[Bug] TheHive V4 API Errors "Operation Not Permitted" and "Date format"

[graememeyer]

[Bug] TheHive V4 API Errors "Operation Not Permitted" and "Date format"

Request Type

Bug

Work Environment

Question	Answer
OS version (server)	Ubuntu 18 (Training VM)
OS version (client)	Windows 10.
TheHive version / git hash	4.0
Package Type	Training VM
Browser type & version	N/A

Problem Description

"Operation not permitted" and invalid date format errors when posting to TheHive4 "Create Alert" API.

I'm using the training VMs for 3.4 and 4.0. A curl POST to the v4 VM gives me a date format error (below), and when you remove the date parameter you get an "Operation not permitted error".

Steps to Reproduce

TheHive4 Curl:
curl -X POST -H 'Authorization: Bearer 7ywJAe8sk9v0qCPjWF0ysrc7+Q6JouTR' -H 'Content-Type: application/json' http://thehive4.local:9000/api/alert -d '{"title": "Test Alert","description": "Created with curl via the API","type": "CurlTest","source": "API","sourceRef": "TA1","date": "1598453685000"}'
Result:
{"type":"AttributeCheckingError","message":"[Invalid format for date: FString(1598453685000), expected date (date)]","errors":[{"name":"date","format":"date","acceptedInput":["date"],"field":"FString(1598453685000)","type":"InvalidFormatAttributeError"}]}

TheHive4 Curl:
curl -X POST -H 'Authorization: Bearer 7ywJAe8sk9v0qCPjWF0ysrc7+Q6JouTR' -H 'Content-Type: application/json' http://thehive4.local:9000/api/alert -d '{"title": "Test Alert","description": "Created with curl via the API","type": "CurlTest","source": "API","sourceRef": "TA2"}'
Result:
{"type":"AuthorizationError","message":"Operation not permitted"}

TheHive3 Curl:
curl -X POST -H 'Authorization: Bearer SuGd5Aj4NNudH8unh5CpWLm4U/MYDeVc' -H 'Content-Type: application/json' http://thehive3.local:9000/api/alert -d '{"title": "Test Alert","description": "Created with curl via the API","type": "CurlTest","source": "API","sourceRef": "TA1","date": "1598453685000"}'
Result:
{"severity":2,"date":1598453685000,"_routing":"e88708eaf54e196b1826e24ac227bbcd","customFields":{},"_type":"alert","description":"Created with curl via the API","lastSyncDate":1598455169746,"source":"API","type":"CurlTest","follow":true,"title":"Test Alert","createdAt":1598455169743,"_parent":null,"createdBy":"admin","tlp":2,"_id":"e88708eaf54e196b1826e24ac227bbcd","id":"e88708eaf54e196b1826e24ac227bbcd","sourceRef":"TA2","_version":1,"artifacts":[],"status":"New"}

[To-om]

TheHive3 is too tolerant. Date format must be an integer (not a string).
For backward compatibility reason, I'll permit date as string.

Regarding your "Operation not permitted" issue, it occurs when the user doesn't have the "manageAlert" permission. If your user is in several organisations, you need to inform TheHive on which organisation the alert will be created. This can be done using "X-Organisation" HTTP header:

curl -X POST -H 'X-Organisation: MyOrganisationName' -H 'Authorization: Bearer 7ywJAe8sk9v0qCPjWF0ysrc7+Q6JouTR' -H 'Content-Type: application/json' http://thehive4.local:9000/api/alert -d '{"title": "Test Alert","description": "Created with curl via the API","type": "CurlTest","source": "API","sourceRef": "TA2"}'

[graememeyer]

That's great feedback for both errors. Thank you! 🙏