From fe5ee0471ba3f2e5645147e98e98959bd5395232 Mon Sep 17 00:00:00 2001
From: To-om
Date: Wed, 8 Jul 2020 10:55:59 +0200
Subject: [PATCH] #1423 Add permissions extraData for cases and observables

---
 .../thehive/controllers/v1/CaseRenderer.scala | 4 +++
 .../controllers/v1/ObservableRenderer.scala | 12 +++++---
 .../org/thp/thehive/services/CaseSrv.scala | 28 ++++++++-----------
 .../thp/thehive/services/ObservableSrv.scala | 24 ++++++++++------
 4 files changed, 38 insertions(+), 30 deletions(-)

diff --git a/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
index be95421c94..356e8681a2 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/CaseRenderer.scala
@@ -61,6 +61,9 @@ trait CaseRenderer {
 def shareCountStats(caseSteps: CaseSteps): Traversal[JsValue, JsValue] =
 caseSteps.organisations.count.map(c => JsNumber.apply(c - 1))
 
+ def permissions(caseSteps: CaseSteps)(implicit authContext: AuthContext): Traversal[JsValue, JsValue] =
+ caseSteps.userPermissions.map(permissions => Json.toJson(permissions))
+
 def caseStatsRenderer(extraData: Set[String])(
 implicit authContext: AuthContext,
 db: Database,
@@ -79,6 +82,7 @@ trait CaseRenderer {
 case (f, "alerts") => f.andThen(addData(alertStats))
 case (f, "isOwner") => f.andThen(addData(isOwnerStats))
 case (f, "shareCount") => f.andThen(addData(shareCountStats))
+ case (f, "permissions") => f.andThen(addData(permissions))
 case (f, _) => f.andThen(_.by(__.constant(JsNull).traversal))
 }
 .andThen(f => Traversal(f.map(m => JsObject(m.asScala))))
diff --git a/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala b/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala
index 9479f9472c..aa79e44771 100644
--- a/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala
+++ b/thehive/app/org/thp/thehive/controllers/v1/ObservableRenderer.scala
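Review bot: The new `permissions` helper in the `@@ -61` hunk yields one element per share of the case with `authContext.organisation` and appears to yield nothing at all when there is no such share, because `userPermissions` is built from `share(...).profile` with no fold; how `addData` treats an empty by-traversal is not visible in this diff, but if it drops the projected row or emits a null the `"permissions"` key should fall back to an empty set instead — verify against `addData`. The helper also has no documentation; a one-line Scaladoc such as `/** Effective permissions of the current user on the case, rendered as a JSON array for the "permissions" extraData key. */` would make the renderer table self-explanatory. The lambda parameter shadows the method name; `.map(p => Json.toJson(p))` reads better. Both points apply equally to `permissions(observableSteps: ObservableSteps)` in the ObservableRenderer hunk below.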
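Review bot: The added `case (f, "permissions")` arm in the `@@ -79` hunk carries the longest key in this match while the surrounding arms are left untouched, whereas the matching ObservableRenderer hunk removes and re-adds its arms with textually identical content, which suggests a whitespace-only realignment of the arrows there. If the project's scalafmt configuration aligns `=>` (I cannot confirm it from this diff), `caseStatsRenderer` is now left unformatted while `observableStatsRenderer` is not; running the formatter on CaseRenderer.scala would keep the two renderers consistent. The enclosing `caseStatsRenderer` starts before this hunk.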
@@ -39,6 +39,9 @@ trait ObservableRenderer {
 _.`case`.richCaseWithoutPerms.map(c => Json.obj("case" -> c.toJson))
 )
 
+ def permissions(observableSteps: ObservableSteps)(implicit authContext: AuthContext): Traversal[JsValue, JsValue] =
+ observableSteps.userPermissions.map(permissions => Json.toJson(permissions))
+
 def observableStatsRenderer(extraData: Set[String])(
 implicit authContext: AuthContext,
 db: Database,
@@ -52,10 +55,11 @@ trait ObservableRenderer {
 val dataName = extraData.toSeq
 dataName
 .foldLeft[ObservableSteps => GremlinScala[JMap[String, JsValue]]](_.raw.project(dataName.head, dataName.tail: _*)) {
- case (f, "seen") => f.andThen(addData(seenStats))
- case (f, "shares") => f.andThen(addData(sharesStats))
- case (f, "links") => f.andThen(addData(observableLinks))
- case (f, _) => f.andThen(_.by(__.constant(JsNull).traversal))
+ case (f, "seen") => f.andThen(addData(seenStats))
+ case (f, "shares") => f.andThen(addData(sharesStats))
+ case (f, "links") => f.andThen(addData(observableLinks))
+ case (f, "permissions") => f.andThen(addData(permissions))
+ case (f, _) => f.andThen(_.by(__.constant(JsNull).traversal))
 }
 .andThen(f => Traversal(f.map(m => JsObject(m.asScala))))
 }
diff --git a/thehive/app/org/thp/thehive/services/CaseSrv.scala b/thehive/app/org/thp/thehive/services/CaseSrv.scala
index f7f0bf6fa9..84b3c81b8a 100644
--- a/thehive/app/org/thp/thehive/services/CaseSrv.scala
+++ b/thehive/app/org/thp/thehive/services/CaseSrv.scala
@@ -355,15 +355,15 @@ class CaseSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema"
 def assignee: UserSteps = new UserSteps(raw.outTo[CaseUser])
 
 def can(permission: Permission)(implicit authContext: AuthContext): CaseSteps =
- this.filter(
- _.inTo[ShareCase]
- .filter(_.outTo[ShareProfile].has("permissions", permission))
- .inTo[OrganisationShare]
- .inTo[RoleOrganisation]
- .filter(_.outTo[RoleProfile].has("permissions", permission))
- .inTo[UserRole]
- .has("login", authContext.userId)
- )
+ if (authContext.permissions.contains(permission))
+ this.filter(
+ _.inTo[ShareCase]
+ .filter(_.outTo[ShareProfile].has("permissions", permission))
+ .inTo[OrganisationShare]
+ .has("name", authContext.organisation)
+ )
+ else
+ this.limit(0)
 
 override def newInstance(newRaw: GremlinScala[Vertex]): CaseSteps = new CaseSteps(newRaw)
@@ -427,14 +427,8 @@ class CaseSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-schema"
 def userPermissions(implicit authContext: AuthContext): Traversal[Set[Permission], Set[Permission]] =
 this
 .share(authContext.organisation)
- .project(
- _.by(_.profile.permissions.fold)
- .by(_.organisation.userPermissions(authContext.userId).fold)
- )
- .map {
- case (sharePermissions: JList[String], userPermissions: JList[String]) =>
- Permission(sharePermissions.asScala.toSet & userPermissions.asScala.toSet)
- }
+ .profile
+ .map(profile => profile.permissions & authContext.permissions)
 
 def origin: OrganisationSteps = new OrganisationSteps(raw.inTo[ShareCase].has(Key("owner") of true).inTo[OrganisationShare])
diff --git a/thehive/app/org/thp/thehive/services/ObservableSrv.scala b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
index f3d6c1025f..993a48c413 100644
--- a/thehive/app/org/thp/thehive/services/ObservableSrv.scala
+++ b/thehive/app/org/thp/thehive/services/ObservableSrv.scala
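Review bot: The rewritten `can` in the `@@ -355` hunk takes the user side of the authorization check from `authContext.permissions` in memory and walks the graph only for the share side, restricted to the share with `authContext.organisation`, whereas the removed traversal resolved the permission through `RoleProfile`/`UserRole` for any organisation the case is shared with; that narrowing is deliberate but nothing in the code says so. Add a Scaladoc on `can` stating that the check is scoped to the organisation of the AuthContext and relies on `authContext.permissions` being the caller's permissions in that organisation — how that set is populated is not visible in this diff and is the invariant an auditor will want to confirm. Note that the filter shown as context at the top of the ObservableSrv hunk still resolves the user through `RoleOrganisation`/`UserRole` by `authContext.userId`, so visibility and `can` now use different scoping rules; an element reachable through another organisation would pass the first and be dropped by the second. The same rewrite appears in `ObservableSteps.can`, which should carry the same comment.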
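Review bot: `userPermissions` in the `@@ -427` hunk now intersects the share profile's permissions with `authContext.permissions` instead of the permissions resolved from the organisation's role for `authContext.userId`, so like `can` it silently assumes the AuthContext carries the permissions for `authContext.organisation`; when the case has no share with that organisation the traversal yields no element rather than an empty set, which callers that project it into a map need to expect. Document the contract: `/** Permissions the current user effectively holds on this case: the share profile's permissions for authContext.organisation intersected with authContext.permissions; yields nothing when the case is not shared with that organisation. */` The `userPermissions` added in the ObservableSrv hunk is the same method with `ShareObservable` in place of `ShareCase` and should carry the same Scaladoc; the two copies are a candidate for a shared helper parameterised on the share edge.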
@@ -214,15 +214,21 @@ class ObservableSteps(raw: GremlinScala[Vertex])(implicit @Named("with-thehive-s
 this.filter(_.inTo[ShareObservable].inTo[OrganisationShare].inTo[RoleOrganisation].inTo[UserRole].has("login", authContext.userId))
 
 def can(permission: Permission)(implicit authContext: AuthContext): ObservableSteps =
- this.filter(
- _.inTo[ShareObservable]
- .filter(_.outTo[ShareProfile].has("permissions", permission))
- .inTo[OrganisationShare]
- .inTo[RoleOrganisation]
- .filter(_.outTo[RoleProfile].has("permissions", permission))
- .inTo[UserRole]
- .has("login", authContext.userId)
- )
+ if (authContext.permissions.contains(permission))
+ this.filter(
+ _.inTo[ShareObservable]
+ .filter(_.outTo[ShareProfile].has("permissions", permission))
+ .inTo[OrganisationShare]
+ .has("name", authContext.organisation)
+ )
+ else
+ this.limit(0)
+
+ def userPermissions(implicit authContext: AuthContext): Traversal[Set[Permission], Set[Permission]] =
+ this
+ .share(authContext.organisation)
+ .profile
+ .map(profile => profile.permissions & authContext.permissions)
 
 def organisations = new OrganisationSteps(raw.inTo[ShareObservable].inTo[OrganisationShare])