From 9ee3dc07b6604008041ae8bcc6792c0cd93f947d Mon Sep 17 00:00:00 2001
From: To-om
Date: Wed, 15 Jul 2020 15:35:50 +0200
Subject: [PATCH] #1432 Check user permission in MISP export
---
 ScalliGraph | 2 +-
 .../thehive/connector/misp/controllers/v0/MispCtrl.scala | 6 ++++--
 .../thehive/connector/misp/controllers/v0/Router.scala | 4 ++--
 .../thehive/connector/misp/services/MispExportSrv.scala | 8 +++++++-
 4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/ScalliGraph b/ScalliGraph
index fa67bc10a3..832f8c8e21 160000
--- a/ScalliGraph
+++ b/ScalliGraph
@@ -1 +1 @@
-Subproject commit fa67bc10a3a014e78108abd2a82104a6caa3cb4f
+Subproject commit 832f8c8e210ac5dfb83be941e00f209b8a06ef53
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala
index 628c294a27..cad0dc5018 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/MispCtrl.scala
@@ -7,6 +7,7 @@ import org.thp.scalligraph.controllers.Entrypoint
 import org.thp.scalligraph.models.Database
 import org.thp.scalligraph.steps.StepsOps._
 import org.thp.thehive.connector.misp.services.{MispActor, MispExportSrv}
+import org.thp.thehive.models.Permissions
 import org.thp.thehive.services.{AlertSrv, CaseSrv}
 import play.api.mvc.{Action, AnyContent, Results}
@@ -26,18 +27,19 @@ class MispCtrl @Inject() (
 def sync: Action[AnyContent] =
 entrypoint("sync MISP events")
- .auth { _ =>
+ .authPermitted(Permissions.manageOrganisation) { _ =>
 mispActor ! MispActor.Synchro
 Success(Results.NoContent)
 }
 def exportCase(mispId: String, caseIdOrNumber: String): Action[AnyContent] =
 entrypoint("export case into MISP")
- .asyncAuth { implicit authContext => // TODO check permission
+ .asyncAuth { implicit authContext =>
 for {
 c <- Future.fromTry(db.roTransaction { implicit graph =>
 caseSrv
 .get(caseIdOrNumber)
+ .can(Permissions.manageShare)
 .getOrFail("Case")
 })
 _ <- mispExportSrv.export(mispId, c)
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala
index cac4abd380..b952899f6e 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/controllers/v0/Router.scala
@@ -10,8 +10,8 @@ import play.api.routing.sird._
 class Router @Inject() (mispCtrl: MispCtrl) extends SimpleRouter {
 override val routes: Routes = {
- case GET(p"/_syncAlerts") => mispCtrl.sync
- case GET(p"/_cleanAlerts") => mispCtrl.cleanMispAlerts
+ case GET(p"/_syncAlerts") => mispCtrl.sync
+// case GET(p"/_cleanAlerts") => mispCtrl.cleanMispAlerts
 // case GET(p"/_syncAllAlerts") => syncAllAlerts
 // case GET(p"/_syncArtifacts") => syncArtifacts
 case POST(p"/export/$caseId/$mispName") => mispCtrl.exportCase(mispName, caseId)
diff --git a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala
index 561307a5f4..a0c1b03056 100644
--- a/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala
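Review bot: Placing `.can(Permissions.manageShare)` between `.get(caseIdOrNumber)` and `.getOrFail("Case")` means that, if `.can` narrows the traversal as its position suggests, a user who can read the case but lacks the permission receives a "Case" not-found error instead of an authorization error, so a denial is indistinguishable from a mistyped id in both the HTTP response and the server logs. Either make the outcome explicit by resolving the case first and then failing with `AuthorizationError` when the permission is missing, or document the choice where it happens, e.g. `// a user without manageShare is answered "Case not found" on purpose` above `.can(...)`, so the next reader does not treat it as a bug. The `sync` endpoint's new `authPermitted(Permissions.manageOrganisation)` check is straightforward; note that `manageOrganisation` is a broad privilege for triggering a sync, which may be intended. The body of `exportCase` continues past the end of this hunk.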
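Review bot: `case GET(p"/_syncAlerts") => mispCtrl.sync` keeps a state-changing action (the controller sends `MispActor.Synchro` on this route) behind a GET, so if this API is reachable with a cookie-based session a cross-site image or link can trigger a sync despite the new permission check, and GET requests are also the ones proxies and browsers are willing to prefetch or cache. Consider `case POST(p"/_syncAlerts") => mispCtrl.sync`, keeping the GET form only for a deprecation period if existing clients depend on it. The commented-out `_cleanAlerts` route is better deleted outright, or given a reason such as `// TODO(#1432): re-enable once cleanMispAlerts checks permissions`, so the intent is recorded rather than inferred; whether `cleanMispAlerts` itself still lacks a permission check cannot be seen from this hunk.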
+++ b/misp/connector/src/main/scala/org/thp/thehive/connector/misp/services/MispExportSrv.scala
@@ -8,7 +8,7 @@ import org.thp.misp.dto.{Attribute, Tag => MispTag}
 import org.thp.scalligraph.auth.AuthContext
 import org.thp.scalligraph.models.{Database, Entity}
 import org.thp.scalligraph.steps.StepsOps._
-import org.thp.scalligraph.{BadRequestError, NotFoundError}
+import org.thp.scalligraph.{AuthorizationError, BadRequestError, NotFoundError}
 import org.thp.thehive.models._
 import org.thp.thehive.services.{AlertSrv, AttachmentSrv, CaseSrv, OrganisationSrv}
 import play.api.Logger
@@ -131,10 +131,16 @@ class MispExportSrv @Inject() (
 _ <- alertSrv.alertCaseSrv.create(AlertCase(), createdAlert.alert, `case`)
 } yield createdAlert
+ def canExport(client: TheHiveMispClient)(implicit authContext: AuthContext): Boolean =
 client.canExport && db.roTransaction { implicit graph =>
 client.organisationFilter(organisationSrv.current).exists()
 }
+
 def export(mispId: String, `case`: Case with Entity)(implicit authContext: AuthContext, ec: ExecutionContext): Future[String] = {
 logger.info(s"Exporting case ${`case`.number} to MISP $mispId")
 for {
 client <- getMispClient(mispId)
+ _ <- if (canExport(client)) Future.successful(()) else Future.failed(AuthorizationError(s"You cannot export case to MISP $mispId"))
 orgName <- Future.fromTry(client.currentOrganisationName)
 maybeAlert = db.roTransaction(implicit graph => getAlert(`case`, orgName))
 _ = logger.debug(maybeAlert.fold("Related MISP event doesn't exist")(a => s"Related MISP event found : ${a.sourceRef}"))
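Review bot: `logger.info(s"Exporting case ${`case`.number} to MISP $mispId")` runs before the new `canExport(client)` guard, so a refused request still leaves an "Exporting case" line in the log while the refusal itself is never recorded, which misleads anyone auditing exports. Move the info log after the guard, or log in the failure branch, e.g. `else { logger.warn(s"User ${authContext.userId} is not allowed to export case ${`case`.number} to MISP $mispId"); Future.failed(AuthorizationError(s"You cannot export case to MISP $mispId")) }` (confirm the AuthContext field that names the user). `canExport` also needs a Scaladoc saying that it requires both the client's `canExport` switch and that the current organisation passes `client.organisationFilter`, and that it opens its own read transaction even though `export` opens another one a few lines later. The `export` for-comprehension continues past the end of this hunk.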