Add RDAP analyzer #3758
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds a new RDAP observable analyzer (using rdap.org) and wires it into the app via a Django migration, with accompanying unit tests.
Changes:
- Introduce `Rdap` observable analyzer that queries rdap.org for IP/domain/URL registration data
- Add analyzer configuration via migration `0193_analyzer_config_rdap`
- Add mocked unit tests covering core success and negative (404) scenarios
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| tests/api_app/analyzers_manager/observable_analyzers/test_rdap.py | Adds unit tests validating endpoint selection and 404 handling |
| api_app/analyzers_manager/observable_analyzers/rdap.py | Implements the RDAP analyzer logic (path selection + HTTP call) |
| api_app/analyzers_manager/migrations/0193_analyzer_config_rdap.py | Registers the new analyzer config in the database via migration |
| def update(self) -> bool: | ||
| pass |
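Review bot: `update` is annotated `-> bool` but its body is `pass`, so it returns `None`; either return an explicit `False` (this analyzer has nothing to refresh) or drop the annotation so the signature does not promise a boolean it never produces.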
| python_path = plugin.pop("model") | ||
| Model = apps.get_model(*python_path.split(".")) | ||
| if not Model.objects.filter(name=plugin["name"]).exists(): |
| python_path = plugin.pop("model") | ||
| Model = apps.get_model(*python_path.split(".")) | ||
| Model.objects.get(name=plugin["name"]).delete() |
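Review bot: the reverse step uses `Model.objects.get(name=plugin["name"]).delete()`, which raises `DoesNotExist` when the row is already absent, whereas the forward step guards with `if not Model.objects.filter(name=plugin["name"]).exists()`; use `Model.objects.filter(name=plugin["name"]).delete()` so unapplying the migration is idempotent as well.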
| # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl | ||
| # See the file 'LICENSE' for copying permission. | ||
|
|
||
| import logging |
| from api_app.analyzers_manager.exceptions import AnalyzerRunException | ||
| from api_app.choices import Classification | ||
|
|
||
| logger = logging.getLogger(__name__) |
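Review bot: `logger = logging.getLogger(__name__)` is created at module level but none of the shown lines use it; either route the failure paths (the `AnalyzerRunException` branches) through it or drop the `logging` import and the logger together.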
| @patch("requests.get") | ||
| def test_domain_found(self, mock_get): |
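Review bot: `@patch("requests.get")` replaces the attribute on the global `requests` module, so the test is coupled to the analyzer calling `requests.get` through the module rather than to the unit under test; patch the name where the analyzer looks it up, `api_app.analyzers_manager.observable_analyzers.rdap.requests.get`, so the mock is tied to `rdap.py` and the test reads as a test of that module.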
| hostname = urlparse(self.observable_name).hostname | ||
| if not hostname: | ||
| raise AnalyzerRunException( | ||
| f"unable to extract a hostname from URL {self.observable_name}" | ||
| ) |
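Review bot: the `if not hostname` branch raises `AnalyzerRunException` for URL observables without an extractable host (a bare `example.com` with no scheme, for instance), but the tests listed cover only endpoint selection and the 404 response; add a test that submits such a value as a `url` observable and asserts the exception, so this error path has coverage too.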
Adds an observable analyzer that queries the public RDAP bootstrap (rdap.org) for registration data of IPs, domains, and URLs. RDAP (RFC 9082/9083) is the free, unauthenticated, IETF-standard successor to WHOIS; the existing WHOIS analyzers are either paid (whoisxmlapi) or registry-specific (whoisripe).
5f09c60 to 1d6b2ef
You have to follow the guidelines: first create an issue, get assigned, and here provide proof that it works.

Apologies @mlodic — I jumped to the PR; I should have opened the issue first. Done now: #3759 (requesting assignment there). Proof it works — live CI is green — backend-tests ran the analyzer's test and applied the migration, linters pass. Also addressed the automated review notes (dropped the unused logger, patched the call site in the tests, added a test for the no-hostname URL path).

An IntelOwl GUI screenshot is required.
Adds an observable analyzer that queries the public RDAP bootstrap (https://rdap.org) for registration data of IPs, domains, and URLs.
RDAP (RFC 9082/9083) is the IETF-standard, free, unauthenticated successor to WHOIS. The existing WHOIS analyzers are either paid (whoisxmlapi) or registry-specific (whoisripe), so a free, global lookup fills a gap.
- Supports `ip`, `domain`, and `url` (resolved to its host) observables; `maximum_tlp` is AMBER.
- A 404 from rdap.org is reported as `{"found": false}` rather than an error.
- `tests/api_app/analyzers_manager/observable_analyzers/test_rdap.py` covers the routing and 404 handling with the HTTP layer mocked.
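The routing and 404 handling the description outlines, as an added stand-alone sketch that is not the PR's `rdap.py`: an observable is mapped to an rdap.org path by classification, a URL is reduced to its hostname (and rejected when there is none), and a 404 is reported as `{"found": false}` instead of raised. Routing an IP-literal URL host to `/ip`, the `RdapError` name, the `urllib` transport and the `fake_fetch` stub are assumptions of this example, not the analyzer's own code.

```python
import ipaddress
import json
import urllib.error, urllib.request
from urllib.parse import urlparse

RDAP_BASE = "https://rdap.org"  # public RDAP bootstrap service the analyzer queries
class RdapError(Exception):
    """Observable cannot be routed, or rdap.org answered with an unexpected status."""
def _is_ip(value: str) -> bool:
    try:
        return ipaddress.ip_address(value) is not None
    except ValueError:
        return False
def rdap_path(observable: str, classification: str) -> str:
    """Map an observable to its rdap.org path; a URL is reduced to its hostname first
    (an IP-literal host goes to /ip, an assumed extension; any other host to /domain)."""
    if classification == "url":
        host = urlparse(observable).hostname
        if not host:  # e.g. "example.com" with no scheme, or "mailto:a@b"
            raise RdapError(f"unable to extract a hostname from URL {observable}")
        observable, classification = host, ("ip" if _is_ip(host) else "domain")
    if classification == "ip" and _is_ip(observable):
        return f"/ip/{observable}"
    if classification == "domain":
        return f"/domain/{observable.rstrip('.').lower()}"
    raise RdapError(f"cannot route {observable!r} as {classification!r}")

def urllib_fetch(url: str) -> tuple:  # real transport: (status, body); an error status is data
    req = urllib.request.Request(url, headers={"Accept": "application/rdap+json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
def rdap_lookup(observable: str, classification: str, fetch=urllib_fetch) -> dict:
    """Query rdap.org; a 404 means 'unknown to RDAP' and is reported, not raised."""
    url = RDAP_BASE + rdap_path(observable, classification)
    status, body = fetch(url)
    if status == 404:
        return {"found": False}
    if status != 200:
        raise RdapError(f"rdap.org returned HTTP {status} for {url}")
    return {**json.loads(body), "found": True}

def fake_fetch(url: str) -> tuple:
    """Constructed stand-in for rdap.org so the example runs offline (not real RDAP data)."""
    canned = {"/domain/example.com": (200, b'{"objectClassName": "domain", "ldhName": "example.com"}'),
              "/ip/192.0.2.1": (200, b'{"objectClassName": "ip network", "handle": "TEST-NET-1"}')}
    return canned.get(url[len(RDAP_BASE):], (404, b'{"errorCode": 404}'))
```

Call `rdap_lookup(value, classification)` with the default transport for a live query, or pass `fake_fetch` to exercise the routing and the 404 branch without network access.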