[backend] WIP Update model: authorized members activation via entity(#4538)

Author: marieflorescontact

opencti-platform/opencti-front/src/schema/relay.schema.graphql

@@ -9883,6 +9883,7 @@ type CaseIncident implements BasicObject & StixObject & StixCoreObject & StixDom
   severity: String
   priority: String
   authorized_members: [MemberAccess!]
+  currentUserAccessRight: String
 }
 
 enum CaseIncidentsOrdering {

opencti-platform/opencti-graphql/src/generated/graphql.ts

@@ -2018,6 +2018,7 @@ export type CaseIncident = BasicObject & Case & Container & StixCoreObject & Sti
   createdBy?: Maybe<Identity>;
   created_at: Scalars['DateTime']['output'];
   creators?: Maybe<Array<Creator>>;
+  currentUserAccessRight?: Maybe<Scalars['String']['output']>;
   description?: Maybe<Scalars['String']['output']>;
   editContext?: Maybe<Array<EditUserContext>>;
   entity_type: Scalars['String']['output'];
@@ -30981,6 +30982,7 @@ export type CaseIncidentResolvers<ContextType = any, ParentType extends Resolver
   createdBy?: Resolver<Maybe<ResolversTypes['Identity']>, ParentType, ContextType>;
   created_at?: Resolver<ResolversTypes['DateTime'], ParentType, ContextType>;
   creators?: Resolver<Maybe<Array<ResolversTypes['Creator']>>, ParentType, ContextType>;
+  currentUserAccessRight?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   description?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   editContext?: Resolver<Maybe<Array<ResolversTypes['EditUserContext']>>, ParentType, ContextType>;
   entity_type?: Resolver<ResolversTypes['String'], ParentType, ContextType>;

opencti-platform/opencti-graphql/src/modules/case/case-incident/case-incident-domain.ts

@@ -1,9 +1,9 @@
 import type { AuthContext, AuthUser } from '../../../types/user';
-import { createEntity, patchAttribute } from '../../../database/middleware';
+import { createEntity } from '../../../database/middleware';
 import type { EntityOptions } from '../../../database/middleware-loader';
 import { internalLoadById, listEntitiesPaginated, storeLoadById } from '../../../database/middleware-loader';
 import { BUS_TOPICS } from '../../../config/conf';
-import { ABSTRACT_STIX_CORE_OBJECT, ABSTRACT_STIX_DOMAIN_OBJECT, buildRefRelationKey } from '../../../schema/general';
+import { ABSTRACT_STIX_DOMAIN_OBJECT, buildRefRelationKey } from '../../../schema/general';
 import { notify } from '../../../database/redis';
 import { now } from '../../../utils/format';
 import { userAddIndividual } from '../../../domain/user';
@@ -16,9 +16,7 @@ import type { CaseIncidentAddInput, MemberAccessInput } from '../../../generated
 import { isStixId } from '../../../schema/schemaUtils';
 import { RELATION_OBJECT } from '../../../schema/stixRefRelationship';
 import { FilterMode } from '../../../generated/graphql';
-import { isValidMemberAccessRight } from '../../../utils/access';
-import { containsValidAdmin } from '../../../utils/authorizedMembers';
-import { FunctionalError } from '../../../config/errors';
+import { editAuthorizedMembers } from '../../../utils/authorizedMembers';
 
 export const findById: DomainFindById<BasicStoreEntityCaseIncident> = (context: AuthContext, user: AuthUser, caseIncidentId: string) => {
   return storeLoadById(context, user, caseIncidentId, ENTITY_TYPE_CONTAINER_CASE_INCIDENT);
@@ -63,7 +61,7 @@ export const caseIncidentContainsStixObjectOrStixRelationship = async (context:
   return caseIncidentFound.edges.length > 0;
 };
 
-export const caseIncidentEditAuthorizedMembers = async (
+/* export const caseIncidentEditAuthorizedMembers = async (
   context: AuthContext,
   user: AuthUser,
   entityId: string,
@@ -92,4 +90,14 @@ export const caseIncidentEditAuthorizedMembers = async (
   const patch = { authorized_members };
   const { element } = await patchAttribute(context, user, entityId, ENTITY_TYPE_CONTAINER_CASE_INCIDENT, patch);
   return notify(BUS_TOPICS[ABSTRACT_STIX_CORE_OBJECT].EDIT_TOPIC, element, user);
+}; */
+
+export const caseIncidentEditAuthorizedMembers = async (
+  context: AuthContext,
+  user: AuthUser,
+  entityId: string,
+  input: MemberAccessInput[] | undefined | null
+) => {
+  const requiredCapabilities = ['KNOWLEDGE_KNUPDATE_KNMANAGEAUTHMEMBERS'];
+  return editAuthorizedMembers(context, user, entityId, input, requiredCapabilities, ENTITY_TYPE_CONTAINER_CASE_INCIDENT);
 };

opencti-platform/opencti-graphql/src/modules/case/case-incident/case-incident-resolvers.ts

@@ -4,6 +4,7 @@ import { RELATION_OBJECT_ASSIGNEE } from '../../../schema/stixRefRelationship';
 import { stixDomainObjectDelete } from '../../../domain/stixDomainObject';
 import { addCaseIncident, caseIncidentContainsStixObjectOrStixRelationship, findAll, findById, caseIncidentEditAuthorizedMembers } from './case-incident-domain';
 import { getAuthorizedMembers } from '../../../utils/authorizedMembers';
+import { getUserAccessRight } from '../../../utils/access';
 
 const caseIncidentResolvers: Resolvers = {
   Query: {
@@ -15,6 +16,7 @@ const caseIncidentResolvers: Resolvers = {
   },
   CaseIncident: {
     authorized_members: (caseIncidentResponse, _, context) => getAuthorizedMembers(context, context.user, caseIncidentResponse),
+    currentUserAccessRight: (caseIncidentResponse, _, context) => getUserAccessRight(context.user, caseIncidentResponse),
   },
   CaseIncidentsOrdering: {
     creator: 'creator_id',

opencti-platform/opencti-graphql/src/modules/case/case-incident/case-incident.graphql

@@ -138,6 +138,7 @@ type CaseIncident implements BasicObject & StixObject & StixCoreObject & StixDom
   severity: String
   priority: String
   authorized_members: [MemberAccess!]
+  currentUserAccessRight: String
 }
 
 # Ordering

opencti-platform/opencti-graphql/src/utils/authorizedMembers.ts

@@ -2,10 +2,11 @@ import { uniq } from 'ramda';
 import { isEmptyField } from '../database/utils';
 import type { AuthContext, AuthUser } from '../types/user';
 import type { BasicGroupEntity, BasicStoreEntity } from '../types/store';
-import type { MemberAccess } from '../generated/graphql';
+import type { MemberAccess, MemberAccessInput } from '../generated/graphql';
 import {
   type AuthorizedMember,
   isUserHasCapabilities,
+  isValidMemberAccessRight,
   MEMBER_ACCESS_ALL,
   MEMBER_ACCESS_CREATOR,
   MEMBER_ACCESS_RIGHT_ADMIN,
@@ -16,6 +17,12 @@ import { findAllMembers, findById as findUser } from '../domain/user';
 import { findById as findGroup } from '../domain/group';
 import { findById as findOrganization } from '../modules/organization/organization-domain';
 import { RELATION_MEMBER_OF, RELATION_PARTICIPATE_TO } from '../schema/internalRelationship';
+import { FunctionalError } from '../config/errors';
+import { patchAttribute } from '../database/middleware';
+import { ENTITY_TYPE_CONTAINER_FEEDBACK } from '../modules/case/feedback/feedback-types';
+import { notify } from '../database/redis';
+import { BUS_TOPICS } from '../config/conf';
+import { ABSTRACT_STIX_CORE_OBJECT } from '../schema/general';
 
 export const getAuthorizedMembers = async (
   context: AuthContext,
@@ -80,3 +87,37 @@ export const containsValidAdmin = async (
   // at least 1 user with admin access and admin exploration capability
   return authorizedUsers.length > 0;
 };
+
+export const editAuthorizedMembers = async (
+  context: AuthContext,
+  user: AuthUser,
+  entityId: string,
+  input: MemberAccessInput[] | undefined | null,
+  requiredCapabilities: string[],
+  entityType: string,
+) => {
+  let authorized_members: { id: string, access_right: string }[] | null = null;
+
+  if (input) {
+    // validate input (validate access right) and remove duplicates
+    const filteredInput = input.filter((value, index, array) => {
+      return isValidMemberAccessRight(value.access_right) && array.findIndex((e) => e.id === value.id) === index;
+    });
+
+    const hasValidAdmin = await containsValidAdmin(
+      context,
+      filteredInput,
+      requiredCapabilities,
+    );
+    if (!hasValidAdmin) {
+      throw FunctionalError('It should have at least one valid member with admin access');
+    }
+
+    authorized_members = filteredInput.map(({ id, access_right }) => ({ id, access_right }));
+  }
+
+  const patch = { authorized_members };
+  const { element } = await patchAttribute(context, user, entityId, entityType, patch);
+  // TODO FIX type error
+  return notify(BUS_TOPICS[entityType].EDIT_TOPIC, element, user);
+};

opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/case-incident-response-test.ts

@@ -29,7 +29,9 @@ const READ_QUERY = gql`
       toStix
       authorized_members {
         id
+        access_right
       }
+      currentUserAccessRight
     }
   }
 `;
@@ -186,6 +188,16 @@ describe('Case Incident Response standard behavior with authorized_members activ
       }
     ]);
   });
+  it('should Case Incident Response get current User access right', async () => {
+    // Get current User access right
+    const currentUserAccessRightQueryResult = await queryAsAdmin({
+      query: READ_QUERY,
+      variables: { id: caseIncidentResponse.id },
+    });
+
+    expect(currentUserAccessRightQueryResult).not.toBeNull();
+    expect(currentUserAccessRightQueryResult?.data?.caseIncident.currentUserAccessRight).toEqual('admin');
+  });
   it('should Case Incident Response deleted', async () => {
     // Delete the case
     await queryAsAdmin({