#1427 Check visibility according to organisation instead of user

TheHive-Project · Jul 9, 2020 · 6867871 · 6867871
1 parent 0c14a0f
commit 6867871
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 61 deletions.
diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala
@@ -274,16 +274,13 @@ class JobSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema")
     * @param authContext the auth context to check login against
     * @return
     */
-  def visible(implicit authContext: AuthContext): JobSteps = newInstance(
-    raw.filter(
+  def visible(implicit authContext: AuthContext): JobSteps =
+    this.filter(
       _.inTo[ObservableJob]
         .inTo[ShareObservable]
         .inTo[OrganisationShare]
-        .inTo[RoleOrganisation]
-        .inTo[UserRole]
-        .has(Key("login") of authContext.userId)
+        .has("name", authContext.organisation)
     )
-  )
 
   /**
     * Checks if a job is accessible if the user and
@@ -293,18 +290,15 @@ class JobSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema")
     * @return
     */
   def can(permission: Permission)(implicit authContext: AuthContext): JobSteps =
-    newInstance(
-      raw.filter(
+    if (authContext.permissions.contains(permission))
+      this.filter(
         _.inTo[ObservableJob]
           .inTo[ShareObservable]
-          .filter(_.outTo[ShareProfile].has(Key("permissions") of permission))
+          .filter(_.outTo[ShareProfile].has("permissions", permission))
           .inTo[OrganisationShare]
-          .inTo[RoleOrganisation]
-          .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
-          .inTo[UserRole]
-          .has(Key("login") of authContext.userId)
+          .has("name", authContext.organisation)
       )
-    )
+    else this.limit(0)
 
   override def newInstance(newRaw: GremlinScala[Vertex]): JobSteps = new JobSteps(newRaw)
   override def newInstance(): JobSteps                             = new JobSteps(raw.clone())

diff --git a/thehive/app/org/thp/thehive/services/AlertSrv.scala b/thehive/app/org/thp/thehive/services/AlertSrv.scala
@@ -329,14 +329,12 @@ class AlertSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema
     )
 
   def can(permission: Permission)(implicit authContext: AuthContext): AlertSteps =
-    this.filter(
-      _.outTo[AlertOrganisation]
-        .has("name", authContext.organisation)
-        .inTo[RoleOrganisation]
-        .filter(_.outTo[RoleProfile].has("permissions", permission))
-        .inTo[UserRole]
-        .has("login", authContext.userId)
-    )
+    if (authContext.permissions.contains(permission))
+      this.filter(
+        _.outTo[AlertOrganisation]
+          .has("name", authContext.organisation)
+      )
+    else this.limit(0)
 
   def imported: Traversal[Boolean, Boolean] = this.outToE[AlertCase].count.map(_ > 0)
 
@@ -350,16 +348,11 @@ class AlertSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema
     val caseIdLabel           = StepLabel[JList[AnyRef]]()
     val caseTemplateNameLabel = StepLabel[JList[String]]()
     val observableCountLabel  = StepLabel[JLong]()
-    Traversal(
+    val result = Traversal(
       raw
         .`match`(
           _.as(alertLabel).out("AlertOrganisation").has(Key("name") of authContext.organisation).as(organisationLabel),
           _.as(alertLabel).out("AlertTag").fold().as(tagLabel),
-          _.as(organisationLabel)
-            .inTo[RoleOrganisation]
-            .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
-            .inTo[UserRole]
-            .has(Key("login") of authContext.userId),
           _.as(alertLabel).outToE[AlertCustomField].inV().path.fold.as(customFieldLabel),
           _.as(alertLabel).outTo[AlertCase].id().fold.as(caseIdLabel),
           _.as(alertLabel).outTo[AlertCaseTemplate].values[String]("name").fold.as(caseTemplateNameLabel),
@@ -397,6 +390,10 @@ class AlertSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema
           ) -> organisation
         }
     )
+    if (authContext.permissions.contains(permission))
+      result
+    else
+      result.limit(0)
   }
 
   def customFields(name: String): CustomFieldValueSteps =

diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -475,9 +475,7 @@ class CaseSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema"
             .in("ShareCase")
             .filter(
               _.inTo[OrganisationShare]
-                .inTo[RoleOrganisation]
-                .inTo[UserRole]
-                .has(Key("login") of authContext.userId)
+                .has(Key("name") of authContext.organisation)
             )
             .out("ShareObservable")
             .as(observableLabel.name),
@@ -487,9 +485,7 @@ class CaseSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema"
             .in("ShareObservable")
             .filter(
               _.inTo[OrganisationShare]
-                .inTo[RoleOrganisation]
-                .inTo[UserRole]
-                .has(Key("login") of authContext.userId)
+                .has(Key("name") of authContext.organisation)
             )
             .out("ShareCase")
             .where(JP.neq(originCaseLabel.name))

diff --git a/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala b/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala
@@ -191,20 +191,19 @@ class CaseTemplateSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive
   override def newInstance(newRaw: GremlinScala[Vertex]): CaseTemplateSteps = new CaseTemplateSteps(newRaw)
 
   def visible(implicit authContext: AuthContext): CaseTemplateSteps =
-    newInstance(raw.filter(_.outTo[CaseTemplateOrganisation].inTo[RoleOrganisation].inTo[UserRole].has(Key("login") of authContext.userId)))
+    this.filter(_.outTo[CaseTemplateOrganisation].has("name", authContext.organisation))
 
   override def newInstance(): CaseTemplateSteps = new CaseTemplateSteps(raw.clone())
 
   def can(permission: Permission)(implicit authContext: AuthContext): CaseTemplateSteps =
-    newInstance(
-      raw.filter(
+    if (authContext.permissions.contains(permission))
+      this.filter(
         _.outTo[CaseTemplateOrganisation]
           .inTo[RoleOrganisation]
-          .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
-          .inTo[UserRole]
-          .has(Key("login") of authContext.userId)
+          .has("name", authContext.organisation)
       )
-    )
+    else
+      this.limit(0)
 
   def richCaseTemplate: Traversal[RichCaseTemplate, RichCaseTemplate] =
     Traversal(

diff --git a/thehive/app/org/thp/thehive/services/LogSrv.scala b/thehive/app/org/thp/thehive/services/LogSrv.scala
@@ -96,18 +96,16 @@ class LogSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema")
   )
 
   def can(permission: Permission)(implicit authContext: AuthContext): LogSteps =
-    newInstance(
-      raw.filter(
-        _.in("TaskLog")
-          .in("ShareTask")
-          .filter(_.out("ShareProfile").has(Key("permissions") of permission))
-          .in("OrganisationShare")
-          .in("RoleOrganisation")
-          .filter(_.out("RoleProfile").has(Key("permissions") of permission))
-          .in("UserRole")
-          .has(Key("login") of authContext.userId)
+    if (authContext.permissions.contains(permission))
+      this.filter(
+        _.inTo[TaskLog]
+          .inTo[ShareTask]
+          .filter(_.outTo[ShareProfile].has("permissions", permission))
+          .inTo[OrganisationShare]
+          .has("name", authContext.organisation)
       )
-    )
+    else
+      this.limit(0)
 
   override def newInstance(newRaw: GremlinScala[Vertex]): LogSteps = new LogSteps(newRaw)
   override def newInstance(): LogSteps                             = new LogSteps(raw.clone())

diff --git a/thehive/app/org/thp/thehive/services/ObservableSrv.scala b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
@@ -211,7 +211,7 @@ class ObservableSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-s
     this.filter(_.outTo[ObservableAttachment].has("hashes", hash))
 
   def visible(implicit authContext: AuthContext): ObservableSteps =
-    this.filter(_.inTo[ShareObservable].inTo[OrganisationShare].inTo[RoleOrganisation].inTo[UserRole].has("login", authContext.userId))
+    this.filter(_.inTo[ShareObservable].inTo[OrganisationShare].has("name", authContext.organisation))
 
   def can(permission: Permission)(implicit authContext: AuthContext): ObservableSteps =
     if (authContext.permissions.contains(permission))

diff --git a/thehive/app/org/thp/thehive/services/TaskSrv.scala b/thehive/app/org/thp/thehive/services/TaskSrv.scala
@@ -131,17 +131,15 @@ class TaskSteps(raw: GremlinScala[Vertex])(implicit db: Database, graph: Graph)
   def active: TaskSteps = newInstance(raw.filterNot(_.has(Key("status") of "Cancel")))
 
   def can(permission: Permission)(implicit authContext: AuthContext): TaskSteps =
-    newInstance(
-      raw.filter(
+    if (authContext.permissions.contains(permission))
+      this.filter(
         _.inTo[ShareTask]
-          .filter(_.outTo[ShareProfile].has(Key("permissions") of permission))
+          .filter(_.outTo[ShareProfile].has("permissions", permission))
           .inTo[OrganisationShare]
-          .inTo[RoleOrganisation]
-          .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
-          .inTo[UserRole]
-          .has(Key("login") of authContext.userId)
+          .has("name", authContext.organisation)
       )
-    )
+    else
+      this.limit(0)
 
   def `case`: CaseSteps = new CaseSteps(raw.inTo[ShareTask].outTo[ShareCase].dedup)