#1655 Add permission to access TheHiveFS

thehive/app/org/thp/thehive/controllers/dav/Router.scala

@@ -6,6 +6,7 @@ import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
+import org.thp.thehive.models.Permissions
 import org.thp.thehive.services.AttachmentSrv
 import play.api.Logger
 import play.api.http.{HttpEntity, Status, Writeable}
@@ -65,7 +66,7 @@ class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, @Named("with-thehive-s
   def dav(path: String): Action[AnyContent] =
     entrypoint("dav")
       .extract("xml", FieldsParser.xml.on("xml"))
-      .authRoTransaction(db) { implicit request => implicit graph =>
+      .authPermittedRoTransaction(db, Permissions.accessTheHiveFS) { implicit request => implicit graph =>
         val pathElements = path.split('/').toList.filterNot(_.isEmpty)
         val baseUrl =
           if (request.uri.endsWith("/")) request.uri
@@ -102,7 +103,7 @@ class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, @Named("with-thehive-s
 
   def downloadFile(id: String): Action[AnyContent] =
     entrypoint("download attachment")
-      .authRoTransaction(db) { request => implicit graph =>
+      .authPermittedRoTransaction(db, Permissions.accessTheHiveFS) { request => implicit graph =>
         attachmentSrv.getOrFail(EntityIdOrName(id)).map { attachment =>
           val range = request.headers.get("Range")
           range match {
@@ -129,7 +130,7 @@ class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, @Named("with-thehive-s
 
   def head(path: String): Action[AnyContent] =
     entrypoint("head")
-      .authRoTransaction(db) { implicit request => implicit graph =>
+      .authPermittedRoTransaction(db, Permissions.accessTheHiveFS) { implicit request => implicit graph =>
         val pathElements = path.split('/').toList
         vfs
           .get(pathElements)

thehive/app/org/thp/thehive/models/Permissions.scala

@@ -19,7 +19,8 @@ object Permissions extends Perms {
   lazy val manageShare: PermissionDesc              = PermissionDesc("manageShare", "Manage shares", "organisation")
   lazy val manageAnalyse: PermissionDesc            = PermissionDesc("manageAnalyse", "Run Cortex analyzer", "organisation")
   lazy val managePage: PermissionDesc               = PermissionDesc("managePage", "Manage pages", "organisation")
-  lazy val manageObservableTemplate: PermissionDesc = PermissionDesc("manageObservableTemplate", "Manage observable types ", "admin")
+  lazy val manageObservableTemplate: PermissionDesc = PermissionDesc("manageObservableTemplate", "Manage observable types", "admin")
+  lazy val accessTheHiveFS: PermissionDesc          = PermissionDesc("accessTheHiveFS", "Access to TheHiveFS", "organisation")
 
   lazy val list: Set[PermissionDesc] =
     Set(
@@ -39,7 +40,8 @@ object Permissions extends Perms {
       manageShare,
       manageAnalyse,
       managePage,
-      manageObservableTemplate
+      manageObservableTemplate,
+      accessTheHiveFS
     )
 
   // These permissions are available only if the user is in admin organisation, they are removed for other organisations

thehive/app/org/thp/thehive/models/Role.scala

@@ -26,7 +26,8 @@ object Profile {
       Permissions.manageAction,
       Permissions.manageShare,
       Permissions.manageAnalyse,
-      Permissions.managePage
+      Permissions.managePage,
+      Permissions.accessTheHiveFS
     )
   )
   val readonly: Profile           = Profile("read-only", Set.empty)

thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala

@@ -3,7 +3,9 @@ package org.thp.thehive.models
 import java.lang.reflect.Modifier
 
 import javax.inject.{Inject, Singleton}
+import org.apache.tinkerpop.gremlin.process.traversal.P
 import org.apache.tinkerpop.gremlin.structure.Graph
+import org.apache.tinkerpop.gremlin.structure.VertexProperty.Cardinality
 import org.janusgraph.core.schema.ConsistencyModifier
 import org.janusgraph.graphdb.types.TypeDefinitionCategory
 import org.reflections.Reflections
@@ -68,12 +70,20 @@ class TheHiveSchemaDefinition @Inject() extends Schema with UpdatableSchema {
     .noop // .addIndex("Tag", IndexType.unique, "namespace", "predicate", "value")
     .noop // .addIndex("Audit", IndexType.basic, "requestId", "mainAction")
     .rebuildIndexes
-    // release 4.0.0
+    //=====[release 4.0.0]=====
     .updateGraph("Remove cases with a Deleted status", "Case") { traversal =>
       traversal.unsafeHas("status", "Deleted").remove()
       Success(())
     }
     .addProperty[Option[Boolean]]("Observable", "ignoreSimilarity")
+    //=====[release 4.0.1]=====
+    .updateGraph("Add accessTheHiveFS permission to analyst and org-admin profiles", "Profile") { traversal =>
+      traversal
+        .unsafeHas("name", P.within("org-admin", "analyst"))
+        .onRaw(_.property(Cardinality.set: Cardinality, "permissions", "accessTheHiveFS", Nil: _*)) // Nil is for disambiguate the overloaded methods
+        .iterate()
+      Success(())
+    }
 
   val reflectionClasses = new Reflections(
     new ConfigurationBuilder()