[backend] add remove auth members
CelineSebe committed Dec 17, 2024
1 parent 1922d77 commit abbe600
Showing 6 changed files with 27 additions and 5 deletions.
@@ -1061,6 +1061,7 @@ enum BackgroundTaskActionType {
UNSHARE
SHARE_MULTIPLE
UNSHARE_MULTIPLE
REMOVE_AUTH_MEMBERS
}

enum BackgroundTaskContextType {
@@ -999,6 +999,7 @@ enum BackgroundTaskActionType {
UNSHARE
SHARE_MULTIPLE
UNSHARE_MULTIPLE
REMOVE_AUTH_MEMBERS
}
enum BackgroundTaskContextType {
ATTRIBUTE
@@ -4,7 +4,7 @@ import { ENTITY_TYPE_PUBLIC_DASHBOARD } from '../modules/publicDashboard/publicD
import { generateInternalId, generateStandardId } from '../schema/identifier';
import { ENTITY_TYPE_BACKGROUND_TASK } from '../schema/internalObject';
import { now } from '../utils/format';
import { isUserHasCapability, MEMBER_ACCESS_RIGHT_ADMIN, SETTINGS_SET_ACCESSES, KNOWLEDGE_KNASKIMPORT, SETTINGS_SETLABELS, KNOWLEDGE_KNUPDATE } from '../utils/access';
import { isUserHasCapability, KNOWLEDGE_KNASKIMPORT, KNOWLEDGE_KNUPDATE, MEMBER_ACCESS_RIGHT_ADMIN, SETTINGS_SET_ACCESSES, SETTINGS_SETLABELS } from '../utils/access';
import { isKnowledge, KNOWLEDGE_DELETE, KNOWLEDGE_UPDATE } from '../schema/general';
import { ForbiddenAccess, UnsupportedError } from '../config/errors';
import { elIndex } from '../database/engine';
@@ -30,6 +30,7 @@ export const ACTION_TYPE_SHARE = 'SHARE';
export const ACTION_TYPE_UNSHARE = 'UNSHARE';
export const ACTION_TYPE_SHARE_MULTIPLE = 'SHARE_MULTIPLE';
export const ACTION_TYPE_UNSHARE_MULTIPLE = 'UNSHARE_MULTIPLE';
export const ACTION_TYPE_REMOVE_AUTH_MEMBERS = 'REMOVE_AUTH_MEMBERS';

const isDeleteRestrictedAction = ({ type }) => {
return type === ACTION_TYPE_DELETE || type === ACTION_TYPE_RESTORE || type === ACTION_TYPE_COMPLETE_DELETE;
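Review bot: The new `ACTION_TYPE_REMOVE_AUTH_MEMBERS` is exported with no matching capability predicate beside it, whereas the delete-type actions are grouped by `isDeleteRestrictedAction` directly below. taskManager.js in this same commit runs the action with `requiredCapabilities: [BYPASS]`, so a user without that capability could apparently still queue the task and only be refused at execution time, element by element; the code that validates actions at task creation is outside this hunk, so this needs confirming. If it is not already covered there, add a predicate such as `const isRemoveAuthMembersAction = ({ type }) => type === ACTION_TYPE_REMOVE_AUTH_MEMBERS;` and check it with `isUserHasCapability` before the task is stored.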
4 changes: 3 additions & 1 deletion opencti-platform/opencti-graphql/src/generated/graphql.ts
@@ -23,7 +23,7 @@ import type { BasicStoreEntityMalwareAnalysis } from '../modules/malwareAnalysis
import type { BasicStoreEntityManagerConfiguration } from '../modules/managerConfiguration/managerConfiguration-types';
import type { BasicStoreEntityNotifier } from '../modules/notifier/notifier-types';
import type { BasicStoreEntityThreatActorIndividual } from '../modules/threatActorIndividual/threatActorIndividual-types';
import type { BasicStoreEntityIngestionRss, BasicStoreEntityIngestionTaxii, BasicStoreEntityIngestionCsv } from '../modules/ingestion/ingestion-types';
import type { BasicStoreEntityIngestionCsv, BasicStoreEntityIngestionRss, BasicStoreEntityIngestionTaxii } from '../modules/ingestion/ingestion-types';
import type { BasicStoreEntityIndicator } from '../modules/indicator/indicator-types';
import type { BasicStoreEntityDecayRule } from '../modules/decayRule/decayRule-types';
import type { BasicStoreEntityOrganization } from '../modules/organization/organization-types';
@@ -34,6 +34,7 @@ import type { BasicStoreEntityDeleteOperation } from '../modules/deleteOperation
import type { BasicStoreEntitySupportPackage } from '../modules/support/support-types';
import type { BasicStoreEntityDraftWorkspace } from '../modules/draftWorkspace/draftWorkspace-types';
import type { BasicStoreEntityExclusionList } from '../modules/exclusionList/exclusionList-types';

export type Maybe<T> = T | null | undefined;
export type InputMaybe<T> = T | null;
export type Exact<T extends { [key: string]: unknown }> = { [K in keyof T]: T[K] };
@@ -1268,6 +1269,7 @@ export enum BackgroundTaskActionType {
Merge = 'MERGE',
Promote = 'PROMOTE',
Remove = 'REMOVE',
RemoveAuthMembers = 'REMOVE_AUTH_MEMBERS',
Replace = 'REPLACE',
Restore = 'RESTORE',
RuleElementRescan = 'RULE_ELEMENT_RESCAN',
16 changes: 15 additions & 1 deletion opencti-platform/opencti-graphql/src/manager/taskManager.js
@@ -2,6 +2,7 @@
import { clearIntervalAsync, setIntervalAsync } from 'set-interval-async/dynamic';
import * as R from 'ramda';
import { Promise as BluePromise } from 'bluebird';
import { editAuthorizedMembers } from '../utils/authorizedMembers';
import { ENTITY_TYPE_WORKSPACE } from '../modules/workspace/workspace-types';
import { ENTITY_TYPE_PUBLIC_DASHBOARD } from '../modules/publicDashboard/publicDashboard-types';
import { buildCreateEvent, lockResource } from '../database/redis';
@@ -46,7 +47,7 @@ import {
INPUT_OBJECTS,
RULE_PREFIX
} from '../schema/general';
import { executionContext, getUserAccessRight, MEMBER_ACCESS_RIGHT_ADMIN, RULE_MANAGER_USER, SYSTEM_USER } from '../utils/access';
import { BYPASS, executionContext, getUserAccessRight, MEMBER_ACCESS_RIGHT_ADMIN, RULE_MANAGER_USER, SYSTEM_USER } from '../utils/access';
import { buildInternalEvent, rulesApplyHandler, rulesCleanHandler } from './ruleManager';
import { buildEntityFilters, internalFindByIds, listAllRelations } from '../database/middleware-loader';
import { getActivatedRules, getRule } from '../domain/rules';
@@ -61,6 +62,7 @@ import { objectOrganization, RELATION_GRANTED_TO, RELATION_OBJECT } from '../sch
import {
ACTION_TYPE_COMPLETE_DELETE,
ACTION_TYPE_DELETE,
ACTION_TYPE_REMOVE_AUTH_MEMBERS,
ACTION_TYPE_RESTORE,
ACTION_TYPE_SHARE,
ACTION_TYPE_SHARE_MULTIPLE,
@@ -438,6 +440,15 @@ const executeShareMultiple = async (context, user, actionContext, element) => {
const executeUnshareMultiple = async (context, user, actionContext, element) => {
await Promise.all(actionContext.values.map((organizationId) => removeOrganizationRestriction(context, user, element.id, organizationId)));
};
const executeRemoveAuthMembers = async (context, user, element) => {
await editAuthorizedMembers(context, user, {
entityId: element.id,
entityType: element.entity_type,
requiredCapabilities: [BYPASS],
input: null
});
};

const executeProcessing = async (context, user, job, scope) => {
const errors = [];
for (let index = 0; index < job.actions.length; index += 1) {
@@ -538,6 +549,9 @@ const executeProcessing = async (context, user, job, scope) => {
if (type === ACTION_TYPE_UNSHARE_MULTIPLE) {
await executeUnshareMultiple(context, user, actionContext, element);
}
if (type === ACTION_TYPE_REMOVE_AUTH_MEMBERS) {
await executeRemoveAuthMembers(context, user, element);
}
} catch (err) {
logApp.error(err);
if (errors.length < MAX_TASK_ERRORS) {
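Review bot: `executeRemoveAuthMembers` passes `input: null` to `editAuthorizedMembers` with no comment on what that does; judging by the action name it clears the element's whole authorized-members list, which lifts an access restriction in bulk and should be stated at the call. A comment such as `// input: null clears all authorized members; editAuthorizedMembers is expected to enforce BYPASS for the task user` would make the intent and the privilege assumption reviewable, since the body of `editAuthorizedMembers` is not in this section. The helper also takes `(context, user, element)` while the sibling `executeUnshareMultiple` takes `(context, user, actionContext, element)`; keeping the same parameter order would keep the dispatch in `executeProcessing` uniform. `executeProcessing` begins and ends outside the hunks shown.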
@@ -98,7 +98,7 @@ export const editAuthorizedMembers = async (
input: MemberAccessInput[] | undefined | null,
requiredCapabilities: string[],
entityType: string,
busTopicKey: keyof typeof BUS_TOPICS, // TODO improve busTopicKey types
busTopicKey?: keyof typeof BUS_TOPICS, // TODO improve busTopicKey types
},
) => {
if (getDraftContext(context, user)) throw UnsupportedError('Cannot edit authorized members in draft');
@@ -130,5 +130,8 @@ export const editAuthorizedMembers = async (

const patch = { authorized_members };
const { element } = await patchAttribute(context, user, entityId, entityType, patch);
return notify(BUS_TOPICS[busTopicKey].EDIT_TOPIC, element, user);
if (busTopicKey) {
return notify(BUS_TOPICS[busTopicKey].EDIT_TOPIC, element, user);
}
return element;
};
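Review bot: When `busTopicKey` is omitted the function now returns `element` without calling `notify`, so an authorized-members change made through this path publishes no `EDIT_TOPIC` event. Whether live subscribers or any activity tracking depend on that event cannot be told from the hunk, so the parameter should say when omitting it is acceptable, e.g. `busTopicKey?: keyof typeof BUS_TOPICS, // omit only for background tasks: no EDIT_TOPIC notification is sent`. The two return paths also hand back different things (the result of `notify(...)` versus `element`), and an explicit return type on `editAuthorizedMembers` would pin that contract down. The middle of the function, including how `authorized_members` is derived from a `null` input, lies outside the hunks.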
