[backend] Improve config restrictions / visibility for batch rel load…
…ing (#6473)
richard-julien committed Mar 30, 2024
1 parent c09c9f5 commit 5ff2123
Showing 5 changed files with 40 additions and 25 deletions.
Expand Up @@ -26,6 +26,8 @@ import { useFormatter } from '../../../../components/i18n';
import { FIVE_SECONDS } from '../../../../utils/Time';
import { MESSAGING$ } from '../../../../relay/environment';
import Transition from '../../../../components/Transition';
import { MODULES_MODMANAGE } from '../../../../utils/hooks/useGranted';
import Security from '../../../../utils/Security';

const interval$ = interval(FIVE_SECONDS);

Expand Down Expand Up @@ -224,15 +226,17 @@ const ConnectorWorksComponent: FunctionComponent<ConnectorWorksComponentProps> =
>
{work.errors?.length} {t_i18n('errors')}
</Button>
<Button
variant="outlined"
classes={{ root: classes.deleteButton }}
onClick={() => handleDeleteWork(work.id)}
size="small"
startIcon={<Delete/>}
>
{t_i18n('Delete')}
</Button>
<Security needs={[MODULES_MODMANAGE]}>
<Button
variant="outlined"
classes={{ root: classes.deleteButton }}
onClick={() => handleDeleteWork(work.id)}
size="small"
startIcon={<Delete/>}
>
{t_i18n('Delete')}
</Button>
</Security>
</Grid>
</Paper>
);
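Review bot: The `<Security needs={[MODULES_MODMANAGE]}>` wrapper around the Delete button is a display gate only, and nothing in this section records where deletion is actually enforced. Hiding the button does not stop a client that lacks the capability from calling the API, so the real protection has to be the server-side `@auth` directive on the work mutations, which this commit tightens in opencti.graphql. I would add a comment above the wrapper, `{/* UI hint only: the API enforces MODULES_MODMANAGE via @auth on the work mutations */}`, so the two stay in step when capabilities change. ConnectorWorksComponent starts and ends outside the hunk and `handleDeleteWork` is not visible here, so which mutation it calls is assumed.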
Expand Up @@ -272,7 +272,6 @@ type ObjectTotals {
}

type OverviewMetrics {
node: String
object_totals: ObjectTotals
queue_totals: QueueTotals
message_stats: MessagesStats
10 changes: 4 additions & 6 deletions opencti-platform/opencti-graphql/config/schema/opencti.graphql
Expand Up @@ -276,7 +276,6 @@ type ObjectTotals {
queues: String
}
type OverviewMetrics {
node: String
object_totals: ObjectTotals
queue_totals: QueueTotals
message_stats: MessagesStats
Expand Down Expand Up @@ -10738,7 +10737,7 @@ type Query {

about: AppInfo
aiEndpoints: [String]
logsWorkerConfig: LogsWorkerConfig @auth(for: [MODULES])
logsWorkerConfig: LogsWorkerConfig @auth(for: [CONNECTORAPI])
rabbitMQMetrics(prefix: String): RabbitMQMetrics @auth(for: [MODULES])
elasticSearchMetrics: ElasticSearchMetrics @auth(for: [MODULES])
logs(
Expand Down Expand Up @@ -12360,10 +12359,9 @@ type Mutation {
synchronizerTest(input: SynchronizerAddInput): String @auth(for: [CONNECTORAPI])

### WORK
workAdd(connectorId: String!, friendlyName: String): Work!
@auth(for: [KNOWLEDGE_KNASKIMPORT, KNOWLEDGE_KNGETEXPORT_KNASKEXPORT])
workEdit(id: ID!): WorkEditMutations @auth(for: [KNOWLEDGE_KNASKIMPORT, KNOWLEDGE_KNGETEXPORT_KNASKEXPORT])
workDelete(connectorId: String!): Boolean
workAdd(connectorId: String!, friendlyName: String): Work! @auth(for: [CONNECTORAPI, MODULES_MODMANAGE, KNOWLEDGE_KNASKIMPORT, KNOWLEDGE_KNGETEXPORT_KNASKEXPORT])
workEdit(id: ID!): WorkEditMutations @auth(for: [CONNECTORAPI, MODULES_MODMANAGE])
workDelete(connectorId: String!): Boolean @auth(for: [CONNECTORAPI, MODULES_MODMANAGE])

### TASK
deleteBackgroundTask(id: ID!): ID!
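Review bot: The new `@auth` lists on `workEdit` and `workDelete` gate on capability only; neither `id` nor `connectorId` is tied to the caller in the schema, so any holder of CONNECTORAPI could presumably act on work items of another connector unless the resolvers check ownership, which is not visible in this section. `workAdd` also keeps KNOWLEDGE_KNASKIMPORT and KNOWLEDGE_KNGETEXPORT_KNASKEXPORT while `workEdit` drops them, so a user who can create a work item can no longer update it; if that asymmetry is intended it deserves a line of documentation. I would add above the block `# workEdit/workDelete: connector or module-manager only; resolvers must still verify the work belongs to the target connector`. The Mutation type starts and ends outside the hunk.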
30 changes: 23 additions & 7 deletions opencti-platform/opencti-graphql/src/domain/stixCoreObject.js
Expand Up @@ -47,6 +47,7 @@ import { INSTANCE_REGARDING_OF, specialFilterKeysWhoseValueToResolve } from '../
import { schemaRelationsRefDefinition } from '../schema/schema-relationsRef';
import { ENTITY_TYPE_CONTAINER_GROUPING } from '../modules/grouping/grouping-types';
import { getEntitiesMapFromCache } from '../database/cache';
import { isUserCanAccessStoreElement, SYSTEM_USER } from '../utils/access';

export const findAll = async (context, user, args) => {
let types = [];
Expand Down Expand Up @@ -80,31 +81,46 @@ export const findById = async (context, user, stixCoreObjectId) => {

export const batchInternalRels = async (context, user, elements, opts = {}) => {
const relIds = elements.map(({ element, definition }) => element[definition.databaseName]).flat().filter((id) => isNotEmptyField(id));
const resolvedElements = await internalFindByIds(context, user, relIds, { toMap: true });
return elements.map(({ element, definition }) => {
// Get all rel resolutions with system user
// The visibility will be restricted in the data preparation
const resolvedElements = await internalFindByIds(context, SYSTEM_USER, relIds, { toMap: true });
return await Promise.all(elements.map(async ({ element, definition }) => {
const relId = element[definition.databaseName];
if (definition.multiple) {
const relElements = (relId ?? []).map((id) => {
const relElements = await Promise.all((relId ?? []).map(async (id) => {
const resolve = resolvedElements[id];
// If resolution is empty the database is inconsistent, an error must be thrown
if (isEmptyField(resolve)) {
throw UnsupportedError('Invalid loading of batched elements', { ids: relId });
}
return resolve;
});
// If user have correct access right, return the element
if (await isUserCanAccessStoreElement(context, user, resolve)) {
return resolve;
}
// If access is not possible, return a restricted entity
return { id: resolve.internal_id, name: 'Restricted', entity_type: resolve.entity_type };
}));
// Return sorted elements if needed
if (opts.sortBy) {
return R.sortWith([R.ascend(R.prop(opts.sortBy))])(relElements);
}
return relElements;
}
if (relId) {
const resolve = resolvedElements[relId];
// If resolution is empty the database is inconsistent, an error must be thrown
if (isEmptyField(resolve)) {
throw UnsupportedError('Invalid loading of batched element', { id: relId });
}
return resolve;
// If user have correct access right, return the element
if (await isUserCanAccessStoreElement(context, user, resolve)) {
return resolve;
}
// If access is not possible, return a restricted entity
return { id: resolve.internal_id, name: 'Restricted', entity_type: resolve.entity_type };
}
return undefined;
});
}));
};

export const batchMarkingDefinitions = async (context, user, stixCoreObjects) => {
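Review bot: Once the lookup runs as `SYSTEM_USER`, the `isUserCanAccessStoreElement` check is the only thing between the caller and every related object, yet it is written out twice (the `definition.multiple` branch and the single-relation branch of `batchInternalRels`), so a later edit to one branch can silently return an unfiltered `resolve`. I would move the check and the placeholder into one helper that both branches return through, as below. The placeholder also still carries the real `internal_id` and `entity_type` of an object the user may not read, which discloses its existence and type; if that is intended it should be stated in a comment. With `opts.sortBy` set, placeholders are sorted on a field they mostly lack, so their position in the result is worth a test.

```javascript
// Single exit for anything loaded with SYSTEM_USER: the full element or a placeholder
const restrictUnlessGranted = async (context, user, resolve) => {
  if (await isUserCanAccessStoreElement(context, user, resolve)) {
    return resolve;
  }
  // Intentionally minimal: no markings, no standard_id, no content fields
  return { id: resolve.internal_id, name: 'Restricted', entity_type: resolve.entity_type };
};

export const batchInternalRels = async (context, user, elements, opts = {}) => {
  // … unchanged: relIds collection and SYSTEM_USER load …
  // in both the multiple and the single branch, after the empty-resolution check:
  return restrictUnlessGranted(context, user, resolve);
  // … unchanged: sorting and undefined fallback …
```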
2 changes: 0 additions & 2 deletions opencti-platform/opencti-graphql/src/generated/graphql.ts
Expand Up @@ -16337,7 +16337,6 @@ export type OtpElement = {
export type OverviewMetrics = {
__typename?: 'OverviewMetrics';
message_stats?: Maybe<MessagesStats>;
node?: Maybe<Scalars['String']['output']>;
object_totals?: Maybe<ObjectTotals>;
queue_totals?: Maybe<QueueTotals>;
};
Expand Down Expand Up @@ -34401,7 +34400,6 @@ export type OtpElementResolvers<ContextType = any, ParentType extends ResolversP

export type OverviewMetricsResolvers<ContextType = any, ParentType extends ResolversParentTypes['OverviewMetrics'] = ResolversParentTypes['OverviewMetrics']> = ResolversObject<{
message_stats?: Resolver<Maybe<ResolversTypes['MessagesStats']>, ParentType, ContextType>;
node?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
object_totals?: Resolver<Maybe<ResolversTypes['ObjectTotals']>, ParentType, ContextType>;
queue_totals?: Resolver<Maybe<ResolversTypes['QueueTotals']>, ParentType, ContextType>;
__isTypeOf?: IsTypeOfResolverFn<ParentType, ContextType>;
