TheHive-Project · bullerdude · Apr 7, 2017 · Apr 18, 2017 · Apr 18, 2017 · Apr 19, 2017
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,16 +1,37 @@
 # Change Log
 
-## [2.10.1](https://github.com/CERT-BDF/TheHive/tree/2.10.0) (2017-03-08)
-[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.10.0...2.10.0)
+## [2.10.2](https://github.com/CERT-BDF/TheHive/tree/2.10.2) (2017-04-18)
+[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.10.1...2.10.2)
 
 **Implemented enhancements:**
 
+- Run all analyzers on multiple observables from observables view [\#174](https://github.com/CERT-BDF/TheHive/issues/174)
+- Add CSRF protection [\#158](https://github.com/CERT-BDF/TheHive/issues/158)
+- Persistence for task viewing options [\#157](https://github.com/CERT-BDF/TheHive/issues/157)
+
+**Fixed bugs:**
+
+- MISP import fails [\#169](https://github.com/CERT-BDF/TheHive/issues/169)
+- Unauthenticated access to some pages doesn't redirect to login page [\#161](https://github.com/CERT-BDF/TheHive/issues/161)
+- Disable readonly access to admin pages, for users without 'admin' role [\#160](https://github.com/CERT-BDF/TheHive/issues/160)
+- Secure the usage of angular-ui-notification library [\#159](https://github.com/CERT-BDF/TheHive/issues/159)
+- Pagination does not work with 100 results per page [\#152](https://github.com/CERT-BDF/TheHive/issues/152)
+
+**Closed issues:**
+
+- Observable Tags not displayed in 2.10.1 [\#155](https://github.com/CERT-BDF/TheHive/issues/155)
+
+## [2.10.1](https://github.com/CERT-BDF/TheHive/tree/2.10.1) (2017-03-08)
+[Full Changelog](https://github.com/CERT-BDF/TheHive/compare/2.10.0...2.10.1)
+
+**Implemented enhancements:**
+
+- Feature Request: Ansible build scripts [\#124](https://github.com/CERT-BDF/TheHive/issues/124)
 - Remove the "Run all analyzers" option from observables list [\#141](https://github.com/CERT-BDF/TheHive/issues/141)
 - Remove duplicate stream callbacks registration [\#138](https://github.com/CERT-BDF/TheHive/issues/138)
 - Typo in quick filters [\#134](https://github.com/CERT-BDF/TheHive/issues/134)
 - Display a warning when trying to merge an already merged case [\#129](https://github.com/CERT-BDF/TheHive/issues/129)
 - Restyle avatar's upload button [\#126](https://github.com/CERT-BDF/TheHive/issues/126)
-- Feature Request: Ansible build scripts [\#124](https://github.com/CERT-BDF/TheHive/issues/124)
 - Add pagination component at the top of the task log [\#116](https://github.com/CERT-BDF/TheHive/issues/116)
 - Disable buttons in MISP event's preview dialog [\#115](https://github.com/CERT-BDF/TheHive/issues/115)
 - Make The Hive working on any URL path and not only / [\#114](https://github.com/CERT-BDF/TheHive/issues/114)

diff --git a/README.md b/README.md
@@ -1,5 +1,9 @@
 ![](images/thehive-logo.png)
 
+
+[![Join the chat at https://gitter.im/TheHive-Project/TheHive](https://badges.gitter.im/TheHive-Project/TheHive.svg)](https://gitter.im/TheHive-Project/TheHive?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+
 [TheHive](https://thehive-project.org/) is a scalable 3-in-1 open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
 
 ![Current Cases View](images/Current_cases.png)

diff --git a/thehive-cortex/app/connectors/cortex/services/CortexClient.scala b/thehive-cortex/app/connectors/cortex/services/CortexClient.scala
@@ -6,7 +6,7 @@ import scala.concurrent.duration.Duration
 import akka.stream.scaladsl.Source
 
 import play.api.libs.json.{ JsObject, Json }
-import play.api.libs.ws.{ WSClient, WSRequest, WSResponse }
+import play.api.libs.ws.{ WSClient, WSRequest, WSResponse, WSAuthScheme }
 import play.api.mvc.MultipartFormData.{ DataPart, FilePart }
 
 import org.elastic4play.NotFoundError
@@ -15,15 +15,21 @@ import connectors.cortex.models.{ Analyzer, CortexArtifact, DataArtifact, FileAr
 import connectors.cortex.models.JsonFormat._
 import play.api.Logger
 
-class CortexClient(val name: String, baseUrl: String, key: String) {
+class CortexClient(val name: String, baseUrl: String, key: String, username: String, password: String, basicEnabled: String) {
 
   lazy val logger = Logger(getClass)
 
-  logger.info(s"new Cortex($name, $baseUrl, $key)")
+  logger.info(s"new Cortex($name, $baseUrl, $key) Basic Auth enabled: $basicEnabled")
   def request[A](uri: String, f: WSRequest ⇒ Future[WSResponse], t: WSResponse ⇒ A)(implicit ws: WSClient, ec: ExecutionContext): Future[A] = {
     val url = (baseUrl + uri)
     logger.info(s"Requesting Cortex $url")
-    f(ws.url(url).withHeaders("auth" → key)).map {
+    var requestBuilder = ws.url(url).withHeaders("auth" → key)
+    if (basicEnabled.toLowerCase() == "true") {
+      logger.info(s"Basic Auth is enabled")
+      requestBuilder = ws.url(url).withHeaders("auth" → key).withAuth(username, password, WSAuthScheme.BASIC)
+    }
+
+    f(requestBuilder).map {
       case response if response.status / 100 == 2 ⇒ t(response)
       case error ⇒
         logger.error(s"Cortex error on $url (${error.status}) \n${error.body}")
@@ -74,4 +80,4 @@ class CortexClient(val name: String, baseUrl: String, key: String) {
   def waitReport(jobId: String, atMost: Duration)(implicit ws: WSClient, ec: ExecutionContext) = {
     request(s"/api/job/$jobId/waitreport", _.withQueryString("atMost" → atMost.toString).get, r ⇒ r.json.as[JsObject])
   }
-}
+}
diff --git a/thehive-cortex/app/connectors/cortex/services/CortexSrv.scala b/thehive-cortex/app/connectors/cortex/services/CortexSrv.scala
@@ -35,7 +35,14 @@ object CortexConfig {
     try {
       val url = configuration.getString("url").getOrElse(sys.error("url is missing")).replaceFirst("/*$", "")
       val key = "" // configuration.getString("key").getOrElse(sys.error("key is missing"))
-      Some(new CortexClient(name, url, key))
+      val basicEnabled = configuration.getString("basicAuth").getOrElse("false")
+      var username = ""
+      var password = ""
+      if (basicEnabled.toLowerCase() == "true") {
+        username = configuration.getString("username").getOrElse(sys.error("Basic Auth username is missing"))
+        password = configuration.getString("password").getOrElse(sys.error("Basic Auth password is missing"))
+      }
+      Some(new CortexClient(name, url, key, username, password, basicEnabled))
     }
     catch {
       case NonFatal(e) ⇒
@@ -240,4 +247,4 @@ class CortexSrv @Inject() (
       case None ⇒ Future.failed(NotFoundError(s"Cortex $cortexId not found"))
     }
   }
-}
+}
diff --git a/thehive-cortex/conf/reference.conf b/thehive-cortex/conf/reference.conf
@@ -6,5 +6,9 @@ cortex {
   #"CORTEX-SERVER-ID" {
   #  # URL of MISP server
   #  url = ""
+  #  # If Cortex instance behind Basic Auth, set it here
+  #  basicAuth = "true"
+  #  username = ""
+  #  password = ""
   #}
 }
diff --git a/ui/app/scripts/app.js b/ui/app/scripts/app.js
@@ -48,13 +48,13 @@ angular.module('thehive', ['ngAnimate', 'ngMessages', 'ngSanitize', 'ui.bootstra
                 templateUrl: 'views/app.html',
                 controller: 'RootCtrl',
                 resolve: {
-                    currentUser: function($q, AuthenticationSrv) {
+                    currentUser: function($q, $state, AuthenticationSrv) {
                         var deferred = $q.defer();
 
                         AuthenticationSrv.current(function(userData) {
                             return deferred.resolve(userData);
-                        }, function( /*err, status*/ ) {
-                            return deferred.resolve(null);
+                        }, function(err, status) {
+                            return deferred.resolve(status === 520 ? status : null);
                         });
 
                         return deferred.promise;

diff --git a/ui/app/scripts/controllers/RootCtrl.js b/ui/app/scripts/controllers/RootCtrl.js
@@ -5,7 +5,10 @@ angular.module('theHiveControllers').controller('RootCtrl',
     function($scope, $uibModal, $location, $state, $base64, AuthenticationSrv, MispSrv, StreamSrv, StreamStatSrv, TemplateSrv, MetricsCacheSrv, AlertSrv, currentUser) {
         'use strict';
 
-        if(!currentUser || !currentUser.id) {
+        if(currentUser === 520) {
+            $state.go('maintenance');
+            return;
+        }else if(!currentUser || !currentUser.id) {
             $state.go('login');
             return;
         }