[backend] add platform data sharing max markings

opencti-platform/opencti-front/src/schema/relay.schema.graphql

@@ -1170,6 +1170,7 @@ type Settings implements InternalObject & BasicObject {
   entity_type: String!
   parent_types: [String!]!
   platform_organization: Organization
+  platform_data_sharing_max_markings: [MarkingDefinition!]
   platform_title: String
   platform_favicon: String
   platform_email: String

opencti-platform/opencti-graphql/config/schema/opencti.graphql

@@ -1109,6 +1109,7 @@ type Settings implements InternalObject & BasicObject {
   parent_types: [String!]! @auth
   # Settings
   platform_organization: Organization
+  platform_data_sharing_max_markings: [MarkingDefinition!]
   platform_title: String
   platform_favicon: String
   platform_email: String @auth

opencti-platform/opencti-graphql/src/domain/settings.js

@@ -8,13 +8,13 @@ import { isRuntimeSortEnable, searchEngineVersion } from '../database/engine';
 import { getRabbitMQVersion } from '../database/rabbitmq';
 import { ENTITY_TYPE_GROUP, ENTITY_TYPE_SETTINGS } from '../schema/internalObject';
 import { isUserHasCapability, SETTINGS_SET_ACCESSES, SYSTEM_USER } from '../utils/access';
-import { storeLoadById } from '../database/middleware-loader';
+import { internalLoadById, storeLoadById } from '../database/middleware-loader';
 import { INTERNAL_SECURITY_PROVIDER, PROVIDERS } from '../config/providers';
 import { publishUserAction } from '../listener/UserActionListener';
 import { getEntityFromCache } from '../database/cache';
 import { now } from '../utils/format';
 import { generateInternalId } from '../schema/identifier';
-import { UnsupportedError } from '../config/errors';
+import { ForbiddenAccess, UnsupportedError } from '../config/errors';
 import { isEmptyField, isNotEmptyField } from '../database/utils';
 
 export const getMemoryStatistics = () => {
@@ -197,3 +197,15 @@ export const getCriticalAlerts = async (context, user) => {
   // no alert
   return [];
 };
+
+export const getMaxMarkings = async (context, user) => {
+  if (!isUserHasCapability(user, SETTINGS_SET_ACCESSES)) {
+    throw ForbiddenAccess();
+  }
+  const settings = await getEntityFromCache(context, user, ENTITY_TYPE_SETTINGS);
+  const { platform_data_sharing_max_markings } = settings;
+  if (!platform_data_sharing_max_markings) {
+    return [];
+  }
+  return await Promise.all(platform_data_sharing_max_markings.map((id) => internalLoadById(context, user, id)));
+};

opencti-platform/opencti-graphql/src/generated/graphql.ts

@@ -21286,6 +21286,7 @@ export type Settings = BasicObject & InternalObject & {
   platform_consent_confirm_text?: Maybe<Scalars['String']['output']>;
   platform_consent_message?: Maybe<Scalars['String']['output']>;
   platform_critical_alerts: Array<PlatformCriticalAlert>;
+  platform_data_sharing_max_markings?: Maybe<Array<MarkingDefinition>>;
   platform_demo?: Maybe<Scalars['Boolean']['output']>;
   platform_email?: Maybe<Scalars['String']['output']>;
   platform_favicon?: Maybe<Scalars['String']['output']>;
@@ -35599,6 +35600,7 @@ export type SettingsResolvers<ContextType = any, ParentType extends ResolversPar
   platform_consent_confirm_text?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   platform_consent_message?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   platform_critical_alerts?: Resolver<Array<ResolversTypes['PlatformCriticalAlert']>, ParentType, ContextType>;
+  platform_data_sharing_max_markings?: Resolver<Maybe<Array<ResolversTypes['MarkingDefinition']>>, ParentType, ContextType>;
   platform_demo?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType>;
   platform_email?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   platform_favicon?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;

opencti-platform/opencti-graphql/src/migrations/1708523502214-add-platform-data-sharing-max-markings.js

@@ -0,0 +1,18 @@
+import { executionContext, SYSTEM_USER } from '../utils/access';
+import { getSettings, settingsEditField } from '../domain/settings';
+import { logApp } from '../config/conf';
+
+export const up = async (next) => {
+  logApp.info('[MIGRATION] Add platform data sharing max markings');
+  const context = executionContext('migration');
+  // ------ Add platform_data_sharing_max_markings
+  const settings = await getSettings(context);
+  const patch = [{ key: 'platform_data_sharing_max_markings', value: [] }];
+  await settingsEditField(context, SYSTEM_USER, settings.id, patch);
+  logApp.info('[MIGRATION] Add platform data sharing max markings done.');
+  next();
+};
+
+export const down = async (next) => {
+  next();
+};

opencti-platform/opencti-graphql/src/modules/attributes/internalObject-registrationAttributes.ts

@@ -160,6 +160,7 @@ const internalObjectsAttributes: { [k: string]: Array<AttributeDefinition> } = {
   [ENTITY_TYPE_SETTINGS]: [
     { name: 'platform_title', label: 'Platform title', type: 'string', format: 'short', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },
     { name: 'platform_organization', label: 'Platform organization', type: 'string', format: 'short', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },
+    { name: 'platform_data_sharing_max_markings', label: 'Platform data sharing max markings', type: 'string', format: 'short', mandatoryType: 'no', editDefault: false, multiple: true, upsert: false, isFilterable: false },
     { name: 'platform_favicon', label: 'Platform favicon', type: 'string', format: 'short', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },
     { name: 'platform_email', label: 'Platform email', type: 'string', format: 'short', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },
     { name: 'platform_theme', label: 'Theme', type: 'string', format: 'short', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },

opencti-platform/opencti-graphql/src/modules/publicDashboard/publicDashboard-domain.ts

@@ -30,7 +30,7 @@ import { SYSTEM_USER } from '../../utils/access';
 import { publishUserAction } from '../../listener/UserActionListener';
 import { initializeAuthorizedMembers } from '../workspace/workspace-domain';
 import { ENTITY_TYPE_MARKING_DEFINITION } from '../../schema/stixMetaObject';
-import { getEntitiesMapFromCache } from '../../database/cache';
+import { getEntitiesListFromCache, getEntitiesMapFromCache } from '../../database/cache';
 import type { BasicStoreRelation, NumberResult, StoreMarkingDefinition, StoreRelationConnection } from '../../types/store';
 import { getWidgetArguments } from './publicDashboard-utils';
 import {
@@ -42,10 +42,11 @@ import {
 } from '../../domain/stixCoreObject';
 import { ABSTRACT_STIX_CORE_OBJECT } from '../../schema/general';
 import { findAll as stixRelationships, stixRelationshipsDistribution, stixRelationshipsMultiTimeSeries, stixRelationshipsNumber } from '../../domain/stixRelationship';
-import { bookmarks } from '../../domain/user';
+import { bookmarks, computeAvailableMarkings } from '../../domain/user';
 import { dayAgo } from '../../utils/format';
 import { isStixCoreObject } from '../../schema/stixCoreObject';
 import { ES_MAX_CONCURRENCY } from '../../database/engine';
+import { getMaxMarkings } from '../../domain/settings';
 
 export const findById = (
   context: AuthContext,
@@ -151,6 +152,16 @@ export const addPublicDashboard = async (
     [{ id: user.id, access_right: 'admin' }, { id: 'ALL', access_right: 'view' }],
     user,
   );
+
+  // check platform data sharing max markings
+  const maxMarkings = await getMaxMarkings(context, user);
+  const allMarkings = await getEntitiesListFromCache<StoreMarkingDefinition>(context, SYSTEM_USER, ENTITY_TYPE_MARKING_DEFINITION);
+  const computedMarkings = computeAvailableMarkings(maxMarkings, allMarkings);
+  const computedMarkingsId = computedMarkings.map((marking) => marking.id);
+  if (input.allowed_markings_ids?.some((id) => !computedMarkingsId.includes(id))) {
+    throw UnsupportedError('Invalid markings');
+  }
+
   // Create publicDashboard
   const publicDashboardToCreate = {
     name: input.name,

opencti-platform/opencti-graphql/src/modules/publicDashboard/publicDashboard-utils.ts

@@ -45,7 +45,7 @@ export const getWidgetArguments = async (
   const user = {
     ...platformUser,
     origin: { user_id: platformUser.id, referer: 'public-dashboard' },
-    allowed_marking: computeAvailableMarkings(allowed_markings, allMarkings), // TODO what if user is downgraded ??
+    allowed_marking: computeAvailableMarkings(allowed_markings, allMarkings),
     capabilities: [accessKnowledgeCapability]
   };
 

opencti-platform/opencti-graphql/src/resolvers/settings.js

@@ -6,6 +6,7 @@ import {
   getApplicationDependencies,
   getApplicationInfo,
   getCriticalAlerts,
+  getMaxMarkings,
   getMemoryStatistics,
   getMessagesFilteredByRecipients,
   getSettings,
@@ -38,6 +39,7 @@ const settingsResolvers = {
     platform_session_idle_timeout: () => Number(nconf.get('app:session_idle_timeout')),
     platform_session_timeout: () => Number(nconf.get('app:session_timeout')),
     platform_organization: (settings, __, context) => findById(context, context.user, settings.platform_organization),
+    platform_data_sharing_max_markings: (settings, __, context) => getMaxMarkings(context, context.user),
     platform_critical_alerts: (_, __, context) => getCriticalAlerts(context, context.user),
     activity_listeners: (settings, __, context) => internalFindByIds(context, context.user, settings.activity_listeners_ids),
     otp_mandatory: (settings) => settings.otp_mandatory ?? false,