qualys_vmdr: implement X-RateLimit header handling (#14899)

Author: efd6

packages/qualys_vmdr/_dev/deploy/docker/files/config.yml

@@ -12,6 +12,13 @@ rules:
       ids: 1,2,3
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         # Response only has host.id = [1,2] because of truncation limit
         body: |-
           <?xml version="1.0" encoding="UTF-8"?>
@@ -209,6 +216,13 @@ rules:
       show_cloud_tags: 1
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE HOST_LIST_VM_DETECTION_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/3.0/fo/asset/host/vm/detection/dtd/output.dtd">
@@ -319,6 +333,13 @@ rules:
       show_cloud_tags: 1
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: "" # handling empty XML response
   # Request knowledge_base with QID from Asset Host QID.
   # QID: 101,102,103 (3 unique QIDs for host ID: 1,2)
@@ -329,6 +350,13 @@ rules:
       action: list
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
           <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
@@ -509,6 +537,13 @@ rules:
       action: list
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
           <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg2.apps.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
@@ -644,6 +679,13 @@ rules:
       last_modified_after: '{last_modified_after:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z'
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
           <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
@@ -714,6 +756,13 @@ rules:
       last_modified_after: '{last_modified_after:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z'
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
           <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg2.apps.qualys.com/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
@@ -910,6 +959,13 @@ rules:
       last_modified_after: '{last_modified_after:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z'
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           <?xml version="1.0" encoding="UTF-8" ?>
           <!DOCTYPE KNOWLEDGE_BASE_VULN_LIST_OUTPUT SYSTEM "https://qualysapi.qg1.apps.qualys.in/api/3.0/fo/knowledge_base/vuln/knowledge_base_vuln_list_output.dtd">
@@ -928,6 +984,13 @@ rules:
       since_datetime: '{since_datetime:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z'
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           ----BEGIN_RESPONSE_BODY_CSV
           "Date","Action","Module","Details","User Name","User Role","User IP"
@@ -941,6 +1004,13 @@ rules:
       since_datetime: '{since_datetime:\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}}Z'
     responses:
       - status_code: 200
+        headers:
+          x-ratelimit-limit: ["300"]
+          x-ratelimit-window-sec: ["3600"]
+          x-concurrency-limit-limit: ["2"]
+          x-concurrency-limit-running: ["0"]
+          x-ratelimit-towait-sec: ["0"]
+          x-ratelimit-remaining: ["299"]
         body: |-
           ----BEGIN_RESPONSE_BODY_CSV
           "Date","Action","Module","Details","User Name","User Role","User IP"

packages/qualys_vmdr/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "6.9.0"
+  changes:
+    - description: Implement X-RateLimit header handling.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14899
 - version: "6.8.1"
   changes:
     - description: Update the logic for populating the `vulnerability.score.base`, `vulnerability.score.version`, and `vulnerability.severity` fields.

packages/qualys_vmdr/data_stream/asset_host_detection/agent/stream/input.yml.hbs

@@ -55,9 +55,8 @@ program: |
                 "X-Requested-With": ["curl"],
                 "Authorization": ["Basic "+(state.user+":"+state.password).base64()],
             }
-        }).do_request().as(resp,
-          resp.StatusCode == 200 
-          ?
+        }).do_request().as(resp, (
+          resp.StatusCode == 200 ?
             (
               has(resp.Body) && size(resp.Body) != 0
               ?
@@ -152,7 +151,43 @@ program: |
               },
               "want_more": false,
             })
-        )
+        ).with(
+          resp.Header.transformMapEntry(k, v,
+            // Canonicalise header keys to match rate_limit conventions.
+            // -Limit, -Remaining and -Reset are magic suffixes in rate_limit.
+            {
+              k.has_suffix("-Limit") ?
+                (k.trim_suffix("-Limit").to_lower() + "-Limit")
+              : k.has_suffix("-Remaining") ?
+                (k.trim_suffix("-Remaining").to_lower() + "-Remaining")
+              :
+                k.to_lower(): v,
+            }
+          ).as(headers,
+            // Calculate rate limits.
+            rate_limit(
+              headers.with(
+                {
+                  "x-ratelimit-Reset": [string(headers[?"x-ratelimit-towait-sec"][0].orValue("3600"))],
+                }
+              ),
+              "x-ratelimit",
+              false,
+              true,
+              duration(string(headers[?"x-ratelimit-window-sec"][0].orValue("3600")) + "s"),
+              0
+            )
+          ).as(rate_headers, rate_headers.with({
+            // Work around inf detection in input.
+            // If the headers are missing or rate_limit failed, rate and
+            // next may be missing. So use optional types.
+            ?"rate": rate_headers.?rate == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+            ?"next": rate_headers.?next == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+          })).as(limit, {
+            "header": resp.Header,
+            "rate_limit": limit,
+          })
+        ))
       )
     ).as(state, state.with(
       !has(state.worklist) ? state : 
@@ -167,7 +202,7 @@ program: |
               "X-Requested-With": ["curl"],
               "Authorization": ["Basic "+(state.user+":"+state.password).base64()],
             }
-          }).do_request().as(resp, resp.StatusCode == 200 ?
+          }).do_request().as(resp, (resp.StatusCode == 200 ?
             resp.Body.as(xml, try(xml.decode_xml('qualys_api_3_0_kb'), "decode_xml_error_kb").as(kb_body, 
               !has(kb_body.decode_xml_error_kb) 
               ?
@@ -271,7 +306,43 @@ program: |
               },
               "want_more": false,
             }
-          )
+          ).with(
+            resp.Header.transformMapEntry(k, v,
+              // Canonicalise header keys to match rate_limit conventions.
+              // -Limit, -Remaining and -Reset are magic suffixes in rate_limit.
+              {
+                k.has_suffix("-Limit") ?
+                  (k.trim_suffix("-Limit").to_lower() + "-Limit")
+                : k.has_suffix("-Remaining") ?
+                  (k.trim_suffix("-Remaining").to_lower() + "-Remaining")
+                :
+                  k.to_lower(): v,
+              }
+            ).as(headers,
+              // Calculate rate limits.
+              rate_limit(
+                headers.with(
+                  {
+                    "x-ratelimit-Reset": [string(headers[?"x-ratelimit-towait-sec"][0].orValue("3600"))],
+                  }
+                ),
+                "x-ratelimit",
+                false,
+                true,
+                duration(string(headers[?"x-ratelimit-window-sec"][0].orValue("3600")) + "s"),
+                0
+              )
+            ).as(rate_headers, rate_headers.with({
+              // Work around inf detection in input.
+              // If the headers are missing or rate_limit failed, rate and
+              // next may be missing. So use optional types.
+              ?"rate": rate_headers.?rate == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+              ?"next": rate_headers.?next == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+            })).as(limit, {
+              "header": resp.Header,
+              "rate_limit": limit,
+            })
+          ))
         :
           {
             "events": [],

packages/qualys_vmdr/data_stream/knowledge_base/agent/stream/input.yml.hbs

@@ -36,9 +36,8 @@ program: |
         "X-Requested-With": ["curl"],
         "Authorization": ["Basic "+(state.user+":"+state.password).base64()],
       }
-    }).do_request().as(resp,
-      resp.StatusCode == 200
-      ?
+    }).do_request().as(resp, (
+      resp.StatusCode == 200 ?
         resp.Body.as(xml, bytes(xml).decode_xml('qualys_api_3_0').as(body, {
           "events": (
             has(body.doc.KNOWLEDGE_BASE_VULN_LIST_OUTPUT.RESPONSE.VULN_LIST)
@@ -83,7 +82,43 @@ program: |
           },
           "want_more": false,
         }
-    )
+    ).with(
+      resp.Header.transformMapEntry(k, v,
+        // Canonicalise header keys to match rate_limit conventions.
+        // -Limit, -Remaining and -Reset are magic suffixes in rate_limit.
+        {
+          k.has_suffix("-Limit") ?
+            (k.trim_suffix("-Limit").to_lower() + "-Limit")
+          : k.has_suffix("-Remaining") ?
+            (k.trim_suffix("-Remaining").to_lower() + "-Remaining")
+          :
+            k.to_lower(): v,
+        }
+      ).as(headers,
+        // Calculate rate limits.
+        rate_limit(
+          headers.with(
+            {
+              "x-ratelimit-Reset": [string(headers[?"x-ratelimit-towait-sec"][0].orValue("3600"))],
+            }
+          ),
+          "x-ratelimit",
+          false,
+          true,
+          duration(string(headers[?"x-ratelimit-window-sec"][0].orValue("3600")) + "s"),
+          0
+        )
+      ).as(rate_headers, rate_headers.with({
+        // Work around inf detection in input.
+        // If the headers are missing or rate_limit failed, rate and
+        // next may be missing. So use optional types.
+        ?"rate": rate_headers.?rate == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+        ?"next": rate_headers.?next == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+      })).as(limit, {
+        "header": resp.Header,
+        "rate_limit": limit,
+      })
+    ))
   )
 tags:
 {{#if preserve_original_event}}

packages/qualys_vmdr/data_stream/user_activity/agent/stream/cel.yml.hbs

@@ -42,9 +42,8 @@ program: |
         "Authorization": ["Basic " + (state.user + ":" + state.password).base64()],
         "X-Requested-With": ["curl"],
       }
-    }).do_request().as(resp,
-      resp.StatusCode == 200
-      ?
+    }).do_request().as(resp, (
+      resp.StatusCode == 200 ?
         string(resp.Body).as(text, {
           "csv": (
             text.contains_substr("----BEGIN_RESPONSE_BODY_CSV") ?
@@ -92,7 +91,43 @@ program: |
           },
           "want_more": false,
         }
-    )
+    ).with(
+      resp.Header.transformMapEntry(k, v,
+        // Canonicalise header keys to match rate_limit conventions.
+        // -Limit, -Remaining and -Reset are magic suffixes in rate_limit.
+        {
+          k.has_suffix("-Limit") ?
+            (k.trim_suffix("-Limit").to_lower() + "-Limit")
+          : k.has_suffix("-Remaining") ?
+            (k.trim_suffix("-Remaining").to_lower() + "-Remaining")
+          :
+            k.to_lower(): v,
+        }
+      ).as(headers,
+        // Calculate rate limits.
+        rate_limit(
+          headers.with(
+            {
+              "x-ratelimit-Reset": [string(headers[?"x-ratelimit-towait-sec"][0].orValue("3600"))],
+            }
+          ),
+          "x-ratelimit",
+          false,
+          true,
+          duration(string(headers[?"x-ratelimit-window-sec"][0].orValue("3600")) + "s"),
+          0
+        )
+      ).as(rate_headers, rate_headers.with({
+        // Work around inf detection in input.
+        // If the headers are missing or rate_limit failed, rate and
+        // next may be missing. So use optional types.
+        ?"rate": rate_headers.?rate == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+        ?"next": rate_headers.?next == optional.of(double("Infinity")) ? optional.of("inf") : optional.none(),
+      })).as(limit, {
+         "header": resp.Header,
+         "rate_limit": limit,
+       })
+    ))
   )
 tags:
 {{#if preserve_duplicate_custom_fields}}

packages/qualys_vmdr/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.4.0"
 name: qualys_vmdr
 title: Qualys VMDR
-version: "6.8.1"
+version: "6.9.0"
 description: Collect data from Qualys VMDR platform with Elastic Agent.
 type: integration
 categories: