Merge tag '2.13.0' into develop

2.13.0

CHANGELOG.md

@@ -1,7 +1,34 @@
 # Change Log
 
-## [2.12.1](https://github.com/CERT-BDF/TheHive/tree/2.12.1) (2017-08-01)
+## [2.13](https://github.com/CERT-BDF/TheHive/tree/2.13) (2017-09-15)
+
+[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.12.1...2.13)
+
+**Implemented enhancements:**
+
+- Group ownership in Docker image prevents running on OpenShift [\#307](https://github.com/CERT-BDF/TheHive/issues/307)
+- Improve the content of alert flow items [\#304](https://github.com/CERT-BDF/TheHive/issues/304)
+- Add a basic support for webhooks [\#293](https://github.com/CERT-BDF/TheHive/issues/293)
+- Add basic authentication to Stream API [\#291](https://github.com/CERT-BDF/TheHive/issues/291)
+- Add Support for Play 2.6.x and Elasticsearch 5.x [\#275](https://github.com/CERT-BDF/TheHive/issues/275)
+- Fine grained user permissions for API access [\#263](https://github.com/CERT-BDF/TheHive/issues/263)
+- Alert Pane: Catch Incorrect Keywords [\#241](https://github.com/CERT-BDF/TheHive/issues/241)
+- Specify multiple AD servers in TheHive configuration [\#231](https://github.com/CERT-BDF/TheHive/issues/231)
+- Export cases in MISP events [\#52](https://github.com/CERT-BDF/TheHive/issues/52)
+
+**Fixed bugs:**
 
+- Download attachment with non-latin filename [\#302](https://github.com/CERT-BDF/TheHive/issues/302)
+- Undefined threat level from MISP events becomes severity "4" [\#300](https://github.com/CERT-BDF/TheHive/issues/300)
+- File name is not displayed in observable conflict dialog [\#295](https://github.com/CERT-BDF/TheHive/issues/295)
+- A colon punctuation mark in a search query results in 500 [\#285](https://github.com/CERT-BDF/TheHive/issues/285)
+- Previewing alerts fails with "too many substreams open" due to case similarity process [\#280](https://github.com/CERT-BDF/TheHive/issues/280)
+
+**Closed issues:**
+
+- Threat level/severity code inverted between The Hive and MISP [\#292](https://github.com/CERT-BDF/TheHive/issues/292)
+
+## [2.12.1](https://github.com/CERT-BDF/TheHive/tree/2.12.1) (2017-08-01)
 [Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.12.0...2.12.1)
 
 **Implemented enhancements:**
@@ -11,12 +38,12 @@
 
 **Fixed bugs:**
 
+- Cortex Connector Not Found [\#256](https://github.com/CERT-BDF/TheHive/issues/256)
 - Case similarity reports merged cases [\#272](https://github.com/CERT-BDF/TheHive/issues/272)
 - Closing a case with an open task does not dismiss task in "My tasks" [\#269](https://github.com/CERT-BDF/TheHive/issues/269)
 - API: cannot create alert if one alert artifact contains the IOC field set [\#268](https://github.com/CERT-BDF/TheHive/issues/268)
 - Can't get logs of a task via API [\#259](https://github.com/CERT-BDF/TheHive/issues/259)
 - Add multiple attachments in a single task log doesn't work [\#257](https://github.com/CERT-BDF/TheHive/issues/257)
-- Cortex Connector Not Found [\#256](https://github.com/CERT-BDF/TheHive/issues/256)
 - TheHive doesn't send the file name to Cortex [\#254](https://github.com/CERT-BDF/TheHive/issues/254)
 - Renaming of users does not work [\#249](https://github.com/CERT-BDF/TheHive/issues/249)
 

build.sbt

@@ -42,7 +42,7 @@ lazy val rpmPackageRelease = (project in file("package/rpm-release"))
     maintainer := "TheHive Project <[email protected]>",
     version := "1.0.0",
     rpmRelease := "3",
-    rpmVendor in Rpm := "TheHive Project",
+    rpmVendor := "TheHive Project",
     rpmUrl := Some("http://thehive-project.org/"),
     rpmLicense := Some("AGPL"),
     maintainerScripts in Rpm := Map.empty,
@@ -134,7 +134,7 @@ linuxMakeStartScript in Debian := None
 
 // RPM //
 rpmRelease := "1"
-rpmVendor in Rpm := "TheHive Project"
+rpmVendor := "TheHive Project"
 rpmUrl := Some("http://thehive-project.org/")
 rpmLicense := Some("AGPL")
 rpmRequirements += "java-1.8.0-openjdk-headless"
@@ -172,12 +172,18 @@ mappings in Docker ~= (_.filterNot {
   case (_, filepath) => filepath == "/opt/thehive/conf/application.conf"
 })
 dockerCommands ~= { dc =>
-  val (dockerInitCmds, dockerTailCmds) = dc.splitAt(4)
+  val (dockerInitCmds, dockerTailCmds) = dc
+    .collect {
+      case ExecCmd("RUN", "chown", _*) => ExecCmd("RUN", "chown", "-R", "daemon:root", ".")
+      case other => other
+    }
+    .splitAt(4)
   dockerInitCmds ++
     Seq(
-      Cmd("ADD", "var", "/var"),
+        Cmd("ADD", "var", "/var"),
       Cmd("ADD", "etc", "/etc"),
-      ExecCmd("RUN", "chown", "-R", "daemon:daemon", "/var/log/thehive")) ++
+      ExecCmd("RUN", "chown", "-R", "daemon:root", "/var/log/thehive"),
+      ExecCmd("RUN", "chmod", "+x", "/opt/thehive/bin/thehive", "/opt/thehive/entrypoint")) ++
     dockerTailCmds
 }
 

package/docker/entrypoint

@@ -59,7 +59,7 @@ then
 			SECRET=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)
 		fi
 		echo Using secret: $SECRET
-		echo play.crypto.secret=\"$SECRET\" >> $CONFIG_FILE
+		echo play.http.secret.key=\"$SECRET\" >> $CONFIG_FILE
 	fi
 
 	if test $CONFIG_ES = 1

project/Dependencies.scala

@@ -32,6 +32,6 @@ object Dependencies {
     val reflections = "org.reflections" % "reflections" % "0.9.11"
     val zip4j = "net.lingala.zip4j" % "zip4j" % "1.3.2"
     val akkaTest = "com.typesafe.akka" %% "akka-stream-testkit" % "2.5.4"
-    val elastic4play = "org.cert-bdf" %% "elastic4play" % "1.3-SNAPSHOT"
+    val elastic4play = "org.cert-bdf" %% "elastic4play" % "1.3.0"
   }
 }

thehive-backend/conf/reference.conf

@@ -56,7 +56,7 @@ auth {
 	# services.LocalAuthSrv : passwords are stored in user entity (in ElasticSearch). No configuration are required.
 	# ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
 	# ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
-	type = [local]
+	provider = [local]
 
 	ad {
 		# Domain Windows name using DNS format. This parameter is required.

thehive-misp/app/connectors/misp/MispSrv.scala

@@ -80,7 +80,7 @@ class MispSrv @Inject() (
   def getAttributesFromCase(caze: Case): Future[Seq[ExportedMispAttribute]] = {
     import org.elastic4play.services.QueryDSL._
     artifactSrv
-      .find(and(withParent(caze), "status" ~= "Ok"), Some("all"), Nil)
+      .find(and(withParent(caze), "status" ~= "Ok", "ioc" ~= true), Some("all"), Nil)
       ._1
       .map { artifact ⇒
         val (category, tpe) = fromArtifact(artifact.dataType(), artifact.data())

thehive-misp/app/connectors/misp/MispSynchro.scala

@@ -143,7 +143,6 @@ class MispSynchro @Inject() (
         case (event, None, attrs) ⇒
           logger.info(s"MISP event ${event.source}:${event.sourceRef} has no related alert, create it with ${attrs.size} observable(s)")
           val alertJson = Json.toJson(event).as[JsObject] +
-            ("title" → JsString(s"#${event.sourceRef} ${event.title}")) +
             ("type" → JsString("misp")) +
             ("caseTemplate" → mispConnection.caseTemplate.fold[JsValue](JsNull)(JsString)) +
             ("artifacts" → Json.toJson(attrs))

ui/app/index.html

@@ -148,6 +148,7 @@
     <script src="scripts/controllers/case/CaseCloseModalCtrl.js"></script>
     <script src="scripts/controllers/case/CaseCreationCtrl.js"></script>
     <script src="scripts/controllers/case/CaseDetailsCtrl.js"></script>
+    <script src="scripts/controllers/case/CaseExportDialogCtrl.js"></script>
     <script src="scripts/controllers/case/CaseLinksCtrl.js"></script>
     <script src="scripts/controllers/case/CaseListCtrl.js"></script>
     <script src="scripts/controllers/case/CaseMainCtrl.js"></script>

ui/app/scripts/controllers/admin/AdminUserDialogCtrl.js

@@ -7,13 +7,16 @@
         self.user = user;
         self.isEdit = user.id;
 
-        self.formData = _.defaults(_.pick(self.user, 'id', 'name', 'roles'), {
+        var formData = _.defaults(_.pick(self.user, 'id', 'name', 'roles'), {
             id: null,
             name: null,
             roles: [],
             alert: false
         });
-        self.formData.alert = self.formData.roles.indexOf('alert') !== -1;
+        formData.alert = formData.roles.indexOf('alert') !== -1;
+        formData.roles = _.without(formData.roles, 'alert');
+
+        self.formData = formData;
 
         var onSuccess = function(data) {
             $uibModalInstance.close(data);

ui/app/scripts/controllers/alert/AlertListCtrl.js

@@ -1,7 +1,7 @@
 (function() {
     'use strict';
     angular.module('theHiveControllers')
-        .controller('AlertListCtrl', function($scope, $q, $state, $uibModal, TemplateSrv, AlertingSrv, NotificationSrv, FilteringSrv, Severity) {
+        .controller('AlertListCtrl', function($scope, $q, $state, $uibModal, TagSrv, TemplateSrv, AlertingSrv, NotificationSrv, FilteringSrv, Severity) {
             var self = this;
 
             self.list = [];
@@ -93,6 +93,7 @@
             self.searchForm = {
                 searchQuery: self.filtering.buildQuery() || ''
             };
+            self.lastSearch = null;
 
             $scope.$watch('$vm.list.pageSize', function (newValue) {
                 self.filtering.setPageSize(newValue);
@@ -275,7 +276,11 @@
 
             this.applyFilters = function () {
                 self.searchForm.searchQuery = self.filtering.buildQuery();
-                self.search();
+
+                if(self.lastSearch !== self.searchForm.searchQuery) {
+                    self.lastSearch = self.searchForm.searchQuery;
+                    self.search();
+                }
             };
 
             this.clearFilters = function () {
@@ -372,6 +377,10 @@
                 return AlertingSrv.sources(query);
             };
 
+            this.getTags = function(query) {
+                return TagSrv.fromAlerts(query);
+            };
+
             self.load();
         });
 })();

ui/app/scripts/controllers/case/CaseExportDialogCtrl.js

@@ -0,0 +1,88 @@
+(function() {
+    'use strict';
+
+    angular
+        .module('theHiveControllers')
+        .controller('CaseExportDialogCtrl', function(MispSrv, NotificationSrv, clipboard, $uibModalInstance, caze, config) {
+            var self = this;
+
+            this.caze = caze;
+            this.mode = '';
+            this.servers = config.servers;
+            this.failures = [];
+
+            this.existingExports = {};
+            this.loading = false;
+
+            _.each(_.filter(this.caze.stats.alerts || [], function(item) {
+                return item.type === 'misp';
+            }), function(item) {
+                self.existingExports[item.source] = true;
+            });
+
+            var extractExportErrors = function (errors) {
+                var result = [];
+
+                result = errors.map(function(item) {
+                    return {
+                        data: item.object.dataType === 'file' ? item.object.attachment.name : item.object.data,
+                        message: item.message
+                    };
+                });
+
+                return result;
+            }
+
+            this.copyToClipboard = function() {
+                clipboard.copyText(_.pluck(self.failures, 'data').join('\n'));
+                $uibModalInstance.dismiss();
+            }
+
+            this.cancel = function() {
+                $uibModalInstance.dismiss();
+            };
+
+            this.confirm = function() {
+                $uibModalInstance.close();
+            };
+
+            this.export = function(server) {
+                self.loading = true;
+                self.failures = [];
+
+                MispSrv.export(self.caze.id, server)
+                .then(function(response){
+                    var success = 0,
+                        failure = 0;
+
+                    if (response.status === 207) {
+                        success = response.data.success.length;
+                        failure = response.data.failure.length;
+
+                        self.mode = 'error';
+                        self.failures = extractExportErrors(response.data.failure);
+
+                        NotificationSrv.log('The case has been successfully exported, but '+ failure +' observable(s) failed', 'warning');
+                    } else {
+                        success = angular.isObject(response.data) ? 1 : response.data.length;
+                        NotificationSrv.log('The case has been successfully exported with ' + success+ ' observable(s)', 'success');
+                        $uibModalInstance.close();
+                    }
+                    self.loading = false;
+
+                }, function(err) {
+                    if(!err) {
+                        return;
+                    }
+
+                    if (err.status === 400) {
+                        self.mode = 'error';
+                        self.failures = extractExportErrors(err.data);
+                    } else {
+                        NotificationSrv.error('CaseExportCtrl', 'An unexpected error occurred while exporting case', err.status);
+                    }
+                    self.loading = false;
+                });
+            }
+        });
+})();

ui/app/scripts/controllers/case/CaseListCtrl.js

@@ -15,6 +15,7 @@
         this.searchForm = {
             searchQuery: this.uiSrv.buildQuery() || ''
         };
+        this.lastQuery = null;
 
         this.list = PSearchSrv(undefined, 'case', {
             scope: $scope,
@@ -36,7 +37,6 @@
             field: 'status'
         });
 
-
         $scope.$watch('$vm.list.pageSize', function (newValue) {
             self.uiSrv.setPageSize(newValue);
         });
@@ -55,7 +55,12 @@
 
         this.applyFilters = function () {
             self.searchForm.searchQuery = self.uiSrv.buildQuery();
-            self.search();
+
+            if(self.lastQuery !== self.searchForm.searchQuery) {
+                self.lastQuery = self.searchForm.searchQuery;
+                self.search();
+            }
+
         };
 
         this.clearFilters = function () {