#1432 Check user permission in MISP export

misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala

@@ -7,6 +7,7 @@ import org.thp.scalligraph.controllers.Entrypoint
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.steps.StepsOps._
 import org.thp.thehive.connector.misp.services.{MispActor, MispExportSrv}
+import org.thp.thehive.models.Permissions
 import org.thp.thehive.services.{AlertSrv, CaseSrv}
 import play.api.mvc.{Action, AnyContent, Results}
 
@@ -26,18 +27,19 @@ class MispCtrl @Inject() (
 
   def sync: Action[AnyContent] =
     entrypoint("sync MISP events")
-      .auth { _ =>
+      .authPermitted(Permissions.manageOrganisation) { _ =>
         mispActor ! MispActor.Synchro
         Success(Results.NoContent)
       }
 
   def exportCase(mispId: String, caseIdOrNumber: String): Action[AnyContent] =
     entrypoint("export case into MISP")
-      .asyncAuth { implicit authContext => // TODO check permission
+      .asyncAuth { implicit authContext =>
         for {
           c <- Future.fromTry(db.roTransaction { implicit graph =>
             caseSrv
               .get(caseIdOrNumber)
+              .can(Permissions.manageShare)
               .getOrFail("Case")
           })
           _ <- mispExportSrv.export(mispId, c)

misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala

@@ -10,8 +10,8 @@ import play.api.routing.sird._
 class Router @Inject() (mispCtrl: MispCtrl) extends SimpleRouter {
 
   override val routes: Routes = {
-    case GET(p"/_syncAlerts")  => mispCtrl.sync
-    case GET(p"/_cleanAlerts") => mispCtrl.cleanMispAlerts
+    case GET(p"/_syncAlerts") => mispCtrl.sync
+//    case GET(p"/_cleanAlerts") => mispCtrl.cleanMispAlerts
 //    case GET(p"/_syncAllAlerts")            => syncAllAlerts
 //    case GET(p"/_syncArtifacts")            => syncArtifacts
     case POST(p"/export/$caseId/$mispName") => mispCtrl.exportCase(mispName, caseId)

misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala

@@ -8,7 +8,7 @@ import org.thp.misp.dto.{Attribute, Tag => MispTag}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.steps.StepsOps._
-import org.thp.scalligraph.{BadRequestError, NotFoundError}
+import org.thp.scalligraph.{AuthorizationError, BadRequestError, NotFoundError}
 import org.thp.thehive.models._
 import org.thp.thehive.services.{AlertSrv, AttachmentSrv, CaseSrv, OrganisationSrv}
 import play.api.Logger
@@ -131,10 +131,16 @@ class MispExportSrv @Inject() (
       _            <- alertSrv.alertCaseSrv.create(AlertCase(), createdAlert.alert, `case`)
     } yield createdAlert
 
+  def canExport(client: TheHiveMispClient)(implicit authContext: AuthContext): Boolean =
+    client.canExport && db.roTransaction { implicit graph =>
+      client.organisationFilter(organisationSrv.current).exists()
+    }
+
   def export(mispId: String, `case`: Case with Entity)(implicit authContext: AuthContext, ec: ExecutionContext): Future[String] = {
     logger.info(s"Exporting case ${`case`.number} to MISP $mispId")
     for {
       client  <- getMispClient(mispId)
+      _       <- if (canExport(client)) Future.successful(()) else Future.failed(AuthorizationError(s"You cannot export case to MISP $mispId"))
       orgName <- Future.fromTry(client.currentOrganisationName)
       maybeAlert = db.roTransaction(implicit graph => getAlert(`case`, orgName))
       _          = logger.debug(maybeAlert.fold("Related MISP event doesn't exist")(a => s"Related MISP event found : ${a.sourceRef}"))