Many of our customers are building useful services using our webhook feature ― but unfortunately, others are not. Often we hear that no one on their team is proficient enough to write a service that can ingest a webhook payload and do something with the data. That leaves them either hoping to get cycles from their development team (unlikely) or continuing to do without.
But what if you could write your own web services?How many routine tasks that involve taking data from system A and inputting it into system B could you automate?
Learning to code well enough can be a major skill in your tool chest and a major asset for optimizing security processes in your organization.
So in this post, I’m going to walk you through a tutorial that will get you started on the road to writing your own web services using python Flask.
What We’re BuildingI’m going to walk through the creation of a simple Python Flask app that provides a RESTful web service. Specifically, the service will provide an endpoint to:
Ingest a JSON formatted payload (webhook) from Threat Stack Parse the payload for Threat Stack Alert IDs Retrieve detailed alert data from Threat Stack Archive the webhook and alert data to AWS S3But before we jump in, here are a couple of things to keep in mind:
We will not be bothering with any sort of frontend display functionality, so you don’t need to worry about HTML or CSS. Our organization follows Flask’s own suggested organization . We are going to skip the single module pattern and go straight to the Packages and Blueprints models . There’s a large range of Flask tutorials. On one hand, there are tutorials that explain how to build small, simple apps (where the entire app fits in a single file). On the other hand, there are tutorials that explain how to build much larger, complicated apps. This tutorial fills a sweet spot in the middle and demonstrates a structure that is simple, but which can immediately accommodate increasingly complex requirements. Project StructureThe structure of the project that we’re going to build, which comes from Explore Flask , is shown below:
threatstack-to-s3
├── app
│ ├── __init__.py
│ ├── models
│ │ ├── __init__.py
│ │ ├── s3.py
│ │ └── threatstack.py
│ └── views
│ ├── __init__.py
│ └── s3.py
├── gunicorn.conf.py
├── requirements.osx.txt
├── requirements.txt
└── threatstack-to-s3.py
Let’s start the discussion with the top-level files that are useful to us as we build the service:
gunicorn.conf.py: This is a configuration file for the Gunicorn WSGI HTTP server that will serve this app up. While the application can run and accept connections on its own, Gunicorn is more efficient at handling multiple connections and allowing the app to scale with load. requirements.txt / requirements.osx.txt: The app’s dependencies are listed in this file. It is used by the “pip” utility to install the needed Python packages. For information on installing dependencies, see the Setup section of this README.md . threatstack-to-s3.py: This is the application launcher. It can be run directly using “python” if you are doing local debugging, or it can be passed as an argument to “gunicorn” as the application entry point. For information on how to launch a service, see README.md . app Package (app/ Directory)The app package is our application package. The logic for the application is underneath this directory. As mentioned earlier , we have chosen to break the app into a collection of smaller modules rather than use a single, monolithic module file.
The following four usable modules defined in this package are:
app app.views.s3 app.models.threatstack app.models.s3These are described below.
Note: app.views and app.models do not provide anything. See that their __init__.py files are empty.
app ModuleThe app module has the job of creating the Flask application. It exports a single function, create_app() , that will create a Flask application object and configure it. Currently it initializes application blueprints that correspond to our application views. Eventually, create_app() will do other things such as initialize logging, but we’ve skipped that now for clarity and simplicity.
app/__init__.py from flask import Flask def _initialize_blueprints(application): ''' Register Flask blueprints ''' from app.views.s3 import s3 application.register_blueprint(s3, url_prefix='/api/v1/s3') def create_app(): ''' Create an app by initializing components. ''' application = Flask(__name__) _initialize_blueprints(application) # Do it! return applicationThis module is used by threatstack-to-s3.py to start the application. See that it imports create_app() and then uses it to create a Flask application instance.
threatstack-to-s3.py #!/usr/bin/env python from app import create_app # Gunicorn entry point. application = create_app() if __name__ == '__main__': # Entry point when run via Python interpreter. print("== Running in debug mode ==") application.run(host='localhost', port=8080, debug=True) views and Flask BlueprintsBefore discussing the remaining three modules, we’ll talk about what views and Flask blueprints are before diving into the app.views.s3 module.
views: Views are what the application consumer sees. There’s no frontend to this application, but ther