[backend/frontend] Add user and group confidence level (#4304)

[labo-flg]

Proposed changes

This PR addresses the following issues:

• Closes Add Confidence level on Users #4304
• Closes Managing max confidence level at Group level #4901
• Closes Add admin tools for managing Groups and Users max confidence levels #5692

Have a look at each issue description for details.

Code review highlights

The key points to review are backend additions and changes, the model definition.
A lot of stuff in the frontend besides the core job (refactor in TS, solving react warnings) make the review difficult, I'm sorry.

How can you test this PR?

Here are some scenarios to test:

• start the platform on this branch -> you shall see the critical alert dialog, inviting you to edit all your groups

• Create a user without groups -> they should be created with default groups

• Create a user with groups -> they should be created with the specified groups, and not the default group

• Create a user without a confidence level and no group

  • it should be displayed as in error in the various view (list, details, list of users in a group details view) -> icon + tooltip
  • edit the user : the message above the confidence level field shall be explicit (no group to inherit from)
  • edit the user, tab groups : the confidence of each group shall be displayed, with red icon and tooltip if not defined
  • edit the user : set a group in the groups tab, go back to overview -> the message above the confidence level field shall be explicit (inherited value)
  • edit the user : set the user's confidence level -> -> the message above the confidence level field shall be explicit (user value)

• Create a user without a confidence level and no group -> it should be displayed as in error in the various view (list, details, list of users in a group details view)

• Create a user with a confidence level -> it should be displayed in the various view (list, details, list of users in a group details view) -> tooltip shall state it's coming from user

• Create a user without a confidence level but with a group -> it should be displayed in the various view (list, details, list of users in a group details view) -> tooltip shall state it's coming from a specific group - link clickable in tooltip

• Create a group, you must select a confidence level -> value is then displayed correctly in list and details

• Open a group without confidence level -> explicit alert in details -> disappears when edited

• all groups are set with a confidence level -> refresh page -> no more alert dialog

If you wish to artificially nuke your group confidence level for testing purpose, a GQL query on playground is possible (there is no validation implemented yet - see #5696).

mutation GroupEditionOverviewFieldPatchMutation(
  $id: ID!
  $input: [EditInput]!
) {
  groupEdit(id: $id) {
    fieldPatch(input: $input) {
      id
      group_confidence_level {
        max_confidence
      }
    }
  }
}

{
  "id": "4b762ee9-b2da-49fe-99d7-dfd6b9e1fe33",
  "input": {
    "key": "group_confidence_level",
    "value": [null]
  }
}

Checklist

• I consider the submitted work as finished
• I tested the code for its functionality
• I wrote test cases for the relevant uses case
• I added/update the relevant documentation (either on github or on notion)
• Where necessary I refactored code to improve the overall quality

Further comments

Now that the new schema definition is in place, the job done on the subject of user's confidence level has been fully reworked.
Thus this PR invalidates the previous PR on the subject: #5283 #5292 #5323

[codecov]

Codecov Report

Attention: 31 lines in your changes are missing coverage. Please review.

Comparison is base (61c0432) 66.12% compared to head (1344932) 66.15%.

Files	Patch %	Lines
...ti-platform/opencti-graphql/src/domain/settings.js	15.38%	22 Missing ⚠️
...pencti-platform/opencti-graphql/src/domain/user.js	91.42%	6 Missing ⚠️
...encti-platform/opencti-graphql/src/domain/grant.js	75.00%	2 Missing ⚠️
...cti-platform/opencti-graphql/src/resolvers/user.js	90.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5436      +/-   ##
==========================================
+ Coverage   66.12%   66.15%   +0.03%     
==========================================
  Files         513      513              
  Lines       60641    60793     +152     
  Branches     4434     4448      +14     
==========================================
+ Hits        40097    40218     +121     
- Misses      20544    20575      +31     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[labo-flg]

I'm able to send through the API a partial update like

{
  "id": "<id>",
  "input": {
  "key": "user_confidence_level",
    "value": {
    "max_confidence": 96
  }
}

Which will update the user_confidence_level with overrides to null, causing GQL error at query time as this field is supposedly never null.
I'll check the model, maybe around bad mandatoryType

[lndrtrbn]

Seems good to me, but I'll let someone else have a look at migration and attributes registrations 😅

[labo-flg]

Seems good to me, but I'll let someone else have a look at migration and attributes registrations 😅

Thanks !

[labo-flg]

back to draft : I need to make sure partial edit payload are not accepted

[labo-flg]

We need to add schema validation when patching a field.
This is significant work that deserve a dedicated branch/PR.

Everything in this PR is ok, but we need this validation before merging to master.
I will use this branch as a feature branch, and merge into it the validation.

EDIT: validation will be done in another issue (#5696) , this branch will still serve as feature branch

[labo-flg]

this align the 2 inputs (input number + scale Selector) to the top, keeping alignments when the input number shows an error label below.

[labo-flg]

New popup dialog for admins when the backend has some "critical alerts" to show.
This is for warning about groups with null confidence levels, but could be extended to other types of alerts

[labo-flg]

alert details shall depends on alert type... current implem is a bit rough on the edges but we had to move quickly about this.

[labo-flg]

old GroupField Select, refactored to typescript, and added opt prop showConfidence to add the group confidence to the label after the name of the group.

[labo-flg]

effective confidence level is a computed value backend side, not an attribute in DB (depends on user's confidence + his groups confidence)

we cannot craft a query to do this computation, so we cannot paginate and sort properly this value.

[labo-flg]

the else statement could work in both cases (existing confidence or not) right now, but we will implement soon the overrides definition and edition (6.1). By then we'll need to patch with object_path anyway.

[labo-flg]

a technical field (not to submit) associated with a when. Very useful for validation conditioned on other values!

[labo-flg]

function split for easy unit tests

[labo-flg]

this is where the critical alert system is a bit limited, not well generalized. details shall depends on type.

I did not have time to overengineer this system, honestly it's a quick bandaid to help admins prepare for 6.0.

[richard-julien]

Not a problem, thats purely dynamic and so easy to change.

[SouadHadjiat]

why has this translation been removed ?

[labo-flg]

In must have executed an extract script in my branch, pre-rebase.
I'll check and restore the missing keys.

[labo-flg]

I've done a review, all keys not related to confidence level have been restored (there was a couple)

[aHenryJard]

I just did a "quick read" review so I share it, I will take take time for a deeper one later.

[lndrtrbn]

FIXME later ?

[labo-flg]

I did not have time to investigate, but it's probably related to how we poorly handle the graphql cache records

Warning: RelayModernRecord: Invalid record update, expected both versions of record 88ec0c6a-13ce-5e39-b486-354fe4a7084f to have the same __typename but got conflicting types MeUser and User. The GraphQL server likely violated the globally unique id requirement by returning the same id for different objects.

Another whole issue to address, certainly not in this PR.

[labo-flg]

I'm editing myself, which collides with MeUser query for instance. The record gets "updated" wrongly somehow.