#263 Add "alert" user role

TheHive-Project · Sep 1, 2017 · cfcd7f5 · cfcd7f5
1 parent 0ab9537
commit cfcd7f5
Show file tree

Hide file tree

Showing 20 changed files with 176 additions and 115 deletions.
diff --git a/thehive-backend/app/controllers/AlertCtrl.scala b/thehive-backend/app/controllers/AlertCtrl.scala
@@ -11,6 +11,7 @@ import play.api.libs.json.{ JsArray, JsObject, Json }
 import play.api.mvc._
 
 import akka.stream.Materializer
+import models.Roles
 import services.JsonFormat.caseSimilarityWrites
 import services.{ AlertSrv, CaseSrv }
 
@@ -35,7 +36,7 @@ class AlertCtrl @Inject() (
   private[AlertCtrl] lazy val logger = Logger(getClass)
 
   @Timed
-  def create(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def create(): Action[Fields] = authenticated(Roles.alert).async(fieldsBodyParser) { implicit request ⇒
     alertSrv.create(request.body
       .unset("lastSyncDate")
       .unset("case")
@@ -45,7 +46,7 @@ class AlertCtrl @Inject() (
   }
 
   @Timed
-  def mergeWithCase(alertId: String, caseId: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def mergeWithCase(alertId: String, caseId: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     for {
       alert ← alertSrv.get(alertId)
       caze ← caseSrv.get(caseId)
@@ -54,7 +55,7 @@ class AlertCtrl @Inject() (
   }
 
   @Timed
-  def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒
+  def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒
     val withStats = request
       .queryString
       .get("nstats")
@@ -80,26 +81,26 @@ class AlertCtrl @Inject() (
   }
 
   @Timed
-  def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     alertSrv.update(id, request.body)
       .map { alert ⇒ renderer.toOutput(OK, alert) }
   }
 
   @Timed
-  def bulkUpdate(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def bulkUpdate(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     request.body.getStrings("ids").fold(Future.successful(Ok(JsArray()))) { ids ⇒
       alertSrv.bulkUpdate(ids, request.body.unset("ids")).map(multiResult ⇒ renderer.toMultiOutput(OK, multiResult))
     }
   }
 
   @Timed
-  def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+  def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒
     alertSrv.delete(id)
       .map(_ ⇒ NoContent)
   }
 
   @Timed
-  def find(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def find(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val range = request.body.getString("range")
     val sort = request.body.getStrings("sort").getOrElse(Nil)
@@ -112,7 +113,7 @@ class AlertCtrl @Inject() (
   }
 
   @Timed
-  def stats(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def stats(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     val query = request.body.getValue("query")
       .fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val aggs = request.body.getValue("stats")
@@ -121,23 +122,23 @@ class AlertCtrl @Inject() (
   }
 
   @Timed
-  def markAsRead(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+  def markAsRead(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒
     for {
       alert ← alertSrv.get(id)
       updatedAlert ← alertSrv.markAsRead(alert)
     } yield renderer.toOutput(OK, updatedAlert)
   }
 
   @Timed
-  def markAsUnread(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+  def markAsUnread(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒
     for {
       alert ← alertSrv.get(id)
       updatedAlert ← alertSrv.markAsUnread(alert)
     } yield renderer.toOutput(OK, updatedAlert)
   }
 
   @Timed
-  def createCase(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def createCase(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     for {
       alert ← alertSrv.get(id)
       customCaseTemplate = request.body.getString("caseTemplate")
@@ -146,19 +147,19 @@ class AlertCtrl @Inject() (
   }
 
   @Timed
-  def followAlert(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+  def followAlert(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒
     alertSrv.setFollowAlert(id, follow = true)
       .map { alert ⇒ renderer.toOutput(OK, alert) }
   }
 
   @Timed
-  def unfollowAlert(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+  def unfollowAlert(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒
     alertSrv.setFollowAlert(id, follow = false)
       .map { alert ⇒ renderer.toOutput(OK, alert) }
   }
 
   @Timed
-  def fixStatus(): Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒
+  def fixStatus(): Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒
     alertSrv.fixStatus()
       .map(_ ⇒ NoContent)
   }

diff --git a/thehive-backend/app/controllers/ArtifactCtrl.scala b/thehive-backend/app/controllers/ArtifactCtrl.scala
@@ -8,6 +8,7 @@ import play.api.http.Status
 import play.api.libs.json.JsArray
 import play.api.mvc._
 
+import models.Roles
 import services.ArtifactSrv
 
 import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer }
@@ -27,7 +28,7 @@ class ArtifactCtrl @Inject() (
     implicit val ec: ExecutionContext) extends AbstractController(components) with Status {
 
   @Timed
-  def create(caseId: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def create(caseId: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     val fields = request.body
     val data = fields.getStrings("data")
       .getOrElse(fields.getString("data").toSeq)
@@ -50,32 +51,32 @@ class ArtifactCtrl @Inject() (
   }
 
   @Timed
-  def get(id: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def get(id: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     artifactSrv.get(id)
       .map(artifact ⇒ renderer.toOutput(OK, artifact))
   }
 
   @Timed
-  def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     artifactSrv.update(id, request.body)
       .map(artifact ⇒ renderer.toOutput(OK, artifact))
   }
 
   @Timed
-  def bulkUpdate(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def bulkUpdate(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     request.body.getStrings("ids").fold(Future.successful(Ok(JsArray()))) { ids ⇒
       artifactSrv.bulkUpdate(ids, request.body.unset("ids")).map(multiResult ⇒ renderer.toMultiOutput(OK, multiResult))
     }
   }
 
   @Timed
-  def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+  def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒
     artifactSrv.delete(id)
       .map(_ ⇒ NoContent)
   }
 
   @Timed
-  def findInCase(caseId: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def findInCase(caseId: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     import org.elastic4play.services.QueryDSL._
     val childQuery = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val query = and(childQuery, "_parent" ~= caseId)
@@ -87,7 +88,7 @@ class ArtifactCtrl @Inject() (
   }
 
   @Timed
-  def find(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def find(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val range = request.body.getString("range")
     val sort = request.body.getStrings("sort").getOrElse(Nil)
@@ -100,7 +101,7 @@ class ArtifactCtrl @Inject() (
   }
 
   @Timed
-  def findSimilar(artifactId: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def findSimilar(artifactId: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     artifactSrv.get(artifactId).flatMap { artifact ⇒
       val range = request.body.getString("range")
       val sort = request.body.getStrings("sort").getOrElse(Nil)
@@ -112,7 +113,7 @@ class ArtifactCtrl @Inject() (
   }
 
   @Timed
-  def stats(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def stats(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val aggs = request.body.getValue("stats").getOrElse(throw BadRequestError("Parameter \"stats\" is missing")).as[Seq[Agg]]
     artifactSrv.stats(query, aggs).map(s ⇒ Ok(s))

diff --git a/thehive-backend/app/controllers/AttachmentCtrl.scala b/thehive-backend/app/controllers/AttachmentCtrl.scala
@@ -12,11 +12,12 @@ import akka.stream.scaladsl.FileIO
 import net.lingala.zip4j.core.ZipFile
 import net.lingala.zip4j.model.ZipParameters
 import net.lingala.zip4j.util.Zip4jConstants
+import models.Roles
 
 import org.elastic4play.Timed
 import org.elastic4play.controllers.{ Authenticated, Renderer }
 import org.elastic4play.models.AttachmentAttributeFormat
-import org.elastic4play.services.{ AttachmentSrv, Role }
+import org.elastic4play.services.AttachmentSrv
 
 /**
  * Controller used to access stored attachments (plain or zipped)
@@ -51,7 +52,7 @@ class AttachmentCtrl(
    * open the document directly. It must be used only for safe file
    */
   @Timed("controllers.AttachmentCtrl.download")
-  def download(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Role.read) { implicit request ⇒
+  def download(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Roles.read) { implicit request ⇒
     if (hash.startsWith("{{")) // angularjs hack
       NoContent
     else if (!name.getOrElse("").intersect(AttachmentAttributeFormat.forbiddenChar).isEmpty)
@@ -72,7 +73,7 @@ class AttachmentCtrl(
    * File name can be specified (zip extension is append)
    */
   @Timed("controllers.AttachmentCtrl.downloadZip")
-  def downloadZip(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Role.read) { implicit request ⇒
+  def downloadZip(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Roles.read) { implicit request ⇒
     if (!name.getOrElse("").intersect(AttachmentAttributeFormat.forbiddenChar).isEmpty)
       BadRequest("File name is invalid")
     else {

diff --git a/thehive-backend/app/controllers/CaseCtrl.scala b/thehive-backend/app/controllers/CaseCtrl.scala
@@ -12,7 +12,7 @@ import play.api.mvc._
 
 import akka.stream.Materializer
 import akka.stream.scaladsl.Sink
-import models.CaseStatus
+import models.{ CaseStatus, Roles }
 import services.{ CaseMergeSrv, CaseSrv, CaseTemplateSrv, TaskSrv }
 
 import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer }
@@ -38,7 +38,7 @@ class CaseCtrl @Inject() (
   private[CaseCtrl] lazy val logger = Logger(getClass)
 
   @Timed
-  def create(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def create(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     request.body
       .getString("template")
       .map { templateName ⇒
@@ -54,7 +54,7 @@ class CaseCtrl @Inject() (
   }
 
   @Timed
-  def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒
+  def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒
     val withStats = for {
       statsValues ← request.queryString.get("nstats")
       firstValue ← statsValues.headOption
@@ -67,7 +67,7 @@ class CaseCtrl @Inject() (
   }
 
   @Timed
-  def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     val isCaseClosing = request.body.getString("status").contains(CaseStatus.Resolved.toString)
 
     for {
@@ -78,7 +78,7 @@ class CaseCtrl @Inject() (
   }
 
   @Timed
-  def bulkUpdate(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒
+  def bulkUpdate(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒
     val isCaseClosing = request.body.getString("status").contains(CaseStatus.Resolved.toString)
 
     request.body.getStrings("ids").fold(Future.successful(Ok(JsArray()))) { ids ⇒
@@ -88,13 +88,13 @@ class CaseCtrl @Inject() (
   }
 
   @Timed
-  def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒
+  def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒
     caseSrv.delete(id)
       .map(_ ⇒ NoContent)
   }
 
   @Timed
-  def find(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def find(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val range = request.body.getString("range")
     val sort = request.body.getStrings("sort").getOrElse(Nil)
@@ -107,14 +107,14 @@ class CaseCtrl @Inject() (
   }
 
   @Timed
-  def stats(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def stats(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val aggs = request.body.getValue("stats").getOrElse(throw BadRequestError("Parameter \"stats\" is missing")).as[Seq[Agg]]
     caseSrv.stats(query, aggs).map(s ⇒ Ok(s))
   }
 
   @Timed
-  def linkedCases(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒
+  def linkedCases(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒
     caseSrv.linkedCases(id)
       .runWith(Sink.seq)
       .map { cases ⇒
@@ -131,7 +131,7 @@ class CaseCtrl @Inject() (
   }
 
   @Timed
-  def merge(caseId1: String, caseId2: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒
+  def merge(caseId1: String, caseId2: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒
     caseMergeSrv.merge(caseId1, caseId2).map { caze ⇒
       renderer.toOutput(OK, caze)
     }

diff --git a/thehive-backend/app/controllers/CaseTemplateCtrl.scala b/thehive-backend/app/controllers/CaseTemplateCtrl.scala
@@ -7,13 +7,14 @@ import scala.concurrent.ExecutionContext
 import play.api.http.Status
 import play.api.mvc._
 
+import models.Roles
 import services.CaseTemplateSrv
 
 import org.elastic4play.Timed
 import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer }
 import org.elastic4play.models.JsonFormat.baseModelEntityWrites
 import org.elastic4play.services.JsonFormat.queryReads
-import org.elastic4play.services.{ AuxSrv, QueryDSL, QueryDef, Role }
+import org.elastic4play.services.{ AuxSrv, QueryDSL, QueryDef }
 
 @Singleton
 class CaseTemplateCtrl @Inject() (
@@ -26,31 +27,31 @@ class CaseTemplateCtrl @Inject() (
     implicit val ec: ExecutionContext) extends AbstractController(components) with Status {
 
   @Timed
-  def create: Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒
+  def create: Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒
     caseTemplateSrv.create(request.body)
       .map(caze ⇒ renderer.toOutput(CREATED, caze))
   }
 
   @Timed
-  def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒
+  def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒
     caseTemplateSrv.get(id)
       .map(caze ⇒ renderer.toOutput(OK, caze))
   }
 
   @Timed
-  def update(id: String): Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒
+  def update(id: String): Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒
     caseTemplateSrv.update(id, request.body)
       .map(caze ⇒ renderer.toOutput(OK, caze))
   }
 
   @Timed
-  def delete(id: String): Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒
+  def delete(id: String): Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒
     caseTemplateSrv.delete(id)
       .map(_ ⇒ NoContent)
   }
 
   @Timed
-  def find: Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒
+  def find: Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒
     val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef])
     val range = request.body.getString("range")
     val sort = request.body.getStrings("sort").getOrElse(Nil)