From 686787189c3d549947c8db491732d2e8d55c27d3 Mon Sep 17 00:00:00 2001
From: To-om
Date: Thu, 9 Jul 2020 15:13:29 +0200
Subject: [PATCH] #1427 Check visibility according to organisation instead of user

---
 .../connector/cortex/services/JobSrv.scala | 22 ++++++----------
 .../org/thp/thehive/services/AlertSrv.scala | 25 ++++++++-----------
 .../org/thp/thehive/services/CaseSrv.scala | 8 ++----
 .../thehive/services/CaseTemplateSrv.scala | 13 +++++-----
 .../app/org/thp/thehive/services/LogSrv.scala | 20 +++++++--------
 .../thp/thehive/services/ObservableSrv.scala | 2 +-
 .../org/thp/thehive/services/TaskSrv.scala | 14 +++++------
 7 files changed, 43 insertions(+), 61 deletions(-)

diff --git a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala
index 3468d2f3e2..b2f7f3f64a 100644
--- a/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala
+++ b/cortex/connector/src/main/scala/org/thp/thehive/connector/cortex/services/JobSrv.scala
@@ -274,16 +274,13 @@ class JobSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema")
 * @param authContext the auth context to check login against
 * @return
 */
- def visible(implicit authContext: AuthContext): JobSteps = newInstance(
- raw.filter(
+ def visible(implicit authContext: AuthContext): JobSteps =
+ this.filter(
 _.inTo[ObservableJob]
 .inTo[ShareObservable]
 .inTo[OrganisationShare]
- .inTo[RoleOrganisation]
- .inTo[UserRole]
- .has(Key("login") of authContext.userId)
+ .has("name", authContext.organisation)
 )
- )
 
 /**
 * Checks if a job is accessible if the user and
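Review bot: The Scaladoc kept as context above `visible` still reads `* @param authContext the auth context to check login against`, but the rewritten filter no longer touches the user's login at all; it compares the organisation name via `.has("name", authContext.organisation)`. The description should follow the change, e.g. `* @param authContext the auth context whose organisation the job's observable must be shared with`. The `@return` tag is also left empty; `* @return the jobs whose observable is shared with the caller's organisation` would state the new contract.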
@@ -293,18 +290,15 @@ class JobSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema")
 * @return
 */
 def can(permission: Permission)(implicit authContext: AuthContext): JobSteps =
- newInstance(
- raw.filter(
+ if (authContext.permissions.contains(permission))
+ this.filter(
 _.inTo[ObservableJob]
 .inTo[ShareObservable]
- .filter(_.outTo[ShareProfile].has(Key("permissions") of permission))
+ .filter(_.outTo[ShareProfile].has("permissions", permission))
 .inTo[OrganisationShare]
- .inTo[RoleOrganisation]
- .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
- .inTo[UserRole]
- .has(Key("login") of authContext.userId)
+ .has("name", authContext.organisation)
 )
- )
+ else this.limit(0)
 
 override def newInstance(newRaw: GremlinScala[Vertex]): JobSteps = new JobSteps(newRaw)
 override def newInstance(): JobSteps = new JobSteps(raw.clone())
diff --git a/thehive/app/org/thp/thehive/services/AlertSrv.scala b/thehive/app/org/thp/thehive/services/AlertSrv.scala
index b6200e457a..a75fa04352 100644
--- a/thehive/app/org/thp/thehive/services/AlertSrv.scala
+++ b/thehive/app/org/thp/thehive/services/AlertSrv.scala
@@ -329,14 +329,12 @@ class AlertSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema
 )
 
 def can(permission: Permission)(implicit authContext: AuthContext): AlertSteps =
- this.filter(
- _.outTo[AlertOrganisation]
- .has("name", authContext.organisation)
- .inTo[RoleOrganisation]
- .filter(_.outTo[RoleProfile].has("permissions", permission))
- .inTo[UserRole]
- .has("login", authContext.userId)
- )
+ if (authContext.permissions.contains(permission))
+ this.filter(
+ _.outTo[AlertOrganisation]
+ .has("name", authContext.organisation)
+ )
+ else this.limit(0)
 
 def imported: Traversal[Boolean, Boolean] = this.outToE[AlertCase].count.map(_ > 0)
 
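Review bot: `can` now decides the permission from `authContext.permissions.contains(permission)` and keeps only the organisation name check in the graph, so the removed `RoleOrganisation`/`RoleProfile` hop that tied the permission to that specific organisation has no in-graph replacement. This is equivalent only if `authContext.permissions` is populated from the role the user holds in `authContext.organisation` (not visible in this diff); if it ever reflected a role in another organisation, a permission held there would satisfy `can` on this organisation's jobs. That invariant deserves a line on the method, e.g. `// permission comes from authContext and must reflect the caller's role in authContext.organisation`. The same applies to `AlertSteps.can` in the next hunk, to the `can` methods in CaseTemplateSrv, LogSrv and TaskSrv, and to the `result.limit(0)` guard added to AlertSrv's `match` traversal.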
@@ -350,16 +348,11 @@ class AlertSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema
 val caseIdLabel = StepLabel[JList[AnyRef]]()
 val caseTemplateNameLabel = StepLabel[JList[String]]()
 val observableCountLabel = StepLabel[JLong]()
- Traversal(
+ val result = Traversal(
 raw
 .`match`(
 _.as(alertLabel).out("AlertOrganisation").has(Key("name") of authContext.organisation).as(organisationLabel),
 _.as(alertLabel).out("AlertTag").fold().as(tagLabel),
- _.as(organisationLabel)
- .inTo[RoleOrganisation]
- .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
- .inTo[UserRole]
- .has(Key("login") of authContext.userId),
 _.as(alertLabel).outToE[AlertCustomField].inV().path.fold.as(customFieldLabel),
 _.as(alertLabel).outTo[AlertCase].id().fold.as(caseIdLabel),
 _.as(alertLabel).outTo[AlertCaseTemplate].values[String]("name").fold.as(caseTemplateNameLabel),
@@ -397,6 +390,10 @@ class AlertSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema
 ) -> organisation
 }
 )
+ if (authContext.permissions.contains(permission))
+ result
+ else
+ result.limit(0)
 }
 
 def customFields(name: String): CustomFieldValueSteps =
diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
index 84b3c81b8a..b6aae42ec5 100644
--- a/thehive/app/org/thp/thehive/services/CaseSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -475,9 +475,7 @@ class CaseSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema"
 .in("ShareCase")
 .filter(
 _.inTo[OrganisationShare]
- .inTo[RoleOrganisation]
- .inTo[UserRole]
- .has(Key("login") of authContext.userId)
+ .has(Key("name") of authContext.organisation)
 )
 .out("ShareObservable")
 .as(observableLabel.name),
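Review bot: Both CaseSrv hunks (this one at `@@ -475` and the next at `@@ -487`) write the organisation check as `.has(Key("name") of authContext.organisation)`, while every other file in this commit uses the `.has("name", authContext.organisation)` form. Using the same form here keeps the organisation filter uniform and greppable across the services: `.has("name", authContext.organisation)`. These filters sit inside a larger traversal whose start and end lie outside the hunk.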
@@ -487,9 +485,7 @@ class CaseSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema"
 .in("ShareObservable")
 .filter(
 _.inTo[OrganisationShare]
- .inTo[RoleOrganisation]
- .inTo[UserRole]
- .has(Key("login") of authContext.userId)
+ .has(Key("name") of authContext.organisation)
 )
 .out("ShareCase")
 .where(JP.neq(originCaseLabel.name))
diff --git a/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala b/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala
index 51875428a4..6d660b8b01 100644
--- a/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CaseTemplateSrv.scala
@@ -191,20 +191,19 @@ class CaseTemplateSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive
 override def newInstance(newRaw: GremlinScala[Vertex]): CaseTemplateSteps = new CaseTemplateSteps(newRaw)
 
 def visible(implicit authContext: AuthContext): CaseTemplateSteps =
- newInstance(raw.filter(_.outTo[CaseTemplateOrganisation].inTo[RoleOrganisation].inTo[UserRole].has(Key("login") of authContext.userId)))
+ this.filter(_.outTo[CaseTemplateOrganisation].has("name", authContext.organisation))
 
 override def newInstance(): CaseTemplateSteps = new CaseTemplateSteps(raw.clone())
 
 def can(permission: Permission)(implicit authContext: AuthContext): CaseTemplateSteps =
- newInstance(
- raw.filter(
+ if (authContext.permissions.contains(permission))
+ this.filter(
 _.outTo[CaseTemplateOrganisation]
 .inTo[RoleOrganisation]
- .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
- .inTo[UserRole]
- .has(Key("login") of authContext.userId)
+ .has("name", authContext.organisation)
 )
- )
+ else
+ this.limit(0)
 
 def richCaseTemplate: Traversal[RichCaseTemplate, RichCaseTemplate] =
 Traversal(
diff --git a/thehive/app/org/thp/thehive/services/LogSrv.scala b/thehive/app/org/thp/thehive/services/LogSrv.scala
index 5667fee8a6..0551246d86 100644
--- a/thehive/app/org/thp/thehive/services/LogSrv.scala
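Review bot: `CaseTemplateSteps.can` still keeps the context line `.inTo[RoleOrganisation]` between `_.outTo[CaseTemplateOrganisation]` and the new `.has("name", authContext.organisation)`, so the name check is evaluated on the Role vertex rather than on the Organisation vertex. `visible` two definitions above and every other `can` in this commit apply the name check directly to the organisation; as written, this filter either matches nothing (denying every template) or matches on the wrong vertex, depending on which properties Role carries. Dropping that hop makes the predicate `_.outTo[CaseTemplateOrganisation].has("name", authContext.organisation)`, the same one `visible` uses.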
+++ b/thehive/app/org/thp/thehive/services/LogSrv.scala
@@ -96,18 +96,16 @@ class LogSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema")
 )
 
 def can(permission: Permission)(implicit authContext: AuthContext): LogSteps =
- newInstance(
- raw.filter(
- _.in("TaskLog")
- .in("ShareTask")
- .filter(_.out("ShareProfile").has(Key("permissions") of permission))
- .in("OrganisationShare")
- .in("RoleOrganisation")
- .filter(_.out("RoleProfile").has(Key("permissions") of permission))
- .in("UserRole")
- .has(Key("login") of authContext.userId)
+ if (authContext.permissions.contains(permission))
+ this.filter(
+ _.inTo[TaskLog]
+ .inTo[ShareTask]
+ .filter(_.outTo[ShareProfile].has("permissions", permission))
+ .inTo[OrganisationShare]
+ .has("name", authContext.organisation)
 )
- )
+ else
+ this.limit(0)
 
 override def newInstance(newRaw: GremlinScala[Vertex]): LogSteps = new LogSteps(newRaw)
 override def newInstance(): LogSteps = new LogSteps(raw.clone())
diff --git a/thehive/app/org/thp/thehive/services/ObservableSrv.scala b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
index 993a48c413..073feaf936 100644
--- a/thehive/app/org/thp/thehive/services/ObservableSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
@@ -211,7 +211,7 @@ class ObservableSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-s
 this.filter(_.outTo[ObservableAttachment].has("hashes", hash))
 
 def visible(implicit authContext: AuthContext): ObservableSteps =
- this.filter(_.inTo[ShareObservable].inTo[OrganisationShare].inTo[RoleOrganisation].inTo[UserRole].has("login", authContext.userId))
+ this.filter(_.inTo[ShareObservable].inTo[OrganisationShare].has("name", authContext.organisation))
 
 def can(permission: Permission)(implicit authContext: AuthContext): ObservableSteps =
 if (authContext.permissions.contains(permission))
diff --git a/thehive/app/org/thp/thehive/services/TaskSrv.scala b/thehive/app/org/thp/thehive/services/TaskSrv.scala
index 56d26460d6..43e735fcbb 100644
--- a/thehive/app/org/thp/thehive/services/TaskSrv.scala
+++ b/thehive/app/org/thp/thehive/services/TaskSrv.scala
@@ -131,17 +131,15 @@ class TaskSteps(raw: GremlinScala[Vertex])(implicit db: Database, graph: Graph)
 def active: TaskSteps = newInstance(raw.filterNot(_.has(Key("status") of "Cancel")))
 
 def can(permission: Permission)(implicit authContext: AuthContext): TaskSteps =
- newInstance(
- raw.filter(
+ if (authContext.permissions.contains(permission))
+ this.filter(
 _.inTo[ShareTask]
- .filter(_.outTo[ShareProfile].has(Key("permissions") of permission))
+ .filter(_.outTo[ShareProfile].has("permissions", permission))
 .inTo[OrganisationShare]
- .inTo[RoleOrganisation]
- .filter(_.outTo[RoleProfile].has(Key("permissions") of permission))
- .inTo[UserRole]
- .has(Key("login") of authContext.userId)
+ .has("name", authContext.organisation)
 )
- )
+ else
+ this.limit(0)
 
 def `case`: CaseSteps = new CaseSteps(raw.inTo[ShareTask].outTo[ShareCase].dedup)
 