[backend] WIP Update model: authorized members activation via entity(#4538)

Author: marieflorescontact

opencti-platform/opencti-front/src/schema/relay.schema.graphql

@@ -8381,6 +8381,7 @@ type Mutation {
   caseTemplateRelationDelete(id: ID!, toId: StixRef!, relationship_type: String!): CaseTemplate
   caseIncidentAdd(input: CaseIncidentAddInput!): CaseIncident
   caseIncidentDelete(id: ID!): ID
+  caseIncidentEditAuthorizedMembers(id: ID!, input: [MemberAccessInput!]): CaseIncident
   caseRfiAdd(input: CaseRfiAddInput!): CaseRfi
   caseRfiDelete(id: ID!): ID
   caseRftAdd(input: CaseRftAddInput!): CaseRft

opencti-platform/opencti-graphql/src/generated/graphql.ts

@@ -12550,6 +12550,7 @@ export type Mutation = {
   caseDelete?: Maybe<Scalars['ID']['output']>;
   caseIncidentAdd?: Maybe<CaseIncident>;
   caseIncidentDelete?: Maybe<Scalars['ID']['output']>;
+  caseIncidentEditAuthorizedMembers?: Maybe<CaseIncident>;
   caseRfiAdd?: Maybe<CaseRfi>;
   caseRfiDelete?: Maybe<Scalars['ID']['output']>;
   caseRftAdd?: Maybe<CaseRft>;
@@ -13059,6 +13060,12 @@ export type MutationCaseIncidentDeleteArgs = {
 };
 
 
+export type MutationCaseIncidentEditAuthorizedMembersArgs = {
+  id: Scalars['ID']['input'];
+  input?: InputMaybe<Array<MemberAccessInput>>;
+};
+
+
 export type MutationCaseRfiAddArgs = {
   input: CaseRfiAddInput;
 };
@@ -34583,6 +34590,7 @@ export type MutationResolvers<ContextType = any, ParentType extends ResolversPar
   caseDelete?: Resolver<Maybe<ResolversTypes['ID']>, ParentType, ContextType, RequireFields<MutationCaseDeleteArgs, 'id'>>;
   caseIncidentAdd?: Resolver<Maybe<ResolversTypes['CaseIncident']>, ParentType, ContextType, RequireFields<MutationCaseIncidentAddArgs, 'input'>>;
   caseIncidentDelete?: Resolver<Maybe<ResolversTypes['ID']>, ParentType, ContextType, RequireFields<MutationCaseIncidentDeleteArgs, 'id'>>;
+  caseIncidentEditAuthorizedMembers?: Resolver<Maybe<ResolversTypes['CaseIncident']>, ParentType, ContextType, RequireFields<MutationCaseIncidentEditAuthorizedMembersArgs, 'id'>>;
   caseRfiAdd?: Resolver<Maybe<ResolversTypes['CaseRfi']>, ParentType, ContextType, RequireFields<MutationCaseRfiAddArgs, 'input'>>;
   caseRfiDelete?: Resolver<Maybe<ResolversTypes['ID']>, ParentType, ContextType, RequireFields<MutationCaseRfiDeleteArgs, 'id'>>;
   caseRftAdd?: Resolver<Maybe<ResolversTypes['CaseRft']>, ParentType, ContextType, RequireFields<MutationCaseRftAddArgs, 'input'>>;

opencti-platform/opencti-graphql/src/modules/case/case-incident/case-incident-domain.ts

@@ -1,9 +1,9 @@
 import type { AuthContext, AuthUser } from '../../../types/user';
-import { createEntity } from '../../../database/middleware';
+import { createEntity, patchAttribute } from '../../../database/middleware';
 import type { EntityOptions } from '../../../database/middleware-loader';
 import { internalLoadById, listEntitiesPaginated, storeLoadById } from '../../../database/middleware-loader';
 import { BUS_TOPICS } from '../../../config/conf';
-import { ABSTRACT_STIX_DOMAIN_OBJECT, buildRefRelationKey } from '../../../schema/general';
+import { ABSTRACT_STIX_CORE_OBJECT, ABSTRACT_STIX_DOMAIN_OBJECT, buildRefRelationKey } from '../../../schema/general';
 import { notify } from '../../../database/redis';
 import { now } from '../../../utils/format';
 import { userAddIndividual } from '../../../domain/user';
@@ -12,10 +12,13 @@ import { upsertTemplateForCase } from '../case-domain';
 import type { BasicStoreEntityCaseIncident } from './case-incident-types';
 import { ENTITY_TYPE_CONTAINER_CASE_INCIDENT } from './case-incident-types';
 import type { DomainFindById } from '../../../domain/domainTypes';
-import type { CaseIncidentAddInput } from '../../../generated/graphql';
+import type { CaseIncidentAddInput, MemberAccessInput } from '../../../generated/graphql';
 import { isStixId } from '../../../schema/schemaUtils';
 import { RELATION_OBJECT } from '../../../schema/stixRefRelationship';
 import { FilterMode } from '../../../generated/graphql';
+import { isValidMemberAccessRight } from '../../../utils/access';
+import { containsValidAdmin } from '../../../utils/authorizedMembers';
+import { FunctionalError } from '../../../config/errors';
 
 export const findById: DomainFindById<BasicStoreEntityCaseIncident> = (context: AuthContext, user: AuthUser, caseIncidentId: string) => {
   return storeLoadById(context, user, caseIncidentId, ENTITY_TYPE_CONTAINER_CASE_INCIDENT);
@@ -59,3 +62,34 @@ export const caseIncidentContainsStixObjectOrStixRelationship = async (context:
   const caseIncidentFound = await findAll(context, user, args);
   return caseIncidentFound.edges.length > 0;
 };
+
+export const caseIncidentEditAuthorizedMembers = async (
+  context: AuthContext,
+  user: AuthUser,
+  entityId: string,
+  input: MemberAccessInput[] | undefined | null
+) => {
+  let authorized_members: { id: string, access_right: string }[] | null = null;
+
+  if (input) {
+    // validate input (validate access right) and remove duplicates
+    const filteredInput = input.filter((value, index, array) => {
+      return isValidMemberAccessRight(value.access_right) && array.findIndex((e) => e.id === value.id) === index;
+    });
+
+    const hasValidAdmin = await containsValidAdmin(
+      context,
+      filteredInput,
+      ['KNOWLEDGE_KNUPDATE_KNMANAGEAUTHMEMBERS']
+    );
+    if (!hasValidAdmin) {
+      throw FunctionalError('It should have at least one valid member with admin access');
+    }
+
+    authorized_members = filteredInput.map(({ id, access_right }) => ({ id, access_right }));
+  }
+
+  const patch = { authorized_members };
+  const { element } = await patchAttribute(context, user, entityId, ENTITY_TYPE_CONTAINER_CASE_INCIDENT, patch);
+  return notify(BUS_TOPICS[ABSTRACT_STIX_CORE_OBJECT].EDIT_TOPIC, element, user);
+};

opencti-platform/opencti-graphql/src/modules/case/case-incident/case-incident-resolvers.ts

@@ -2,7 +2,7 @@ import type { Resolvers } from '../../../generated/graphql';
 import { buildRefRelationKey } from '../../../schema/general';
 import { RELATION_OBJECT_ASSIGNEE } from '../../../schema/stixRefRelationship';
 import { stixDomainObjectDelete } from '../../../domain/stixDomainObject';
-import { addCaseIncident, caseIncidentContainsStixObjectOrStixRelationship, findAll, findById } from './case-incident-domain';
+import { addCaseIncident, caseIncidentContainsStixObjectOrStixRelationship, findAll, findById, caseIncidentEditAuthorizedMembers } from './case-incident-domain';
 import { getAuthorizedMembers } from '../../../utils/authorizedMembers';
 
 const caseIncidentResolvers: Resolvers = {
@@ -27,6 +27,9 @@ const caseIncidentResolvers: Resolvers = {
     caseIncidentDelete: (_, { id }, context) => {
       return stixDomainObjectDelete(context, context.user, id);
     },
+    caseIncidentEditAuthorizedMembers: (_, { id, input }, context) => {
+      return caseIncidentEditAuthorizedMembers(context, context.user, id, input);
+    },
   }
 };
 

opencti-platform/opencti-graphql/src/modules/case/case-incident/case-incident.graphql

@@ -218,4 +218,5 @@ input CaseIncidentAddInput {
 type Mutation {
   caseIncidentAdd(input: CaseIncidentAddInput!): CaseIncident @auth
   caseIncidentDelete(id: ID!): ID @auth(for: [KNOWLEDGE_KNUPDATE_KNDELETE])
+  caseIncidentEditAuthorizedMembers(id: ID!, input:[MemberAccessInput!]): CaseIncident @auth(for: [KNOWLEDGE_KNUPDATE_KNMANAGEAUTHMEMBERS])
 }

opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/case-incident-response-test.ts

@@ -120,7 +120,6 @@ describe('Case Incident Response resolver standard behavior', () => {
     });
     expect(queryResult?.data?.stixDomainObjectEdit.fieldPatch.name).toEqual('Case - updated');
   });
-  // TODO ADD context test even if i don't understand what it is?
   it('should Case Incident Response deleted', async () => {
     // Delete the case
     await queryAsAdmin({
@@ -134,9 +133,75 @@ describe('Case Incident Response resolver standard behavior', () => {
   });
 });
 
-describe('Case Incident Response authorized_members standard behavior', () => {
+describe('Case Incident Response standard behavior with authorized_members activation from entity', () => {
+  let caseIncidentResponse: CaseIncident;
+  it('should Case Incident Response created', async () => {
+    // Create Case Incident Response
+    const caseIncidentResponseQueryResult = await queryAsAdmin({
+      query: CREATE_QUERY,
+      variables: {
+        input: {
+          name: 'Case Incident Response With Authorized Members'
+        }
+      }
+    });
+    caseIncidentResponse = caseIncidentResponseQueryResult?.data?.caseIncidentAdd;
+
+    // Activate Authorized members
+    const EDIT_AUTHORIZED_MEMBERS_QUERY = gql`
+      mutation CaseIncidentEditAuthorizedMembers(
+        $id: ID!
+        $input: [MemberAccessInput!]!
+      ) {
+        caseIncidentEditAuthorizedMembers(id: $id, input: $input){
+          authorized_members {
+            id
+            name
+            entity_type
+            access_right
+          }
+          id
+        }
+      }
+    `;
+
+    await queryAsAdmin({
+      query: EDIT_AUTHORIZED_MEMBERS_QUERY,
+      variables: {
+        id: caseIncidentResponse.id,
+        input: [
+          {
+            id: ADMIN_USER.id,
+            access_right: 'admin'
+          }
+        ]
+      }
+    });
+    expect(caseIncidentResponseQueryResult).not.toBeNull();
+    expect(caseIncidentResponseQueryResult?.data?.caseIncidentAdd.authorized_members).not.toBeUndefined();
+    expect(caseIncidentResponseQueryResult?.data?.caseIncidentAdd.authorized_members).toEqual([
+      {
+        id: ADMIN_USER.id,
+        access_right: 'admin'
+      }
+    ]);
+  });
+  it('should Case Incident Response deleted', async () => {
+    // Delete the case
+    await queryAsAdmin({
+      query: DELETE_QUERY,
+      variables: { id: caseIncidentResponse.id },
+    });
+    // Verify is no longer found
+    const queryResult = await queryAsAdmin({ query: READ_QUERY, variables: { id: caseIncidentResponse.id } });
+    expect(queryResult).not.toBeNull();
+    expect(queryResult?.data?.caseIncident).toBeNull();
+  });
+});
+
+describe('Case Incident Response standard behavior with authorized_members activated via settings', () => {
   let caseIncidentResponseAuthorizedMembers: CaseIncident;
-  it('should Case Incident Response created with authorized_members activated via settings', async () => {
+  it('should Case Incident Response created', async () => {
     // Activate authorized members for IR
     const ENTITY_SETTINGS_READ_QUERY_BY_TARGET_TYPE = gql`
       query entitySettingsByTargetType($targetType: String!) {