diff --git a/thehive-backend/app/controllers/AlertCtrl.scala b/thehive-backend/app/controllers/AlertCtrl.scala index e29e67fc1c..322f90f3dd 100644 --- a/thehive-backend/app/controllers/AlertCtrl.scala +++ b/thehive-backend/app/controllers/AlertCtrl.scala @@ -11,6 +11,7 @@ import play.api.libs.json.{ JsArray, JsObject, Json } import play.api.mvc._ import akka.stream.Materializer +import models.Roles import services.JsonFormat.caseSimilarityWrites import services.{ AlertSrv, CaseSrv } @@ -35,7 +36,7 @@ class AlertCtrl @Inject() ( private[AlertCtrl] lazy val logger = Logger(getClass) @Timed - def create(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def create(): Action[Fields] = authenticated(Roles.alert).async(fieldsBodyParser) { implicit request ⇒ alertSrv.create(request.body .unset("lastSyncDate") .unset("case") @@ -45,7 +46,7 @@ class AlertCtrl @Inject() ( } @Timed - def mergeWithCase(alertId: String, caseId: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def mergeWithCase(alertId: String, caseId: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ for { alert ← alertSrv.get(alertId) caze ← caseSrv.get(caseId) @@ -54,7 +55,7 @@ class AlertCtrl @Inject() ( } @Timed - def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ val withStats = request .queryString .get("nstats") @@ -80,26 +81,26 @@ class AlertCtrl @Inject() ( } @Timed - def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ alertSrv.update(id, request.body) .map { alert ⇒ renderer.toOutput(OK, alert) } } @Timed - def bulkUpdate(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def bulkUpdate(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ request.body.getStrings("ids").fold(Future.successful(Ok(JsArray()))) { ids ⇒ alertSrv.bulkUpdate(ids, request.body.unset("ids")).map(multiResult ⇒ renderer.toMultiOutput(OK, multiResult)) } } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ alertSrv.delete(id) .map(_ ⇒ NoContent) } @Timed - def find(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) @@ -112,7 +113,7 @@ class AlertCtrl @Inject() ( } @Timed - def stats(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def stats(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query") .fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val aggs = request.body.getValue("stats") @@ -121,7 +122,7 @@ class AlertCtrl @Inject() ( } @Timed - def markAsRead(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def markAsRead(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ for { alert ← alertSrv.get(id) updatedAlert ← alertSrv.markAsRead(alert) @@ -129,7 +130,7 @@ class AlertCtrl @Inject() ( } @Timed - def markAsUnread(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def markAsUnread(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ for { alert ← alertSrv.get(id) updatedAlert ← alertSrv.markAsUnread(alert) @@ -137,7 +138,7 @@ class AlertCtrl @Inject() ( } @Timed - def createCase(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def createCase(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ for { alert ← alertSrv.get(id) customCaseTemplate = request.body.getString("caseTemplate") @@ -146,19 +147,19 @@ class AlertCtrl @Inject() ( } @Timed - def followAlert(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def followAlert(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ alertSrv.setFollowAlert(id, follow = true) .map { alert ⇒ renderer.toOutput(OK, alert) } } @Timed - def unfollowAlert(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def unfollowAlert(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ alertSrv.setFollowAlert(id, follow = false) .map { alert ⇒ renderer.toOutput(OK, alert) } } @Timed - def fixStatus(): Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒ + def fixStatus(): Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒ alertSrv.fixStatus() .map(_ ⇒ NoContent) } diff --git a/thehive-backend/app/controllers/ArtifactCtrl.scala b/thehive-backend/app/controllers/ArtifactCtrl.scala index 9f8873a0e8..7d6908a84a 100644 --- a/thehive-backend/app/controllers/ArtifactCtrl.scala +++ b/thehive-backend/app/controllers/ArtifactCtrl.scala @@ -8,6 +8,7 @@ import play.api.http.Status import play.api.libs.json.JsArray import play.api.mvc._ +import models.Roles import services.ArtifactSrv import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } @@ -27,7 +28,7 @@ class ArtifactCtrl @Inject() ( implicit val ec: ExecutionContext) extends AbstractController(components) with Status { @Timed - def create(caseId: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def create(caseId: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ val fields = request.body val data = fields.getStrings("data") .getOrElse(fields.getString("data").toSeq) @@ -50,32 +51,32 @@ class ArtifactCtrl @Inject() ( } @Timed - def get(id: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def get(id: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ artifactSrv.get(id) .map(artifact ⇒ renderer.toOutput(OK, artifact)) } @Timed - def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ artifactSrv.update(id, request.body) .map(artifact ⇒ renderer.toOutput(OK, artifact)) } @Timed - def bulkUpdate(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def bulkUpdate(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ request.body.getStrings("ids").fold(Future.successful(Ok(JsArray()))) { ids ⇒ artifactSrv.bulkUpdate(ids, request.body.unset("ids")).map(multiResult ⇒ renderer.toMultiOutput(OK, multiResult)) } } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ artifactSrv.delete(id) .map(_ ⇒ NoContent) } @Timed - def findInCase(caseId: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def findInCase(caseId: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ import org.elastic4play.services.QueryDSL._ val childQuery = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val query = and(childQuery, "_parent" ~= caseId) @@ -87,7 +88,7 @@ class ArtifactCtrl @Inject() ( } @Timed - def find(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) @@ -100,7 +101,7 @@ class ArtifactCtrl @Inject() ( } @Timed - def findSimilar(artifactId: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def findSimilar(artifactId: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ artifactSrv.get(artifactId).flatMap { artifact ⇒ val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) @@ -112,7 +113,7 @@ class ArtifactCtrl @Inject() ( } @Timed - def stats(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def stats(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val aggs = request.body.getValue("stats").getOrElse(throw BadRequestError("Parameter \"stats\" is missing")).as[Seq[Agg]] artifactSrv.stats(query, aggs).map(s ⇒ Ok(s)) diff --git a/thehive-backend/app/controllers/AttachmentCtrl.scala b/thehive-backend/app/controllers/AttachmentCtrl.scala index 2b9b9faae1..5f21a41696 100644 --- a/thehive-backend/app/controllers/AttachmentCtrl.scala +++ b/thehive-backend/app/controllers/AttachmentCtrl.scala @@ -12,11 +12,12 @@ import akka.stream.scaladsl.FileIO import net.lingala.zip4j.core.ZipFile import net.lingala.zip4j.model.ZipParameters import net.lingala.zip4j.util.Zip4jConstants +import models.Roles import org.elastic4play.Timed import org.elastic4play.controllers.{ Authenticated, Renderer } import org.elastic4play.models.AttachmentAttributeFormat -import org.elastic4play.services.{ AttachmentSrv, Role } +import org.elastic4play.services.AttachmentSrv /** * Controller used to access stored attachments (plain or zipped) @@ -51,7 +52,7 @@ class AttachmentCtrl( * open the document directly. It must be used only for safe file */ @Timed("controllers.AttachmentCtrl.download") - def download(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Role.read) { implicit request ⇒ + def download(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Roles.read) { implicit request ⇒ if (hash.startsWith("{{")) // angularjs hack NoContent else if (!name.getOrElse("").intersect(AttachmentAttributeFormat.forbiddenChar).isEmpty) @@ -72,7 +73,7 @@ class AttachmentCtrl( * File name can be specified (zip extension is append) */ @Timed("controllers.AttachmentCtrl.downloadZip") - def downloadZip(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Role.read) { implicit request ⇒ + def downloadZip(hash: String, name: Option[String]): Action[AnyContent] = authenticated(Roles.read) { implicit request ⇒ if (!name.getOrElse("").intersect(AttachmentAttributeFormat.forbiddenChar).isEmpty) BadRequest("File name is invalid") else { diff --git a/thehive-backend/app/controllers/CaseCtrl.scala b/thehive-backend/app/controllers/CaseCtrl.scala index 791144947f..5ba40b741c 100644 --- a/thehive-backend/app/controllers/CaseCtrl.scala +++ b/thehive-backend/app/controllers/CaseCtrl.scala @@ -12,7 +12,7 @@ import play.api.mvc._ import akka.stream.Materializer import akka.stream.scaladsl.Sink -import models.CaseStatus +import models.{ CaseStatus, Roles } import services.{ CaseMergeSrv, CaseSrv, CaseTemplateSrv, TaskSrv } import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } @@ -38,7 +38,7 @@ class CaseCtrl @Inject() ( private[CaseCtrl] lazy val logger = Logger(getClass) @Timed - def create(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def create(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ request.body .getString("template") .map { templateName ⇒ @@ -54,7 +54,7 @@ class CaseCtrl @Inject() ( } @Timed - def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ val withStats = for { statsValues ← request.queryString.get("nstats") firstValue ← statsValues.headOption @@ -67,7 +67,7 @@ class CaseCtrl @Inject() ( } @Timed - def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ val isCaseClosing = request.body.getString("status").contains(CaseStatus.Resolved.toString) for { @@ -78,7 +78,7 @@ class CaseCtrl @Inject() ( } @Timed - def bulkUpdate(): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def bulkUpdate(): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ val isCaseClosing = request.body.getString("status").contains(CaseStatus.Resolved.toString) request.body.getStrings("ids").fold(Future.successful(Ok(JsArray()))) { ids ⇒ @@ -88,13 +88,13 @@ class CaseCtrl @Inject() ( } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ caseSrv.delete(id) .map(_ ⇒ NoContent) } @Timed - def find(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) @@ -107,14 +107,14 @@ class CaseCtrl @Inject() ( } @Timed - def stats(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def stats(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val aggs = request.body.getValue("stats").getOrElse(throw BadRequestError("Parameter \"stats\" is missing")).as[Seq[Agg]] caseSrv.stats(query, aggs).map(s ⇒ Ok(s)) } @Timed - def linkedCases(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def linkedCases(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ caseSrv.linkedCases(id) .runWith(Sink.seq) .map { cases ⇒ @@ -131,7 +131,7 @@ class CaseCtrl @Inject() ( } @Timed - def merge(caseId1: String, caseId2: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def merge(caseId1: String, caseId2: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ caseMergeSrv.merge(caseId1, caseId2).map { caze ⇒ renderer.toOutput(OK, caze) } diff --git a/thehive-backend/app/controllers/CaseTemplateCtrl.scala b/thehive-backend/app/controllers/CaseTemplateCtrl.scala index 13d8d83b82..662e76d8fc 100644 --- a/thehive-backend/app/controllers/CaseTemplateCtrl.scala +++ b/thehive-backend/app/controllers/CaseTemplateCtrl.scala @@ -7,13 +7,14 @@ import scala.concurrent.ExecutionContext import play.api.http.Status import play.api.mvc._ +import models.Roles import services.CaseTemplateSrv import org.elastic4play.Timed import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } import org.elastic4play.models.JsonFormat.baseModelEntityWrites import org.elastic4play.services.JsonFormat.queryReads -import org.elastic4play.services.{ AuxSrv, QueryDSL, QueryDef, Role } +import org.elastic4play.services.{ AuxSrv, QueryDSL, QueryDef } @Singleton class CaseTemplateCtrl @Inject() ( @@ -26,31 +27,31 @@ class CaseTemplateCtrl @Inject() ( implicit val ec: ExecutionContext) extends AbstractController(components) with Status { @Timed - def create: Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def create: Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ caseTemplateSrv.create(request.body) .map(caze ⇒ renderer.toOutput(CREATED, caze)) } @Timed - def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ caseTemplateSrv.get(id) .map(caze ⇒ renderer.toOutput(OK, caze)) } @Timed - def update(id: String): Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def update(id: String): Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ caseTemplateSrv.update(id, request.body) .map(caze ⇒ renderer.toOutput(OK, caze)) } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒ caseTemplateSrv.delete(id) .map(_ ⇒ NoContent) } @Timed - def find: Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find: Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) diff --git a/thehive-backend/app/controllers/DBListCtrl.scala b/thehive-backend/app/controllers/DBListCtrl.scala index 45597537ce..870ce43f05 100644 --- a/thehive-backend/app/controllers/DBListCtrl.scala +++ b/thehive-backend/app/controllers/DBListCtrl.scala @@ -7,7 +7,9 @@ import scala.concurrent.{ ExecutionContext, Future } import play.api.libs.json.{ JsValue, Json } import play.api.mvc._ -import org.elastic4play.services.{ DBLists, Role } +import models.Roles + +import org.elastic4play.services.DBLists import org.elastic4play.{ MissingAttributeError, Timed } @Singleton @@ -20,14 +22,14 @@ class DBListCtrl @Inject() ( implicit val ec: ExecutionContext) extends AbstractController(components) { @Timed("controllers.DBListCtrl.list") - def list: Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def list: Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ dblists.listAll.map { listNames ⇒ renderer.toOutput(OK, listNames) } } @Timed("controllers.DBListCtrl.listItems") - def listItems(listName: String): Action[AnyContent] = authenticated(Role.read) { implicit request ⇒ + def listItems(listName: String): Action[AnyContent] = authenticated(Roles.read) { implicit request ⇒ val (src, _) = dblists(listName).getItems[JsValue] val items = src.map { case (id, value) ⇒ s""""$id":$value""" } .intersperse("{", ",", "}") @@ -35,7 +37,7 @@ class DBListCtrl @Inject() ( } @Timed("controllers.DBListCtrl.addItem") - def addItem(listName: String): Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def addItem(listName: String): Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ request.body.getValue("value").fold(Future.successful(NoContent)) { value ⇒ dblists(listName).addItem(value).map { item ⇒ renderer.toOutput(OK, item.id) @@ -44,14 +46,14 @@ class DBListCtrl @Inject() ( } @Timed("controllers.DBListCtrl.deleteItem") - def deleteItem(itemId: String): Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒ + def deleteItem(itemId: String): Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒ dblists.deleteItem(itemId).map { _ ⇒ NoContent } } @Timed("controllers.DBListCtrl.udpateItem") - def updateItem(itemId: String): Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def updateItem(itemId: String): Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ request.body.getValue("value") .map { value ⇒ for { @@ -64,7 +66,7 @@ class DBListCtrl @Inject() ( } @Timed("controllers.DBListCtrl.itemExists") - def itemExists(listName: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def itemExists(listName: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val itemKey = request.body.getString("key").getOrElse(throw MissingAttributeError("Parameter key is missing")) val itemValue = request.body.getValue("value").getOrElse(throw MissingAttributeError("Parameter value is missing")) dblists(listName).exists(itemKey, itemValue).map(r ⇒ Ok(Json.obj("found" → r))) diff --git a/thehive-backend/app/controllers/FlowCtrl.scala b/thehive-backend/app/controllers/FlowCtrl.scala index 92d89ac164..315ce1f452 100644 --- a/thehive-backend/app/controllers/FlowCtrl.scala +++ b/thehive-backend/app/controllers/FlowCtrl.scala @@ -7,11 +7,12 @@ import scala.concurrent.ExecutionContext import play.api.http.Status import play.api.mvc._ +import models.Roles import services.FlowSrv import org.elastic4play.Timed import org.elastic4play.controllers.{ Authenticated, Renderer } -import org.elastic4play.services.{ AuxSrv, Role } +import org.elastic4play.services.AuxSrv @Singleton class FlowCtrl @Inject() ( @@ -26,7 +27,7 @@ class FlowCtrl @Inject() ( * Return audit logs. For each item, include ancestor entities */ @Timed - def flow(rootId: Option[String], count: Option[Int]): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def flow(rootId: Option[String], count: Option[Int]): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ val (audits, total) = flowSrv(rootId.filterNot(_ == "any"), count.getOrElse(10)) renderer.toOutput(OK, audits, total) } diff --git a/thehive-backend/app/controllers/LogCtrl.scala b/thehive-backend/app/controllers/LogCtrl.scala index 3ddbbe3a7e..038224eaa5 100644 --- a/thehive-backend/app/controllers/LogCtrl.scala +++ b/thehive-backend/app/controllers/LogCtrl.scala @@ -7,13 +7,14 @@ import scala.concurrent.ExecutionContext import play.api.http.Status import play.api.mvc._ +import models.Roles import services.LogSrv import org.elastic4play.Timed import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } import org.elastic4play.models.JsonFormat.baseModelEntityWrites import org.elastic4play.services.JsonFormat.queryReads -import org.elastic4play.services.{ QueryDSL, QueryDef, Role } +import org.elastic4play.services.{ QueryDSL, QueryDef } @Singleton class LogCtrl @Inject() ( @@ -25,31 +26,31 @@ class LogCtrl @Inject() ( implicit val ec: ExecutionContext) extends AbstractController(components) with Status { @Timed - def create(taskId: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def create(taskId: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ logSrv.create(taskId, request.body) .map(log ⇒ renderer.toOutput(CREATED, log)) } @Timed - def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ logSrv.get(id) .map(log ⇒ renderer.toOutput(OK, log)) } @Timed - def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ logSrv.update(id, request.body) .map(log ⇒ renderer.toOutput(OK, log)) } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ logSrv.delete(id) .map(_ ⇒ Ok("")) } @Timed - def findInTask(taskId: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def findInTask(taskId: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ import org.elastic4play.services.QueryDSL._ val childQuery = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val query = and(childQuery, parent("case_task", withId(taskId))) @@ -61,7 +62,7 @@ class LogCtrl @Inject() ( } @Timed - def find: Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find: Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) diff --git a/thehive-backend/app/controllers/SearchCtrl.scala b/thehive-backend/app/controllers/SearchCtrl.scala index 539fa90400..96322b23e6 100644 --- a/thehive-backend/app/controllers/SearchCtrl.scala +++ b/thehive-backend/app/controllers/SearchCtrl.scala @@ -7,6 +7,8 @@ import scala.concurrent.ExecutionContext import play.api.http.Status import play.api.mvc.{ AbstractController, Action, ControllerComponents } +import models.Roles + import org.elastic4play.Timed import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } import org.elastic4play.services.JsonFormat.queryReads @@ -23,7 +25,7 @@ class SearchCtrl @Inject() ( implicit val ec: ExecutionContext) extends AbstractController(components) with Status { @Timed - def find(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ import org.elastic4play.services.QueryDSL._ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") diff --git a/thehive-backend/app/controllers/StreamCtrl.scala b/thehive-backend/app/controllers/StreamCtrl.scala index b2a109244c..28a19c7695 100644 --- a/thehive-backend/app/controllers/StreamCtrl.scala +++ b/thehive-backend/app/controllers/StreamCtrl.scala @@ -16,11 +16,12 @@ import play.api.{ Configuration, Logger } import akka.actor.{ ActorSystem, Props } import akka.pattern.ask import akka.util.Timeout +import models.Roles import services.StreamActor import services.StreamActor.StreamMessages import org.elastic4play.controllers._ -import org.elastic4play.services.{ AuxSrv, EventSrv, MigrationSrv, Role } +import org.elastic4play.services.{ AuxSrv, EventSrv, MigrationSrv } import org.elastic4play.Timed @Singleton @@ -67,7 +68,7 @@ class StreamCtrl( * Create a new stream entry with the event head */ @Timed("controllers.StreamCtrl.create") - def create: Action[AnyContent] = authenticated(Role.read) { + def create: Action[AnyContent] = authenticated(Roles.read) { val id = generateStreamId() system.actorOf(Props( classOf[StreamActor], diff --git a/thehive-backend/app/controllers/TaskCtrl.scala b/thehive-backend/app/controllers/TaskCtrl.scala index 6362db045c..ddadd22ffe 100644 --- a/thehive-backend/app/controllers/TaskCtrl.scala +++ b/thehive-backend/app/controllers/TaskCtrl.scala @@ -7,6 +7,7 @@ import scala.concurrent.ExecutionContext import play.api.http.Status import play.api.mvc._ +import models.Roles import services.TaskSrv import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } @@ -26,31 +27,31 @@ class TaskCtrl @Inject() ( implicit val ec: ExecutionContext) extends AbstractController(components) with Status { @Timed - def create(caseId: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def create(caseId: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ taskSrv.create(caseId, request.body) .map(task ⇒ renderer.toOutput(CREATED, task)) } @Timed - def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ taskSrv.get(id) .map(task ⇒ renderer.toOutput(OK, task)) } @Timed - def update(id: String): Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def update(id: String): Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ taskSrv.update(id, request.body) .map(task ⇒ renderer.toOutput(OK, task)) } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ taskSrv.delete(id) .map(_ ⇒ NoContent) } @Timed - def findInCase(caseId: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def findInCase(caseId: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ import org.elastic4play.services.QueryDSL._ val childQuery = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val query = and(childQuery, "_parent" ~= caseId) @@ -62,7 +63,7 @@ class TaskCtrl @Inject() ( } @Timed - def find: Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find: Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) @@ -75,7 +76,7 @@ class TaskCtrl @Inject() ( } @Timed - def stats(): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def stats(): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val aggs = request.body.getValue("stats").getOrElse(throw BadRequestError("Parameter \"stats\" is missing")).as[Seq[Agg]] taskSrv.stats(query, aggs).map(s ⇒ Ok(s)) diff --git a/thehive-backend/app/controllers/UserCtrl.scala b/thehive-backend/app/controllers/UserCtrl.scala index 98e833757d..63d99fc4c8 100644 --- a/thehive-backend/app/controllers/UserCtrl.scala +++ b/thehive-backend/app/controllers/UserCtrl.scala @@ -10,12 +10,13 @@ import play.api.http.Status import play.api.libs.json.{ JsObject, Json } import play.api.mvc._ +import models.Roles import services.UserSrv import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } import org.elastic4play.models.JsonFormat.baseModelEntityWrites import org.elastic4play.services.JsonFormat.queryReads -import org.elastic4play.services.{ AuthSrv, QueryDSL, QueryDef, Role } +import org.elastic4play.services.{ AuthSrv, QueryDSL, QueryDef } import org.elastic4play.{ AuthorizationError, MissingAttributeError, Timed } @Singleton @@ -31,23 +32,23 @@ class UserCtrl @Inject() ( private[UserCtrl] lazy val logger = Logger(getClass) @Timed - def create: Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def create: Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ userSrv.create(request.body) .map(user ⇒ renderer.toOutput(CREATED, user)) } @Timed - def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ userSrv.get(id) .map { user ⇒ - val json = if (request.roles.contains(Role.admin)) user.toAdminJson else user.toJson + val json = if (request.roles.contains(Roles.admin)) user.toAdminJson else user.toJson renderer.toOutput(OK, json) } } @Timed - def update(id: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ - if (id == request.authContext.userId || request.authContext.roles.contains(Role.admin)) { + def update(id: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ + if (id == request.authContext.userId || request.authContext.roles.contains(Roles.admin)) { if (request.body.contains("password")) logger.warn("Change password attribute using update operation is deprecated. Please use dedicated API (setPassword and changePassword)") userSrv.update(id, request.body.unset("password")).map { user ⇒ @@ -60,7 +61,7 @@ class UserCtrl @Inject() ( } @Timed - def setPassword(login: String): Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def setPassword(login: String): Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ request.body.getString("password") .fold(Future.failed[Result](MissingAttributeError("password"))) { password ⇒ authSrv.setPassword(login, password).map(_ ⇒ NoContent) @@ -68,7 +69,7 @@ class UserCtrl @Inject() ( } @Timed - def changePassword(login: String): Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def changePassword(login: String): Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ if (login == request.authContext.userId) { val fields = request.body fields.getString("password").fold(Future.failed[Result](MissingAttributeError("password"))) { password ⇒ @@ -83,7 +84,7 @@ class UserCtrl @Inject() ( } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒ userSrv.delete(id) .map(_ ⇒ NoContent) } @@ -105,7 +106,7 @@ class UserCtrl @Inject() ( } @Timed - def find: Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find: Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) diff --git a/thehive-backend/app/models/JsonFormat.scala b/thehive-backend/app/models/JsonFormat.scala index 6c46292e5c..12d753ec51 100644 --- a/thehive-backend/app/models/JsonFormat.scala +++ b/thehive-backend/app/models/JsonFormat.scala @@ -2,9 +2,10 @@ package models import java.nio.file.Path -import play.api.libs.json.{ Format, JsString, Writes } +import play.api.libs.json._ import org.elastic4play.models.JsonFormat.enumFormat +import org.elastic4play.services.Role object JsonFormat { implicit val userStatusFormat: Format[UserStatus.Type] = enumFormat(UserStatus) @@ -18,4 +19,11 @@ object JsonFormat { implicit val alertStatusFormat: Format[AlertStatus.Type] = enumFormat(AlertStatus) implicit val pathWrites: Writes[Path] = Writes((value: Path) ⇒ JsString(value.toString)) + + private val roleWrites: Writes[Role] = Writes((role: Role) ⇒ JsString(role.name)) + private val roleReads: Reads[Role] = Reads { + case JsString(s) if Roles.isValid(s) ⇒ JsSuccess(Roles.withName(s).get) + case _ ⇒ JsError(Seq(JsPath → Seq(JsonValidationError(s"error.expected.role(${Roles.roleNames}")))) + } + implicit val roleFormat: Format[Role] = Format[Role](roleReads, roleWrites) } \ No newline at end of file diff --git a/thehive-backend/app/models/Roles.scala b/thehive-backend/app/models/Roles.scala new file mode 100644 index 0000000000..f613b11f93 --- /dev/null +++ b/thehive-backend/app/models/Roles.scala @@ -0,0 +1,47 @@ +package models + +import play.api.libs.json.{ JsString, JsValue } + +import com.sksamuel.elastic4s.ElasticDsl.keywordField +import com.sksamuel.elastic4s.mappings.KeywordFieldDefinition +import org.scalactic.{ Every, Good, One, Or } +import models.JsonFormat.roleFormat + +import org.elastic4play.{ AttributeError, InvalidFormatAttributeError } +import org.elastic4play.controllers.{ InputValue, JsonInputValue, StringInputValue } +import org.elastic4play.models.AttributeFormat +import org.elastic4play.services.Role + +object Roles { + object read extends Role("read") + object write extends Role("write") + object admin extends Role("admin") + object alert extends Role("alert") + val roles = read :: write :: admin :: alert :: Nil + + val roleNames = roles.map(_.name) + def isValid(roleName: String) = roleNames.contains(roleName) + def withName(roleName: String) = roles.find(_.name == roleName) +} + +object RoleAttributeFormat extends AttributeFormat[Role]("role") { + + override def checkJson(subNames: Seq[String], value: JsValue): Or[JsValue, One[InvalidFormatAttributeError]] = value match { + case JsString(v) if subNames.isEmpty && Roles.isValid(v) ⇒ Good(value) + case _ ⇒ formatError(JsonInputValue(value)) + } + + override def fromInputValue(subNames: Seq[String], value: InputValue): Role Or Every[AttributeError] = { + if (subNames.nonEmpty) + formatError(value) + else + (value match { + case StringInputValue(Seq(v)) ⇒ Good(v) + case JsonInputValue(JsString(v)) ⇒ Good(v) + case _ ⇒ formatError(value) + }).flatMap(v ⇒ Roles.withName(v).fold[Role Or Every[AttributeError]](formatError(value))(role ⇒ Good(role))) + + } + + override def elasticType(attributeName: String): KeywordFieldDefinition = keywordField(attributeName) +} \ No newline at end of file diff --git a/thehive-backend/app/models/User.scala b/thehive-backend/app/models/User.scala index 9df4658c4d..635b35c19f 100644 --- a/thehive-backend/app/models/User.scala +++ b/thehive-backend/app/models/User.scala @@ -11,8 +11,6 @@ import models.JsonFormat.userStatusFormat import services.AuditedModel import org.elastic4play.models.{ AttributeDef, BaseEntity, EntityDef, HiveEnumeration, ModelDef, AttributeFormat ⇒ F, AttributeOption ⇒ O } -import org.elastic4play.services.JsonFormat.roleFormat -import org.elastic4play.services.Role object UserStatus extends Enumeration with HiveEnumeration { type Type = Value @@ -25,7 +23,7 @@ trait UserAttributes { _: AttributeDef ⇒ val withKey = optionalAttribute("with-key", F.booleanFmt, "Generate an API key", O.form) val key = optionalAttribute("key", F.uuidFmt, "API key", O.model, O.sensitive, O.unaudited) val userName = attribute("name", F.stringFmt, "Full name (Firstname Lastname)") - val roles = multiAttribute("roles", F.enumFmt(Role), "Comma separated role list (READ, WRITE and ADMIN)") + val roles = multiAttribute("roles", RoleAttributeFormat, "Comma separated role list (READ, WRITE and ADMIN)") val status = attribute("status", F.enumFmt(UserStatus), "Status of the user", UserStatus.Ok) val password = optionalAttribute("password", F.stringFmt, "Password", O.sensitive, O.unaudited) val avatar = optionalAttribute("avatar", F.stringFmt, "Base64 representation of user avatar image", O.unaudited) diff --git a/thehive-backend/app/services/UserSrv.scala b/thehive-backend/app/services/UserSrv.scala index 02c2b2f270..cad528765f 100644 --- a/thehive-backend/app/services/UserSrv.scala +++ b/thehive-backend/app/services/UserSrv.scala @@ -1,26 +1,20 @@ package services -import javax.inject.{Inject, Provider, Singleton} +import javax.inject.{ Inject, Provider, Singleton } -import scala.concurrent.{ExecutionContext, Future} +import scala.concurrent.{ ExecutionContext, Future } import play.api.mvc.RequestHeader import akka.NotUsed import akka.stream.scaladsl.Source -import models.{User, UserModel, UserStatus} +import models.{ Roles, User, UserModel, UserStatus } import org.elastic4play.controllers.Fields import org.elastic4play.database.DBIndex import org.elastic4play.services._ import org.elastic4play.utils.Instance -import org.elastic4play.{AuthenticationError, AuthorizationError} - -object Roles { - object read extends Role - object write extends Role - object admin extends Role -} +import org.elastic4play.{ AuthenticationError, AuthorizationError } @Singleton class UserSrv @Inject() ( @@ -53,11 +47,11 @@ class UserSrv @Inject() ( override def getInitialUser(request: RequestHeader): Future[AuthContext] = dbIndex.getSize(userModel.name).map { case size if size > 0 ⇒ throw AuthenticationError(s"Use of initial user is forbidden because users exist in database") - case _ ⇒ AuthContextImpl("init", "", Instance.getRequestId(request), Seq(Role.admin, Role.read)) + case _ ⇒ AuthContextImpl("init", "", Instance.getRequestId(request), Seq(Roles.admin, Roles.read, Roles.alert)) } override def inInitAuthContext[A](block: AuthContext ⇒ Future[A]): Future[A] = { - val authContext = AuthContextImpl("init", "", Instance.getInternalId, Seq(Role.admin, Role.read)) + val authContext = AuthContextImpl("init", "", Instance.getInternalId, Seq(Roles.admin, Roles.read, Roles.alert)) eventSrv.publish(StreamActor.Initialize(authContext.requestId)) block(authContext).andThen { case _ ⇒ eventSrv.publish(StreamActor.Commit(authContext.requestId)) diff --git a/thehive-cortex/app/connectors/cortex/controllers/CortexCtrl.scala b/thehive-cortex/app/connectors/cortex/controllers/CortexCtrl.scala index 96e8037309..a11bb6e7a7 100644 --- a/thehive-cortex/app/connectors/cortex/controllers/CortexCtrl.scala +++ b/thehive-cortex/app/connectors/cortex/controllers/CortexCtrl.scala @@ -14,11 +14,12 @@ import play.api.routing.sird.{ DELETE, GET, PATCH, POST, UrlContext } import org.elastic4play.{ BadRequestError, NotFoundError, Timed } import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer } import org.elastic4play.models.JsonFormat.baseModelEntityWrites -import org.elastic4play.services.{ AuxSrv, QueryDSL, QueryDef, Role } +import org.elastic4play.services.{ AuxSrv, QueryDSL, QueryDef } import org.elastic4play.services.JsonFormat.queryReads import connectors.Connector import connectors.cortex.models.JsonFormat.analyzerFormats import connectors.cortex.services.{ CortexConfig, CortexSrv } +import models.Roles @Singleton class CortexCtrl @Inject() ( @@ -55,7 +56,7 @@ class CortexCtrl @Inject() ( } @Timed - def createJob: Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def createJob: Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ val analyzerId = request.body.getString("analyzerId").getOrElse(throw BadRequestError(s"analyzerId is missing")) val artifactId = request.body.getString("artifactId").getOrElse(throw BadRequestError(s"artifactId is missing")) val cortexId = request.body.getString("cortexId") @@ -65,14 +66,14 @@ class CortexCtrl @Inject() ( } @Timed - def getJob(jobId: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def getJob(jobId: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ cortexSrv.getJob(jobId).map { job ⇒ renderer.toOutput(OK, job) } } @Timed - def findJob: Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def findJob: Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) @@ -83,21 +84,21 @@ class CortexCtrl @Inject() ( } @Timed - def getAnalyzer(analyzerId: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def getAnalyzer(analyzerId: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ cortexSrv.getAnalyzer(analyzerId).map { analyzer ⇒ renderer.toOutput(OK, analyzer) } } @Timed - def getAnalyzerFor(dataType: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def getAnalyzerFor(dataType: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ cortexSrv.getAnalyzersFor(dataType).map { analyzers ⇒ renderer.toOutput(OK, analyzers) } } @Timed - def listAnalyzer: Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def listAnalyzer: Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ cortexSrv.listAnalyzer.map { analyzers ⇒ renderer.toOutput(OK, analyzers) } diff --git a/thehive-cortex/app/connectors/cortex/controllers/ReportTemplateCtrl.scala b/thehive-cortex/app/connectors/cortex/controllers/ReportTemplateCtrl.scala index 90797523fc..c669933998 100644 --- a/thehive-cortex/app/connectors/cortex/controllers/ReportTemplateCtrl.scala +++ b/thehive-cortex/app/connectors/cortex/controllers/ReportTemplateCtrl.scala @@ -17,10 +17,11 @@ import play.api.mvc._ import org.elastic4play.{ BadRequestError, Timed } import org.elastic4play.controllers._ import org.elastic4play.models.JsonFormat.baseModelEntityWrites -import org.elastic4play.services.{ QueryDSL, QueryDef, Role } +import org.elastic4play.services.{ QueryDSL, QueryDef } import org.elastic4play.services.AuxSrv import org.elastic4play.services.JsonFormat.queryReads import connectors.cortex.services.ReportTemplateSrv +import models.Roles import net.lingala.zip4j.core.ZipFile import net.lingala.zip4j.model.FileHeader @@ -38,19 +39,19 @@ class ReportTemplateCtrl @Inject() ( private[ReportTemplateCtrl] lazy val logger = Logger(getClass) @Timed - def create: Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def create: Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ reportTemplateSrv.create(request.body) .map(reportTemplate ⇒ renderer.toOutput(CREATED, reportTemplate)) } @Timed - def get(id: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def get(id: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ reportTemplateSrv.get(id) .map(reportTemplate ⇒ renderer.toOutput(OK, reportTemplate)) } @Timed - def getContent(analyzerId: String, reportType: String): Action[AnyContent] = authenticated(Role.read).async { implicit request ⇒ + def getContent(analyzerId: String, reportType: String): Action[AnyContent] = authenticated(Roles.read).async { implicit request ⇒ import org.elastic4play.services.QueryDSL._ val (reportTemplates, total) = reportTemplateSrv.find(and("analyzerId" ~= analyzerId, "reportType" ~= reportType), Some("0-1"), Nil) total.foreach { t ⇒ @@ -65,19 +66,19 @@ class ReportTemplateCtrl @Inject() ( } @Timed - def update(id: String): Action[Fields] = authenticated(Role.admin).async(fieldsBodyParser) { implicit request ⇒ + def update(id: String): Action[Fields] = authenticated(Roles.admin).async(fieldsBodyParser) { implicit request ⇒ reportTemplateSrv.update(id, request.body) .map(reportTemplate ⇒ renderer.toOutput(OK, reportTemplate)) } @Timed - def delete(id: String): Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒ + def delete(id: String): Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒ reportTemplateSrv.delete(id) .map(_ ⇒ NoContent) } @Timed - def find: Action[Fields] = authenticated(Role.read).async(fieldsBodyParser) { implicit request ⇒ + def find: Action[Fields] = authenticated(Roles.read).async(fieldsBodyParser) { implicit request ⇒ val query = request.body.getValue("query").fold[QueryDef](QueryDSL.any)(_.as[QueryDef]) val range = request.body.getString("range") val sort = request.body.getStrings("sort").getOrElse(Nil) @@ -90,7 +91,7 @@ class ReportTemplateCtrl @Inject() ( } @Timed - def importTemplatePackage: Action[Fields] = authenticated(Role.write).async(fieldsBodyParser) { implicit request ⇒ + def importTemplatePackage: Action[Fields] = authenticated(Roles.write).async(fieldsBodyParser) { implicit request ⇒ val zipFile = request.body.get("templates") match { case Some(FileInputValue(_, filepath, _)) ⇒ new ZipFile(filepath.toFile) case _ ⇒ throw BadRequestError("") diff --git a/thehive-misp/app/connectors/misp/MispCtrl.scala b/thehive-misp/app/connectors/misp/MispCtrl.scala index e1d624ce3f..060749e0d5 100644 --- a/thehive-misp/app/connectors/misp/MispCtrl.scala +++ b/thehive-misp/app/connectors/misp/MispCtrl.scala @@ -12,7 +12,7 @@ import play.api.routing.SimpleRouter import play.api.routing.sird.{ GET, UrlContext } import connectors.Connector -import models.{ Alert, Case, UpdateMispAlertArtifact } +import models.{ Alert, Case, Roles, UpdateMispAlertArtifact } import services.{ AlertTransformer, CaseSrv } import org.elastic4play.JsonFormat.tryWrites @@ -48,25 +48,25 @@ class MispCtrl @Inject() ( } @Timed - def syncAlerts: Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒ + def syncAlerts: Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒ mispSynchro.synchronize() .map { m ⇒ Ok(Json.toJson(m)) } } @Timed - def syncAllAlerts: Action[AnyContent] = authenticated(Role.admin).async { implicit request ⇒ + def syncAllAlerts: Action[AnyContent] = authenticated(Roles.admin).async { implicit request ⇒ mispSynchro.fullSynchronize() .map { m ⇒ Ok(Json.toJson(m)) } } @Timed - def syncArtifacts: Action[AnyContent] = authenticated(Role.admin) { + def syncArtifacts: Action[AnyContent] = authenticated(Roles.admin) { eventSrv.publish(UpdateMispAlertArtifact()) Ok("") } @Timed - def exportCase(mispName: String, caseId: String): Action[AnyContent] = authenticated(Role.write).async { implicit request ⇒ + def exportCase(mispName: String, caseId: String): Action[AnyContent] = authenticated(Roles.write).async { implicit request ⇒ caseSrv .get(caseId) .flatMap { caze ⇒ mispExport.export(mispName, caze) } diff --git a/thehive-misp/app/connectors/misp/MispExport.scala b/thehive-misp/app/connectors/misp/MispExport.scala index 44bcc7508f..d6d4060cfe 100644 --- a/thehive-misp/app/connectors/misp/MispExport.scala +++ b/thehive-misp/app/connectors/misp/MispExport.scala @@ -17,7 +17,6 @@ import akka.stream.Materializer import org.elastic4play.InternalError import org.elastic4play.controllers.Fields -import org.elastic4play.models.JsonFormat.baseModelEntityWrites import org.elastic4play.services.{ Attachment, AttachmentSrv, AuthContext } import org.elastic4play.services.JsonFormat.attachmentFormat import org.elastic4play.utils.RichFuture