threatgrid · ereteog · Apr 29, 2025 · Apr 29, 2025 · Apr 30, 2025 · May 5, 2025
@@ -413,7 +413,7 @@
 (defn node-filters [field entity-types]
   (->> entity-types
        (map name)
-       (map #(format "%s:*%s*" field %))
+       (map #(format "%s:%s" field %))
        (clojure.string/join " OR ")
        (format "(%s)")))
 
@@ -426,8 +426,8 @@
   (let [edge-filters (->> (map #(hash-map % id) (set related_to))
                           (apply merge))
         node-filters (cond->> []
-                       (seq source_type) (cons (node-filters "source_ref" source_type))
-                       (seq target_type) (cons (node-filters "target_ref" target_type))
+                       (seq source_type) (cons (node-filters "source_type" source_type))
+                       (seq target_type) (cons (node-filters "target_type" target_type))
                        :always (string/join " AND "))]
     (into {:one-of edge-filters}
           (when (seq node-filters)

@@ -3,6 +3,7 @@
    [clojure.string :as str]
    [ctia.domain.entities :refer [long-id->id short-id->long-id with-long-id]]
    [ctia.entity.relationship.schemas :as rs]
+   [ctia.entity.relationship.es-store :as es-store]
    [ctia.flows.crud :as flows]
    [ctia.http.middleware.auth :refer [require-capability!]]
    [ctia.http.routes.common :as routes.common]
@@ -11,30 +12,11 @@
    [ctia.schemas.core :refer [APIHandlerServices Reference TLP]]
    [ctia.schemas.sorting :as sorting]
    [ctia.store :refer [create-record read-record]]
-   [ctia.stores.es.mapping :as em]
-   [ctia.stores.es.store :refer [def-es-store]]
    [ring.swagger.json-schema :refer [describe]]
    [ring.util.http-response :refer [not-found bad-request bad-request!]]
    [schema-tools.core :as st]
-   [schema.core :as s]))
-
-(def relationship-mapping
-  {"relationship"
-   {:dynamic false
-    :properties
-    (merge
-     em/base-entity-mapping
-     em/describable-entity-mapping
-     em/sourcable-entity-mapping
-     em/stored-entity-mapping
-     {:relationship_type em/token
-      :source_ref        em/token
-      :target_ref        em/token})}})
-
-(def-es-store RelationshipStore
-  :relationship
-  rs/StoredRelationship
-  rs/PartialStoredRelationship)
+   [schema.core :as s]
+   [ctia.entity.event.schemas :as es]))
 
 (def relationship-fields
   (concat sorting/default-entity-sort-fields
@@ -254,8 +236,8 @@
    :stored-schema         rs/StoredRelationship
    :partial-stored-schema rs/PartialStoredRelationship
    :realize-fn            rs/realize-relationship
-   :es-store              ->RelationshipStore
-   :es-mapping            relationship-mapping
+   :es-store              es-store/->RelationshipStore
+   :es-mapping            es-store/relationship-mapping
    :services->routes      (routes.common/reloadable-function relationship-routes)
    :capabilities          capabilities
    :fields                relationship-fields

@@ -0,0 +1,72 @@
+(ns ctia.entity.relationship.es-store
+  (:require [ctia.entity.relationship.schemas :as rs]
+            [ctia.domain.entities :refer [long-id->id]]
+            [ctia.lib.pagination :refer [list-response-schema]]
+            [ctia.stores.es.mapping :as em]
+            [ctia.stores.es.store :refer [def-es-store StoreOpts]]
+            [schema-tools.core :as st]
+            [schema.core :as s]))
+
+(def relationship-mapping
+  {"relationship"
+   {:dynamic false
+    :properties
+    (merge
+     em/base-entity-mapping
+     em/describable-entity-mapping
+     em/sourcable-entity-mapping
+     em/stored-entity-mapping
+     {:relationship_type em/token
+      :source_ref        em/token
+      :target_ref        em/token
+      :source_type       em/token
+      :target_type       em/token})}})
+
+(s/defschema ESStoredRelationship
+  (st/merge rs/StoredRelationship
+            (st/optional-keys
+             {:source_type s/Str
+              :target_type s/Str})))
+
+(s/defschema ESPartialStoredRelationship
+  (st/merge rs/PartialStoredRelationship
+            (st/optional-keys
+             {:source_type s/Str
+              :target_type s/Str})))
+
+(def ESPartialStoredRelationshipList (list-response-schema ESPartialStoredRelationship))
+(def PartialStoredRelationshipList (list-response-schema rs/PartialStoredRelationship))
+
+(s/defn stored-relationship->es-stored-relationship
+  :- ESStoredRelationship
+  "adds source and target types to a relationship"
+  [{:keys [source_ref target_ref] :as r} :- rs/StoredRelationship]
+  (assoc r
+         :source_type (:type (long-id->id source_ref))
+         :target_type (:type (long-id->id target_ref))))
+
+(s/defn es-stored-relationship->stored-relationship
+  :- ESStoredRelationship
+  "dissoc source and target types to a relationship"
+  [{:keys [source_ref target_ref] :as r} :- ESStoredRelationship]
+  (dissoc r :source_type :target_type))
+
+(s/defn es-partial-stored-relationship->partial-stored-relationship
+  :- rs/PartialStoredRelationship
+  "dissoc source and target types to a relationship"
+  [r :- ESPartialStoredRelationship]
+  (dissoc r :source_type :target_type))
+
+(s/def store-opts :- StoreOpts
+  {:stored->es-stored (comp stored-relationship->es-stored-relationship :doc)
+   :es-stored->stored (comp es-stored-relationship->stored-relationship :doc)
+   :es-partial-stored->partial-stored (comp es-partial-stored-relationship->partial-stored-relationship :doc)
+   :es-stored-schema ESStoredRelationship
+   :es-partial-stored-schema ESPartialStoredRelationship})
+
+(def-es-store RelationshipStore
+  :relationship
+  rs/StoredRelationship
+  rs/PartialStoredRelationship
+  :store-opts store-opts
+  )
@@ -65,13 +65,6 @@
   [{:keys [observables] :as s} :- StoredSighting]
   (assoc s :observables_hash (map observable->observable-hash observables)))
 
-(s/defn partial-stored-sighting->es-partial-stored-sighting
-  :- ESPartialStoredSighting
-  "adds an observables hash to a partial-sighting"
-  [{:keys [observables] :as s} :- PartialStoredSighting]
-  (cond-> s
-    observables (assoc :observables_hash (map observable->observable-hash observables))))
-
 (s/defn es-stored-sighting->stored-sighting
   :- StoredSighting
   "remove the computed observables hash from a sighting"

@@ -8,7 +8,8 @@
    [ctia.properties :as p]
    [ctia.store-service :as store-svc]
    [ctia.entity.entities :as entities]
-   [ctia.entity.sighting.schemas :refer [StoredSighting]]
+   [ctia.entity.sighting.es-store :refer [ESStoredSighting]]
+   [ctia.entity.relationship.es-store :refer [ESStoredRelationship]]
    [ctia.stores.es.crud :refer [coerce-to-fn]]
    [ctia.store-service.schemas :refer [AllStoresFn]]
    [puppetlabs.trapperkeeper.app :as app]
@@ -23,8 +24,8 @@
   (assoc (into {}
                (map (fn [[_ {:keys [entity stored-schema]}]]
                       {entity stored-schema}) (entities/all-entities)))
-         :sighting (st/merge StoredSighting
-                             {(s/optional-key :observables_hash) s/Any})))
+         :relationship ESStoredRelationship
+         :sighting ESStoredSighting))
 
 (defn type->schema [entity-type]
   (if-let [schema (get all-types entity-type)]

@@ -39,22 +39,22 @@
            (:one-of (sut/relationships-filters "id" {:related_to [:source_ref :target_ref]})))))
 
   (testing "relationships-filters should properly add query filters"
-    (is (= "(source_ref:*malware*)"
+    (is (= "(source_type:malware)"
            (:query (sut/relationships-filters "id" {:source_type [:malware]}))))
-    (is (= "(target_ref:*sighting*)"
+    (is (= "(target_type:sighting)"
            (:query (sut/relationships-filters "id" {:target_type [:sighting]}))))
-    (is (= "(target_ref:*sighting*) AND (source_ref:*malware*)"
+    (is (= "(target_type:sighting) AND (source_type:malware)"
            (:query (sut/relationships-filters "id" {:source_type [:malware]
                                                     :target_type [:sighting]}))))
-    (is (= "(source_ref:*malware* OR source_ref:*vulnerability*)"
+    (is (= "(source_type:malware OR source_type:vulnerability)"
            (:query (sut/relationships-filters "id" {:source_type [:malware :vulnerability]}))))
 
-    (is (= "(target_ref:*sighting* OR target_ref:*incident*)"
+    (is (= "(target_type:sighting OR target_type:incident)"
            (:query (sut/relationships-filters "id" {:target_type [:sighting :incident]})))))
 
   (testing "relationships-filters should return proper fields and combine filters"
     (is (= {:one-of {:source_ref "id"}
-            :query "(source_ref:*malware*)"}
+            :query "(source_type:malware)"}
            (sut/relationships-filters "id" {:source_type [:malware]
                                             :related_to [:source_ref]})))))