[minor] change default before/after/limit values in db search queries

database/searches.go

@@ -40,8 +40,8 @@ type SearchParameters struct {
 
 // NewSearchParameters initializes search parameters
 func NewSearchParameters() (p SearchParameters) {
-	p.Before = time.Now().UTC()
-	p.After = time.Now().Add(-168 * time.Hour).UTC()
+	p.Before = time.Now().Add(39600 * time.Hour).UTC()
+	p.After = time.Now().Add(-39600 * time.Hour).UTC()
 	p.AgentName = "%"
 	p.AgentID = "∞"
 	p.ActionName = "%"
@@ -49,7 +49,7 @@ func NewSearchParameters() (p SearchParameters) {
 	p.CommandID = "∞"
 	p.ThreatFamily = "%"
 	p.Status = "%"
-	p.Limit = 10000
+	p.Limit = 100
 	p.Offset = 0
 	p.InvestigatorID = "∞"
 	p.InvestigatorName = "%"
@@ -87,9 +87,7 @@ func (p SearchParameters) String() (query string) {
 	if p.Status != "%" {
 		query += fmt.Sprintf("&status=%s", p.Status)
 	}
-	if p.Limit != 10000 {
 	query += fmt.Sprintf("&limit=%.0f", p.Limit)
-	}
 	if p.Offset != 0 {
 		query += fmt.Sprintf("&offset=%.0f", p.Offset)
 	}

doc/api.rst

@@ -944,23 +944,22 @@ GET /api/v1/search
 
 	- `actionname`: filter results on string action name, accept `ILIKE` pattern
 
-	- `after`: return results recorded after this RFC3339 date, depends on type:
+	- `after`: return results recorded after this RFC3339 date. If not set,
+	  return results for last 10 years. Impact on search depends on the type:
 
-		- `action`: select actions with a `validfrom` date greater than
-		  `after`. Default is last 7 days.
+		- `action`: select actions with a `validfrom` date greater than `after`.
 		- `agent`: select agents that have sent a heartbeat since `after`.
-		  Default is last 7 days.
-		- `command`: select commands with a `starttime` date greated than
-		  `after`. Default is last 7 days.
+		- `command`: select commands with a `starttime` date greated than `after`.
 		- `investigator`: select investigators with a `createdat` date greater
-		  than `after`. Default is last 1,000 years.
+		  than `after`.
 
 	- `agentid`: filter results on the agent ID
 
 	- `agentname`: filter results on string agent name, accept `ILIKE` pattern
 
-	- `before`: return results recorded before this RFC3339 date. If not defined,
-	  default is to retrieve results until now.
+	- `before`: return results recorded before this RFC3339 date. If not set,
+	  return results for the next 10 years. Impact on search depends on the
+	  type:
 
 		- `action`: select actions with a `expireafter` date lower than `before`
 		- `agent`: select agents that have sent a heartbeat priot to `before`
@@ -978,7 +977,7 @@ GET /api/v1/search
 	- `investigatorname`: filter results on string investigator name, accept
 	  `ILIKE` pattern
 
-	- `limit`: limit the number of results to 10,000 by default
+	- `limit`: limit the number of results, default is set to 100
 
 	- `offset`: discard the X first results, defaults to 0. Used in conjunction
 	  with `limit`, offset can be used to paginate search results.

doc/api.rst.html

@@ -931,15 +931,14 @@ investigator's action history.</p></li><li><p>Authentication: X-PGPAUTHORIZATION
   <span class="punctuation">}</span>
 <span class="punctuation">}</span></code></pre></section><section id="post-api-v1-investigator-create"><header><h3><a href="#id16">2.9   POST /api/v1/investigator/create/</a></h3></header><ul><li><p>Description: create a new investigator in the database</p></li><li><p>Authentication: X-PGPAUTHORIZATION</p></li><li><dl><dt>Parameters: (POST body)</dt><dd><ul><li><p><cite>name</cite>: string that represents the full name</p></li><li><p><cite>publickey</cite>: armored GPG public key</p></li></ul></dd></dl></li><li><p>Response Code: 201 Created</p></li><li><p>Response: Collection+JSON</p></li><li><p>Example: (without authentication)</p></li></ul><pre><code class="code bash"><span class="name variable">$ </span>gpg --export -a --export-options <span class="name builtin">export</span>-minimal bob_kelso@example.net &gt; /tmp/bobpubkey
 <span class="name variable">$ </span>curl -iv -F <span class="literal string double">"name=Bob Kelso"</span> -F <span class="name variable">publickey</span><span class="operator">=</span>@/tmp/pubkey https://api.mig.example.net/api/v1/investigator/create/</code></pre></section><section id="post-api-v1-investigator-update"><header><h3><a href="#id17">2.10   POST /api/v1/investigator/update/</a></h3></header><ul><li><p>Description: update an existing investigator in the database</p></li><li><p>Authentication: X-PGPAUTHORIZATION</p></li><li><dl><dt>Parameters: (POST body)</dt><dd><ul><li><p><cite>id</cite>: investigator id, to identify the target investigator</p></li><li><p><cite>status</cite>: new status of the investigator, to be updated</p></li></ul></dd></dl></li><li><p>Response Code: 201 Created</p></li><li><p>Response: Collection+JSON</p></li><li><p>Example: (without authentication)</p></li></ul><pre><code class="code bash"><span class="name variable">$ </span>curl -iv -X POST -d <span class="name variable">id</span><span class="operator">=</span><span class="literal number">1234</span> -d <span class="name variable">status</span><span class="operator">=</span>disabled https://api.mig.example.net/api/v1/investigator/update/</code></pre></section><section id="get-api-v1-search"><header><h3><a href="#id18">2.11   GET /api/v1/search</a></h3></header><ul><li><p>Description: search for actions, commands, agents or investigators.</p></li><li><p>Authentication: X-PGPAUTHORIZATION</p></li><li><p>Response Code: 200 OK</p></li><li><p>Response: Collection+JSON</p></li><li><dl><dt>Parameters:</dt><dd><ul><li><p><cite>type</cite>: define the type of item returned by the search.
-Valid types are: <cite>action</cite>, <cite>command</cite>, <cite>agent</cite> or <cite>investigator</cite>.</p><blockquote><ul><li><p><cite>action</cite>: (default) return a list of actions</p></li><li><p><cite>command</cite>: return a list of commands</p></li><li><p><cite>agent</cite>: return a list of agents that have shown activity</p></li><li><p><cite>investigator</cite>: return a list of investigators that have show activity</p></li></ul></blockquote></li><li><p><cite>actionid</cite>: filter results on numeric action ID</p></li><li><p><cite>actionname</cite>: filter results on string action name, accept <cite>ILIKE</cite> pattern</p></li><li><p><cite>after</cite>: return results recorded after this RFC3339 date, depends on type:</p><blockquote><ul><li><p><cite>action</cite>: select actions with a <cite>validfrom</cite> date greater than
-<cite>after</cite>. Default is last 7 days.</p></li><li><p><cite>agent</cite>: select agents that have sent a heartbeat since <cite>after</cite>.
-Default is last 7 days.</p></li><li><p><cite>command</cite>: select commands with a <cite>starttime</cite> date greated than
-<cite>after</cite>. Default is last 7 days.</p></li><li><p><cite>investigator</cite>: select investigators with a <cite>createdat</cite> date greater
-than <cite>after</cite>. Default is last 1,000 years.</p></li></ul></blockquote></li><li><p><cite>agentid</cite>: filter results on the agent ID</p></li><li><p><cite>agentname</cite>: filter results on string agent name, accept <cite>ILIKE</cite> pattern</p></li><li><p><cite>before</cite>: return results recorded before this RFC3339 date. If not defined,
-default is to retrieve results until now.</p><blockquote><ul><li><p><cite>action</cite>: select actions with a <cite>expireafter</cite> date lower than <cite>before</cite></p></li><li><p><cite>agent</cite>: select agents that have sent a heartbeat priot to <cite>before</cite></p></li><li><p><cite>command</cite>: select commands with a <cite>starttime</cite> date lower than <cite>before</cite></p></li><li><p><cite>investigator</cite>: select investigators with a <cite>lastmodified</cite> date lower
+Valid types are: <cite>action</cite>, <cite>command</cite>, <cite>agent</cite> or <cite>investigator</cite>.</p><blockquote><ul><li><p><cite>action</cite>: (default) return a list of actions</p></li><li><p><cite>command</cite>: return a list of commands</p></li><li><p><cite>agent</cite>: return a list of agents that have shown activity</p></li><li><p><cite>investigator</cite>: return a list of investigators that have show activity</p></li></ul></blockquote></li><li><p><cite>actionid</cite>: filter results on numeric action ID</p></li><li><p><cite>actionname</cite>: filter results on string action name, accept <cite>ILIKE</cite> pattern</p></li><li><p><cite>after</cite>: return results recorded after this RFC3339 date. If not set,
+return results for last 10 years. Impact on search depends on the type:</p><blockquote><ul><li><p><cite>action</cite>: select actions with a <cite>validfrom</cite> date greater than <cite>after</cite>.</p></li><li><p><cite>agent</cite>: select agents that have sent a heartbeat since <cite>after</cite>.</p></li><li><p><cite>command</cite>: select commands with a <cite>starttime</cite> date greated than <cite>after</cite>.</p></li><li><p><cite>investigator</cite>: select investigators with a <cite>createdat</cite> date greater
+than <cite>after</cite>.</p></li></ul></blockquote></li><li><p><cite>agentid</cite>: filter results on the agent ID</p></li><li><p><cite>agentname</cite>: filter results on string agent name, accept <cite>ILIKE</cite> pattern</p></li><li><p><cite>before</cite>: return results recorded before this RFC3339 date. If not set,
+return results for the next 10 years. Impact on search depends on the
+type:</p><blockquote><ul><li><p><cite>action</cite>: select actions with a <cite>expireafter</cite> date lower than <cite>before</cite></p></li><li><p><cite>agent</cite>: select agents that have sent a heartbeat priot to <cite>before</cite></p></li><li><p><cite>command</cite>: select commands with a <cite>starttime</cite> date lower than <cite>before</cite></p></li><li><p><cite>investigator</cite>: select investigators with a <cite>lastmodified</cite> date lower
 than <cite>before</cite></p></li></ul></blockquote></li><li><p><cite>commandid</cite>: filter results on the command ID</p></li><li><p><cite>foundanything</cite>: filter commands on the <cite>foundanything</cite> boolean of their
 results (only for type <cite>command</cite>, as it requires looking into results)</p></li><li><p><cite>investigatorid</cite>: filter results on the investigator ID</p></li><li><p><cite>investigatorname</cite>: filter results on string investigator name, accept
-<cite>ILIKE</cite> pattern</p></li><li><p><cite>limit</cite>: limit the number of results to 10,000 by default</p></li><li><p><cite>offset</cite>: discard the X first results, defaults to 0. Used in conjunction
+<cite>ILIKE</cite> pattern</p></li><li><p><cite>limit</cite>: limit the number of results, default is set to 100</p></li><li><p><cite>offset</cite>: discard the X first results, defaults to 0. Used in conjunction
 with <cite>limit</cite>, offset can be used to paginate search results.
 ex: <strong>&amp;limit=10&amp;offset=50</strong> will grab 10 results discarding the first 50.</p></li><li><dl><dt><cite>report</cite>: if set, return results in the given report format:</dt><dd><ul><li><p><cite>complianceitems</cite> returns command results as compliance items</p></li><li><p><cite>geolocations</cite> returns command results as geolocation endpoints</p></li></ul></dd></dl></li><li><p><cite>status</cite>: filter on internal status, accept <cite>ILIKE</cite> pattern.
 Status depends on the type. Below are the available statuses per type:</p><blockquote><ul><li><p><cite>action</cite>: pending, scheduled, preparing, invalid, inflight, completed</p></li><li><p><cite>agent</cite>: online, upgraded, destroyed, offline, idle</p></li><li><p><cite>command</cite>: prepared, sent, success, timeout, cancelled, expired, failed</p></li><li><p><cite>investigator</cite>: active, disabled</p></li></ul></blockquote></li><li><p><cite>target</cite>: returns agents that match a target query (only for <cite>agent</cite> type)</p></li><li><p><cite>threatfamily</cite>: filter results of the threat family of the action, accept