From 8d7aa1ff8fe3527e7bc7213ccad079ee22ca1bd3 Mon Sep 17 00:00:00 2001
From: To-om
Date: Tue, 17 Nov 2020 18:02:35 +0100
Subject: [PATCH] #1655 Add permission to access TheHiveFS

---
 ScalliGraph | 2 +-
 .../app/org/thp/thehive/controllers/dav/Router.scala | 7 ++++---
 thehive/app/org/thp/thehive/models/Permissions.scala | 6 ++++--
 thehive/app/org/thp/thehive/models/Role.scala | 3 ++-
 .../thp/thehive/models/TheHiveSchemaDefinition.scala | 12 +++++++++++-
 5 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/ScalliGraph b/ScalliGraph
index 8566855f29..96c0bc6494 160000
--- a/ScalliGraph
+++ b/ScalliGraph
@@ -1 +1 @@
-Subproject commit 8566855f2909b5aef31f77be47aadfddf64c3f46
+Subproject commit 96c0bc6494d29146c69b62da62f685b2c7b247a5
diff --git a/thehive/app/org/thp/thehive/controllers/dav/Router.scala b/thehive/app/org/thp/thehive/controllers/dav/Router.scala
index dbe2c6930b..b746ba3ab7 100644
--- a/thehive/app/org/thp/thehive/controllers/dav/Router.scala
+++ b/thehive/app/org/thp/thehive/controllers/dav/Router.scala
@@ -6,6 +6,7 @@ import javax.inject.{Inject, Named, Singleton}
 import org.thp.scalligraph.EntityIdOrName
 import org.thp.scalligraph.controllers.{Entrypoint, FieldsParser}
 import org.thp.scalligraph.models.Database
+import org.thp.thehive.models.Permissions
 import org.thp.thehive.services.AttachmentSrv
 import play.api.Logger
 import play.api.http.{HttpEntity, Status, Writeable}
@@ -65,7 +66,7 @@ class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, @Named("with-thehive-s
 def dav(path: String): Action[AnyContent] =
 entrypoint("dav")
 .extract("xml", FieldsParser.xml.on("xml"))
- .authRoTransaction(db) { implicit request => implicit graph =>
+ .authPermittedRoTransaction(db, Permissions.accessTheHiveFS) { implicit request => implicit graph =>
 val pathElements = path.split('/').toList.filterNot(_.isEmpty)
 val baseUrl =
 if (request.uri.endsWith("/")) request.uri
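Review bot: None of the three DAV entry points that now require `Permissions.accessTheHiveFS` records why the permission is there, and `dav` is the natural place since it is the WebDAV root; a comment above `def dav` such as `// TheHiveFS (WebDAV) is opt-in per profile: dav, head and downloadFile all require Permissions.accessTheHiveFS` would document the intent. The permission is declared with the "organisation" scope in Permissions.scala, so presumably `authPermittedRoTransaction` evaluates it against the organisation the request is made in — worth stating in that comment if confirmed. The body of `dav` continues outside the hunk.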
@@ -102,7 +103,7 @@ class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, @Named("with-thehive-s
 def downloadFile(id: String): Action[AnyContent] =
 entrypoint("download attachment")
- .authRoTransaction(db) { request => implicit graph =>
+ .authPermittedRoTransaction(db, Permissions.accessTheHiveFS) { request => implicit graph =>
 attachmentSrv.getOrFail(EntityIdOrName(id)).map { attachment =>
 val range = request.headers.get("Range")
 range match {
@@ -129,7 +130,7 @@ class Router @Inject() (entrypoint: Entrypoint, vfs: VFS, @Named("with-thehive-s
 def head(path: String): Action[AnyContent] =
 entrypoint("head")
- .authRoTransaction(db) { implicit request => implicit graph =>
+ .authPermittedRoTransaction(db, Permissions.accessTheHiveFS) { implicit request => implicit graph =>
 val pathElements = path.split('/').toList
 vfs
 .get(pathElements)
diff --git a/thehive/app/org/thp/thehive/models/Permissions.scala b/thehive/app/org/thp/thehive/models/Permissions.scala
index bf10a22dde..14b45cf5fc 100644
--- a/thehive/app/org/thp/thehive/models/Permissions.scala
+++ b/thehive/app/org/thp/thehive/models/Permissions.scala
@@ -19,7 +19,8 @@ object Permissions extends Perms {
 lazy val manageShare: PermissionDesc = PermissionDesc("manageShare", "Manage shares", "organisation")
 lazy val manageAnalyse: PermissionDesc = PermissionDesc("manageAnalyse", "Run Cortex analyzer", "organisation")
 lazy val managePage: PermissionDesc = PermissionDesc("managePage", "Manage pages", "organisation")
- lazy val manageObservableTemplate: PermissionDesc = PermissionDesc("manageObservableTemplate", "Manage observable types ", "admin")
+ lazy val manageObservableTemplate: PermissionDesc = PermissionDesc("manageObservableTemplate", "Manage observable types", "admin")
+ lazy val accessTheHiveFS: PermissionDesc = PermissionDesc("accessTheHiveFS", "Access to TheHiveFS", "organisation")
 lazy val list: Set[PermissionDesc] = Set(
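Review bot: `attachmentSrv.getOrFail(EntityIdOrName(id))` on the line after the new guard resolves the attachment by bare id with no visible organisation scoping, so the new permission check decides whether a user may use the download endpoint at all, not which attachments they may fetch. If `getOrFail` does not restrict the lookup to attachments visible to the requester's organisation, any user holding accessTheHiveFS could download another organisation's attachment by learning or guessing its id (an IDOR); confirm the lookup is scoped, or resolve the attachment through the same visibility filter the VFS applies to `dav`/`head`. The Range handling continues outside the hunk.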
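Review bot: `head` builds `pathElements` with `path.split('/').toList` while `dav` in the same file uses `path.split('/').toList.filterNot(_.isEmpty)`, so a trailing or doubled slash yields an empty segment here but not there; unless `vfs.get` is known to tolerate empty segments, aligning the two to `val pathElements = path.split('/').toList.filterNot(_.isEmpty)` avoids a spurious not-found on `HEAD /dir/`. The rest of `head` continues outside the hunk.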
@@ -39,7 +40,8 @@ object Permissions extends Perms {
 manageShare,
 manageAnalyse,
 managePage,
- manageObservableTemplate
+ manageObservableTemplate,
+ accessTheHiveFS
 )
 // These permissions are available only if the user is in admin organisation, they are removed for other organisations
diff --git a/thehive/app/org/thp/thehive/models/Role.scala b/thehive/app/org/thp/thehive/models/Role.scala
index 51a2bc80cd..996b9709bd 100644
--- a/thehive/app/org/thp/thehive/models/Role.scala
+++ b/thehive/app/org/thp/thehive/models/Role.scala
@@ -26,7 +26,8 @@ object Profile {
 Permissions.manageAction,
 Permissions.manageShare,
 Permissions.manageAnalyse,
- Permissions.managePage
+ Permissions.managePage,
+ Permissions.accessTheHiveFS
 )
 )
 val readonly: Profile = Profile("read-only", Set.empty)
diff --git a/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala b/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala
index 62683434d6..eeab7f15fd 100644
--- a/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala
+++ b/thehive/app/org/thp/thehive/models/TheHiveSchemaDefinition.scala
@@ -3,7 +3,9 @@ package org.thp.thehive.models
 import java.lang.reflect.Modifier
 import javax.inject.{Inject, Singleton}
+import org.apache.tinkerpop.gremlin.process.traversal.P
 import org.apache.tinkerpop.gremlin.structure.Graph
+import org.apache.tinkerpop.gremlin.structure.VertexProperty.Cardinality
 import org.janusgraph.core.schema.ConsistencyModifier
 import org.janusgraph.graphdb.types.TypeDefinitionCategory
 import org.reflections.Reflections
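Review bot: The migration in TheHiveSchemaDefinition grants accessTheHiveFS to both the `org-admin` and `analyst` profiles, yet this hunk adds `Permissions.accessTheHiveFS` to only one default profile's set (the one declared just above `val readonly`, whose name is outside the hunk). If the org-admin default profile is built from a different list, fresh installs and migrated databases end up with different permission sets; confirm it picks the permission up (for example from `Permissions.list`) or add it there as well. A short comment on the added line, such as `// grants TheHiveFS (WebDAV) access; the read-only profile below deliberately stays without it`, would make the intent explicit.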
@@ -68,12 +70,20 @@ class TheHiveSchemaDefinition @Inject() extends Schema with UpdatableSchema {
 .noop // .addIndex("Tag", IndexType.unique, "namespace", "predicate", "value")
 .noop // .addIndex("Audit", IndexType.basic, "requestId", "mainAction")
 .rebuildIndexes
- // release 4.0.0
+ //=====[release 4.0.0]=====
 .updateGraph("Remove cases with a Deleted status", "Case") { traversal =>
 traversal.unsafeHas("status", "Deleted").remove()
 Success(())
 }
 .addProperty[Option[Boolean]]("Observable", "ignoreSimilarity")
+ //=====[release 4.0.1]=====
+ .updateGraph("Add accessTheHiveFS permission to analyst and org-admin profiles", "Profile") { traversal =>
+ traversal
+ .unsafeHas("name", P.within("org-admin", "analyst"))
+ .onRaw(_.property(Cardinality.set: Cardinality, "permissions", "accessTheHiveFS", Nil: _*)) // Nil is for disambiguate the overloaded methods
+ .iterate()
+ Success(())
+ }
 val reflectionClasses = new Reflections(
 new ConfigurationBuilder()
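Review bot: The migration grants accessTheHiveFS only to profiles literally named `org-admin` and `analyst` via `P.within(...)`, so any custom profile an administrator created before 4.0.1 silently loses TheHiveFS access after the upgrade, and nothing in the hunk logs or documents that choice; a comment above the new `.updateGraph` such as `// Only the built-in profiles are migrated; custom profiles must be granted accessTheHiveFS explicitly by an admin (least privilege)` — or a log line naming the skipped profiles — would make the behaviour deliberate rather than surprising. Writing the property with `Cardinality.set` keeps the step idempotent if the migration is re-run, which is good and worth a word in that comment. The trailing comment should read `// Nil disambiguates the overloaded property(...) methods`.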