[backend] Improve redaction of user information in demo mode

Author: richard-julien

opencti-platform/opencti-graphql/src/database/entity-representative.js

@@ -1,9 +1,10 @@
 import moment from 'moment';
-import { isEmptyField, isNotEmptyField } from './utils';
+import { isEmptyField, isNotEmptyField, REDACTED_INFORMATION } from './utils';
 import { isStixRelationship } from '../schema/stixRelationship';
-import { ENTITY_TYPE_CAPABILITY, ENTITY_TYPE_STATUS } from '../schema/internalObject';
+import { ENTITY_TYPE_CAPABILITY, ENTITY_TYPE_STATUS, ENTITY_TYPE_USER } from '../schema/internalObject';
 import { isStixCyberObservable } from '../schema/stixCyberObservable';
 import { observableValue } from '../utils/format';
+import { ENABLED_DEMO_MODE } from '../config/conf';
 
 export const extractRepresentativeDescription = (entityData) => {
   let secondValue;
@@ -40,7 +41,9 @@ const extractRelationshipRepresentative = (relationshipData) => {
 // TODO migrate to extractStixRepresentative from convertStoreToStix
 export const extractEntityRepresentativeName = (entityData) => {
   let mainValue;
-  if (isStixCyberObservable(entityData.entity_type)) {
+  if (entityData.entity_type === ENTITY_TYPE_USER) {
+    mainValue = ENABLED_DEMO_MODE ? REDACTED_INFORMATION : entityData.name;
+  } else if (isStixCyberObservable(entityData.entity_type)) {
     mainValue = observableValue(entityData);
   } else if (entityData.entity_type === ENTITY_TYPE_STATUS && entityData.name && entityData.type) {
     mainValue = `${entityData.type} - ${entityData.name}`;

opencti-platform/opencti-graphql/src/database/utils.js

@@ -22,6 +22,8 @@ export const RABBIT_QUEUE_PREFIX = rabbitmqPrefix ? `${rabbitmqPrefix}_` : '';
 
 export const MAX_EVENT_LOOP_PROCESSING_TIME = 50;
 
+export const REDACTED_INFORMATION = '*** Redacted ***';
+
 export const EVENT_TYPE_CREATE = 'create';
 export const EVENT_TYPE_DELETE = 'delete';
 export const EVENT_TYPE_DEPENDENCIES = 'init-dependencies';

opencti-platform/opencti-graphql/src/domain/user.js

@@ -218,7 +218,7 @@ const buildCreatorUser = (user) => {
   return {
     id: user.id,
     entity_type: user.entity_type,
-    name: user.name,
+    name: ENABLED_DEMO_MODE ? REDACTED_USER.name : user.name,
     description: user.description,
     standard_id: user.id
   };

opencti-platform/opencti-graphql/src/resolvers/stix.js

@@ -5,11 +5,13 @@ import { batchCreators } from '../domain/user';
 import { batchInternalRels } from '../domain/stixCoreObject';
 import { schemaRelationsRefDefinition } from '../schema/schema-relationsRef';
 import { INPUT_GRANTED_REFS } from '../schema/general';
-import { isUserHasCapability, KNOWLEDGE_ORGANIZATION_RESTRICT } from '../utils/access';
+import { isUserHasCapability, KNOWLEDGE_ORGANIZATION_RESTRICT, REDACTED_USER } from '../utils/access';
+import { ENABLED_DEMO_MODE } from '../config/conf';
+import { ENTITY_TYPE_USER } from '../schema/internalObject';
 
 const creatorsLoader = batchLoader(batchCreators);
 const relBatchLoader = batchLoader(batchInternalRels);
-export const loadThroughDenormalized = (context, user, element, inputName, args = {}) => {
+const internalLoadThroughDenormalized = (context, user, element, inputName, args = {}) => {
   if (inputName === INPUT_GRANTED_REFS) {
     if (!isUserHasCapability(user, KNOWLEDGE_ORGANIZATION_RESTRICT)) {
       return []; // Granted_refs visibility is only for manager
@@ -28,6 +30,22 @@ export const loadThroughDenormalized = (context, user, element, inputName, args
   return relBatchLoader.load({ element, definition: ref }, context, user, args);
 };
 
+export const loadThroughDenormalized = async (context, user, element, inputName, args = {}) => {
+  const data = await internalLoadThroughDenormalized(context, user, element, inputName, args);
+  if (ENABLED_DEMO_MODE) {
+    if (Array.isArray(data)) {
+      return data.map((d) => {
+        if (d.entity_type === ENTITY_TYPE_USER) {
+          return { ...d, name: REDACTED_USER.name, user_email: REDACTED_USER.user_email };
+        }
+        return d;
+      });
+    }
+    return data ? { ...data, name: REDACTED_USER.name, user_email: REDACTED_USER.user_email } : data;
+  }
+  return data;
+};
+
 const stixResolvers = {
   Query: {
     stix: async (_, { id }, context) => stixLoadByIdStringify(context, context.user, id),

opencti-platform/opencti-graphql/src/utils/access.ts

@@ -18,7 +18,7 @@ import type { BasicStoreSettings } from '../types/settings';
 import { ACCOUNT_STATUS_ACTIVE } from '../config/conf';
 import { schemaAttributesDefinition } from '../schema/schema-attributes';
 import { FunctionalError } from '../config/errors';
-import { isNotEmptyField } from '../database/utils';
+import { isNotEmptyField, REDACTED_INFORMATION } from '../database/utils';
 import { isStixObject } from '../schema/stixCoreObject';
 
 export const DEFAULT_INVALID_CONF_VALUE = 'ChangeMe';
@@ -288,8 +288,8 @@ export const REDACTED_USER: AuthUser = {
   id: REDACTED_USER_UUID,
   internal_id: REDACTED_USER_UUID,
   individual_id: undefined,
-  name: '*** Redacted ***',
-  user_email: '*** Redacted ***',
+  name: REDACTED_INFORMATION,
+  user_email: REDACTED_INFORMATION,
   inside_platform_organization: false,
   origin: { user_id: REDACTED_USER_UUID, socket: 'internal' },
   roles: [],