MISP/app/Controller/Component/ACLComponent.php

1223 lines
51 KiB
PHP
Raw Normal View History

2016-04-17 23:13:39 +02:00
<?php
App::uses('Component', 'Controller');
class ACLComponent extends Component
{
2016-04-17 23:13:39 +02:00
// syntax:
// $__aclList[$controller][$action] = $permission_rules
// $controller == '*' - any controller can have this action
// $action == array() - site admin only has access
// $action == '*' - any role has access
// $action == array('OR' => array()) - any role in the array has access
// $action == array('AND' => array()) - roles with all permissions in the array have access
// If we add any new functionality to MISP and we don't add it to this list, it will only be visible to site admins.
const ACL_LIST = array(
'*' => array(
2022-03-02 02:10:52 +01:00
'blackhole' => array(),
'debugACL' => array(),
'queryACL' => array(),
'restSearch' => array('*'),
),
'api' => [
'rest' => ['perm_auth'],
'viewDeprecatedFunctionUse' => [],
'openapi' => ['*'],
'getApiInfo' => ['*'],
'getAllApis' => ['*'],
],
'attributes' => array(
2022-03-02 02:10:52 +01:00
'add' => array('perm_add'),
'add_attachment' => array('perm_add'),
'add_threatconnect' => array('perm_add'),
'addTag' => array('perm_tagger'),
'attributeReplace' => array('perm_add'),
'attributeStatistics' => array('*'),
'bro' => array('*'),
'checkAttachments' => array(),
'checkComposites' => array('perm_admin'),
'checkOrphanedAttributes' => array(),
'delete' => array('perm_add'),
'deleteSelected' => array('perm_add'),
'describeTypes' => array('*'),
'download' => array('*'),
'downloadAttachment' => array('*'),
'downloadSample' => array('*'),
'edit' => array('perm_add'),
'editField' => array('perm_add'),
'editSelected' => array('perm_add'),
'exportSearch' => array('*'),
'fetchEditForm' => array('perm_add'),
'fetchViewValue' => array('*'),
'generateCorrelation' => array(),
'getMassEditForm' => array('perm_add'),
'hoverEnrichment' => array('perm_add'),
'index' => array('*'),
'pruneOrphanedAttributes' => array(),
'removeTag' => array('perm_tagger'),
'reportValidationIssuesAttributes' => array(),
'restore' => array('perm_add'),
'restSearch' => array('*'),
'returnAttributes' => array('*'),
'rpz' => array('*'),
'search' => array('*'),
'toggleCorrelation' => array('perm_add'),
'text' => array('*'),
'toggleToIDS' => array('perm_add'),
'updateAttributeValues' => array('perm_add'),
'view' => array('*'),
'viewPicture' => array('*'),
),
2020-11-11 10:46:38 +01:00
'authKeys' => [
2021-06-08 15:19:49 +02:00
'add' => ['AND' => ['perm_auth', 'not_read_only_authkey']],
'delete' => ['AND' => ['perm_auth', 'not_read_only_authkey']],
'edit' => ['AND' => ['perm_auth', 'not_read_only_authkey']],
2020-11-11 10:46:38 +01:00
'index' => ['perm_auth'],
'view' => ['perm_auth']
],
2020-11-30 23:48:20 +01:00
'cerebrates' => [
'add' => [],
'delete' => [],
'download_org' => [],
2021-09-07 08:04:02 +02:00
'download_sg' => [],
2020-11-30 23:48:20 +01:00
'edit' => [],
'index' => [],
'preview_orgs' => [],
2021-09-07 08:04:02 +02:00
'preview_sharing_groups' => [],
2020-11-30 23:48:20 +01:00
'pull_orgs' => [],
2021-09-07 08:04:02 +02:00
'pull_sgs' => [],
2020-11-30 23:48:20 +01:00
'view' => []
],
'correlationExclusions' => [
'add' => [],
'edit' => [],
'clean' => [],
'delete' => [],
'index' => [],
'view' => []
],
'correlations' => [
'generateOccurrences' => [],
'generateTopCorrelations' => [],
2022-08-01 10:09:22 +02:00
'overCorrelations' => [],
2022-08-04 19:05:10 +02:00
'switchEngine' => [],
'top' => [],
'truncate' => []
],
'cryptographicKeys' => [
'add' => ['perm_add'],
'delete' => ['perm_add'],
'index' => ['*'],
'view' => ['*']
],
'dashboards' => array(
'getForm' => array('*'),
'index' => array('*'),
'updateSettings' => array('*'),
'getEmptyWidget' => array('*'),
'renderWidget' => array('*'),
'listTemplates' => array('*'),
'saveTemplate' => array('*'),
'export' => array('*'),
2020-03-10 15:11:13 +01:00
'import' => array('*'),
'deleteTemplate' => array('*')
),
2019-08-19 15:19:01 +02:00
'decayingModel' => array(
"update" => array(),
"export" => array('*'),
"import" => array('*'),
"view" => array('*'),
"index" => array('*'),
"add" => array( 'OR' => array('perm_admin', 'perm_decaying')),
"edit" => array( 'OR' => array('perm_admin', 'perm_decaying')),
"delete" => array( 'OR' => array('perm_admin', 'perm_decaying')),
"enable" => array( 'OR' => array('perm_admin', 'perm_decaying')),
"disable" => array( 'OR' => array('perm_admin', 'perm_decaying')),
"decayingTool" => array( 'OR' => array('perm_admin', 'perm_decaying')),
2019-08-19 15:19:01 +02:00
"getAllDecayingModels" => array('*'),
"decayingToolBasescore" => array('*'),
"decayingToolSimulation" => array('*'),
"decayingToolRestSearch" => array('*'),
"decayingToolComputeSimulation" => array('*')
),
'decayingModelMapping' => array(
"viewAssociatedTypes" => array('*'),
"linkAttributeTypeToModel" => array( 'OR' => array('perm_admin', 'perm_decaying'))
2019-08-19 15:19:01 +02:00
),
'communities' => array(
2022-03-02 02:10:52 +01:00
'index' => array(),
'requestAccess' => array(),
'view' => array()
),
'eventBlocklists' => array(
2022-03-02 02:10:52 +01:00
'add' => [
'AND' => [
'host_org_user',
'perm_add'
]
],
'delete' => [
'AND' => [
'host_org_user',
'perm_add'
]
2022-03-02 02:10:52 +01:00
],
'edit' => [
'AND' => [
'host_org_user',
'perm_add'
]
],
'index' => [
'AND' => [
'host_org_user',
'perm_add'
]
],
'massDelete' => [
'AND' => [
'host_org_user',
'perm_add'
]
]
),
'eventDelegations' => array(
'acceptDelegation' => array('AND' => ['delegation_enabled', 'perm_add']),
'delegateEvent' => array('AND' => ['delegation_enabled', 'perm_delegate']),
'deleteDelegation' => array('AND' => ['delegation_enabled', 'perm_add']),
'index' => array('delegation_enabled'),
'view' => array('delegation_enabled'),
),
'eventReports' => array(
'add' => array('perm_add'),
'view' => array('*'),
'viewSummary' => array('*'),
'edit' => array('perm_add'),
'delete' => array('perm_add'),
'reportFromEvent' => array('perm_add'),
'restore' => array('perm_add'),
'index' => array('*'),
'getProxyMISPElements' => array('*'),
'extractAllFromReport' => array('*'),
'extractFromReport' => array('*'),
'replaceSuggestionInReport' => array('*'),
'importReportFromUrl' => array('*'),
),
'events' => array(
'add' => array('perm_add'),
'addIOC' => array('perm_add'),
'addTag' => array('perm_tagger'),
'add_misp_export' => array('perm_modify'),
'alert' => array('perm_publish'),
'automation' => array('perm_auth'),
'checkLocks' => array('perm_add'),
'checkPublishedStatus' => array('*'),
'checkuuid' => array('perm_sync'),
'contact' => array('*'),
'csv' => array('*'),
'cullEmptyEvents' => array(),
'delegation_index' => array('*'),
'delete' => array('perm_add'),
'deleteNode' => array('*'),
'dot' => array(),
'downloadExport' => array('*'),
'downloadOpenIOCEvent' => array('*'),
'edit' => array('perm_add'),
'enrichEvent' => array('perm_add'),
'export' => array('*'),
'exportChoice' => array('*'),
'exportModule' => array('*'),
'filterEventIdsForPush' => array('perm_sync'),
'filterEventIndex' => array('*'),
'freeTextImport' => array('perm_add'),
'getEditStrategy' => array('perm_add'),
'getEventInfoById' => array('*'),
'getEventGraphReferences' => array('*'),
'getEventGraphTags' => array('*'),
'getEventGraphGeneric' => array('*'),
'getEventTimeline' => array('*'),
'getDistributionGraph' => array('*'),
'getReferenceData' => array('*'),
'getReferences' => array('*'),
'getObjectTemplate' => array('*'),
'handleModuleResults' => array('*'),
'hids' => array('*'),
'index' => array('*'),
'importChoice' => array('*'),
'importModule' => array('*'),
'massDelete' => array(),
'merge' => array('perm_modify'),
'nids' => array('*'),
2022-02-11 19:05:35 +01:00
'populate' => array('perm_add'),
'proposalEventIndex' => array('*'),
'protect' => ['perm_add'],
'publish' => array('perm_publish'),
'publishSightings' => array('perm_sighting'),
'pushEventToZMQ' => array('perm_publish_zmq'),
'pushEventToKafka' => array('perm_publish_kafka'),
'pushProposals' => array('perm_sync'),
'queryEnrichment' => array('perm_add'),
'recoverEvent' => array(),
'removePivot' => array('*'),
'removeTag' => array('perm_tagger'),
'reportValidationIssuesEvents' => array(),
'restoreDeletedEvents' => array(),
'restSearch' => array('*'),
'restSearchExport' => array('*'),
'runTaxonomyExclusivityCheck' => array('*'),
'saveFreeText' => array('perm_add'),
'stix' => array('*'),
'stix2' => array('*'),
'strposarray' => array(),
'toggleCorrelation' => array('perm_add'),
'unprotect' => ['perm_add'],
'unpublish' => array('perm_modify'),
'updateGraph' => array('*'),
'upload_analysis_file' => array('perm_add'),
'upload_sample' => array('AND' => array('perm_auth', 'perm_add')),
'upload_stix' => array('perm_modify'),
'view' => array('*'),
'viewClusterRelations' => array('*'),
'viewEventAttributes' => array('*'),
'viewGraph' => array('*'),
'viewGalaxyMatrix' => array('*'),
'xml' => array('*'),
'addEventLock' => ['perm_auth'],
'removeEventLock' => ['perm_auth'],
'generateCount' => array(),
),
'favouriteTags' => array(
'toggle' => array('*'),
'getToggleField' => array('*')
),
'feeds' => array(
2022-10-22 13:24:28 +02:00
'add' => array(),
'cacheFeeds' => array(),
'compareFeeds' => ['host_org_user'],
'delete' => array(),
'disable' => array(),
'edit' => array(),
'enable' => array(),
'feedCoverage' => ['host_org_user'],
'fetchFromAllFeeds' => array(),
'fetchFromFeed' => array(),
'fetchSelectedFromFreetextIndex' => array(),
'getEvent' => array(),
'importFeeds' => array(),
'index' => ['host_org_user'],
'loadDefaultFeeds' => array(),
'previewEvent' => ['host_org_user'],
'previewIndex' => ['host_org_user'],
'searchCaches' => ['host_org_user'],
'toggleSelected' => array(),
'view' => ['host_org_user'],
),
'galaxies' => array(
'attachCluster' => array('perm_tagger'),
'attachMultipleClusters' => array('perm_tagger'),
'delete' => array(),
'disable' => array(),
'enable' => array(),
'export' => array('*'),
'forkTree' => array('*'),
'index' => array('*'),
'import' => array('perm_galaxy_editor'),
'pushCluster' => array('perm_sync'),
'relationsGraph' => array('*'),
'selectGalaxy' => array('perm_tagger'),
'selectGalaxyNamespace' => array('perm_tagger'),
'selectCluster' => array('perm_tagger'),
2019-01-06 17:37:13 +01:00
'showGalaxies' => array('*'),
'toggle' => array(),
'update' => array(),
'view' => array('*'),
'viewGraph' => array('*'),
'wipe_default' => array(),
),
'galaxyClusterBlocklists' => array(
'add' => array(),
'delete' => array(),
'edit' => array(),
'index' => array(),
'massDelete' => array(),
),
'galaxyClusters' => array(
'add' => array('perm_galaxy_editor'),
'delete' => array('perm_galaxy_editor'),
'detach' => array('perm_tagger'),
'edit' => array('perm_galaxy_editor'),
'index' => array('*'),
'publish' => array('perm_galaxy_editor'),
'restore' => array('perm_galaxy_editor'),
'restSearch' => array('*'),
'unpublish' => array('perm_galaxy_editor'),
'updateCluster' => array('perm_galaxy_editor'),
'view' => array('*'),
'viewCyCatRelations' => array('*'),
'viewGalaxyMatrix' => array('*'),
'viewRelations' => array('*'),
'viewRelationTree' => array('*'),
),
'galaxyClusterRelations' => array(
'add' => array('perm_galaxy_editor'),
'delete' => array('perm_galaxy_editor'),
'edit' => array('perm_galaxy_editor'),
'index' => array('*'),
'view' => array('*'),
),
'galaxyElements' => array(
'delete' => array('perm_galaxy_editor'),
'flattenJson' => array('perm_galaxy_editor'),
'index' => array('*'),
),
'jobs' => array(
'cache' => array('*'),
'getError' => array(),
'getGenerateCorrelationProgress' => array(),
'getProgress' => array('*'),
'index' => array(),
'clearJobs' => array()
),
'logs' => array(
'admin_index' => array('perm_audit'),
'admin_search' => array('perm_audit'),
'event_index' => array('*'),
'returnDates' => array('*'),
'testForStolenAttributes' => array(),
'pruneUpdateLogs' => array()
),
2021-01-22 13:01:23 +01:00
'auditLogs' => [
'admin_index' => ['perm_audit'],
2021-01-31 13:43:38 +01:00
'fullChange' => ['perm_audit'],
2021-01-22 13:01:23 +01:00
'eventIndex' => ['*'],
2021-01-30 10:04:44 +01:00
'returnDates' => ['*'],
2021-01-22 13:01:23 +01:00
],
'modules' => array(
'index' => array('perm_auth'),
'queryEnrichment' => array('perm_auth'),
),
'news' => array(
'add' => array(),
'edit' => array(),
'delete' => array(),
'index' => array('*'),
),
'noticelists' => array(
'delete' => array(),
'enableNoticelist' => array(),
'getToggleField' => array(),
'index' => array('*'),
'toggleEnable' => array(),
'update' => array(),
2021-04-20 17:41:08 +02:00
'view' => array('*'),
'preview_entries' => array('*')
),
'objects' => array(
2020-05-06 13:25:08 +02:00
'add' => array('perm_add'),
'addValueField' => array('perm_add'),
'delete' => array('perm_add'),
'edit' => array('perm_add'),
'get_row' => array('perm_add'),
'orphanedObjectDiagnostics' => array(),
'editField' => array('perm_add'),
'fetchEditForm' => array('perm_add'),
'fetchViewValue' => array('*'),
'quickAddAttributeForm' => array('perm_add'),
'quickFetchTemplateWithValidObjectAttributes' => array('perm_add'),
'restSearch' => array('*'),
'proposeObjectsFromAttributes' => array('*'),
'groupAttributesIntoObject' => array('perm_add'),
'revise_object' => array('perm_add'),
'view' => array('*'),
),
'objectReferences' => array(
'add' => array('perm_add'),
'bulkAdd' => array('perm_add'),
'delete' => array('perm_add'),
'view' => array('*'),
),
'objectTemplates' => array(
'activate' => array(),
'add' => array('perm_object_template'),
'edit' => array('perm_object_template'),
'delete' => array('perm_object_template'),
'getToggleField' => array(),
'getRaw' => array('perm_object_template'),
'objectChoice' => array('*'),
2019-01-18 16:18:23 +01:00
'objectMetaChoice' => array('perm_add'),
'view' => array('*'),
'viewElements' => array('*'),
'index' => array('*'),
'update' => array()
),
'objectTemplateElements' => array(
'viewElements' => array('*')
),
'orgBlocklists' => array(
2022-03-02 02:10:52 +01:00
'add' => array(),
'delete' => array(),
'edit' => array(),
'index' => array(),
),
'organisations' => array(
2022-03-02 02:10:52 +01:00
'admin_add' => array(),
'admin_delete' => array(),
'admin_edit' => array(),
'admin_generateuuid' => array(),
'admin_merge' => array(),
'fetchOrgsForSG' => array('perm_sharing_group'),
'fetchSGOrgRow' => array('*'),
'getUUIDs' => array('perm_sync'),
'index' => ['organisation_index'],
2022-03-02 02:10:52 +01:00
'view' => array('*'),
),
'pages' => array(
2022-03-02 02:10:52 +01:00
'display' => array('*'),
),
'posts' => array(
2022-03-02 02:10:52 +01:00
'add' => array('not_read_only_authkey'),
'delete' => array('not_read_only_authkey'),
'edit' => array('not_read_only_authkey'),
'pushMessageToZMQ' => array()
),
'regexp' => array(
2022-03-02 02:10:52 +01:00
'admin_add' => array('perm_regexp_access'),
'admin_clean' => array(),
2022-03-02 02:10:52 +01:00
'admin_delete' => array('perm_regexp_access'),
'admin_edit' => array('perm_regexp_access'),
'admin_index' => array('perm_regexp_access'),
'cleanRegexModifiers' => array(),
2022-03-02 02:10:52 +01:00
'index' => array('*'),
),
2019-03-19 11:18:12 +01:00
'restClientHistory' => array(
2022-03-02 02:10:52 +01:00
'delete' => array('not_read_only_authkey'),
'index' => array('*')
),
'roles' => array(
2022-03-02 02:10:52 +01:00
'admin_add' => array(),
'admin_delete' => array(),
'admin_edit' => array(),
'admin_set_default' => array(),
'index' => array('*'),
'view' => array('*'),
),
'servers' => array(
2022-03-02 02:10:52 +01:00
'add' => array(),
'dbSchemaDiagnostic' => array(),
2022-07-19 14:05:52 +02:00
'dbConfiguration' => array(),
2022-03-02 02:10:52 +01:00
'cache' => array(),
'changePriority' => array(),
'checkout' => array(),
'clearWorkerQueue' => array(),
'createSync' => array('perm_sync'),
'delete' => array(),
'deleteFile' => array(),
'edit' => array(),
'eventBlockRule' => array(),
'fetchServersForSG' => array('perm_sharing_group'),
'filterEventIndex' => array(),
'getAvailableSyncFilteringRules' => array('*'),
'getInstanceUUID' => array('perm_sync'),
'getPyMISPVersion' => array('*'),
'getRemoteUser' => array(),
'getSetting' => array(),
'getSubmodulesStatus' => array(),
'getSubmoduleQuickUpdateForm' => array(),
'getWorkers' => array(),
'getVersion' => array('perm_auth'),
'idTranslator' => ['host_org_user'],
'import' => array(),
'index' => array(),
'ipUser' => ['perm_site_admin'],
2022-03-02 02:10:52 +01:00
'ondemandAction' => array(),
'postTest' => array('*'),
'previewEvent' => array(),
'previewIndex' => array(),
'compareServers' => [],
'pull' => array(),
'purgeSessions' => array(),
'push' => array(),
'queryAvailableSyncFilteringRules' => array(),
'releaseUpdateLock' => array(),
'resetRemoteAuthKey' => array(),
'removeOrphanedCorrelations' => array(),
'restartDeadWorkers' => array(),
'restartWorkers' => array(),
'serverSettings' => array(),
'serverSettingsEdit' => array(),
'serverSettingsReloadSetting' => array(),
'startWorker' => array(),
'startZeroMQServer' => array(),
'statusZeroMQServer' => array(),
'stopWorker' => array(),
'stopZeroMQServer' => array(),
'testConnection' => array(),
'update' => array(),
'updateJSON' => array(),
'updateProgress' => array(),
'updateSubmodule' => array(),
'uploadFile' => array(),
'killAllWorkers' => [],
'cspReport' => ['*'],
'pruneDuplicateUUIDs' => array(),
'removeDuplicateEvents' => array(),
'upgrade2324' => array(),
'cleanModelCaches' => array(),
'updateDatabase' => array(),
2022-04-10 12:50:38 +02:00
'rest' => ['perm_auth'],
),
'shadowAttributes' => array(
2022-03-02 02:10:52 +01:00
'accept' => array('perm_add'),
'acceptSelected' => array('perm_add'),
'add' => array('perm_add'),
'add_attachment' => array('perm_add'),
'delete' => array('perm_add'),
'discard' => array('perm_add'),
'discardSelected' => array('perm_add'),
'download' => array('*'),
'edit' => array('perm_add'),
'generateCorrelation' => array(),
'index' => array('*'),
'view' => array('*'),
'viewPicture' => array('*'),
),
'sharingGroupBlueprints' => array(
'add' => array('perm_sharing_group'),
'delete' => array('perm_sharing_group'),
'detach' => array('perm_sharing_group'),
'edit' => array('perm_sharing_group'),
'execute' => array('perm_sharing_group'),
'index' => array('perm_sharing_group'),
'view' => array('perm_sharing_group'),
'viewOrgs' => array('perm_sharing_group'),
),
'sharingGroups' => array(
2022-03-02 02:10:52 +01:00
'add' => array('perm_sharing_group'),
'addServer' => array('perm_sharing_group'),
'addOrg' => array('perm_sharing_group'),
'delete' => array('perm_sharing_group'),
'edit' => array('perm_sharing_group'),
'index' => array('*'),
'removeServer' => array('perm_sharing_group'),
'removeOrg' => array('perm_sharing_group'),
'view' => array('*'),
),
'sightings' => array(
2022-03-02 02:10:52 +01:00
'add' => array('perm_sighting'),
'restSearch' => array('perm_sighting'),
'advanced' => array('perm_sighting'),
'delete' => array('perm_sighting'),
'index' => array('*'),
'listSightings' => array('*'),
'quickDelete' => array('perm_sighting'),
'viewSightings' => array('*'),
'bulkSaveSightings' => array('OR' => array('perm_sync', 'perm_sighting')),
'filterSightingUuidsForPush' => ['perm_sync'],
'quickAdd' => array('perm_sighting')
),
'sightingdb' => array(
2022-03-02 02:10:52 +01:00
'add' => array(),
'edit' => array(),
'delete' => array(),
'index' => array(),
'requestStatus' => array(),
'search' => array()
),
'tagCollections' => array(
2022-03-02 02:10:52 +01:00
'add' => array('perm_tag_editor'),
'addTag' => array('perm_tag_editor'),
'delete' => array('perm_tag_editor'),
'edit' => array('perm_tag_editor'),
'getRow' => array('perm_tag_editor'),
'import' => array('perm_tag_editor'),
'index' => array('*'),
'removeTag' => array('perm_tag_editor'),
'view' => array('*')
),
'tags' => array(
2022-03-02 02:10:52 +01:00
'add' => array('perm_tag_editor'),
'attachTagToObject' => array('perm_tagger'),
'delete' => array(),
'edit' => array(),
'index' => array('*'),
2022-10-03 12:29:37 +02:00
'modifyTagRelationship' => ['perm_tagger'],
2022-03-02 02:10:52 +01:00
'quickAdd' => array('perm_tag_editor'),
'removeTagFromObject' => array('perm_tagger'),
'search' => array('*'),
'selectTag' => array('perm_tagger'),
'selectTaxonomy' => array('perm_tagger'),
'showEventTag' => array('*'),
'showAttributeTag' => array('*'),
'tagStatistics' => array('*'),
'view' => array('*'),
'viewGraph' => array('*'),
'viewTag' => array('*')
),
'tasks' => array(
2022-03-02 02:10:52 +01:00
'index' => array(),
'setTask' => array(),
),
'taxonomies' => array(
2022-03-02 02:10:52 +01:00
'addTag' => array(),
'delete' => array(),
'disable' => array(),
'disableTag' => array(),
'enable' => array(),
'index' => array('*'),
'taxonomy_tags' => array('*'),
'taxonomyMassConfirmation' => array('perm_tagger'),
'taxonomyMassHide' => array('perm_tagger'),
'taxonomyMassUnhide' => array('perm_tagger'),
'toggleRequired' => array(),
'update' => array(),
'import' => [],
'export' => ['*'],
'view' => array('*'),
'unhideTag' => array('perm_tagger'),
'hideTag' => array('perm_tagger'),
'normalizeCustomTagsToTaxonomyFormat' => [],
),
'templateElements' => array(
2022-03-02 02:10:52 +01:00
'add' => array('perm_template'),
'delete' => array('perm_template'),
'edit' => array('perm_template'),
'index' => array('*'),
'templateElementAddChoices' => array('perm_template'),
),
'templates' => array(
2022-03-02 02:10:52 +01:00
'add' => array('perm_template'),
'delete' => array('perm_template'),
'deleteTemporaryFile' => array('perm_add'),
'edit' => array('perm_template'),
'index' => array('*'),
'populateEventFromTemplate' => array('perm_add'),
'saveElementSorting' => array('perm_template'),
'submitEventPopulation' => array('perm_add'),
'templateChoices' => array('*'),
'uploadFile' => array('*'),
'view' => array('*'),
),
'threads' => array(
2022-03-02 02:10:52 +01:00
'index' => array('*'),
'view' => array('*'),
'viewEvent' => array('*'),
),
'users' => array(
2022-03-02 02:10:52 +01:00
'acceptRegistrations' => array(),
'admin_add' => ['AND' => ['perm_admin', 'add_user_enabled']],
'admin_delete' => array('perm_admin'),
'admin_edit' => array('perm_admin'),
'admin_email' => array('perm_admin'),
'admin_filterUserIndex' => array('perm_admin'),
'admin_index' => array('perm_admin'),
'admin_massToggleField' => array('perm_admin'),
'admin_monitor' => array(),
'admin_quickEmail' => array('perm_admin'),
'admin_view' => array('perm_admin'),
'attributehistogram' => array('*'),
'change_pw' => ['AND' => ['self_management_enabled', 'password_change_enabled', 'not_read_only_authkey']],
'checkAndCorrectPgps' => array(),
'checkIfLoggedIn' => array('*'),
'dashboard' => array('*'),
'delete' => array('perm_admin'),
'discardRegistrations' => array(),
'downloadTerms' => array('*'),
'edit' => array('self_management_enabled'),
'email_otp' => array('*'),
'searchGpgKey' => array('*'),
'fetchGpgKey' => array('*'),
'histogram' => array('*'),
'initiatePasswordReset' => ['AND' => ['perm_admin', 'password_change_enabled']],
'login' => array('*'),
'logout' => array('*'),
'notificationSettings' => ['*'],
2022-03-02 02:10:52 +01:00
'register' => array('*'),
'registrations' => array(),
'resetAllSyncAuthKeys' => array(),
'resetauthkey' => ['AND' => ['self_management_enabled', 'perm_auth', 'not_read_only_authkey']],
'request_API' => array('*'),
'routeafterlogin' => array('*'),
'statistics' => array('*'),
'tagStatisticsGraph' => array('*'),
'terms' => array('*'),
'updateLoginTime' => array('*'),
'updateToAdvancedAuthKeys' => array(),
'verifyCertificate' => array(),
'verifyGPG' => array(),
'view' => array('*'),
'viewPeriodicSummary' => ['*'],
2022-03-02 02:10:52 +01:00
'getGpgPublicKey' => array('*'),
2022-06-06 18:09:07 +02:00
'unsubscribe' => ['*'],
),
'userSettings' => array(
2022-03-02 02:10:52 +01:00
'index' => array('*'),
'view' => array('*'),
'setSetting' => array('not_read_only_authkey'),
'getSetting' => array('*'),
'delete' => array('not_read_only_authkey'),
'setHomePage' => array('not_read_only_authkey'),
2021-03-20 13:35:58 +01:00
'eventIndexColumnToggle' => ['*'],
),
'warninglists' => array(
2021-06-01 17:49:45 +02:00
'checkValue' => array('perm_auth'),
'delete' => ['perm_warninglist'],
'enableWarninglist' => ['perm_warninglist'],
'getToggleField' => ['perm_warninglist'],
'index' => array('*'),
'toggleEnable' => ['perm_warninglist'],
'update' => array(),
'view' => array('*'),
'edit' => ['perm_warninglist'],
'add' => ['perm_warninglist'],
2021-06-02 14:54:29 +02:00
'export' => ['*'],
2021-06-12 17:59:17 +02:00
'import' => ['perm_warninglist'],
),
2022-06-24 17:45:47 +02:00
'workflows' => [
'index'=> [],
'rebuildRedis'=> [],
'edit'=> [],
'delete'=> [],
'view'=> [],
'editor'=> [],
'triggers'=> [],
'moduleIndex'=> [],
'moduleView'=> [],
'toggleModule'=> [],
'checkGraph'=> [],
'executeWorkflow'=> [],
'debugToggleField'=> [],
'massToggleField'=> [],
'moduleStatelessExecution'=> [],
2022-06-24 17:45:47 +02:00
],
'workflowBlueprints' => [
'add' => [],
'delete' => [],
2022-07-25 11:40:09 +02:00
'edit' => [],
2022-06-24 17:45:47 +02:00
'export' => [],
2022-07-25 11:40:09 +02:00
'import' => [],
'index' => [],
'update' => [],
'view' => [],
2022-06-24 17:45:47 +02:00
],
'allowedlists' => array(
2022-03-02 02:10:52 +01:00
'admin_add' => array('perm_regexp_access'),
'admin_delete' => array('perm_regexp_access'),
'admin_edit' => array('perm_regexp_access'),
'admin_index' => array('perm_regexp_access'),
'index' => array('*'),
),
'eventGraph' => array(
2022-03-02 02:10:52 +01:00
'view' => array('*'),
'viewPicture' => array('*'),
'add' => array('perm_add'),
'delete' => array('perm_modify'),
)
);
private $dynamicChecks = [];
2020-11-30 23:48:20 +01:00
2022-10-23 21:50:16 +02:00
/** @var int */
private $hostOrgId;
public function __construct(ComponentCollection $collection, $settings = array())
{
parent::__construct($collection, $settings);
2022-10-23 21:50:16 +02:00
$this->hostOrgId = (int)Configure::read('MISP.host_org_id');
$this->dynamicChecks['host_org_user'] = function (array $user) {
2022-10-23 21:50:16 +02:00
return (int)$user['org_id'] === $this->hostOrgId;
};
$this->dynamicChecks['self_management_enabled'] = function (array $user) {
if (Configure::read('MISP.disableUserSelfManagement') && !$user['Role']['perm_admin']) {
throw new MethodNotAllowedException('User self-management has been disabled on this instance.');
}
return true;
};
$this->dynamicChecks['password_change_enabled'] = function (array $user) {
if (Configure::read('MISP.disable_user_password_change')) {
throw new MethodNotAllowedException('User password change has been disabled on this instance.');
}
return true;
};
$this->dynamicChecks['add_user_enabled'] = function (array $user) {
if (Configure::read('MISP.disable_user_add')) {
throw new MethodNotAllowedException('Adding users has been disabled on this instance.');
}
return true;
};
$this->dynamicChecks['delegation_enabled'] = function (array $user) {
return (bool)Configure::read('MISP.delegation');
};
2021-06-08 15:19:49 +02:00
// Returns true if current user is not using advanced auth key or if authkey is not read only
$this->dynamicChecks['not_read_only_authkey'] = function (array $user) {
return !isset($user['authkey_read_only']) || !$user['authkey_read_only'];
};
// If `Security.hide_organisation_index_from_users` is enabled, only user with sharing group permission can see org index
$this->dynamicChecks['organisation_index'] = function (array $user) {
if (Configure::read('Security.hide_organisation_index_from_users')) {
return $user['Role']['perm_sharing_group'];
}
return true;
};
}
/**
* Returns true if user can modify given event.
*
* @param array $event
* @param array $user
* @return bool
*/
public function canModifyEvent(array $user, array $event)
{
if (!isset($event['Event'])) {
throw new InvalidArgumentException('Passed object does not contain an Event.');
}
if ($user['Role']['perm_site_admin']) {
return true;
}
if ($user['Role']['perm_modify_org'] && $event['Event']['orgc_id'] == $user['org_id']) {
return true;
}
if ($user['Role']['perm_modify'] && $event['Event']['user_id'] == $user['id']) {
return true;
}
return false;
}
/**
* Returns true if user can publish the given event.
*
* @param array $user
* @param array $event
* @return bool
*/
public function canPublishEvent(array $user, array $event)
{
if (!isset($event['Event'])) {
throw new InvalidArgumentException('Passed object does not contain an Event.');
}
if ($user['Role']['perm_site_admin']) {
return true;
}
if ($user['Role']['perm_publish'] && $event['Event']['orgc_id'] == $user['org_id']) {
return true;
}
return false;
}
/**
* Returns true if user can add or remove tags for given event.
*
* @param array $user
* @param array $event
* @param bool $isTagLocal
* @return bool
*/
public function canModifyTag(array $user, array $event, $isTagLocal = false)
{
if (!isset($event['Event'])) {
throw new InvalidArgumentException('Passed object does not contain an Event.');
}
// Site admin can add any tag
if ($user['Role']['perm_site_admin']) {
return true;
}
// User must have tagger or sync permission
if (!$user['Role']['perm_tagger'] && !$user['Role']['perm_sync']) {
return false;
}
if ($this->canModifyEvent($user, $event)) {
return true; // full access
}
2022-10-23 21:50:16 +02:00
if ($isTagLocal && $this->hostOrgId === (int)$user['org_id']) {
return true;
}
return false;
}
/**
* @param array $user
* @param array $event
* @return bool
*/
public function canDisableCorrelation(array $user, array $event)
{
if (Configure::read('MISP.completely_disable_correlation')) {
return false; // correlations are completely disabled
}
if ($user['Role']['perm_site_admin']) {
return true;
}
return Configure::read('MISP.allow_disabling_correlation') && $this->canModifyEvent($user, $event);
}
/**
* @param array $user
* @param array $tagCollection
* @return bool
*/
public function canModifyTagCollection(array $user, array $tagCollection)
{
if (!isset($tagCollection['TagCollection'])) {
throw new InvalidArgumentException('Passed object does not contain a TagCollection.');
}
if (!empty($user['Role']['perm_site_admin'])) {
return true;
}
return $user['org_id'] == $tagCollection['TagCollection']['org_id'];
}
private function __checkLoggedActions($user, $controller, $action)
{
$loggedActions = array(
'servers' => array(
'index' => array(
'role' => array(
'NOT' => array(
'perm_site_admin'
)
),
'message' => __('This could be an indication of an attempted privilege escalation on older vulnerable versions of MISP (<2.4.115)')
)
)
);
foreach ($loggedActions as $k => $v) {
$loggedActions[$k] = array_change_key_case($v);
}
if (!empty($loggedActions[$controller])) {
if (!empty($loggedActions[$controller][$action])) {
$message = $loggedActions[$controller][$action]['message'];
$hit = false;
if (empty($loggedActions[$controller][$action]['role'])) {
$hit = true;
} else {
$role_req = $loggedActions[$controller][$action]['role'];
if (empty($role_req['OR']) && empty($role_req['AND']) && empty($role_req['NOT'])) {
$role_req = array('OR' => $role_req);
}
if (!empty($role_req['NOT'])) {
foreach ($role_req['NOT'] as $k => $v) {
if (!$user['Role'][$v]) {
$hit = true;
continue;
}
}
}
if (!$hit && !empty($role_req['AND'])) {
$subhit = true;
foreach ($role_req['AND'] as $k => $v) {
$subhit = $subhit && $user['Role'][$v];
}
if ($subhit) {
$hit = true;
}
}
if (!$hit && !empty($role_req['OR'])) {
foreach ($role_req['OR'] as $k => $v) {
if ($user['Role'][$v]) {
$hit = true;
continue;
}
}
}
if ($hit) {
$this->Log = ClassRegistry::init('Log');
$this->Log->create();
$this->Log->save(array(
'org' => 'SYSTEM',
'model' => 'User',
'model_id' => $user['id'],
'email' => $user['email'],
'action' => 'security',
'user_id' => $user['id'],
'title' => __('User triggered security alert by attempting to access /%s/%s. Reason why this endpoint is of interest: %s', $controller, $action, $message),
));
}
}
}
}
}
/**
* @param array $user
* @param string $controller
* @param string $action
* @return bool
*/
public function canUserAccess($user, $controller, $action)
{
try {
$this->checkAccess($user, $controller, $action, false);
} catch (NotFoundException $e) {
throw new RuntimeException("Invalid controller '$controller' specified.", 0, $e);
} catch (MethodNotAllowedException $e) {
return false;
}
return true;
}
/**
* The check works like this:
* - If the user is a site admin, return true
* - If the requested action has an OR-d list, iterate through the list. If any of the permissions are set for the user, return true
* - If the requested action has an AND-ed list, iterate through the list. If any of the permissions for the user are not set, turn the check to false. Otherwise return true.
* - If the requested action has a permission, check if the user's role has it flagged. If yes, return true
* - If we fall through all of the checks, return an exception.
*
* @param array|null $user
* @param string $controller
* @param string $action
* @param bool $checkLoggedActions
* @return true
* @throws NotFoundException
* @throws MethodNotAllowedException
*/
public function checkAccess($user, $controller, $action, $checkLoggedActions = true)
{
$controller = lcfirst(Inflector::camelize($controller));
$action = strtolower($action);
if ($checkLoggedActions) {
$this->__checkLoggedActions($user, $controller, $action);
}
if ($user && $user['Role']['perm_site_admin']) {
return true;
}
if (!isset(self::ACL_LIST[$controller])) {
2021-09-26 13:47:49 +02:00
throw new NotFoundException('Invalid controller.');
}
$controllerAclList = array_change_key_case(self::ACL_LIST[$controller]);
2021-09-26 13:47:49 +02:00
if (!empty($controllerAclList[$action])) {
$rules = $controllerAclList[$action];
if (in_array('*', $rules, true)) {
return true;
}
if (isset($rules['OR'])) {
foreach ($rules['OR'] as $permission) {
if (isset($this->dynamicChecks[$permission])) {
if ($this->dynamicChecks[$permission]($user)) {
return true;
}
} else {
if ($user['Role'][$permission]) {
return true;
}
}
}
} elseif (isset($rules['AND'])) {
$allConditionsMet = true;
foreach ($rules['AND'] as $permission) {
if (isset($this->dynamicChecks[$permission])) {
if (!$this->dynamicChecks[$permission]($user)) {
$allConditionsMet = false;
}
} else {
if (!$user['Role'][$permission]) {
$allConditionsMet = false;
}
}
}
if ($allConditionsMet) {
return true;
}
} elseif (isset($this->dynamicChecks[$rules[0]])) {
if ($this->dynamicChecks[$rules[0]]($user)) {
return true;
}
} elseif ($user['Role'][$rules[0]]) {
return true;
}
}
2021-09-26 13:47:49 +02:00
throw new MethodNotAllowedException('You do not have permission to use this functionality.');
}
private function __findAllFunctions()
{
$functionsToIgnore = ['beforeFilter', 'afterFilter', 'beforeRender', 'getEventManager'];
$functionFinder = '/function[\s\n]+(\S+)[\s\n]*\(/';
$dir = new Folder(APP . 'Controller');
$files = $dir->find('.*\.php');
$results = array();
foreach ($files as $file) {
$controllerName = lcfirst(str_replace('Controller.php', "", $file));
if ($controllerName === 'app') {
$controllerName = '*';
}
$functionArray = array();
$fileContents = FileAccessTool::readFromFile(APP . 'Controller' . DS . $file);
$fileContents = preg_replace('/\/\*[^\*]+?\*\//', '', $fileContents);
preg_match_all($functionFinder, $fileContents, $functionArray);
foreach ($functionArray[1] as $function) {
if ($function[0] !== '_' && !in_array($function, $functionsToIgnore, true)) {
$results[$controllerName][] = $function;
}
}
}
return $results;
}
public function printAllFunctionNames($content = false)
{
$results = $this->__findAllFunctions();
ksort($results);
return $results;
}
2016-04-18 03:19:01 +02:00
public function findMissingFunctionNames($content = false)
{
$results = $this->__findAllFunctions();
$missing = array();
foreach ($results as $controller => $functions) {
foreach ($functions as $function) {
if (!isset(self::ACL_LIST[$controller]) || !in_array($function, array_keys(self::ACL_LIST[$controller]))) {
$missing[$controller][] = $function;
}
}
}
return $missing;
}
public function printRoleAccess($content = false)
{
$results = array();
$this->Role = ClassRegistry::init('Role');
$conditions = array();
if (is_numeric($content)) {
$conditions = array('Role.id' => $content);
}
$roles = $this->Role->find('all', array(
'recursive' => -1,
'conditions' => $conditions
));
if (empty($roles)) {
throw new NotFoundException('Role not found.');
}
foreach ($roles as $role) {
$urls = $this->__checkRoleAccess($role['Role']);
$results[$role['Role']['id']] = array('name' => $role['Role']['name'], 'urls' => $urls);
}
return $results;
}
private function __checkRoleAccess(array $role)
{
$result = array();
2022-10-23 21:50:16 +02:00
$fakeUser = ['Role' => $role, 'org_id' => $this->hostOrgId];
foreach (self::ACL_LIST as $controller => $actions) {
$controllerNames = Inflector::variable($controller) === Inflector::underscore($controller) ?
array(Inflector::variable($controller)) :
array(Inflector::variable($controller), Inflector::underscore($controller));
foreach ($controllerNames as $controllerName) {
foreach ($actions as $action => $permissions) {
if ($this->canUserAccess($fakeUser, $controllerName, $action)) {
$result[] = "/$controllerName/$action";
}
}
}
}
return $result;
}
}