name == 'release'
+        run: |
+          if ! [[ "${{ env.TAG }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$ ]]; then
+            echo "Invalid tag format. The tag must follow the semantic versioning format: X.Y.Z or X.Y.Z-prerelease"
+            exit 1
+          fi
+
+      - name: Build and publish Docker image
         run: |
           echo $GITHUB_TOKEN | docker login ghcr.io -u mitre-attack --password-stdin
-          docker build . --tag ghcr.io/mitre-attack/attack-workbench-taxii-server:$TAG
-          docker push ghcr.io/mitre-attack/attack-workbench-taxii-server:$TAG
+          docker build . --tag ghcr.io/mitre-attack/attack-workbench-taxii-server:${TAG:-latest}
+          docker push ghcr.io/mitre-attack/attack-workbench-taxii-server:${TAG:-latest}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TAG: ${{ github.ref == 'refs/head/main' && 'latest' || 'develop' }}
-
-
+          TAG: ${{ env.TAG }}

.gitignore

@@ -17,6 +17,7 @@
 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
 
 # User-specific stuff
+.idea
 .idea/**/workspace.xml
 .idea/**/tasks.xml
 .idea/**/usage.statistics.xml

README.md

@@ -10,8 +10,6 @@ The following resources provide supporting documentation about the TAXII protoco
 - [Introduction to TAXII](https://oasis-open.github.io/cti-documentation/taxii/intro.html)
 - [TAXII 2.1 Specification](https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html)
 - [OASIS Open TAXII Resources](https://oasis-open.github.io/cti-documentation/resources.html#taxii-21-specification)
-<!-- TODO: this will need to change when the official TAXII 2.1 server is hosted and docs are migrated to attack-workbench-data -->
-<!-- [accessing ATT&CK data via TAXII](https://github.com/mitre/cti/blob/master/USAGE.md#access-from-the-attck-taxii-server) -->
 
 The ATT&CK Workbench application requires additional components for full operation. 
 The [ATT&CK Workbench Frontend](https://github.com/center-for-threat-informed-defense/attack-workbench-frontend) 
@@ -55,7 +53,8 @@ The application uses Swagger UI module to dynamically document the available RES
 be accessed at the path: `/api-docs`.
 
 The [docs](/docs/README.md) folder contains additional documentation about using the TAXII Server:
-- [USAGE](/docs/USAGE.md): Includes advanced details and instructions for setting up the TAXII Server.
+- [SETUP](/docs/SETUP.md): Includes advanced details and instructions for setting up the TAXII Server.
+- [USAGE](/docs/USAGE.md): User Guide on how to query/use the TAXII 2.1 REST API.
 - [CONTRIBUTING](/docs/CONTRIBUTING.md): information about how to contribute to this project.
 
 ## Install and run
@@ -121,11 +120,9 @@ npm install
 ##### Step 3. Configure the system
 
 The app is configured using environment variables loaded from a dotenv file. A template is provided for your convenience. 
-See the [USAGE](./docs/USAGE.md#environment-variables) document for a list of supported environment variables and usage 
-descriptions. 
+See the [SETUP](./docs/SETUP.md#environment-variables) document for a list of supported environment variables and usage descriptions. 
 
-Store the dotenv file in the root `config/` directory, and ensure that the `TAXII_ENV` environment variable reflects the 
-dotenv file name. `TAXII_ENV` determines the name of the environment variable which gets loaded by the server. For example:
+Store the dotenv file in the root `config/` directory, and ensure that the `TAXII_ENV` environment variable reflects the dotenv file name. `TAXII_ENV` determines the name of the environment variable which gets loaded by the server. For example:
 - If `TAXII_ENV` is equal to `dev`, then the server attempts to load `config/dev.env`.
 - If `TAXII_ENV` is equal to `prod`, then the server attempts to load `config/prod.env`.
 

bruno/Get A Collection.bru

@@ -0,0 +1,55 @@
+meta {
+  name: Get A Collection
+  type: http
+  seq: 4
+}
+
+get {
+  url: {{host}}/api/v21/collections/{{collectionId}}
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: application/taxii+json;version=2.1
+}
+
+vars:pre-request {
+  collectionId: x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858
+  ~collectionId: x-mitre-collection--1f5f1533-f617-4ca8-9ab4-6a02367fa019
+}
+
+tests {
+  test("Verify response status code", function() {
+    expect(res.getStatus()).to.equal(200);
+  });
+
+  test("Verify response content type", function() {
+    const contentType = res.getHeader('content-type');
+    expect(contentType).to.include('application/stix+json');
+    expect(contentType).to.include('version=2.1');
+  });
+
+  test("Verify response body", function() {
+    const collection = res.getBody();
+
+    expect(collection).to.have.property('id').that.is.a('string').and.is.not.empty;
+
+    expect(collection).to.have.property('title').that.is.a('string').and.is.not.empty;
+
+    if (collection.hasOwnProperty('description')) {
+      expect(collection.description).to.be.a('string');
+    }
+
+    expect(collection).to.have.property('canRead').that.is.a('boolean');
+
+    expect(collection).to.have.property('canWrite').that.is.a('boolean');
+
+    if (collection.hasOwnProperty('mediaTypes')) {
+      expect(collection.mediaTypes).to.be.an('array').and.not.be.empty;
+      collection.mediaTypes.forEach(mediaType => {
+        expect(mediaType).to.be.a('string').and.include('application/taxii+json');
+      });
+    }
+  });
+}

bruno/Get API Root Information.bru

@@ -0,0 +1,36 @@
+meta {
+  name: Get API Root Information
+  type: http
+  seq: 2
+}
+
+get {
+  url: {{host}}/api/v21/
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: application/taxii+json;version=2.1
+}
+
+tests {
+  test("Verify response status code", function() {
+    expect(res.getStatus()).to.equal(200);
+  });
+
+  test("Verify response content type", function() {
+    const contentType = res.getHeader('content-type');
+    expect(contentType).to.include('application/stix+json');
+    expect(contentType).to.include('version=2.1');
+  });
+
+  test("Verify response body", function() {
+    const data = res.getBody();
+    expect(data).to.have.property('title').that.is.a('string').and.is.not.empty;
+    expect(data).to.have.property('description').that.is.a('string').and.is.not.empty;
+    expect(data).to.have.property('version').that.is.a('string').and.startsWith('application/taxii+json');
+    expect(data).to.have.property('maxContentLength').that.is.a('string');
+    expect(parseInt(data.maxContentLength)).to.be.a('number').and.not.NaN;
+  });
+}

bruno/Get An Object.bru

@@ -0,0 +1,73 @@
+meta {
+  name: Get An Object
+  type: http
+  seq: 6
+}
+
+get {
+  url: {{host}}/api/v21/collections/{{collectionId}}/objects/{{objectId}}
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: application/taxii+json;version=2.1
+}
+
+vars:pre-request {
+  collectionId: x-mitre-collection--dac0d2d7-8653-445c-9bff-82f934c1e858
+  objectId: intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c
+}
+
+tests {
+  const { validateObject } = require('./util/object-validation');
+
+  test("Verify response status code", function() {
+    expect(res.getStatus()).to.equal(200);
+  });
+
+  test("Verify response content type", function() {
+    const contentType = res.getHeader('content-type');
+    expect(contentType).to.include('application/stix+json');
+    expect(contentType).to.include('version=2.1');
+  });
+
+  test("Verify returned object ID matches requested object ID", function() {
+    const requestedObjectId = 'intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c';
+    const data = res.getBody();
+    expect(data.objects).to.be.an('array');
+    if (data.objects.length > 0) {
+      data.objects.forEach(obj => {
+        expect(obj.id).to.equal(requestedObjectId);
+      });
+    }
+  });
+
+  test("Verify object properties", function() {
+    const data = res.getBody();
+    const failedObjects = [];
+
+    expect(data.objects).to.be.an('array');
+
+    data.objects.forEach((obj, index) => {
+      try {
+        validateObject(obj);
+      } catch (err) {
+        failedObjects.push({
+          index: index,
+          object: obj,
+          error: err.message
+        });
+      }
+    });
+
+    if (failedObjects.length > 0) {
+      const failureMessage = `${failedObjects.length} object(s) failed validation:\n\n` +
+        failedObjects.map(failedObj => {
+          return `Index: ${failedObj.index}\nObject: ${JSON.stringify(failedObj.object)}\nError: ${failedObj.error}\n`;
+        }).join('\n');
+
+      throw new Error(failureMessage);
+    }
+  });
+}

bruno/Get Collections.bru

@@ -0,0 +1,61 @@
+meta {
+  name: Get Collections
+  type: http
+  seq: 3
+}
+
+get {
+  url: {{host}}/api/v21/collections/
+  body: none
+  auth: none
+}
+
+headers {
+  Accept: application/taxii+json;version=2.1
+}
+
+tests {
+  test("Verify response status code", function() {
+      expect(res.getStatus()).to.equal(200);
+  });
+
+  test("Verify response content type", function() {
+    const contentType = res.getHeader('content-type');
+    expect(contentType).to.include('application/stix+json');
+    expect(contentType).to.include('version=2.1');
+  });
+
+  test("Verify response body", function() {
+      const data = res.getBody();
+
+      if (data.hasOwnProperty('collections')) {
+          expect(data.collections).to.be.an('array');
+
+          data.collections.forEach(collection => {
+
+              expect(collection).to.have.property('id').that.is.a('string');
+
+              expect(collection).to.have.property('title').that.is.a('string').and.is.not.empty;
+
+              if (collection.hasOwnProperty('description')) {
+                  expect(collection.description).to.be.a('string');
+              }
+
+              if (collection.hasOwnProperty('alias')) {
+                  expect(collection.alias).to.be.a('string');
+              }
+
+              expect(collection).to.have.property('canRead').that.is.a('boolean');
+
+              expect(collection).to.have.property('canWrite').that.is.a('boolean');
+
+              if (collection.hasOwnProperty('mediaTypes')) {
+                  expect(collection.mediaTypes).to.be.an('array').and.not.be.empty;
+                  collection.mediaTypes.forEach(mediaType => {
+                      expect(mediaType).to.be.a('string').and.include('application/taxii+json');
+                  });
+              }
+          });
+      }
+  });
+}