From 08062a995c5ac804678e132b7ad2aa78abd67f67 Mon Sep 17 00:00:00 2001
From: To-om
Date: Thu, 18 Mar 2021 08:44:28 +0100
Subject: [PATCH] #1731 Fix MISP synchronisation
---
 .../org/thp/misp/client/MispClient.scala | 2 +-
 .../misp/services/MispImportSrv.scala | 42 ++++++++++---------
 2 files changed, 23 insertions(+), 21 deletions(-)
diff --git a/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala b/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala
index 5cca2c8816..2433ad8a94 100644
--- a/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala
+++ b/misp/client/src/main/scala/org/thp/misp/client/MispClient.scala
@@ -167,7 +167,7 @@ class MispClient(
 val fromDate = (maxAge.map(a => System.currentTimeMillis() - a.toMillis).toSeq ++ publishDate.map(_.getTime))
 .sorted(Ordering[Long].reverse)
 .headOption
- .map(d => "searchpublish_timestamp" -> JsNumber((d / 1000) + 1))
+ .map(d => "searchtimestamp" -> JsNumber((d / 1000) + 1))
 val tagFilter = (whitelistTags ++ excludedTags.map("!" + _)).map(JsString.apply)
 val organisationFilter = (whitelistOrganisations ++ excludedOrganisations.map("!" + _)).map(JsString.apply)
 val query = JsObject
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala
index 8c05f8a7a2..d7242fa4f6 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispImportSrv.scala
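Review bot: The `searchtimestamp` filter in `fromDate` is still fed from `publishDate`, so the argument's name no longer matches the field it is compared against, and nothing in the hunk explains the switch. As far as MISP's event index filters go, `searchtimestamp` matches the event's last-modification time, so it can also return events that were edited but not published again; whether the rest of the query (built after this hunk) restricts results to published events is not visible here and is worth confirming before such events become alerts. I would add a comment above the `.map`, for example `// filter on MISP event modification time (not publish time); +1 s makes the lower bound exclusive`. The enclosing method starts and ends outside the hunk.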
@@ -181,18 +181,20 @@ class MispImportSrv @Inject() (
 ): Option[Date] = {
 val lastOrgSynchro = client
 .organisationFilter(organisationSrv.startTraversal)
- .group(
- _.by,
- _.by(
- _.alerts
- .filterBySource(mispOrganisation)
- .filterByType("misp")
- .value(a => a.lastSyncDate)
- .max
- )
- )
- .head
- .values
+ .notAdmin
+ ._id
+ .toIterator
+ .flatMap { orgId =>
+ alertSrv
+ .startTraversal
+ .filterBySource(mispOrganisation)
+ .filterByType("misp")
+ .has(_.organisationId, orgId)
+ .value(a => a.lastSyncDate)
+ .max
+ .headOption
+ }
+ .toSeq
 if (lastOrgSynchro.size == organisations.size && organisations.nonEmpty) Some(lastOrgSynchro.min)
 else None
@@ -213,8 +215,8 @@ class MispImportSrv @Inject() (
 observableSrv
 .startTraversal
 .has(_.organisationIds, organisationSrv.currentId)
- .has(_.relatedId, observable.relatedId)
- .has(_.data, observable.data.get)
+ .has(_.relatedId, alert._id)
+ .has(_.data, data)
 .richObservable
 .getOrFail("Observable")
 _ <-
@@ -273,7 +275,7 @@ class MispImportSrv @Inject() (
 }
 }
- def importAttibutes(client: TheHiveMispClient, event: Event, alert: Alert with Entity, lastSynchro: Option[Date])(implicit
+ def importAttributes(client: TheHiveMispClient, event: Event, alert: Alert with Entity, lastSynchro: Option[Date])(implicit
 graph: Graph,
 authContext: AuthContext
 ): Unit = {
@@ -348,10 +350,10 @@ class MispImportSrv @Inject() (
 )(implicit graph: Graph, authContext: AuthContext): Try[(Alert with Entity, JsObject)] = {
 logger.debug(s"updateOrCreateAlert ${client.name}#${event.id} for organisation ${organisation.name}")
 eventToAlert(client, event, organisation._id).flatMap { alert =>
- organisationSrv
- .get(organisation)
- .alerts
+ alertSrv
+ .startTraversal
 .getBySourceId("misp", mispOrganisation, event.id)
+ .has(_.organisationId, organisation._id)
 .richAlert
 .headOption match {
 case None => // if the related alert doesn't exist, create it
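Review bot: In getLastSyncDate the new traversal re-derives the organisation list with `client.organisationFilter(organisationSrv.startTraversal).notAdmin` and then compares its size with the `organisations` argument, which the caller builds with the same expression in the @@ -404 hunk. The two filters have to be kept identical by hand: if they drift, the sizes either never match (every run falls back to a full import) or match over different organisations, and `lastOrgSynchro.min` then no longer covers the organisations actually being synchronised. Iterating the argument removes the duplication, e.g. `organisations.iterator.flatMap { org =>` with `.has(_.organisationId, org._id)` inside. The new form also issues one alert query per organisation, which is worth a short comment if tenant counts can grow.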
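Review bot: The observable lookup in the @@ -213 hunk is still scoped with `organisationSrv.currentId`, which comes from the auth context, while the other lookups changed by this commit scope by the explicit `organisation._id`. If the import runs under one auth context while looping over several organisations (not visible in this hunk), the current organisation may differ from the alert's organisation and `getOrFail("Observable")` would fail for an observable that exists. Since `relatedId` is now the alert's own `_id`, the organisation predicate looks redundant; either drop it or add a comment stating that the auth context is always the alert's organisation. The enclosing block starts and ends outside the hunk.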
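Review bot: In updateOrCreateAlert the tenant scoping of the existing-alert lookup now rests on the alert's stored `organisationId` property (`.has(_.organisationId, organisation._id)`) instead of the organisation-to-alert traversal it replaces; the same predicate is used in getLastSyncDate. Alerts whose property is missing or stale would not match, and the `case None` branch would then create a second alert for the same MISP event; whether every existing alert carries the property is not visible in this patch. `.headOption` also hides the case where more than one alert matches. A short comment naming the invariant relied on (every alert has `organisationId` set to its owning organisation) would help, and a warning log when more than one alert matches would make duplicates detectable.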
@@ -404,7 +406,7 @@ class MispImportSrv @Inject() (
 logger.debug(s"Get eligible organisations")
 val organisations = db.roTransaction { implicit graph =>
- client.organisationFilter(organisationSrv.startTraversal).toSeq
+ client.organisationFilter(organisationSrv.startTraversal).notAdmin.toSeq
 }
 val lastSynchro = db.roTransaction { implicit graph =>
 getLastSyncDate(client, mispOrganisation, organisations)
@@ -423,7 +425,7 @@ class MispImportSrv @Inject() (
 updateOrCreateAlert(client, organisation, mispOrganisation, event, caseTemplate)
 .map {
 case (alert, updatedFields) =>
- importAttibutes(client, event, alert, if (alert._updatedBy.isEmpty) None else lastSynchro)
+ importAttributes(client, event, alert, if (alert._updatedBy.isEmpty) None else lastSynchro)
 (alert, updatedFields)
 }
 .recoverWith {