On 2015-02-18 13:53:27 -0800, Julien Vehent [:ulfr] wrote:
MIG provides a search API endpoint documented at http://mig.mozilla.org/doc/api.rst.html#get-root-search
It is currently very limited in functionality. It can search for action, commands, agents and investigators, but it only supports searching on a subset of fields, and each search query results in a very inefficient JOIN of all database tables that is slow to process.
The search API needs a revamp. Here are a few requirements:
- be flexible. The API should support searching inside of the json fields stored in postgres. I would like to avoid statically listing all supported JSON fields, but instead have the API try and fail with a meaningful error message when a given search field is not found.
  example: searching for an agent using its IP address, which is stored in a JSON array inside of the agent.environment column
- allow for complex queries. For example, list agents that ran an action of threat family "malware" launched by investigator named "julien vehent" over the last 20 days. If possible, I would like to do this without accepting raw SQL in API parameters, without statically defining all possible search parameters in the code and with decent performance.
- control the data returned. Right now, a lot of unnecessary data is returned by the search API, because it has no way to define which fields the requester wants.
So, in fact, we really want SQL flexibility, but in API queries, and without the risk of taking raw sql as input.
Migrated from https://bugzilla.mozilla.org/show_bug.cgi?id=1134390 Assigned to: Julien Vehent [:ulfr]
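One way to get at the first two requirements without accepting raw SQL, as an added example that is not MIG's own code: a small Go query builder that only interpolates whitelisted column names and binds both the JSON path and the comparison value as Postgres parameters, so Postgres resolves the JSON key at query time instead of the API enumerating every field. The field names, column names and the "addresses" layout of agent.environment are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// API field name -> column. Constructed for this example, not MIG's schema.
var columns = map[string]string{
	"agent.name":        "agents.name",
	"agent.environment": "agents.environment", // JSON column
}
// JSON paths are limited to dotted keys/indexes, e.g. "addresses.0".
var pathRe = regexp.MustCompile(`^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*$`)
// Filter is one API search parameter: field, optional JSON path, value.
type Filter struct {
	Field, Path, Value string
}

// BuildWhere turns filters into a parameterized WHERE clause and its args.
// Column names come only from the whitelist; the JSON path and the value are
// always bound as $n placeholders, never spliced into the SQL text.
func BuildWhere(filters []Filter) (string, []interface{}, error) {
	conds, args := []string{}, []interface{}{}
	for _, f := range filters {
		col, ok := columns[f.Field]
		if !ok {
			return "", nil, fmt.Errorf("unknown search field %q", f.Field)
		}
		if f.Path == "" {
			args = append(args, f.Value)
			conds = append(conds, fmt.Sprintf("%s = $%d", col, len(args)))
			continue
		}
		if !pathRe.MatchString(f.Path) {
			return "", nil, fmt.Errorf("invalid json path %q on %q", f.Path, f.Field)
		}
		// '#>>' takes a text[] path, so postgres resolves the key at query time
		// and the API need not enumerate every JSON field up front.
		args = append(args, "{"+strings.ReplaceAll(f.Path, ".", ",")+"}", f.Value)
		conds = append(conds, fmt.Sprintf("(%s #>> $%d) = $%d", col, len(args)-1, len(args)))
	}
	if len(conds) == 0 {
		return "", nil, nil
	}
	return "WHERE " + strings.Join(conds, " AND "), args, nil
}
```

A request for the agent with address 10.0.0.1 becomes `WHERE (agents.environment #>> $1) = $2` with args `{addresses,0}` and `10.0.0.1`; an unknown field or a path containing anything but identifiers and indexes is rejected before any SQL exists.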