From 458de0e3962159591752a8fdc128bd5f0dc5c576 Mon Sep 17 00:00:00 2001
From: To-om
Date: Thu, 7 Jan 2021 07:55:39 +0100
Subject: [PATCH] #1732 Add API for observable update in an alert

---
 .../org/thp/thehive/controllers/v0/ObservableCtrl.scala | 4 ++--
 thehive/app/org/thp/thehive/controllers/v0/Router.scala | 4 +++-
 .../org/thp/thehive/controllers/v1/ObservableCtrl.scala | 7 ++-----
 thehive/app/org/thp/thehive/services/ObservableSrv.scala | 7 +++++++
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala
index c35d18157b..bb8fb1d893 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/ObservableCtrl.scala
@@ -223,7 +223,7 @@ class ObservableCtrl @Inject() (
 val propertyUpdaters: Seq[PropertyUpdater] = request.body("observable")
 observableSrv
 .update(
- _.get(EntityIdOrName(observableId)).can(Permissions.manageObservable),
+ _.get(EntityIdOrName(observableId)).canManage,
 propertyUpdaters
 )
 .flatMap {
@@ -259,7 +259,7 @@ class ObservableCtrl @Inject() (
 ids
 .toTry { id =>
 observableSrv
- .update(_.get(EntityIdOrName(id)).can(Permissions.manageObservable), properties)
+ .update(_.get(EntityIdOrName(id)).canManage, properties)
 }
 .map(_ => Results.NoContent)
 }
diff --git a/thehive/app/org/thp/thehive/controllers/v0/Router.scala b/thehive/app/org/thp/thehive/controllers/v0/Router.scala
index 1930dbb96d..80cd24e4eb 100644
--- a/thehive/app/org/thp/thehive/controllers/v0/Router.scala
+++ b/thehive/app/org/thp/thehive/controllers/v0/Router.scala
@@ -78,13 +78,15 @@ class Router @Inject() (
 // case POST(p"/case/:caseId/artifact/_search") => observableCtrl.findInCase(caseId)
 case POST(p"/case/artifact/_stats") => observableCtrl.stats
 case POST(p"/case/$caseId/artifact") => observableCtrl.createInCase(caseId) // Audit ok
- case POST(p"/alert/$alertId/artifact") => observableCtrl.createInAlert(alertId) // Audit ok
 case GET(p"/case/artifact/$observableId") => observableCtrl.get(observableId)
 case DELETE(p"/case/artifact/$observableId") => observableCtrl.delete(observableId) // Audit ok
 case PATCH(p"/case/artifact/_bulk") => observableCtrl.bulkUpdate // Audit ok
 case PATCH(p"/case/artifact/$observableId") => observableCtrl.update(observableId) // Audit ok
 case GET(p"/case/artifact/$observableId/similar") => observableCtrl.findSimilar(observableId)
 case POST(p"/case/artifact/$observableId/shares") => shareCtrl.shareObservable(observableId)
+ case POST(p"/alert/$alertId/artifact") => observableCtrl.createInAlert(alertId) // Audit ok
+ case PATCH(p"/alert/artifact/$observableId") => observableCtrl.update(observableId) // Audit ok
+ case PATCH(p"/alert/artifact/_bulk") => observableCtrl.bulkUpdate // Audit ok
 case GET(p"/case") => caseCtrl.search
 case POST(p"/case") => caseCtrl.create // Audit ok
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
index 13ce290bce..8cf373d168 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/ObservableCtrl.scala
@@ -259,10 +259,7 @@ class ObservableCtrl @Inject() (
 .authTransaction(db) { implicit request => implicit graph =>
 val propertyUpdaters: Seq[PropertyUpdater] = request.body("observable")
 observableSrv
- .update(
- _.get(EntityIdOrName(observableId)).can(Permissions.manageObservable),
- propertyUpdaters
- )
+ .update(_.get(EntityIdOrName(observableId)).canManage, propertyUpdaters)
 .map(_ => Results.NoContent)
 }
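Review bot: The new `PATCH /alert/artifact/_bulk` route in the Router hunk is unreachable, because the `$observableId` extractor on the line added just before it also matches the literal segment `_bulk`, so a bulk request is dispatched to `observableCtrl.update("_bulk")` and fails on the id lookup instead of reaching `bulkUpdate`. The existing case routes avoid this by listing `_bulk` before the parameterised pattern; the two alert PATCH lines should be ordered the same way: `case PATCH(p"/alert/artifact/_bulk") => observableCtrl.bulkUpdate // Audit ok` followed by `case PATCH(p"/alert/artifact/$observableId") => observableCtrl.update(observableId) // Audit ok`. Since the alert routes reuse the case handlers and rely on `canManage` in the service for authorisation, it is worth a one-line comment above the alert block saying so, e.g. `// alert observables share the case handlers; write access is decided by ObservableOps.canManage`. The Router match continues outside the hunk.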
@@ -276,7 +273,7 @@ class ObservableCtrl @Inject() (
 ids
 .toTry { id =>
 observableSrv
- .update(_.get(EntityIdOrName(id)).can(Permissions.manageObservable), properties)
+ .update(_.get(EntityIdOrName(id)).canManage, properties)
 }
 .map(_ => Results.NoContent)
 }
diff --git a/thehive/app/org/thp/thehive/services/ObservableSrv.scala b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
index b95f40f7aa..e63e74016b 100644
--- a/thehive/app/org/thp/thehive/services/ObservableSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
@@ -15,6 +15,7 @@ import org.thp.scalligraph.traversal.{Converter, StepLabel, Traversal}
 import org.thp.scalligraph.utils.Hash
 import org.thp.scalligraph.{EntityIdOrName, RichSeq}
 import org.thp.thehive.models._
+import org.thp.thehive.services.AlertOps._
 import org.thp.thehive.services.ObservableOps._
 import org.thp.thehive.services.OrganisationOps._
 import org.thp.thehive.services.ShareOps._
@@ -229,6 +230,12 @@ object ObservableOps {
 else
 traversal.limit(0)
+ def canManage(implicit authContext: AuthContext): Traversal.V[Observable] =
+ if (authContext.isPermitted(Permissions.manageAlert))
+ traversal.filter(_.or(_.alert.visible, _.can(Permissions.manageObservable)))
+ else
+ can(Permissions.manageObservable)
+
 def userPermissions(implicit authContext: AuthContext): Traversal[Set[Permission], Vertex, Converter[Set[Permission], Vertex]] =
 traversal
 .share(authContext.organisation)
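Review bot: `canManage` in the ObservableOps hunk now carries the whole write-authorisation rule for observables, and it is not the obvious one — a caller holding `manageAlert` may modify any observable attached to an alert visible to its organisation, with or without `manageObservable` — yet the method has no scaladoc, so every `.canManage` call site in the v0 and v1 controllers hides that rule. Add a scaladoc above the definition, e.g. `/** Keeps only the observables the caller may modify: those reachable through a share granting manageObservable, or, when the caller holds manageAlert, those attached to an alert visible to its organisation. */`. It is also worth a why-comment on the `if` that the `manageAlert` check is made once against `authContext` rather than inside the traversal, which is why the two branches are built differently. The `ObservableOps` object continues outside the hunk.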