File Coverage

blib/lib/XML/IODEF.pm

Criterion	Covered	Total	%
statement	13	15	86.6
branch			n/a
condition			n/a
subroutine	5	5	100.0
pod			n/a
total	18	20	90.0

line	stmt	sub	time	code
1				package XML::IODEF;
2
3				# syntax cerbere
4	1	1	19908	use 5.006;
	1		3
	1		29
5	1	1	5	use strict;
	1		1
	1		27
6	1	1	4	use warnings;
	1		5
	1		30
7
8				# various includes
9	1	1	4	use Carp;
	1		2
	1		103
10	1	1	347	use XML::DOM;
	0
	0
11				use DateTime;
12				use XML::Simple;
13
14				# export, version, inheritance
15				require Exporter;
16
17				our @ISA = qw(Exporter);
18
19				our %EXPORT_TAGS = ( 'all' => [ qw() ] );
20
21				our @EXPORT_OK = ( @{ $EXPORT_TAGS{'all'} } );
22
23				our @EXPORT = qw(xml_encode
24				xml_decode
25				byte_to_string
26				extend_iodef
27				extend_dtd
28				set_doctype_name
29				set_doctype_sysid
30				set_doctype_pubid
31				);
32
33				our $VERSION = '0.11';
34
35				our $MAX_ITER = 20;
36
37
38
39				##----------------------------------------------------------------------------------------
40				##
41				## IODEF - An XML wrapper for building/parsing IODEF messages
42				##
43				## Erwan Lemonnier - Proact Defcom - 2002/05
44				## Adapted to IODEF by John Green - JANET-CERT - 2003/07
45				## Updated to RFC 5070 Release 2007 -- Wes Young 2010/01
46				##
47				## DESC:
48				##
49				## IODEF.pm is an interface for simply creating and parsing IODEF messages.
50				## It is compliant with IODEF v1.0, and hence provides calls for building Incident,
51				## ToolIncident, CorrelationIncident, OverflowIncident and Heartbeat IODEF messages.
52				##
53				## This interface has been designed for simplifying the task of translating a
54				## key-value based format to its iodef representation. A typical session involves
55				## the creation of a new IODEF message, the initialisation of some of it's fields
56				## and its conversion into an IODEF string, as illustrated below:
57				##
58				## use XML::IODEF;
59				##
60				## my $iodef = new XML::IODEF();
61				## $iodef->create_time();
62				## $iodef->add("IncidentAdditionalData", "myvalue", "mymeaning");
63				## $iodef->add("IncidentAdditionalData", byte_to_string($bytes), "binary-data", "byte");
64				## print $iodef->out();
65				##
66				## An interface to load and parse an IODEF message is also provided (with the
67				## 'to_hash' function), but is quite limited.
68				##
69				## This module is based on XML::DOM and contains a simplified version of the latest
70				## IODEF DTD. It is hence DTD aware and perform some validity checks on the IODEF
71				## message treated, in an attempt at easying the process of producing valid IODEF
72				## messages.
73				##
74				## This simplified internal DTD representation can easily be upgraded or extended to
75				## support new XML node. For information on how to extend IODEF with IODEF.pm, read
76				## the documentation in the source code.
77				##
78				##
79				## REM: to extract the api documentation, do 'cat IODEF.pm \| grep "##" \| sed -e "s/##//"'
80				##
81				##
82				## BSD LICENSE:
83				##
84				## All rights reserved.
85				##
86				## Redistribution and use in source and binary forms, with or without modification, are permitted
87				## provided that the following conditions are met:
88				##
89				## Redistributions of source code must retain the above copyright notice, this list
90				## of conditions and the following disclaimer.
91				## Redistributions in binary form must reproduce the above copyright notice, this list of
92				## conditions and the following disclaimer in the documentation and/or other materials
93				## provided with the distribution.
94				## Neither the name of the nor the names of its contributors may be used
95				## to endorse or promote products derived from this software without specific prior written
96				## permission.
97				##
98				## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
99				## AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
100				## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101				## ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
102				## LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
103				## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
104				## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
105				## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
106				## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
107				## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
108				## POSSIBILITY OF SUCH DAMAGE.
109				##
110				##----------------------------------------------------------------------------------------
111				##
112				## LIST OF FUNCTIONS
113				##
114				## new # create new IODEF message
115				## in # load new IODEF message from string/file
116				## out # write IODEF message to string/file
117				##
118				## to_hash # convert IODEF message to hash for easy parsing
119				## add # add a field to IODEF message
120				## get_type # return type of IODEF message
121				##
122				## create_time # initialize the CreateTime field with the current time
123				##
124				## EXPORTS:
125				##
126				## xml_encode # encode data (not binary) into an IODEF compliant string
127				## xml_decode # and the other way round
128				## byte_to_string # encode binary data into an IODEF compliant string
129				##
130				##
131				##
132
133
134
135
136				#
137				# IODEF DTD REPRESENTATION
138				# ------------------------
139				#
140				# The IODEF DTD, as all DTDs, can be represented as a class hierarchy in which
141				# each class corresponds to one node level. There can be 2 kind of relations between
142				# these node classes: inheritance (ex: a ToolIncident is an Incident) and composition
143				# (Incident contains Analyzer, Source, Target...).
144				#
145				# Below is a hash structure, called 'IODEF_DTD', which defines the whole IODEF DTD
146				# as in version xxx. Each key is the name of the root tag of an IODEF node, and its
147				# value is a structure representing the attributes, tags and subnodes allowed for
148				# this node, as well as the node's subclasses if there are some. If on attribute can
149				# take only a limited set of values, this is also specified. One class element (tag,
150				# attribute or node) may appear more than once, in which case it is specified.
151				#
152				# This IODEF DTD is then parsed by the 'load_xml_dtd' function when the IODEF.pm
153				# module is loaded, which in turn builds two internal and more convenient
154				# representations: $EXPAND_PATH & $CHECK_VALUE. These 2 hashes are used by the add()
155				# call, and faster to use than the DTD class construction.
156				#
157				# The main advantage of prefering a DTD representation of IODEF is its flexibility:
158				# if the IODEF rfc happens to change, the DTD hash is the only part of this module
159				# which will need an upgrade. Beside, it gets easy to extend IODEF by adding to the
160				# DTD some home-defined root class, and extend IODEF.pm. The extension module only
161				# needs to contain a DTD hash extending the one of IODEF, and call 'extend_iodef'.
162				# All other functions ('in', 'out', 'add', 'to_hash'...) are then inherited from IODEF.
163				#
164				# This code is actually build in a very generic way and could be used with whatever
165				# other XML format.
166				#
167				# DTD hash:
168				# ---------
169				#
170				# A DTD is represented as a hash where each key is the name of a node, and each value
171				# a hash encoding the corresponding DTD definition of this node.
172				# This hash describes the attributes, children and content type of this node,
173				# and can be deduced directly from the corresponding ELEMENT and ATTRIBUTE definitions
174				# in the DTD. Yet, some subtilities from the DTD, such as complex combinations
175				# of allowed children order and occurence, can not be represented in this model.
176				# That's why this DTD representation only is a pseudo-DTD, and will not be able
177				# to comply to some case of complex DTDs.
178				#
179				# A node has a name, which is its tag string. This name is the node's key in the DTD
180				# hash.
181				#
182				# A node may has children nodes. These children are listed in an anonymous array
183				# associated to the CHILDREN key. Each element of this children array is a string
184				# made of the name of the child node preceded by a one letter prefix representing
185				# the allowed occurencies of this child node. This prefix should be one of:
186				#
187				# prefix meaning
188				# ------ -------
189				#
190				# ? 0 or 1 occurences
191				# + 1 or more
192				# * 0 or more
193				# 1 exactly one
194				# # unknown (in practice, same as *)
195				#
196				# The order of the children names in the children array reflects the order of
197				# children nodes in the DTD. As a result, the XML::IODEF API allows only to
198				# create XML messages with one given order of children in each node. If the DTD
199				# allows other combinations, it can not be encoded in XML::IODEF, and you will
200				# have to choose one of the possible combinations when writting the pseudo-DTD.
201				# In some cases, this won't be possible. That's why this API can not yet be
202				# generalised to any generating any XML format.
203				#
204				# A node can also have attributes, which are represented as keys of the ATTRIBUTES
205				# hash. The value associated with each key is an array of the values allowed for this
206				# attributes, or an empty array if there are no restrictions on the value.
207				#
208				# Finally, a node can have a content, declared under the CONTENT key. That key can
209				# accept 3 values: ANY, PCDATA, EMPTY. In practice, all are treated as PCDATA internaly.
210				#
211				# ex: DTD entity definition
212				#
213				# "EntityName" = {
214				# ATTRIBUTES => { "attribute1" => [ list of values ],
215				# "attribute2" => [],
216				# ...
217				# },
218				# CHILDREN => [ "elem1", "elem2"... ],
219				# CONTENT => ANY \| PCDATA \| EMPTY
220				# }
221				#
222
223
224				#
225				# CONTENT:
226				# --------
227				#
228				# the official xml contents supported by this simplified DTD representation
229
230				use constant ANY => "ANY";
231				use constant PCDATA => "PCDATA";
232				use constant EMPTY => "EMPTY";
233
234
235
236				#
237				# IODEF_DTD:
238				# ----------
239				#
240				# A hash encoding all the xml entities defined in the IODEF DTD, as
241				# specified in the version $IODEF_VERSION of the IODEF draft.
242				#
243				# REM: this is a simplified DTD representation and does not reflect
244				# exactly the content of the IODEF DTD.
245				# In particular, this representation does not properly represent
246				# for each entity the allowed number and occurences of its children.
247
248				# version of the IODEF draft used for this DTD
249				my $IODEF_VERSION = "1.0";
250
251				my $IODEF_DTD = {
252
253				# each children of an entity should have a 1 letter code prefixed
254				# to its name, reflecting the occurences, as allowed by the DTD, and
255				# according to the list below:
256
257				"IODEF-Document" => {
258				ATTRIBUTES => {
259				"version" => ["1.0"],
260				"lang" => [],
261				"formatid" => [],
262				"xmlns:iodef" => [ "urn:ietf:params:xml:ns:iodef-1.0" ],
263				"xmlns:xsi" => [ "http://www.w3.org/2001/XMLSchema-instance" ],
264				"xsi:schemaLocation" => [ "urn:ietf:params:xmls:schema:iodef-1.0" ]
265				},
266				CHILDREN => [ "+Incident" ],
267				},
268
269				"Incident" => {
270				ATTRIBUTES => {
271				"purpose" => [ "traceback", "mitigation", "reporting", "other", "ext-value" ],
272				"ext-purpose" => [],
273				"lang" => [],
274				"restriction" => [ "public", "need-to-know", "private", "default" ]
275				},
276				CHILDREN => [ "1IncidentID", "?AlternativeID", "?RelatedActivity", "?DetectTime",
277				"?StartTime", "?EndTime", "1ReportTime", "*Description", "+Assessment",
278				"Method", "+Contact", "EventData", "?History", "*AdditionalData" ]
279				},
280
281				"IncidentID" => {
282				ATTRIBUTES => {
283				"name" => [],
284				"instance" => [],
285				"restriction" => [ "public", "need-to-know", "private", "default" ]
286				},
287				CONTENT => PCDATA
288				},
289
290				"AlternativeID" => {
291				ATTRIBUTES => {
292				"restriction" => [ "public", "need-to-know", "private", "default" ]
293				},
294				CHILDREN => ["+IncidentID"]
295				},
296
297				"RelatedActivity" => {
298				ATTRIBUTES => { "restriction" => [ "public", "need-to-know", "private", "default" ] },
299				CHILDREN => [ "IncidentID", "URL" ],
300				},
301
302				"AdditionalData" => {
303				ATTRIBUTES => {
304				"dtype" => ["boolean", "byte", "character", "date-time", "integer", "portlist",
305				"real", "string", "file", "frame", "packet", "ipv4-packet", "ipv6-packet",
306				"path", "url", "csv", "winreg", "xml", "ext-value"],
307				"ext-dtype" => [],
308				"meaning" => [],
309				"formatid" => [],
310				"restriction" => [ "public", "need-to-know", "private", "default" ],
311				},
312				CONTENT => ANY,
313				},
314
315				"Contact" => {
316				ATTRIBUTES => {
317				"role" => [ "creator", "admin", "tech", "irt", "cc", "ext-value" ],
318				"ext-role" => [],
319				"type" => [ "person", "organization", "ext-value" ],
320				"ext-type" => [],
321				"restriction" => [ "public", "need-to-know", "private", "default" ]
322				},
323				CHILDREN => [ "?ContactName", "Description", "RegistryHandle","?PostalAddress","*Email",
324				"Telephone", "?Fax", "?Timezone", "Contact", "*AdditionalData" ],
325				},
326
327				"RegistryHandle" => {
328				ATTRIBUTES => {
329				"registry" => [ "internic", "apnic", "arin", "lacnic", "ripe", "afrinic", "local", "ext-value" ],
330				"ext-registry" => [],
331				},
332				CONTENT => PCDATA,
333				},
334
335				"PostalAddress" => {
336				ATTRIBUTES => {
337				"meaning" => [],
338				"lang" => [],
339				},
340				CONTENT => PCDATA
341				},
342
343				"Email" => {
344				ATTRIBIUTES => {
345				"meaning" => [],
346				},
347				CONTENT => PCDATA
348				},
349
350				"Telephone" => {
351				ATTRIBUTES => {
352				"meaning" => [],
353				},
354				CONTENT => PCDATA
355				},
356
357				"Fax" => {
358				ATTRIBUTES => {
359				"meaning" => []
360				},
361				CONTENT => PCDATA
362				},
363
364				"StartTime" => {
365				CONTENT => PCDATA
366				},
367
368				"EndTime" => {
369				CONTENT => PCDATA
370				},
371
372				"DetectTime" => {
373				CONTENT => PCDATA
374				},
375
376				"ReportTime" => {
377				CONTENT => PCDATA
378				},
379
380				"DateTime" => {
381				CONTENT => PCDATA
382				},
383
384				"Method" => {
385				ATTRIBUTES => {
386				"restriction" => [ "public", "need-to-know", "private", "default" ]
387				},
388				CHILDREN => ["Reference", "Description", "*AdditionalData"],
389				},
390
391				"Reference" => {
392				CHILDREN => ["1ReferenceName", "URL", "Description"],
393				},
394
395				"Assessment" => {
396				ATTRIBUTES => {
397				"occurence" => ["actual", "potential"],
398				"restriction" => [ "public", "need-to-know", "private", "default" ]
399				},
400				CHILDREN => [ "Impact", "TimeImpact", "MonetaryImpact", "Counter", "?Confidence",
401				"*AdditionalData"]
402				},
403
404				"Impact" => {
405				ATTRIBUTES => {
406				"lang" => [],
407				"severity" => [ "low", "medium", "high" ],
408				"completion" => [ "failed", "succeeded" ],
409				"type" => [ "admin", "dos", "file", "info-leak", "misconfiguration",
410				"policy", "recon", "social-engineering", "user", "unknown",
411				"ext-value"],
412				"ext-type" => [],
413				},
414				CONTENT => PCDATA
415				},
416
417				"TimeImpact" => {
418				ATTRIBUTES => {
419				"severity" => [ "low", "medium", "high" ],
420				"metric" => [ "labor", "elapsed", "downtime", "ext-value" ],
421				"ext-metric" => [],
422				"duration" => [ "second", "minute", "hour", "day", "month", "quarter", "year", "ext-value" ],
423				"ext-duration" => []
424				},
425				CONTENT => PCDATA
426				},
427
428				"MonetaryImpact" => {
429				ATTRIBUTES => {
430				"severity" => [ "low", "medium", "high" ],
431				"currency" => []
432				},
433				CONTENT => PCDATA
434				},
435
436				"Confidence" => {
437				ATTRIBUTES => {
438				"rating" => [ "low", "medium", "high", "numeric" ],
439				},
440				CONTENT => PCDATA,
441				},
442
443				"History" => {
444				ATTRIBUTES => {
445				"restriction" => [ "public", "need-to-know", "private", "default" ]
446				},
447				CHILDREN => [ "+HistoryItem" ],
448				},
449
450				"HistoryItem" => {
451				ATTRIBUTES => {
452				"restriction" => [ "public", "need-to-know", "private", "default" ],
453				"action" => [ "nothing", "contact-source-site", "contact-target-site", "contact-sender", "investigate",
454				"block-host", "block-network", "block-port", "rate-limit-host", "rate-limit-network",
455				"rate-limit-port", "remediate-other", "status-triage", "status-new-info", "other",
456				"ext-value" ],
457				"ext-action" => []
458				},
459				CHILDREN => [ "1DateTime", "?IncidentID", "?Contact", "Description", "AdditionalData" ],
460				},
461
462				"EventData" => {
463				ATTRIBUTES => {
464				"restriction" => [ "public", "need-to-know", "private", "default" ],
465				},
466				CHILDREN => [ "Description", "?DetectTime", "?StartTime", "?EndTime", "Contact",
467				"?Assessment", "Method", "Flow", "*Expectation", "?Record",
468				"EventData", "AdditionalData"]
469				},
470
471				"Expectation" => {
472				ATTRIBUTES => {
473				"restriction" => [ "public", "need-to-know", "private", "default" ],
474				"severity" => [ "low", "medium", "high" ],
475				"action" => [ "nothing", "contact-source-site", "contact-target-site", "contact-sender", "investigate",
476				"block-host", "block-network", "block-port", "rate-limit-host", "rate-limit-network",
477				"rate-limit-port", "remediate-other", "status-triage", "status-new-info", "other",
478				"ext-value" ],
479				"ext-action" => []
480				},
481				CHILDREN => [ "*Description", "?StartTime", "?EndTime", "?Contact" ]
482				},
483
484				"Flow" => {
485				CHILDREN => [ "+System" ],
486				},
487
488				"System" => {
489				ATTRIBUTES => {
490				"restriction" => [ "public", "need-to-know", "private", "default" ],
491				"category" => [ "source", "target", "intermediate", "sensor" , "infrastructure",
492				"ext-value" ],
493				"ext-category" => [],
494				"interface" => [],
495				"spoofed" => [ "unknown", "yes", "no" ],
496				},
497				CHILDREN => [ "1Node", "Service", "OperatingSystem", "Description", "AdditionalData" ]
498				},
499
500				"Node" => {
501				CHILDREN => [ "NodeName", "Address", "?Location", "?DateTime", "*NodeRole",
502				"*Counter"]
503				},
504
505				"Counter" => {
506				ATTRIBUTES => {
507				"type" => [ "byte", "packet", "flow", "session", "alert",
508				"message", "event", "host", "site", "organization",
509				"ext-value" ],
510				"ext-type" => [],
511				"meaning" => [],
512				"duration" => [ "second", "minute", "hour", "day", "month", "quarter", "year", "ext-value" ],
513				"ext-duration" => [],
514				},
515				CONTENT => PCDATA
516				},
517
518				"Address" => {
519				ATTRIBUTES => {
520				"category" => [ "asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
521				"ipv4-net-mask", "ipv6-addr", "ipv6-net", "ipv6-net-mask", "mac",
522				"ext-value" ],
523				"ext-category" => [],
524				"vlan-name" => [],
525				"vlan-num" => [],
526				},
527				CONTENT => PCDATA
528				},
529
530				"NodeRole" => {
531				ATTRIBUTES => {
532				"category" => [ "client", "server-internal", "server-public", "www", "mail",
533				"messaging", "streaming", "voice", "file", "ftp",
534				"p2p", "name", "directory", "credential", "print",
535				"application", "database", "infra", "log", "ext-value"],
536				"ext-category" => [],
537				"lang" => [],
538				}
539				},
540
541				"Service" => {
542				ATTRIBUTES => {
543				"ip_protocol" => [],
544				},
545				CHILDREN => [ "?Port", "?Portlist", "?ProtoCode", "?ProtoType", "?ProtoFlags",
546				"?Application" ]
547				},
548
549				"Application" => {
550				ATTRIBUTES => {
551				"swid" => [],
552				"configid" => [],
553				"vendor" => [],
554				"family" => [],
555				"name" => [],
556				"version" => [],
557				"patch" => [],
558				},
559				CHILDREN => [ "?URL" ]
560				},
561
562				"OperatingSystem" => {
563				ATTRIBUTES => {
564				"swid" => [],
565				"configid" => [],
566				"vendor" => [],
567				"family" => [],
568				"name" => [],
569				"version" => [],
570				"patch" => [],
571				},
572				CHILDREN => [ "?URL" ]
573				},
574
575				"Record" => {
576				ATTRIBUTES => {
577				"restriction" => [ "public", "need-to-know", "private", "default" ],
578				},
579				CHILDREN => [ "+RecordData" ]
580				},
581
582				"RecordData" => {
583				ATTRIBUTES => {
584				"restriction" => [ "public", "need-to-know", "private", "default" ],
585				},
586				CHILDREN => [ "?DateTime", "Description", "?Application", "RecordPattern", "+RecordItem",
587				"*AdditionalData" ]
588				},
589
590				"RecordPattern" => {
591				ATTRIBUTES => {
592				"type" => [ "regex", "binary", "xpath", "ext-value" ],
593				"ext-type" => [],
594				"offset" => [],
595				"offsetunit" => [ "line", "binary", "ext-value" ],
596				"ext-offsetunit" => [],
597				"instance" => [],
598				},
599				CONTENT => PCDATA,
600				},
601
602				"RecordItem" => {
603				ATTRIBUTES => { "dtype" => ["boolean", "byte", "character", "date-time", "integer", "portlist",
604				"real", "string", "file", "frame", "packet", "ipv4-packet", "ipv6-packet",
605				"path", "url", "csv", "winreg", "xml", "ext-value"],
606				"ext-dtype" => [],
607				"meaning" => [],
608				"formatid" => [],
609				"restriction" => [ "public", "need-to-know", "private", "default" ],
610				},
611				CONTENT => ANY,
612				},
613
614				#
615				# Simple elements with no sub-elements and no attributes
616				#
617				"Description" => { CONTENT => PCDATA },
618				"URL" => { CONTENT => PCDATA },
619				"ContactName" => { CONTENT => PCDATA },
620				"Timezone" => { CONTENT => PCDATA },
621				"ReferenceName" => { CONTENT => PCDATA },
622				"NodeName" => { CONTENT => PCDATA },
623				"Location" => { CONTENT => PCDATA },
624				"Port" => { CONTENT => PCDATA },
625				"Portlist" => { CONTENT => PCDATA },
626				"ProtoCode" => { CONTENT => PCDATA },
627				"ProtoType" => { CONTENT => PCDATA },
628				"ProtoFlags" => { CONTENT => PCDATA },
629
630				};
631
632
633
634
635				##--------------------------------------------------------------------------------
636				##
637				##
638				## CLASS METHODS:
639				## --------------
640				##
641				##
642				##--------------------------------------------------------------------------------
643
644
645
646
647				##================================================================================
648				##
649				## XML PSEUDO DTD LOADER
650				##
651				##================================================================================
652				##
653				## Below is the generic code for loading a pseudo DTD representation of an XML
654				## DTD into structures optimised for internal usage.
655				##
656
657
658
659				# $EXPAND_PATH is a hash table linking an iodef tag path to the corresponding list
660				# of arguments needed to add a value at this path with the add() call.
661				# each key is a tagpath to a given IODEF field, as given to the 'add()' call.
662				# each corresponding value is an array containing the list of tags in the
663				# tagpath, preceded by 2 values. The first one is 'A' if the pointed field is
664				# an attribute, 'C' if it is a content, 'N' if it is just a node. Notice that
665				# a C path is a N path.
666				# ex:
667				# 'IncidentEventDatarestriction' => [ A, "Incident", "EventData", "restriction"],
668				# 'Incidentpurpose' => [ A, "Incident", "purpose"],
669				# 'IncidentDescription' => [ C, "Incident", "Description"],
670				# 'IncidentEventDataStartTime' => [ C, "Incident", "EventData", "StartTime"],
671				# 'IncidentContact => [ N, "Incident", "Contact"],
672
673				my $EXPAND_PATH = {};
674
675
676				# hash of the tagpaths for which the values can only take a limited set of values
677				# which can be checked with check_allowed. each key is a tagpath, each value is
678				# an array of the corresponding allowed values.
679				#
680				# ex:
681				# 'Incidentpurpose' => [ 'reporting', 'mitigation'... ],
682				#
683
684				my $CHECK_VALUE = {};
685
686
687				# DEPRECATED
688				# a counter used by create_ident's unique id generator
689				#
690
691				my $ID_COUNT = 0;
692
693
694				#
695				# Internal variables describing the DTD in use
696				# --------------------------------------------
697				#
698				# This variables are to be initiated by a serie
699				# of api calls, listed below.
700
701				my $DTD = undef;
702				my $ROOT = undef;
703
704
705				#
706				# xml declaration
707				#
708
709				my $XML_DECL_VER = "1.0";
710				my $XML_DECL_ENC = "UTF-8";
711
712
713				#
714				# IODEF DTD declaration
715				#
716
717				my $DOCTYPE_NAME = "IODEF-Document";
718				my $DOCTYPE_SYSID = "IODEF-Document.dtd";
719				my $DOCTYPE_PUBID = "-//IETF//DTD RFC 5070 IODEF v1.0//EN";
720
721
722
723				##----------------------------------------------------------------------------------------
724				##
725				## set_doctype_name()
726				## set_doctype_sysid()
727				## set_doctype_pubid()
728				##
729
730				sub set_doctype_name { $DOCTYPE_NAME = shift; }
731				sub set_doctype_sysid { $DOCTYPE_SYSID = shift; }
732				sub set_doctype_pubid { $DOCTYPE_PUBID = shift; }
733
734
735
736				##----------------------------------------------------------------------------------------
737				##
738				## extend_dtd($DTD_extension, "new_root_class")
739				##
740				## ARGS:
741				## $DTD_extension a DTD hash, as described in the source doc above.
742				## "new_root_class" the name of a new root class
743				##
744				## RETURN:
745				## This function can be used to extend IODEF by adding a new
746				## root class definition to the original IODEF DTD.
747				## $DTD_extension is a DTD hash, as defined above, providing definitions
748				## for all the new IODEF classes introduced by the extension, including
749				## the one for the new root class.
750				## "new_root_class" is the name of the root node of the IODEF extension.
751				## From now on, the usual IODEF calls ('in', 'add', 'to_hash'...) can be
752				## used to create/parse extended messages as well.
753				##
754				## To extend IODEF, use extend_dtd(, "IODEF-Message")
755				## To load a new DTD, extend_dtd(, "new root") + call set_doctype_*
756				##
757
758				sub extend_dtd {
759				my($dtd, $name) = @_;
760
761				$name = "IODEF-Document" if (!defined($name));
762
763				foreach my $k (keys(%{$dtd})) {
764				$IODEF_DTD->{$k} = $dtd->{$k};
765				}
766
767				load_xml_dtd($IODEF_DTD, $name);
768				}
769
770
771
772				##----------------------------------------------------------------------------------------
773				##
774				## load_xml_dtd(, )
775				##
776				## ARGS:
777				## a DTD hash
778				## the name (string) of the DTD's root class
779				##
780				## RETURN:
781				## This is the DTD parser used to load the IODEF DTD in the DTD
782				## engine at startup.
783				## This function parses the DTD entity list as defined
784				## through the hash and builds the xml class tree of
785				## the root node .
786				##
787				## EX:
788				## # load the IODEF DTD at startup
789				## load_xml_dtd($IODEF_DTD, "IODEF-Message");
790				##
791
792				sub load_xml_dtd {
793				my($dtd, $root) = @_;
794
795				defined($dtd)
796				\|\| croak "XML::IODEF - load_xml_dtd: received a null ref in place of DTD hash.";
797				defined($root)
798				\|\| croak "XML::IODEF - load_xml_dtd: received a null ref in place of DTD root name.";
799				exists($dtd->{$root})
800				\|\| croak "XML::IODEF - load_xml_dtd: the root entity \'$root\' is not defined in the DTD hash.";
801
802				my $err = check_xml_dtd($dtd, $root, 0);
803				croak "XML::IODEF - load_xml_dtd: $err errors in the pseudo DTD. dying."
804				if ($err > 0);
805
806				# everything fine, accept DTD
807				$DTD = $dtd;
808				$ROOT = $root;
809
810				fill_internal_hashes($DTD, "1".$ROOT,0);
811
812				return 0;
813				}
814
815
816
817				#----------------------------------------------------------------------------------------
818				#
819				# fill_internal_hashes(, [, @path])
820				#
821				# build the EXPAND_PATH and CHECK_VALUE hashes.
822				# it works recursively, and @path is the path of tags
823				# of where we currently are in the xml tree.
824				#
825
826				sub fill_internal_hashes {
827				my($dtd, $name, $depth, @path) = @_;
828				my($node, $k, $v, $type, $att, $kid, $vals);
829
830				$node = $dtd->{substr($name,1)};
831				$k = join '', map({substr $_, 1} @path, $name);
832
833				# add node too EXPAND_PATH, as a node or content
834				if (exists($node->{CONTENT})) {
835				$EXPAND_PATH->{$k} = ['C', @path, $name];
836				} else {
837				$EXPAND_PATH->{$k} = ['N', @path, $name];
838				}
839
840				# does it have attributes? if so, add them.
841				if (exists($node->{ATTRIBUTES})) {
842				foreach $att (keys %{$node->{ATTRIBUTES}}) {
843				$EXPAND_PATH->{$k.$att} = ['A', @path, $name, $att];
844
845				# fill CHECK_VALUE hash
846				$vals = $node->{ATTRIBUTES}->{$att};
847				$CHECK_VALUE->{$k.$att} = $vals
848				if ((scalar @{$vals}) > 0);
849				}
850				}
851
852				# does it have children elements? if so, add them.
853				if (exists($node->{CHILDREN}) && ( $depth < $MAX_ITER) ) {
854				foreach $kid (@{$node->{CHILDREN}}) {
855				fill_internal_hashes($dtd, $kid, $depth+1, @path, $name);
856				}
857				}
858
859				return 0;
860				}
861
862
863
864				#----------------------------------------------------------------------------------------
865				#
866				# check_xml_dtd(, )
867				#
868				# internal function, called by load_xml_dtd to validate the pseudo DTD's
869				# syntax. recursive function. log errors to stdout.
870				#
871				# return 0 if no error found, a positive number (error count) if errors found.
872				# If error found, the module should croak.
873				#
874
875				sub check_xml_dtd {
876				my($dtd, $name, $depth) = @_;
877				my($ent, $code, $child);
878				my $ret = 0;
879
880				# check if entity is defined in pseudo-dtd
881				if (!exists($dtd->{$name})) {
882				print "XML::IODEF - check_xml_dtd: entity \'$name\' is not defined in the pseudo DTD.\n";
883				return 1;
884				}
885
886				$ent = $dtd->{$name};
887
888				# check entity content code
889				if (exists($ent->{CONTENT})) {
890				$code = $ent->{CONTENT};
891				if ($code ne PCDATA && $code ne ANY && $code ne EMPTY) {
892				print "XML::IODEF - check_xml_dtd: entity \'$name\' does not have a valid content.\n";
893				$ret++;
894				}
895				}
896
897				# check each child of this entity
898				if (exists($ent->{CHILDREN}) && ($depth < $MAX_ITER)) {
899				$code = $ent->{CHILDREN};
900				foreach $child (@{$code}) {
901
902				# check that children starts with occurence code
903				if (index("?*+1#", substr($child,0,1)) == -1) {
904				print "XML::IODEF - check_xml_dtd: children \'$child\' of entity \'$name\' does not have a proper occurence code.\n";
905				$ret++;
906				} else {
907				# check children's validity
908				$ret += check_xml_dtd($dtd, substr($child,1), $depth+1);
909				}
910				}
911				}
912
913				return $ret;
914				}
915
916
917
918				##--------------------------------------------------------------------------------
919				##
920				## MODULE LOAD TIME INITIALISATION
921				##
922				##--------------------------------------------------------------------------------
923
924				# DTD engine initialization:
925				# load the IODEF root classes: Incident, and build the intermediary
926				# structures representing the DTD (EXPAND_PATH & CHECK_VALUE) used by API calls
927				# such as add().
928				load_xml_dtd($IODEF_DTD, "IODEF-Document");
929
930
931
932				# return true to package loader
933				1;
934
935
936
937
938
939				##--------------------------------------------------------------------------------
940				##
941				##
942				## OBJECT METHODS:
943				## ---------------
944				##
945				##
946				##--------------------------------------------------------------------------------
947
948
949
950				##----------------------------------------------------------------------------------------
951				##
952				## new IODEF()
953				##
954				## RETURN
955				## a new empty IODEF message, with initiated doctype and xml declaration
956				## as well as root element and IODEF version tag.
957				##
958				## DESC
959				## create a new empty iodef message
960				##
961				## EXAMPLES:
962				## $iodef = new XML::IODEF();
963				##
964
965				sub new {
966				my($iodef, $doc, $x);
967
968				$iodef = {};
969				bless($iodef, "XML::IODEF");
970
971				$doc = new XML::DOM::Document();
972
973				#$x = $doc->createDocumentType($DOCTYPE_NAME, $DOCTYPE_SYSID, $DOCTYPE_PUBID);
974				#$doc->setDoctype($x);
975
976				$x = $doc->createXMLDecl($XML_DECL_VER, $XML_DECL_ENC);
977				$doc->setXMLDecl($x);
978
979				$iodef->{"DOM"} = $doc;
980
981				$iodef->add("version", $IODEF_VERSION);
982				# $iodef->add("xmlns:iodef", "urn:ietf:params:xml:ns:iodef-1.0");
983				$iodef->add("xmlns:xsi","http://www.w3.org/2001/XMLSchema-instance");
984				$iodef->add("xsi:schemaLocation","urn:ietf:params:xmls:schema:iodef-1.0");
985
986				return $iodef;
987				}
988
989
990
991				##----------------------------------------------------------------------------------------
992				##
993				## in(, )
994				##
995				## ARGS:
996				## iodef object
997				## can be either a path to an IODEF file to load, or an IODEF string.
998				## if it is an empty string, a new empty IODEF message is created.
999				## RETURN:
1000				## a hash to the loaded IODEF message
1001				##
1002				## DESC:
1003				## loads an iodef message into an IODEF container (a hash with XML::Simple syntax)
1004				## the input can either be a string, a file or an empty string. if the parsed IODEF
1005				## message does not include an XML or DOCTYPE declaration, it will be added, assuming
1006				## IODEF v1.0 as the default.
1007				##
1008				## EXAMPLES:
1009				## my $iodef = (new XML::IODEF)->in("/home/user/iodef.xml");
1010				## $iodef = $iodef->in("");
1011				##
1012
1013				sub in {
1014				my($iodef, $arg) = @_;
1015				my($doc, $parser, $x);
1016
1017				# if no param, create empty XML::IODEF doc
1018				return new XML::IODEF if (!defined($iodef));
1019				return new XML::IODEF if (!defined($arg));
1020
1021				# parse IODEF string or file
1022				$parser = XML::DOM::Parser->new;
1023
1024				# is $arg an iodef string or a filepath? test if it starts with <
1025				$arg =~ / *(.)/;
1026				if ($1 eq "<") {
1027				$doc = $parser->parse($arg);
1028				} else {
1029				$doc = $parser->parsefile($arg);
1030				}
1031
1032				# check that the document has a DOCTYPE and an XML declaration
1033				#if (!defined($doc->getDoctype())) {
1034				#$x = $doc->createDocumentType($DOCTYPE_NAME, $DOCTYPE_SYSID, $DOCTYPE_PUBID);
1035				#$doc->setDoctype($x);
1036				#}
1037
1038				if (!defined($doc->getXMLDecl())) {
1039				$x = $doc->createXMLDecl($XML_DECL_VER, $XML_DECL_ENC);
1040				$doc->setXMLDecl($x);
1041				}
1042
1043				$iodef->{"DOM"} = $doc;
1044
1045				return $iodef;
1046				}
1047
1048
1049
1050				##----------------------------------------------------------------------------------------
1051				##
1052				## out()
1053				##
1054				## ARGS:
1055				## an XML::IODEF object
1056				##
1057				## RETURN:
1058				## a string containing the corresponding IODEF message
1059				##
1060				## EXAMPLES:
1061				## $string = $iodef->out();
1062				##
1063
1064				sub out {
1065				my $iodef = shift;
1066				return $iodef->{"DOM"}->toString;
1067				}
1068
1069
1070
1071				##----------------------------------------------------------------------------------------
1072				##
1073				## get_root()
1074				##
1075				## ARGS:
1076				## an XML::IODEF object
1077				##
1078				## RETURN:
1079				## a string representing the name of the root element of the IODEF message,
1080				## normally "IODEF-Document", or undef if no root element defined.
1081				##
1082				## EXAMPLES:
1083				## $iodef = new XML::IODEF();
1084				## $iodef->add("IncidentIncidentID", "#12345");
1085				## $root = $iodef->get_root(); # $type now contains the string "IODEF-Document"
1086				##
1087
1088				sub get_root {
1089				my $iodef = shift;
1090
1091				my $c = $iodef->{"DOM"}->getDocumentElement();
1092				return $c->getTagName()
1093				if (defined($c));
1094
1095				return undef;
1096				}
1097
1098
1099
1100				##----------------------------------------------------------------------------------------
1101				##
1102				## get_type()
1103				##
1104				## ARGS:
1105				## an XML::IODEF object
1106				##
1107				## RETURN:
1108				## a string representing the type of IODEF message ("Incident"...)
1109				## or undef if this message does not have a type yet.
1110				##
1111				## EXAMPLES:
1112				## $iodef = new XML::IODEF();
1113				## $iodef->add("IncidentIncidentID", "#12345");
1114				## $type = $iodef->get_type(); # $type now contains the string "Incident"
1115				##
1116
1117				sub get_type {
1118				my $iodef = shift;
1119
1120				my $c = $iodef->{"DOM"}->getDocumentElement();
1121				return undef
1122				if (!defined($c));
1123
1124				foreach my $n ($c->getChildNodes()) {
1125				return $n->getTagName()
1126				if ($n->getNodeType() == ELEMENT_NODE);
1127				}
1128
1129				return undef;
1130				}
1131
1132
1133
1134				##----------------------------------------------------------------------------------------
1135				##
1136				## contains(, )
1137				##
1138				## ARGS:
1139				## iodef: a hash representation of an IODEF message, as received from new or in
1140				## tagpath: a string obtained by concatenating the names of the nested tags, from the
1141				## Incident tag down to the closest tag to value.
1142				##
1143				## RETURN:
1144				## 1 if there is at least one value set to the particular tagpath.
1145				## 0 otherwise.
1146				##
1147
1148				sub contains {
1149				my($iodef, $path) = @_;
1150				my($type, @tagpath, $dom, $att, $n);
1151
1152				$path = $ROOT.$path;
1153				$dom = $iodef->{"DOM"}->getDocumentElement;
1154
1155				return 0 if (!defined $dom);
1156
1157				return 0 if (!exists($EXPAND_PATH->{$path}));
1158
1159				($type, @tagpath) = @{$EXPAND_PATH->{$path}};
1160
1161				$att = pop @tagpath
1162				if ($type eq 'A');
1163
1164				if ($type eq 'N' or $type eq 'C') {
1165				defined(find_node($dom, @tagpath)) ? return 1 : return 0;
1166
1167				} elsif ($type eq 'A') {
1168				$n = find_node($dom, @tagpath);
1169				return 0 if (!defined($n));
1170				($n->getAttribute($att) ne "") ? return 1 : return 0;
1171				}
1172
1173				croak "contains: internal error. found element of type $type.";
1174				}
1175
1176
1177
1178				#----------------------------------------------------------------------------------------
1179				#
1180				# find_node($node, @tagpath)
1181				#
1182				# return the last node in @tagpath if @tagpath exists in $dom,
1183				# return undef otherwise
1184				# @tagpath are the name of DOM::Elements inside $dom. no attribute.
1185				# tagpath starts at the root (IODEF-Message)
1186				# if the tagpath occurs multiple times, return the first occurence of it.
1187				#
1188
1189				sub find_node {
1190				my($node, @tagpath) = @_;
1191				my($name, $n, $m);
1192
1193				$name = substr(shift(@tagpath), 1);
1194
1195				if ($node->getTagName() eq $name) {
1196
1197				return $node
1198				if ((scalar @tagpath) == 0);
1199
1200				foreach $n ($node->getChildNodes()) {
1201				if ($n->getNodeType() == ELEMENT_NODE) {
1202				$m = find_node($n, @tagpath);
1203				if (defined($m)) {
1204				return $m;
1205				}
1206				}
1207				}
1208				}
1209
1210				return undef;
1211				}
1212
1213
1214
1215
1216				#----------------------------------------------------------------------------------------
1217				#
1218				# find_node_in_first_path($node, @tagpath)
1219				#
1220				# similar to find_node(), but look only through the first
1221				# occurence of the tagpath. the node may hence exists somewhere else.
1222				# return the last node in @tagpath if @tagpath exists in $dom,
1223				# return undef otherwise
1224				#
1225
1226				sub find_node_in_first_path {
1227				my($node, @tagpath) = @_;
1228				my($tag, $name, $n, $next);
1229
1230				$name = substr(shift @tagpath, 1);
1231
1232				return undef
1233				if ($node->getTagName() ne $name);
1234
1235				foreach $tag (@tagpath) {
1236				$name = substr($tag, 1);
1237
1238				# find a child with right name
1239				$next = undef;
1240				foreach $n ($node->getChildNodes()) {
1241				if ($n->getNodeType() == ELEMENT_NODE and $n->getTagName() eq $name) {
1242				$next = $n;
1243				last;
1244				}
1245				}
1246
1247				# next child not found
1248				return undef
1249				if (!defined($next));
1250
1251				$node = $next;
1252				}
1253
1254				return $node;
1255				}
1256
1257
1258				##----------------------------------------------------------------------------------------
1259				##
1260				## add(hash, tagpath, value)
1261				##
1262				## ARGS:
1263				## hash: a hash representation of an IODEF message, as received from new or in
1264				## tagpath: a string obtained by concatenating the names of the nested tags, from the
1265				## Incident tag down to the closest tag to value.
1266				## value: the value (content of a tag, or value of an attribute) of the last tag
1267				## given in tagpath
1268				##
1269				## RETURN:
1270				## 0 if the field was correctly added, and croak otherwise (if you did
1271				## something that goes against the DTD).
1272				##
1273				## DESC:
1274				## Each IODEF field of a given IODEF message can be created through a corresponding add()
1275				## call. These interfaces are designed for easily building a new IODEF message while
1276				## parsing a log file. The 'tagpath' is the same as returned by the 'to_hash' call.
1277				##
1278				## RESTRICTIONS:
1279				## You cannot change an attribute value with add(). An attempt to run add() on an attribute
1280				## that already exists will just be ignored. Contents cannot be changed either, but a new
1281				## tag can be created if you are adding an iodef content that can occur multiple time (ex:
1282				## UserIdname, AdditionalData...).
1283				##
1284				## SPECIAL CASE: AdditionalData
1285				## AdditionalData is a special tag requiring at least 2 add() calls to build a valid node. In
1286				## case of multiple AdditionalData delaration, take care of building AdditionalData nodes one
1287				## at a time, and always begin by adding the "AddtitionalData" field (ie the tag's content).
1288				## Otherwise, the iodef key insertion engine will get lost, and you'll get scrap.
1289				##
1290				## As a response to this issue, the 'add("IncidentAdditionalData", "value")' call accepts an
1291				## extended syntax compared with other calls:
1292				##
1293				## add("IncidentAdditionalData", );
1294				## => add the content to Incident/AdditionalData
1295				##
1296				## add("IncidentAdditionalData", , );
1297				## => same as: (type string is assumed by default)
1298				## add("IncidentAdditionalData", );
1299				## add("IncidentAdditionalDatameaning", );
1300				## add("IncidentAdditionalDatadtype", "string");
1301				##
1302				## add("IncidentAdditionalData", , , );
1303				## => same as:
1304				## add("IncidentAdditionalData", );
1305				## add("IncidentAdditionalDatameaning", );
1306				## add("IncidentAdditionalDatadtype", );
1307				##
1308				## The use of add("IncidentAdditionalData", , , ); is prefered to the simple
1309				## add call, since it creates the whole AdditionalData node at once. In the case of
1310				## multiple arguments add("IncidentAdditionalData"...), the returned value is 1 if the type key
1311				## was inserted, 0 otherwise.
1312				##
1313				##
1314				## EXAMPLES:
1315				##
1316				## my $iodef = new XML::IODEF();
1317				##
1318				## $iodef->add("IncidentIncidentID", "");
1319				##
1320				## $iodef->add($iodef, "Incidentrestriction", "");
1321				##
1322				## # AdditionalData case:
1323				## # DO:
1324				## $iodef->add("IncidentAdditionalData", "value"); # content add first
1325				## $iodef->add("IncidentAdditionalDatadtype", "string"); # ok
1326				## $iodef->add("IncidentAdditionalDatameaning", "meaning"); # ok
1327				##
1328				## $iodef->add("IncidentAdditionalData", "value2"); # content add first
1329				## $iodef->add("IncidentAdditionalDatadtype", "string"); # ok
1330				## $iodef->add("IncidentAdditionalDatameaning", "meaning2"); # ok
1331				##
1332				## # or BETTER:
1333				##
1334				## $iodef->add("IncidentAdditionalData", "value", "meaning", "string"); # VERY GOOD
1335				## $iodef->add("IncidentAdditionalData", "value2", "meaning2"); # VERY GOOD (string type is default)
1336				##
1337				##
1338				## # DO NOT DO:
1339				## $iodef->add("IncidentAdditionalData", "value"); # BAD!! content should be declared first
1340				## $iodef->add("IncidentAdditionalDatameaning", "meaning2"); # BAD!! content first!
1341				##
1342				## # DO NOT DO:
1343				## $iodef->add("IncidentAdditionalData", "value"); # BAD!!!!! mixing node declarations
1344				## $iodef->add("IncidentAdditionalData", "value2"); # BAD!!!!! for value & value2
1345				## $iodef->add("IncidentAdditionalDatadtype", "string"); # BAD!!!!!
1346				## $iodef->add("IncidentAdditionalDatadtype", "string"); # BAD!!!!!
1347
1348				## TODO -- test ext-value and ext-dtype
1349
1350				sub add {
1351				my ($tag, $root, $dom, $c);
1352				my ($iodef, $path, $value, @tail) = @_;
1353
1354				$path = $ROOT.$path;
1355				$dom = $iodef->{"DOM"};
1356				$root = $dom->getDocumentElement;
1357
1358				# create a root element if none exists
1359				if (!defined $root) {
1360				$root = $dom->createElement($ROOT);
1361				$dom->appendChild($root);
1362				}
1363
1364				# is this a known tagpath?
1365				if (!exists($EXPAND_PATH->{$path})) {
1366				croak "add: $path is not a known IODEF tag path (IODEF v$IODEF_VERSION).";
1367				}
1368
1369				# if it is an attribute or a content, did we get a value?
1370				$c = ${$EXPAND_PATH->{$path}}[0];
1371				croak "add: $path is an attribute or a content and requires a value (which you did not give)."
1372				if (($c eq 'A' or $c eq 'C') and !defined($value));
1373
1374				# check if value is valid
1375				if (exists($CHECK_VALUE->{$path})) {
1376				check_allowed($path, $value, @{$CHECK_VALUE->{$path}});
1377				}
1378
1379				# add key to path
1380				$tag = @{$EXPAND_PATH->{$path}}[3];
1381
1382				# check if it is AdditionalData
1383				## TODO: check for ext-value settings
1384				if (defined($tag) && substr($tag,1) eq "AdditionalData") {
1385
1386				if (scalar(@tail) == 0) {
1387				add_in_dom($dom, $root, $path, $value);
1388				} elsif (scalar(@tail) == 1) {
1389				add_in_dom($dom, $root, $path, $value);
1390				add_in_dom($dom, $root, $path."meaning", $tail[0]);
1391				add_in_dom($dom, $root, $path."dtype", "string");
1392				} elsif (scalar(@tail) == 2) {
1393				check_allowed($path."type", $tail[1], @{$CHECK_VALUE->{$path."dtype"}});
1394				add_in_dom($dom, $root, $path, $value);
1395				add_in_dom($dom, $root, $path."meaning", $tail[0]);
1396				add_in_dom($dom, $root, $path."dtype", $tail[1]);
1397				} else {
1398				croak "add: wrong number of arguments given to add(\"$path\")";
1399				}
1400				}
1401				else
1402				{
1403				add_in_dom($dom, $root, $path, $value);
1404				}
1405
1406				return 0;
1407				}
1408
1409
1410
1411				#----------------------------------------------------------------------------------------
1412				#
1413				# add_in_dom($root, $tagpath [, $value])
1414				#
1415				# if their is a value, add this value to the tagpath, otherwise add the
1416				# node pointed by tagpath. return the changed node.
1417				#
1418
1419				sub add_in_dom {
1420				my($dom, $root, $path, $val) = @_;
1421				my($type, @tagpath, $att, $node, $text, $n);
1422
1423				# find the tagpath corresponding to $path
1424				($type, @tagpath) = @{$EXPAND_PATH->{$path}};
1425
1426				if ($type eq 'N') {
1427				# we want to add a node
1428				$node = find_node_in_first_path($root, @tagpath);
1429
1430				if (defined $node) {
1431				return duplicate_node_path($dom, $root, @tagpath);
1432				} else {
1433				return create_node_path($dom, $root, @tagpath);
1434				}
1435
1436				} elsif ($type eq 'A') {
1437				# we want to add an attribute
1438				$att = pop @tagpath;
1439				$node = find_node_in_first_path($root, @tagpath);
1440
1441				if (!defined $node) {
1442				$node = create_node_path($dom, $root, @tagpath);
1443				} else {
1444				# if attribute already set, try to duplicate node
1445				if ($node->getAttribute($att) ne "") {
1446				$node = duplicate_node_path($dom, $root, @tagpath);
1447				}
1448				}
1449
1450				# add attribute
1451				$node->setAttribute($att, $val);
1452
1453				return $node;
1454
1455				} elsif ($type eq 'C') {
1456				# we want to add a content
1457				$node = find_node_in_first_path($root, @tagpath);
1458
1459				# if node does not exists, create it
1460				if (!defined $node) {
1461				$node = create_node_path($dom, $root, @tagpath);
1462				}
1463
1464
1465				# find this node's Text node
1466				foreach $n ($node->getChildNodes()) {
1467				if ($n->getNodeType() == TEXT_NODE) {
1468				# node already has text child. duplicate node
1469				$n = duplicate_node_path($dom, $root, @tagpath);
1470				$node = $n;
1471				last;
1472				}
1473				}
1474
1475				# found a node that does not have any text element. create text.
1476				$n = $dom->createTextNode($val);
1477				$node->appendChild($n);
1478
1479				return $node;
1480				}
1481
1482				croak "add_in_dom: internal error. found element of type $type.";
1483				}
1484
1485
1486
1487				#----------------------------------------------------------------------------------------
1488				#
1489				# create_node_path($root, @tagpath)
1490				#
1491				# create all nodes in @tagpath, and return the last node in tagpath.
1492				# all nodes in @tagpath are elements.
1493				# create_node assumes that $root is a non null element, which usually
1494				# implies that the iodef dom document should have a root.
1495				#
1496
1497				sub create_node_path {
1498				my($dom, $root, @tagpath) = @_;
1499				@tagpath = map({substr($_,1)} @tagpath);
1500				return create_node_internal($dom, $root, @tagpath);
1501				}
1502
1503				sub create_node_internal {
1504				my($dom, $node, @tagpath) = @_;
1505				my($name_node, $name_next, @child_order, $i, $pos, $next_child, $pos2, $name, $new, @a, $n);
1506
1507				$name_node = shift @tagpath;
1508				$name_next = shift @tagpath;
1509
1510				croak "create_node: got empty tagpath."
1511				if (!defined $name_node);
1512
1513				return undef
1514				if ($node->getTagName() ne $name_node);
1515
1516				return $node
1517				if (!defined $name_next);
1518
1519				# lookup children order for $name_node in DTD
1520				@child_order = @{$DTD->{$name_node}->{CHILDREN}};
1521				@child_order = map({substr $_, 1} @child_order);
1522
1523				# this expression finds the offset in @children of the last occurence of $name_next
1524				for($pos=0, $i=0; $i < scalar(@child_order); $i++) {
1525				$pos = $i if ($child_order[$i] eq $name_next);
1526				}
1527
1528				# go through all children, and insert new node before first following kid
1529				$next_child = undef;
1530
1531				foreach $n ($node->getChildNodes()) {
1532
1533				if ($n->getNodeType() == ELEMENT_NODE) {
1534				$name = $n->getTagName;
1535
1536				# if we found the node we searched, loop in it
1537				if ($name eq $name_next) {
1538				return create_node_internal($dom, $n, $name_next, @tagpath);
1539				}
1540
1541				# check if we found a node that should occur after the one to be inserted
1542				# if so, break the loop and create a new node before it
1543				for($pos2=0, $i=0; $i < scalar(@child_order); $i++) {
1544				if ($child_order[$i] eq $name) {
1545				$pos2 = $i;
1546				last;
1547				}
1548				}
1549
1550				if ($pos2 > $pos) {
1551				$next_child = $n;
1552				last;
1553				}
1554				}
1555				}
1556
1557				# create a new node and insert it at the right place
1558				$new = $dom->createElement($name_next);
1559				$node->insertBefore($new, $next_child);
1560
1561				return create_node_internal($dom, $new, $name_next, @tagpath);
1562				}
1563
1564
1565
1566				#----------------------------------------------------------------------------------------
1567				#
1568				# duplicate_node_path($dom, $root, @tagpath)
1569				#
1570				# duplicate the last node in @tagpath, ie
1571				# find the closest parent to that node that accepts multiple occurences
1572				# of node path, create a new instance of the node, and call create_node
1573				# to recreate all elements down to the node. return the duplicated node
1574				#
1575
1576				sub duplicate_node_path {
1577				my($dom, $root, @node_path) = @_;
1578				my($name, $node, $new, $next, $array, @tail, $i, $c, @array);
1579
1580				# find the closest parent of last node, having multiple occurences
1581				for ($i = (scalar @node_path) - 1; $i > 0; $i--) {
1582				last if ($node_path[$i] =~ /^[\+\#\*]/);
1583				}
1584
1585				croak "add - duplicate_node: could not duplicate node".(pop @node_path).". no duplicable parent."
1586				if ($i == 0);
1587
1588				# duplicate the node at $i-2 in @node_path
1589				@tail = splice(@node_path, $i+1);
1590				$name = pop @node_path;
1591
1592				# try to find the node to duplicate
1593				$node = find_node($root, @node_path, $name) \|\|
1594				croak "duplicate_node_path: did not find node to duplicate. impossible.";
1595
1596				# create new instance of 'name' and insert before $node
1597				$new = $dom->createElement(substr($name, 1));
1598				$node->getParentNode()->insertBefore($new, $node);
1599
1600				# build all node path in the original @node_path, and return the last
1601				return create_node_path($dom, $root, @node_path, $name, @tail);
1602				}
1603
1604
1605
1606				#----------------------------------------------------------------------------------------
1607				#
1608				# check_allowed(path, key, @list);
1609				#
1610				# check that key is one element of list.
1611				# returns 1 if it is, 0 if key is not in and
1612				# croak
1613				#
1614
1615				sub check_allowed {
1616				my($path, $key, $v, @vals);
1617				($path, $key, @vals)= @_;
1618
1619				foreach $v (@vals) {
1620				return 1 if ($v eq $key);
1621				}
1622
1623				croak "add: $key is not an allowed value for attribute $path (IODEF v$IODEF_VERSION).";
1624				return 0;
1625				}
1626
1627
1628
1629				##----------------------------------------------------------------------------------------
1630				##
1631				## set(hash, tagpath, value)
1632				##
1633				## ARGS:
1634				## hash: a hash representation of an IODEF message, as received from new or in
1635				## tagpath: a string obtained by concatenating the names of the nested tags, from the
1636				## Incident tag down to the closest tag to value.
1637				## value: the value (content of a tag, or value of an attribute) of the last tag
1638				## given in tagpath
1639				##
1640				## RETURN:
1641				## 0 if the field was correctly changed, croaks otherwise.
1642				##
1643				## DESC:
1644				## The set() call follows the first occurence of the node path described by
1645				## and attempts at changing the corresponding content or attribute value.
1646				## If the first occurence of does not lead to any existing node, set()
1647				## croaks. Check that the node or attribute exists with contains() first.
1648				## If you want to create an attribute value or a node content where there was none,
1649				## use add() instead.
1650				##
1651				## RESTRICTIONS:
1652				## set() only allows you to reach and change the attribute or content of the first
1653				## occurence of a given tagpath. If this tagpath occurs multiple time, you will
1654				## not be able to modify the other occurences. Yet this should be able for most
1655				## applications. Furthermore, set() cannot be used to create any new value/content.
1656				##
1657				## EXAMPLES:
1658				##
1659				## my $iodef = new XML::IODEF();
1660				##
1661				## $iodef->add("IncidentAdditionalData", "value"); # content add first
1662				## $iodef->add("IncidentAdditionalDatadtype", "string"); # ok
1663				## $iodef->add("IncidentAdditionalDatameaning", "meaning"); # ok
1664				##
1665				## # change AdditionalData's content value
1666				## $iodef->set("IncidentAdditionalData", "new value");
1667				##
1668
1669				sub set {
1670				my($iodef, $path, $value) = @_;
1671				my($root, $type, $att, @tagpath, $node, $n);
1672
1673				# did we get a path?
1674				croak "set: you did not give any path."
1675				if (!defined($path));
1676
1677				$path = $ROOT.$path;
1678				$root = $iodef->{"DOM"}->getDocumentElement;
1679
1680				# is this a known tagpath?
1681				croak "set: $path is not a known IODEF tag path (IODEF v$IODEF_VERSION)."
1682				if (!exists($EXPAND_PATH->{$path}));
1683
1684				# is it a content or attribute?
1685				($type, @tagpath) = @{$EXPAND_PATH->{$path}};
1686
1687				croak "set: $path does not lead to an attribute nor to an authorized node content."
1688				if ($type eq 'N');
1689
1690				# did we get a value?
1691				croak "set: you did not provide any value."
1692				if (!defined($value));
1693
1694				# check if value is valid
1695				if (exists($CHECK_VALUE->{$path})) {
1696				check_allowed($path, $value, @{$CHECK_VALUE->{$path}});
1697				}
1698
1699				$att = pop @tagpath
1700				if ($type eq 'A');
1701
1702				$node = find_node($root, @tagpath);
1703
1704				# if node does not exists, croaks
1705				croak "set: there is no node at path $path. use add() first."
1706				if (!defined($node));
1707
1708				# let's change the content or attribute
1709				if ($type eq 'A') {
1710
1711				# does the attribute exists?
1712				croak "set: the attribute at path $path has no value. use add() first."
1713				if ($node->getAttribute($att) eq "");
1714
1715				# set its value
1716				$node->setAttribute($att, $value);
1717				return 0;
1718
1719				} elsif ($type eq 'C') {
1720
1721				# does this node has a text node?
1722				foreach $n ($node->getChildNodes()) {
1723				if ($n->getNodeType() == TEXT_NODE) {
1724				$n->setData($value);
1725				return 0;
1726				}
1727				}
1728
1729				croak "set: the node at path $path has no content. use add() first.";
1730				}
1731
1732				# should never reach here
1733				croak "set: internal error.";
1734				}
1735
1736
1737
1738				##----------------------------------------------------------------------------------------
1739				##
1740				## get(hash, tagpath, value)
1741				##
1742				## ARGS:
1743				## hash: a hash representation of an IODEF message, as received from new or in
1744				## tagpath: a string obtained by concatenating the names of the nested tags, from the
1745				## Incident tag down to the closest tag to value.
1746				## value: the value (content of a tag, or value of an attribute) of the last tag
1747				## given in tagpath
1748				##
1749				## RETURN:
1750				## a string: the content of the node or value of the attribute, undef if there is
1751				## no such value, and croaks if error.
1752				##
1753				## DESC:
1754				## The get() call follows the first occurence of the node path described by
1755				## and attempts at retrieving the corresponding content or attribute value.
1756				## If the first occurence of does not lead to any existing node, get()
1757				## returns undef. But this does not mean that the value does not exists in an other
1758				## occurence of the pagpath.
1759				##
1760				## RESTRICTIONS:
1761				## get() only allows you to reach and retrieve the attribute or content of the first
1762				## occurence of a given tagpath. If this tagpath occurs multiple time, you will
1763				## not be able to retrieve the other occurences. Yet this should be able for most
1764				## applications.
1765				##
1766				## EXAMPLES:
1767				##
1768				## my $iodef = new XML::IODEF();
1769				##
1770				## $iodef->add("IncidentAdditionalData", "value"); # content add first
1771				## $iodef->add("IncidentAdditionalDatadtype", "string"); # ok
1772				## $iodef->add("IncidentAdditionalDatameaning", "meaning"); # ok
1773				##
1774				## # change AdditionalData's content value
1775				## $iodef->get("IncidentAdditionalData");
1776				##
1777
1778				sub get {
1779				my($iodef, $path, $value) = @_;
1780				my($root, $type, $att, @tagpath, $node, $n);
1781
1782				# did we get a path?
1783				croak "get: you did not give any path."
1784				if (!defined($path));
1785
1786				$path = $ROOT.$path;
1787				$root = $iodef->{"DOM"}->getDocumentElement;
1788
1789				# is this a known tagpath?
1790				croak "get: $path is not a known IODEF tag path (IODEF v$IODEF_VERSION)."
1791				if (!exists($EXPAND_PATH->{$path}));
1792
1793				# is it a content or attribute?
1794				($type, @tagpath) = @{$EXPAND_PATH->{$path}};
1795
1796				croak "get: $path does not lead to an attribute nor to an authorized node content."
1797				if ($type eq 'N');
1798
1799				$att = pop @tagpath
1800				if ($type eq 'A');
1801
1802				$node = find_node($root, @tagpath);
1803
1804				# if node does not exists, return undef
1805				return undef
1806				if (!defined($node));
1807
1808				# let's fetch the content or attribute
1809				if ($type eq 'A') {
1810				return $node->getAttribute($att);
1811
1812				} elsif ($type eq 'C') {
1813
1814				# does this node has a text node?
1815				foreach $n ($node->getChildNodes()) {
1816				if ($n->getNodeType() == TEXT_NODE) {
1817				return $n->getData;
1818				}
1819				}
1820
1821				return undef;
1822				}
1823
1824				# no content in this node
1825				return undef;
1826				}
1827
1828
1829
1830				##----------------------------------------------------------------------------------------
1831				##
1832				## create_ident() -- deprecated
1833				##
1834				## ARGS:
1835				## iodef message object
1836				##
1837				## RETURN:
1838				## nothing.
1839				##
1840				## DESC:
1841				## Set the root ident attribute field of this IODEF message with a unique,
1842				## randomly generated ID number. The code for the ID number generator is actually
1843				## inspired from Sys::UniqueID. If no IODEF type is given, "Incident" is assumed as default.
1844				##
1845
1846				sub create_ident {
1847				my($id, $iodef, $name, $netaddr);
1848				$iodef = shift;
1849
1850				warn 'create_ident is deprecated, you should be using your domain-name in conjuction with the ID from your workflow system';
1851
1852				$name = $iodef->get_type();
1853				$name = "Incident" if (!defined $name);
1854
1855				# code cut n paste from Sys::UniqueID. replaced IP with random number.
1856				# absolutely ensure that id is unique: < 0x10000/second
1857				$netaddr = int(rand 10000000);
1858
1859				unless(++$ID_COUNT < 0x10000) { sleep 1; $ID_COUNT= 0; }
1860				$id = sprintf '%012X%s%08X%04X', time, $netaddr, $$, $ID_COUNT;
1861
1862				$iodef->add($name."IncidentID", $id);
1863				}
1864
1865
1866
1867				##----------------------------------------------------------------------------------------
1868				##
1869				## create_time(, [])
1870				##
1871				## ARGS:
1872				## iodef message object
1873				## optional. epoch time (time since January 1, 1970, UTC).
1874				##
1875				## RETURN:
1876				## nothing.
1877				##
1878				## DESC:
1879				## Set the CreateTime field of this iodef message with the current time
1880				## (if no epoch argument if provided), or to the time corresponding to
1881				## the epoch value provided, in both the content and ntpstamp fields.
1882				## If the IODEF message does not yet have a type, "Incident" is assumed by
1883				## default.
1884				##
1885
1886				sub create_time {
1887				my $iodef = shift;
1888				my $utc = shift \|\| time();
1889
1890				my $timestamp = DateTime->from_epoch(epoch => $utc);
1891				add($iodef,'IncidentReportTime',$timestamp.'Z');
1892				}
1893
1894				##----------------------------------------------------------------------------------------
1895				##
1896				## to_hash()
1897				##
1898				## ARGS:
1899				## hash containing an IODEF message in XML::Simple representation
1900				##
1901				## RETURN:
1902				## a hash enumerating all the contents and attributes of this IODEF message.
1903				## each key is a concatenated sequence of tags leading to the content/attribute,
1904				## and the corresponding value is the content/attribute itself.
1905				## all IODEF contents and values are converted from IODEF format (STRING or BYTE)
1906				## back to the original ascii string.
1907				##
1908				## EXAMPLES:
1909				##
1910				##
1911				##
1912				##
1913				## #12345
1914				##
1915				## data1
1916				## data2
1917				##
1918				##
1919				##
1920				## becomes:
1921				##
1922				## { "version" => [ "1.0" ],
1923				## "Incidentpurpose" => [ "handling" ],
1924				## "IncidentIncidentID" => [ "#12345" ],
1925				## "IncidentAdditionalDatameaning" => [ "datatype1", "datatype2" ], #meaning & contents are
1926				## "IncidentAdditionalData" => [ "type1", "type2" ], #listed in same order
1927				## }
1928				##
1929				##
1930
1931				sub to_hash {
1932				my $iodef = shift;
1933				my $result = {};
1934				my $root = $iodef->{"DOM"}->getDocumentElement;
1935
1936				dom_to_hash($root, $result, "");
1937
1938				return $result;
1939				}
1940
1941				# there's probably a 'better' way to do this wihtin DOM
1942				# but who has that kind of time with XML::Simple :)
1943				sub to_tree {
1944				my $iodef = shift;
1945				return(XMLin($iodef->out()));
1946				}
1947
1948
1949				#----------------------------------------------------------------------------------------
1950				#
1951				# dom_to_hash($node, $result, $path)
1952				#
1953				# explore node and add its attributes and content to $result, and
1954				# explore recursively each of node's children.
1955				#
1956
1957				sub dom_to_hash {
1958				my($node, $result, $path) = @_;
1959				my($n, $type);
1960
1961				return if (!defined($node));
1962
1963				# explore node's attributes
1964				foreach $n ($node->getAttributes->getValues) {
1965				add_to_result($result, $path.$n->getName, $n->getValue);
1966				}
1967
1968				# explore node's children
1969				foreach $n ($node->getChildNodes()) {
1970
1971				$type = $n->getNodeType();
1972
1973				if ($type == TEXT_NODE) {
1974				# first check if the DTD accepts content for this node
1975				# this is to avoid all the '\n' that DOM::Parser consider
1976				# as content.
1977				if (@{$EXPAND_PATH->{$ROOT.$path}}[0] eq 'C') {
1978				add_to_result($result, $path, $n->getData);
1979				}
1980				} elsif ($type == ELEMENT_NODE) {
1981				dom_to_hash($n, $result, $path.$n->getTagName);
1982				}
1983				}
1984				}
1985
1986				sub add_to_result {
1987				my($result, $path, $val) = @_;
1988
1989				if (exists($result->{$path})) {
1990				push @{$result->{$path}}, $val;
1991				} else {
1992				$result->{$path} = [ $val ];
1993				}
1994				}
1995
1996
1997
1998				##=========================================================================================
1999				##
2000				## BACKWARD COMPATIBILIY FUNCTIONS
2001				##
2002				##=========================================================================================
2003
2004				##
2005				##
2006				## CLASS FUNCTIONS:
2007				## ----------------
2008				##
2009
2010				# wrapper for contains()
2011				sub at_least_one {
2012				return contains(@_);
2013				}
2014
2015				##
2016				##
2017				## EXPORTED FUNCTIONS:
2018				## -------------------
2019				##
2020
2021				# wrapper for extend_dtd()
2022				sub extend_iodef { extend_dtd(@_); }
2023
2024				##----------------------------------------------------------------------------------------
2025				##
2026				## = byte_to_string()
2027				##
2028				## ARGS:
2029				## a binary string
2030				##
2031				## RETURN:
2032				## : the string obtained by converting into its IODEF representation,
2033				## refered to as type BYTE[] in the IODEF rfc.
2034				##
2035
2036				sub byte_to_string {
2037				return join '', map( { "&\#$_;" } unpack("C*", $_[0]) );
2038				}
2039
2040				##----------------------------------------------------------------------------------------
2041				##
2042				## = xml_encode()
2043				##
2044				## ARGS:
2045				## a usual string
2046				##
2047				## RETURN:
2048				## : the xml encoded string equivalent to .
2049				##
2050				## DESC:
2051				## You don't need this function if you are using add() calls (which already calls it).
2052				## To convert a string into an iodef STRING, xml_encode basically replaces
2053				## characters: with:
2054				## & &
2055				## < <
2056				## > >
2057				## " "
2058				## ' '
2059				## and all non printable characters (ie charcodes >126 or <32 except 10) into
2060				## the corresponding �XX; form.
2061				##
2062
2063				# create a lookup array, start with filling it with xml encoded chars
2064				my @xml_enc = map { sprintf("&\#x00%.2x;", $_) } 0..255;
2065
2066				# map the printable characters to themselves
2067				# NOTE: XML standard says encode all chars < 32 except 10, and all > 126
2068				for (10,32..126) {
2069				$xml_enc[$_] = chr($_);
2070				}
2071
2072				# the special xml characters maps to their own encodings
2073				$xml_enc[ord('&')] = "&";
2074				$xml_enc[ord('<')] = "<";
2075				$xml_enc[ord('>')] = ">";
2076				$xml_enc[ord('"')] = """;
2077				$xml_enc[ord('\'')] = "'";
2078
2079				sub xml_encode {
2080				my ($st) = @_;
2081				return join('', map { $xml_enc[ord($_)]} ($st =~ /(.)/gs));
2082				}
2083
2084				##----------------------------------------------------------------------------------------
2085				##
2086				## = xml_decode()
2087				##
2088				## ARGS:
2089				## a xml encoded IODEF STRING
2090				##
2091				## RETURN:
2092				## the corresponding decoded string
2093				##
2094				## DESC:
2095				## You don't need this function with 'to_hash' (which already calls it).
2096				## It decodes into a string, ie replace the following
2097				## characters: with:
2098				## & &
2099				## < <
2100				## > >
2101				## " "
2102				## &apos '
2103				## &#XX; XX in base 10
2104				## &#xXXXX; XXXX in base 16
2105				## It also decodes strings encoded with 'byte_to_string'
2106				##
2107
2108				sub xml_decode {
2109				my ($st) = @_;
2110
2111				if (defined $st) {
2112
2113				$st =~ s/&\;/&/gs;
2114				$st =~ s/<\;/
2115				$st =~ s/>\;/>/gs;
2116				$st =~ s/"\;/\"/gs;
2117				$st =~ s/&apos\;/\'/gs;
2118
2119				$st =~ s/&\#x(.{4});/chr(hex $1)/ges;
2120				$st =~ s/&\#(.{2,3});/chr($1)/ges;
2121				}
2122
2123				return $st;
2124				}
2125
2126
2127
2128				#----------------------------------------------------------------------------------------
2129				#
2130				# END OF CODE - START OF POD DOC
2131				#
2132				#----------------------------------------------------------------------------------------
2133
2134				1;
2135
2136				__END__