COSSAS · MaartendeKruijf · May 15, 2024 · May 1, 2024 · May 6, 2024 · May 7, 2024
diff --git a/docs/content/en/docs/core-components/api-reporter.md b/docs/content/en/docs/core-components/api-reporter.md
@@ -73,7 +73,6 @@ Response data model:
 |ended              |timestamp              |string             |The time at which the execution of the playbook ended (if so)
 |status             |execution-status-enum  |string             |The current [status](#execution-stataus) of the execution
 |status_text        |explanation            |string             |A natural language explanation of the current status or related info
-|error              |error                  |string     |Error raised along the execution of the playbook at execution level
 |step_results       |step_results           |dictionary         |Map of step-id to related [step execution data](#step-execution-data)
 |request_interval   |seconds                |integer            |Suggests the polling interval for the next request (default suggested is 5 seconds).
 

diff --git a/internal/reporter/downstream_reporter/cache/cache.go b/internal/reporter/downstream_reporter/cache/cache.go
@@ -2,7 +2,6 @@ package cache
 
 import (
 	b64 "encoding/base64"
-	"encoding/json"
 	"errors"
 	"reflect"
 	"soarca/logger"
@@ -110,7 +109,7 @@ func (cacheReporter *Cache) ReportWorkflowEnd(executionId uuid.UUID, playbook ca
 	}
 
 	if workflowError != nil {
-		executionEntry.PlaybookResult = workflowError
+		executionEntry.Error = workflowError
 		executionEntry.Status = cache_report.Failed
 	} else {
 		executionEntry.Status = cache_report.SuccessfullyExecuted
@@ -203,9 +202,10 @@ func (cacheReporter *Cache) GetExecutions() ([]cache_report.ExecutionEntry, erro
 	// NOTE: fetched via fifo register key reference as is ordered array,
 	// needed to test and report back ordered executions stored
 	for _, executionEntryKey := range cacheReporter.fifoRegister {
-		entry, err := cacheReporter.copyExecutionEntry(executionEntryKey)
-		if err != nil {
-			return []cache_report.ExecutionEntry{}, err
+		// NOTE: cached executions are passed by reference, so they must not be modified
+		entry, present := cacheReporter.Cache[executionEntryKey]
+		if !present {
+			return []cache_report.ExecutionEntry{}, errors.New("internal error. cache fifo register and cache executions mismatch.")
 		}
 		executions = append(executions, entry)
 	}
@@ -221,17 +221,3 @@ func (cacheReporter *Cache) GetExecutionReport(executionKey uuid.UUID) (cache_re
 
 	return report, nil
 }
-
-func (cacheReporter *Cache) copyExecutionEntry(executionKeyStr string) (cache_report.ExecutionEntry, error) {
-	// NOTE: Deep copy via JSON serialization and de-serialization, longer computation time than custom function
-	// might want to implement custom deep copy in future
-	origJSON, err := json.Marshal(cacheReporter.Cache[executionKeyStr])
-	if err != nil {
-		return cache_report.ExecutionEntry{}, err
-	}
-	clone := cache_report.ExecutionEntry{}
-	if err = json.Unmarshal(origJSON, &clone); err != nil {
-		return cache_report.ExecutionEntry{}, err
-	}
-	return clone, nil
-}
diff --git a/models/api/reporter.go b/models/api/reporter.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"soarca/models/cacao"
 	cache_model "soarca/models/cache"
+	"time"
 )
 
 type Status uint8
@@ -35,30 +36,28 @@ const (
 )
 
 type PlaybookExecutionReport struct {
-	Type            string
-	ExecutionId     string
-	PlaybookId      string
-	Started         string
-	Ended           string
-	Status          string
-	StatusText      string
-	StepResults     map[string]StepExecutionReport
-	Error           string
-	RequestInterval int
+	Type            string                         `bson:"type" json:"type"`
+	ExecutionId     string                         `bson:"execution_id" json:"execution_id"`
+	PlaybookId      string                         `bson:"playbook_id" json:"playbook_id"`
+	Started         time.Time                      `bson:"started" json:"started"`
+	Ended           time.Time                      `bson:"ended" json:"ended"`
+	Status          string                         `bson:"status" json:"status"`
+	StatusText      string                         `bson:"status_text" json:"status_text"`
+	StepResults     map[string]StepExecutionReport `bson:"step_results" json:"step_results"`
+	RequestInterval int                            `bson:"request_interval" json:"request_interval"`
 }
 
 type StepExecutionReport struct {
-	ExecutionId        string
-	StepId             string
-	Started            string
-	Ended              string
-	Status             string
-	StatusText         string
-	ExecutedBy         string
-	CommandsB64        []string
-	Error              string
-	Variables          map[string]cacao.Variable
-	AutomatedExecution string
+	ExecutionId        string                    `bson:"execution_id" json:"execution_id"`
+	StepId             string                    `bson:"step_id" json:"step_id"`
+	Started            time.Time                 `bson:"started" json:"started"`
+	Ended              time.Time                 `bson:"ended" json:"ended"`
+	Status             string                    `bson:"status" json:"status"`
+	StatusText         string                    `bson:"status_text" json:"status_text"`
+	ExecutedBy         string                    `bson:"executed_by" json:"executed_by"`
+	CommandsB64        []string                  `bson:"commands_b64" json:"commands_b64"`
+	Variables          map[string]cacao.Variable `bson:"variables" json:"variables"`
+	AutomatedExecution bool                      `bson:"automated_execution" json:"automated_execution"`
 	// Make sure we can have a playbookID for playbook actions, and also
 	// the execution ID for the invoked playbook
 }

diff --git a/models/cacao/cacao.go b/models/cacao/cacao.go
@@ -17,7 +17,18 @@ const (
 	StepTypeWhileCondition  = "while-condition"
 	StepTypeSwitchCondition = "switch-condition"
 
-	CommandTypeManual = "manual"
+	CommandTypeManual     = "manual"
+	CommandTypeBash       = "bash"
+	CommandTypeCalderaCmd = "caldera-cmd"
+	CommandTypeElastic    = "elastic"
+	CommandTypeHttpApi    = "http-api"
+	CommandTypeJupyter    = "jupyter"
+	CommandTypeKestrel    = "kestrel"
+	CommandTypeOpenC2Http = "openc2-http"
+	CommandTypePowershell = "powershell"
+	CommandTypeSigma      = "sigma"
+	CommandTypeSsh        = "ssh"
+	CommandTypeYara       = "yara"
 
 	AuthInfoOAuth2Type    = "oauth2"
 	AuthInfoHTTPBasicType = "http-basic"

diff --git a/models/cache/cache.go b/models/cache/cache.go
@@ -21,13 +21,13 @@ const (
 )
 
 type ExecutionEntry struct {
-	ExecutionId    uuid.UUID
-	PlaybookId     string
-	Started        time.Time
-	Ended          time.Time
-	StepResults    map[string]StepResult
-	PlaybookResult error
-	Status         Status
+	ExecutionId uuid.UUID
+	PlaybookId  string
+	Started     time.Time
+	Ended       time.Time
+	StepResults map[string]StepResult
+	Error       error
+	Status      Status
 }
 
 type StepResult struct {

diff --git a/routes/reporter/reporter_parser.go b/routes/reporter/reporter_parser.go
@@ -12,13 +12,13 @@ func parseCachePlaybookEntry(cacheEntry cache_model.ExecutionEntry) (api_model.P
 	if err != nil {
 		return api_model.PlaybookExecutionReport{}, err
 	}
+
 	playbookStatusText, err := api_model.GetCacheStatusText(playbookStatus, api_model.ReportLevelPlaybook)
 	if err != nil {
 		return api_model.PlaybookExecutionReport{}, err
 	}
-	playbookErrorStr := ""
-	if cacheEntry.PlaybookResult != nil {
-		playbookErrorStr = cacheEntry.PlaybookResult.Error()
+	if cacheEntry.Error != nil {
+		playbookStatusText = playbookStatusText + " - error: " + cacheEntry.Error.Error()
 	}
 
 	stepResults, err := parseCacheStepEntries(cacheEntry.StepResults)
@@ -30,11 +30,10 @@ func parseCachePlaybookEntry(cacheEntry cache_model.ExecutionEntry) (api_model.P
 		Type:            "execution_status",
 		ExecutionId:     cacheEntry.ExecutionId.String(),
 		PlaybookId:      cacheEntry.PlaybookId,
-		Started:         cacheEntry.Started.String(),
-		Ended:           cacheEntry.Ended.String(),
+		Started:         cacheEntry.Started,
+		Ended:           cacheEntry.Ended,
 		Status:          playbookStatus,
 		StatusText:      playbookStatusText,
-		Error:           playbookErrorStr,
 		StepResults:     stepResults,
 		RequestInterval: defaultRequestInterval,
 	}
@@ -54,29 +53,21 @@ func parseCacheStepEntries(cacheStepEntries map[string]cache_model.StepResult) (
 			return map[string]api_model.StepExecutionReport{}, err
 		}
 
-		stepError := stepEntry.Error
-		stepErrorStr := ""
-		if stepError != nil {
-			stepErrorStr = stepError.Error()
-		}
-
-		automatedExecution := "true"
-		if !stepEntry.IsAutomated {
-			automatedExecution = "false"
+		if stepEntry.Error != nil {
+			stepStatusText = stepStatusText + " - error: " + stepEntry.Error.Error()
 		}
 
 		parsedEntries[stepId] = api_model.StepExecutionReport{
 			ExecutionId:        stepEntry.ExecutionId.String(),
 			StepId:             stepEntry.StepId,
-			Started:            stepEntry.Started.String(),
-			Ended:              stepEntry.Ended.String(),
+			Started:            stepEntry.Started,
+			Ended:              stepEntry.Ended,
 			Status:             stepStatus,
 			StatusText:         stepStatusText,
 			ExecutedBy:         "soarca",
 			CommandsB64:        stepEntry.CommandsB64,
-			Error:              stepErrorStr,
 			Variables:          stepEntry.Variables,
-			AutomatedExecution: automatedExecution,
+			AutomatedExecution: stepEntry.IsAutomated,
 		}
 	}
 	return parsedEntries, nil

diff --git a/test/unittest/reporters/downstream_reporter/cache_test.go b/test/unittest/reporters/downstream_reporter/cache_test.go
@@ -100,13 +100,13 @@ func TestReportWorkflowStartFirst(t *testing.T) {
 	expectedEnded, _ := time.Parse(layout, "0001-01-01T00:00:00Z")
 	expectedExecutions := []cache_model.ExecutionEntry{
 		{
-			ExecutionId:    executionId0,
-			PlaybookId:     "test",
-			Started:        expectedStarted,
-			Ended:          expectedEnded,
-			StepResults:    map[string]cache_model.StepResult{},
-			PlaybookResult: nil,
-			Status:         2,
+			ExecutionId: executionId0,
+			PlaybookId:  "test",
+			Started:     expectedStarted,
+			Ended:       expectedEnded,
+			StepResults: map[string]cache_model.StepResult{},
+			Error:       nil,
+			Status:      2,
 		},
 	}
 
@@ -207,13 +207,13 @@ func TestReportWorkflowStartFifo(t *testing.T) {
 	for _, executionId := range executionIds[:len(executionIds)-1] {
 		t.Log(executionId)
 		entry := cache_model.ExecutionEntry{
-			ExecutionId:    executionId,
-			PlaybookId:     "test",
-			Started:        expectedStarted,
-			Ended:          expectedEnded,
-			StepResults:    map[string]cache_model.StepResult{},
-			PlaybookResult: nil,
-			Status:         2,
+			ExecutionId: executionId,
+			PlaybookId:  "test",
+			Started:     expectedStarted,
+			Ended:       expectedEnded,
+			StepResults: map[string]cache_model.StepResult{},
+			Error:       nil,
+			Status:      2,
 		}
 		expectedExecutionsFull = append(expectedExecutionsFull, entry)
 	}
@@ -222,13 +222,13 @@ func TestReportWorkflowStartFifo(t *testing.T) {
 	for _, executionId := range executionIds[1:] {
 		t.Log(executionId)
 		entry := cache_model.ExecutionEntry{
-			ExecutionId:    executionId,
-			PlaybookId:     "test",
-			Started:        expectedStarted,
-			Ended:          expectedEnded,
-			StepResults:    map[string]cache_model.StepResult{},
-			PlaybookResult: nil,
-			Status:         2,
+			ExecutionId: executionId,
+			PlaybookId:  "test",
+			Started:     expectedStarted,
+			Ended:       expectedEnded,
+			StepResults: map[string]cache_model.StepResult{},
+			Error:       nil,
+			Status:      2,
 		}
 		expectedExecutionsFifo = append(expectedExecutionsFifo, entry)
 	}

diff --git a/test/unittest/routes/reporter_api/reporter_api_invocation_test.go b/test/unittest/routes/reporter_api/reporter_api_invocation_test.go
@@ -95,36 +95,34 @@ func TestGetExecutionReportInvocation(t *testing.T) {
 	app.ServeHTTP(recorder, request)
 
 	expectedResponse := `{
-		"Type":"execution_status",
-		"ExecutionId":"6ba7b810-9dad-11d1-80b4-00c04fd430c0",
-		"PlaybookId":"test",
-		"Started":"2014-11-12 11:45:26.371 +0000 UTC",
-		"Ended":"0001-01-01 00:00:00 +0000 UTC",
-		"Status":"ongoing",
-		"StatusText":"this playbook is currently being executed",
-		"StepResults":{
+		"type":"execution_status",
+		"execution_id":"6ba7b810-9dad-11d1-80b4-00c04fd430c0",
+		"playbook_id":"test",
+		"started":"2014-11-12T11:45:26.371Z",
+		"ended":"0001-01-01T00:00:00Z",
+		"status":"ongoing",
+		"status_text":"this playbook is currently being executed",
+		"step_results":{
 		   "action--test":{
-			  "ExecutionId":"6ba7b810-9dad-11d1-80b4-00c04fd430c0",
-			  "StepId": "action--test",
-			  "Started": "2014-11-12 11:45:26.371 +0000 UTC",
-			  "Ended": "2014-11-12 11:45:26.371 +0000 UTC",
-			  "Status": "successfully_executed",
-			  "StatusText": "step execution completed successfully",
-			  "Error":"",
+			  "execution_id":"6ba7b810-9dad-11d1-80b4-00c04fd430c0",
+			  "step_id": "action--test",
+			  "started": "2014-11-12T11:45:26.371Z",
+			  "ended": "2014-11-12T11:45:26.371Z",
+			  "status": "successfully_executed",
+			  "status_text": "step execution completed successfully",
 			  "Variables":{
 				 "var1":{
 					"type":"string",
 					"name":"var1",
 					"value":"testing"
 				 }
 			  },
-			  "CommandsB64" : [],
-			  "AutomatedExecution" : "true",
-			  "ExecutedBy" : "soarca"
+			  "commands_b64" : [],
+			  "automated_execution" : true,
+			  "executed_by" : "soarca"
 		   }
 		},
-		"Error":"",
-		"RequestInterval":5
+		"request_interval":5
 	}`
 	expectedResponseData := api_model.PlaybookExecutionReport{}
 	err = json.Unmarshal([]byte(expectedResponse), &expectedResponseData)