Merge pull request #6749 from JakubOnderka/hide-orgs-from-sg

Hide orgs from sharing group view
pull/6772/head
Jakub Onderka 2020-12-23 11:22:17 +01:00 committed by GitHub
commit 97dbe0b4ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 269 additions and 82 deletions


@ -21,12 +21,11 @@ class ObjectTemplatesController extends AppController
public function objectMetaChoice($event_id)
{
$metas = $this->ObjectTemplate->find('all', array(
'recursive' => -1,
$metas = $this->ObjectTemplate->find('column', array(
'conditions' => array('ObjectTemplate.active' => 1),
'fields' => array('meta-category'),
'group' => array('ObjectTemplate.meta-category'),
'order' => array('ObjectTemplate.meta-category asc')
'fields' => array('ObjectTemplate.meta-category'),
'order' => array('ObjectTemplate.meta-category asc'),
'unique' => true,
));
$eventId = h($event_id);
@ -35,7 +34,6 @@ class ObjectTemplatesController extends AppController
'value' => $this->baseurl . "/ObjectTemplates/objectChoice/$eventId/0"
]];
foreach ($metas as $meta) {
$meta = $meta['ObjectTemplate']['meta-category'];
$items[] = array(
'name' => $meta,
'value' => $this->baseurl . "/ObjectTemplates/objectChoice/$eventId/" . h($meta)


@ -288,6 +288,16 @@ class SharingGroupsController extends AppController
'LOWER(Organisation.name) LIKE' => $term,
];
}
// To allow sort sharing group by number of organisation and also show org count when user don't have permission ot see them
$this->SharingGroup->addCountField('org_count', $this->SharingGroup->SharingGroupOrg, ['SharingGroupOrg.sharing_group_id = SharingGroup.id']);
$this->paginate['fields'][] = 'SharingGroup.org_count';
if (!$this->__showOrgs()) {
unset($this->paginate['contain']['SharingGroupOrg']);
unset($this->paginate['contain']['SharingGroupServer']);
}
$result = $this->paginate();
// check if the current user can modify or delete the SG
@ -331,21 +341,30 @@ class SharingGroupsController extends AppController
if (!$this->SharingGroup->checkIfAuthorised($this->Auth->user(), $id)) {
throw new MethodNotAllowedException('Sharing group doesn\'t exist or you do not have permission to access it.');
}
$sg = $this->SharingGroup->find('first', [
'conditions' => Validation::uuid($id) ? ['SharingGroup.uuid' => $id] : ['SharingGroup.id' => $id],
'contain' => array(
'SharingGroupOrg' => array(
'Organisation' => array(
'fields' => array('id', 'name', 'uuid', 'local')
)
),
'Organisation',
'SharingGroupServer' => array(
'Server' => array(
'fields' => array('id', 'name', 'url')
)
$contain = array(
'Organisation',
'SharingGroupOrg' => array(
'Organisation' => array(
'fields' => array('id', 'name', 'uuid', 'local')
)
),
'SharingGroupServer' => array(
'Server' => array(
'fields' => array('id', 'name', 'url')
)
)
);
if (!$this->__showOrgs()) {
unset($contain['SharingGroupOrg']);
unset($contain['SharingGroupServer']);
$this->SharingGroup->addCountField('org_count', $this->SharingGroup->SharingGroupOrg, ['SharingGroupOrg.sharing_group_id = SharingGroup.id']);
}
$sg = $this->SharingGroup->find('first', [
'conditions' => Validation::uuid($id) ? ['SharingGroup.uuid' => $id] : ['SharingGroup.id' => $id],
'contain' => $contain,
]);
if (isset($sg['SharingGroupServer'])) {
foreach ($sg['SharingGroupServer'] as $key => $sgs) {
@ -577,4 +596,12 @@ class SharingGroupsController extends AppController
return $this->RestResponse->saveFailResponse('SharingGroup', $action, false, $object_type . ' could not be ' . $actionType . ' the sharing group.', $this->response->type());
}
}
/**
* @return bool
*/
private function __showOrgs()
{
return $this->Auth->user()['Role']['perm_sharing_group'] || !Configure::read('Security.hide_organisations_in_sharing_groups');
}
}
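Review bot: `__showOrgs()` (L100-L103) duplicates the authorization predicate that the SharingGroup model hunk further down re-implements inline (`$canSeeOrgs = $user['Role']['perm_sharing_group'] || !Configure::read('Security.hide_organisations_in_sharing_groups');`), so the two copies can drift apart silently; a single model method, for example `SharingGroup::canSeeOrgs(array $user): bool` (name is a suggestion), called from both the controller and the model would keep the check in one place. The gate here only covers `index` and `view`; other code paths that return `SharingGroupOrg`/`SharingGroupServer` (the remaining `fetchAllAuthorised` scopes are not visible in this diff) are not shown to apply it, so it is worth confirming the setting is enforced there as well. In the `view` branch, `addCountField()` (L85) installs a virtual field on the shared model instance that remains for any later SharingGroup find in the same request; a comment stating that, or resetting `virtualFields` afterwards, would avoid surprises. The `index` hunk's enclosing method starts outside the hunk.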


@ -1,12 +1,15 @@
<?php
class DistributionGraphTool
{
private $__user = false;
/** @var array */
private $__user;
private $__json = array();
/** @var Event */
private $__eventModel;
/** @var Organisation */
private $__organisationModel;
/** @var array */
private $__serverList;
public function construct(Event $eventModel, array $servers, array $user, $extended_view=0)
{
@ -76,27 +79,27 @@ class DistributionGraphTool
$this->__addAdditionalDistributionInfo(3, "All other communities"); // add current community
// connected
$servers = $this->__serverList;
$this->__addAdditionalDistributionInfo(2, "This community"); // add current community
foreach ($servers as $server) {
foreach ($this->__serverList as $server) {
$this->__addAdditionalDistributionInfo(2, $server);
}
// community
$orgConditions = $this->__organisationModel->createConditions($this->__user);
$orgConditions['local'] = true;
$orgs = $this->__organisationModel->find('list', array(
'fields' => array('name'),
'conditions' => array('local' => true)
'fields' => ['id', 'name'],
'conditions' => $orgConditions,
));
$thisOrg = $this->__user['Organisation']['name'];
$this->__addAdditionalDistributionInfo(1, $thisOrg); // add current community
foreach ($orgs as $org) {
if ($thisOrg != $org) {
$this->__addAdditionalDistributionInfo(1, $org);
foreach ($orgs as $orgId => $orgName) {
if ($thisOrg != $orgName) {
$this->__addAdditionalDistributionInfo(1, $orgName);
}
}
// org only
$thisOrg = $this->__user['Organisation']['name'];
$this->__addAdditionalDistributionInfo(0, $thisOrg); // add current community
}
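Review bot: The rewritten loop at L147-L149 introduces `$orgId` but still decides whether to skip the caller's own organisation by a loose name comparison (`$thisOrg != $orgName`), which is inexact and unnecessary now that ids are available; `if ((int) $orgId !== (int) $this->__user['org_id'])` does not depend on organisation names being unique. `createConditions()` returns `[]` when hiding is disabled, so `$orgConditions['local'] = true` (L135) is then the only restriction, which matches the previous behaviour; a one-line comment saying so would help the next reader. Replacing the old `false` default on `$__user` with a bare `/** @var array */` property (L113-L114) means any code that relied on that sentinel now sees `null` instead — worth confirming no caller does.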


@ -55,6 +55,7 @@ class AppModel extends Model
parent::__construct($id, $table, $ds);
$this->name = get_class($this);
$this->findMethods['column'] = true;
}
// deprecated, use $db_changes
@ -3017,6 +3018,66 @@ class AppModel extends Model
}
}
/**
* Find method that allows to fetch just one column from database.
* @param $state
* @param $query
* @param array $results
* @return array|mixed
* @throws Exception
*/
protected function _findColumn($state, $query, $results = array())
{
if ($state === 'before') {
if (count($query['fields']) === 1) {
if (strpos($query['fields'][0], '.') === false) {
$query['fields'][0] = $this->alias . '.' . $query['fields'][0];
}
$query['column'] = $query['fields'][0];
if (isset($query['unique']) && $query['unique']) {
$query['fields'] = array("DISTINCT {$query['fields'][0]}");
} else {
$query['fields'] = array($query['fields'][0]);
}
} else {
throw new Exception("Invalid number of column, expected one, " . count($query['fields']) . " given");
}
if (!isset($query['recursive'])) {
$query['recursive'] = -1;
}
return $query;
}
// Faster version of `Hash::extract`
foreach (explode('.', $query['column']) as $part) {
$results = array_column($results, $part);
}
return $results;
}
/**
* @param string $field
* @param AppModel $model
* @param array $conditions
*/
public function addCountField($field, AppModel $model, array $conditions)
{
$db = $this->getDataSource();
$subQuery = $db->buildStatement(
array(
'fields' => ['COUNT(*)'],
'table' => $db->fullTableName($model),
'alias' => $model->alias,
'conditions' => $conditions,
),
$model
);
$this->virtualFields[$field] = $subQuery;
}
/**
* Log exception with backtrace and with nested exceptions.
*
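Review bot: `_findColumn()` indexes `$query['fields']` without checking that it exists or is an array (L179-L181), so a caller that omits `fields` or passes it as a string hits a `count()` error instead of the intended exception; guard with `if (!isset($query['fields']) || !is_array($query['fields']) || count($query['fields']) !== 1)` and move the existing `throw` under it. The field name is interpolated verbatim into `"DISTINCT {$query['fields'][0]}"` (L185), and `addCountField()` embeds `$conditions` into a raw subquery stored in `$this->virtualFields` (L210-L220); neither method itself quotes or parameterises these values, so both docblocks should state that they must be trusted identifiers/expressions and never derived from request input. `addCountField()` also mutates the model instance for the rest of the request, which its docblock should mention. Finally, `@param $state` and `@param $query` (L170-L171) carry no types; `@param string $state` and `@param array $query` would let static analysis check the callers.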


@ -2048,11 +2048,11 @@ class Attribute extends AppModel
}
}
$ipList = $this->find('list', array(
$ipList = $this->find('column', array(
'conditions' => $conditions,
'group' => 'value1', // return just unique values
'fields' => array('value1'),
'order' => false
'fields' => ['Attribute.value1'],
'unique' => true,
'order' => false,
));
foreach ($ipList as $ipToCheck) {
$ipToCheckVersion = filter_var($ipToCheck, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? 4 : 6;
@ -3981,13 +3981,13 @@ class Attribute extends AppModel
private function __getCIDRList()
{
return $this->find('list', array(
return $this->find('column', array(
'conditions' => array(
'type' => array('ip-src', 'ip-dst'),
'value1 LIKE' => '%/%'
),
'fields' => array('value1'),
'group' => array('value1', 'id'), // return just unique value
'fields' => array('Attribute.value1'),
'unique' => true,
'order' => false
));
}


@ -843,18 +843,16 @@ class Event extends AppModel
// ii. Atttibute has a distribution between 1-3 (community only, connected communities, all orgs)
// iii. Attribute has a sharing group that the user is accessible to view
$conditionsCorrelation = $this->__buildEventConditionsCorrelation($user, $eventId, $sgids);
$correlations = $this->Correlation->find('list', array(
'fields' => array('Correlation.event_id', 'Correlation.event_id'),
'conditions' => $conditionsCorrelation,
'recursive' => 0,
'group' => 'Correlation.event_id',
'order' => array('Correlation.event_id DESC')));
$relatedEventIds = $this->Correlation->find('column', array(
'fields' => array('Correlation.event_id'),
'conditions' => $conditionsCorrelation,
'unique' => true,
));
if (empty($correlations)) {
if (empty($relatedEventIds)) {
return [];
}
$relatedEventIds = array_values($correlations);
// now look up the event data for these attributes
$conditions = $this->createEventConditions($user);
$conditions['AND'][] = array('Event.id' => $relatedEventIds);
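Review bot: The replacement query at L272-L276 drops the explicit `'recursive' => 0` the old `find('list')` carried, and `_findColumn()` falls back to `recursive = -1` when none is given, so any condition in `$conditionsCorrelation` that refers to an associated model's columns would no longer have its join; if `__buildEventConditionsCorrelation()` only touches `Correlation.*` columns this is fine, but a short comment recording that assumption (or restoring `'recursive' => 0`) would make it explicit. The dropped `ORDER BY Correlation.event_id DESC` is harmless here because `$relatedEventIds` only feeds the `IN` condition on L284. The enclosing method starts before and continues after this hunk.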


@ -486,6 +486,7 @@ class Organisation extends AppModel
/**
* Hide organisation view from users if they haven't yet contributed data and Security.hide_organisation_index_from_users is enabled
*
* @see Organisation::canSee if you want to check multiple orgs
* @param array $user
* @param int $orgId
* @return bool
@ -521,6 +522,43 @@ class Organisation extends AppModel
return true;
}
/**
* Create conditions for fetching orgs based on user permission.
* @see Organisation::canSee if you want to check just one org
* @param array $user
* @return array|array[]
*/
public function createConditions(array $user)
{
if (!$user['Role']['perm_sharing_group'] && Configure::read('Security.hide_organisation_index_from_users')) {
$allowedOrgs = [$user['org_id']];
$eventConditions = $this->Event->createEventConditions($user);
$orgsWithEvent = $this->Event->find('column', [
'fields' => ['Event.orgc_id'],
'conditions' => $eventConditions,
'unique' => true,
]);
$allowedOrgs = array_merge($allowedOrgs, $orgsWithEvent);
$proposalConditions = $this->Event->ShadowAttribute->buildConditions($user);
// Do not check orgs that we already can see
$proposalConditions['AND'][]['NOT'] = ['ShadowAttribute.org_id' => $allowedOrgs];
$orgsWithProposal = $this->Event->ShadowAttribute->find('column', [
'fields' => ['ShadowAttribute.org_id'],
'conditions' => $proposalConditions,
'contain' => ['Event', 'Attribute'],
'unique' => true,
'order' => false,
]);
$allowedOrgs = array_merge($allowedOrgs, $orgsWithProposal);
return ['AND' => ['id' => $allowedOrgs]];
}
return [];
}
private function getCountryGalaxyCluster()
{
static $list;
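Review bot: `createConditions()` returns `['AND' => ['id' => $allowedOrgs]]` (L327) with an unaliased `id`; once a caller merges this into a query that joins other tables (the DistributionGraphTool caller in this PR also adds an unaliased `local`) the column becomes ambiguous, so `$this->alias . '.id'` is the safer key. `$allowedOrgs` can hold the same id several times after the two `array_merge` calls (L315, L326), which is harmless for an `IN` but `array_unique()` keeps the generated SQL short. The `@return array|array[]` annotation (L303) says little; `@return array` plus a sentence stating that an empty array means "no restriction" (L329) would document the contract callers actually depend on.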


@ -1558,6 +1558,15 @@ class Server extends AppModel
'type' => 'boolean',
'null' => true
),
'hide_organisations_in_sharing_groups' => [
'level' => self::SETTING_RECOMMENDED,
'description' => __('Enabling this setting will block the organisation list from being visible in sharing group besides user with sharing group permission.'),
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
'null' => true
],
'disable_local_feed_access' => array(
'level' => 0,
'description' => __('Disabling this setting will allow the creation/modification of local feeds (as opposed to network feeds). Enabling this setting will restrict feed sources to be network based only. When disabled, keep in mind that a malicious site administrator could get access to any arbitrary file on the system that the apache user has access to. Make sure that proper safe-guards are in place. This setting can only be modified via the CLI.'),
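Review bot: The description for `hide_organisations_in_sharing_groups` (L343) says only the organisation list is blocked, but the controller change in this PR also removes the instance (`SharingGroupServer`) list from the sharing group view for users without the permission, so the text under-describes the setting's effect and reads awkwardly ("besides user with"). Suggested wording: `'description' => __('Enabling this setting will hide the organisation and instance lists of sharing groups from users who lack the sharing group permission (perm_sharing_group).'),`. Because this toggle changes what is disclosed to users, stating precisely what is hidden helps administrators audit it.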


@ -481,13 +481,13 @@ class ShadowAttribute extends AppModel
*/
public function getEventContributors($eventId)
{
$orgs = $this->find('all', array(
'fields' => array('DISTINCT(ShadowAttribute.org_id)'),
$orgIds = $this->find('column', array(
'fields' => array('ShadowAttribute.org_id'),
'conditions' => array('event_id' => $eventId),
'recursive' => -1,
'unique' => true,
'order' => false
));
if (empty($orgs)) {
if (empty($orgIds)) {
return [];
}
@ -495,8 +495,8 @@ class ShadowAttribute extends AppModel
return $this->Organisation->find('list', array(
'recursive' => -1,
'fields' => array('id', 'name'),
'conditions' => array('Organisation.id' => Hash::extract($orgs, "{n}.ShadowAttribute.org_id")))
);
'conditions' => array('Organisation.id' => $orgIds)
));
}
/**


@ -145,11 +145,10 @@ class SharingGroup extends AppModel
}
if ($user['Role']['perm_site_admin']) {
$ids = array_values($this->find('list', array(
'recursive' => -1,
$ids = $this->find('column', array(
'fields' => array('id'),
'conditions' => $conditions
)));
));
} else {
$ids = array_unique(array_merge(
$this->SharingGroupServer->fetchAllAuthorised(),
@ -204,13 +203,20 @@ class SharingGroup extends AppModel
} elseif ($scope === 'distribution_graph') {
// Specific scope that fetch just necessary information for distribution graph
// @see DistributionGraphTool
$canSeeOrgs = $user['Role']['perm_sharing_group'] || !Configure::read('Security.hide_organisations_in_sharing_groups');
$sgs = $this->find('all', array(
'contain' => ['SharingGroupOrg' => ['org_id']],
'contain' => $canSeeOrgs ? ['SharingGroupOrg' => ['org_id']] : [],
'conditions' => $conditions,
'fields' => ['SharingGroup.id', 'SharingGroup.name', 'SharingGroup.org_id'],
'order' => 'SharingGroup.name ASC'
));
return $this->appendOrgsAndServers($sgs, ['id', 'name'], []);
if ($canSeeOrgs) {
return $this->appendOrgsAndServers($sgs, ['id', 'name'], []);
}
foreach ($sgs as &$sg) {
$sg['SharingGroupOrg'] = [];
}
return $sgs;
} elseif ($scope === 'name') {
$sgs = $this->find('list', array(
'recursive' => -1,
@ -241,8 +247,10 @@ class SharingGroup extends AppModel
{
$orgsToFetch = [];
$serverToFetch = [];
foreach($sharingGroups as $sg) {
$orgsToFetch[$sg['SharingGroup']['org_id']] = true;
foreach ($sharingGroups as $sg) {
if (isset($sg['SharingGroup']['org_id'])) {
$orgsToFetch[$sg['SharingGroup']['org_id']] = true;
}
if (isset($sg['SharingGroupOrg'])) {
foreach ($sg['SharingGroupOrg'] as $sgo) {
$orgsToFetch[$sgo['org_id']] = true;
@ -283,7 +291,7 @@ class SharingGroup extends AppModel
}
foreach ($sharingGroups as &$sg) {
if (isset($orgsById[$sg['SharingGroup']['org_id']])) {
if (isset($sg['SharingGroup']['org_id']) && isset($orgsById[$sg['SharingGroup']['org_id']])) {
$sg['Organisation'] = $orgsById[$sg['SharingGroup']['org_id']];
}


@ -6,6 +6,17 @@ echo $this->element('/genericElements/IndexTable/index_table', array(
'data' => $sharingGroups,
'top_bar' => array(
'children' => array(
array(
'type' => 'simple',
'children' => array(
array(
'text' => __('Add'),
'fa-icon' => 'plus',
'url' => $baseurl . '/sharing_groups/add',
'requirement' => $isAclSharingGroup,
)
)
),
array(
'type' => 'simple',
'children' => array(
@ -68,36 +79,42 @@ echo $this->element('/genericElements/IndexTable/index_table', array(
),
array(
'name' => __('Org count'),
'element' => 'custom',
'class' => 'short',
'function' => function (array $sharingGroup) {
echo count($sharingGroup['SharingGroupOrg']);
}
'sort' => 'SharingGroup.org_count',
'data_path' => 'SharingGroup.org_count',
),
array(
'name' => __('Releasable to'),
'element' => 'custom',
'function' => function (array $sharingGroup) use ($baseurl) {
$combined = __("Organisations:");
if (empty($sharingGroup['SharingGroupOrg'])) $combined .= "<br>N/A";
foreach ($sharingGroup['SharingGroupOrg'] as $sge) {
if (!empty($sge['Organisation'])) {
$combined .= "<br><a href='" . $baseurl . "/organisation/view/" . h($sge['Organisation']['id']) . "'>" . h($sge['Organisation']['name']) . "</a>";
if ($sge['extend']) $combined .= ' (can extend)';
if (empty($sharingGroup['SharingGroupOrg'])) {
$combined .= "<br>N/A";
} else {
foreach ($sharingGroup['SharingGroupOrg'] as $sge) {
if (!empty($sge['Organisation'])) {
$combined .= "<br><a href='" . $baseurl . "/organisation/view/" . h($sge['Organisation']['id']) . "'>" . h($sge['Organisation']['name']) . "</a>";
if ($sge['extend']) {
$combined .= ' (can extend)';
}
}
}
}
$combined .= '<hr style="margin:5px 0;"><br>Instances:';
if (empty($sharingGroup['SharingGroupServer'])) $combined .= "<br>N/A";
foreach ($sharingGroup['SharingGroupServer'] as $sgs) {
if ($sgs['server_id'] != 0) {
$combined .= "<br><a href='" . $baseurl . "/server/view/" . h($sgs['Server']['id']) . "'>" . h($sgs['Server']['name']) . "</a>";
} else {
$combined .= "<br>This instance";
}
if ($sgs['all_orgs']) {
$combined .= ' (all organisations)';
} else {
$combined .= ' (as defined above)';
if (empty($sharingGroup['SharingGroupServer'])) {
$combined .= "<br>N/A";
} else {
foreach ($sharingGroup['SharingGroupServer'] as $sgs) {
if ($sgs['server_id'] != 0) {
$combined .= "<br><a href='" . $baseurl . "/server/view/" . h($sgs['Server']['id']) . "'>" . h($sgs['Server']['name']) . "</a>";
} else {
$combined .= "<br>This instance";
}
if ($sgs['all_orgs']) {
$combined .= ' (all organisations)';
} else {
$combined .= ' (as defined above)';
}
}
} ?>
<span data-toggle="popover" data-trigger="hover" title="<?= __('Distribution List') ?>" data-content="<?= h($combined) ?>">
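Review bot: With the controller now dropping the `SharingGroupOrg` and `SharingGroupServer` contains for users who may not see them, the "Releasable to" popover built at L479-L523 shows `Organisations: N/A` and `Instances: N/A` for those users, which is indistinguishable from a sharing group that genuinely has no members; checking `isset()` before `empty()`, e.g. `if (!isset($sharingGroup['SharingGroupOrg'])) { $combined .= '<br>' . __('Hidden'); } elseif (empty($sharingGroup['SharingGroupOrg'])) { $combined .= "<br>N/A"; }`, or hiding the column with the same permission flag, would make the two states distinguishable. The new `org_count` column (L472-L473) already gives these users an accurate count, so the popover is the only place where "hidden" and "none" collapse. The hunk sits inside the `echo $this->element(...)` call, which starts outside it.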


@ -25,6 +25,12 @@ $tableData[] = [
'key' => __('Events'),
'html' => '<a href="' . $eventsLink . '">' . __n('%s event', '%s events', $sg['SharingGroup']['event_count'], $sg['SharingGroup']['event_count']) . '</a>',
];
if (isset($sg['SharingGroup']['org_count'])) {
$tableData[] = [
'key' => __('Organisations'),
'html' => __n('%s organisation', '%s organisations', $sg['SharingGroup']['org_count'], $sg['SharingGroup']['org_count']),
];
}
echo $this->element('genericElements/viewMetaTable', ['table_data' => $tableData]);
?>
</div></div>
@ -56,7 +62,7 @@ echo $this->element('genericElements/viewMetaTable', ['table_data' => $tableData
</div>
<?php
endif;
if (!$sg['SharingGroup']['roaming']):
if (!$sg['SharingGroup']['roaming'] && isset($sg['SharingGroupServer'])):
?>
<div class="span6">
<b>Instances</b>


@ -4200,12 +4200,18 @@ function initPopoverContent(context) {
}
function checkSharingGroup(context) {
var $sharingGroupSelect = $('#' + context + 'SharingGroupId');
if ($('#' + context + 'Distribution').val() == 4) {
$('#' + context + 'SharingGroupId').show();
$('#' + context + 'SharingGroupId').closest("div").show();
$sharingGroupSelect.show();
$sharingGroupSelect.closest("div").show();
// For sharing group select with more than 10 items, use chosen
if ($sharingGroupSelect.find('option').length > 10) {
$sharingGroupSelect.chosen();
}
} else {
$('#' + context + 'SharingGroupId').hide();
$('#' + context + 'SharingGroupId').closest("div").hide();
$sharingGroupSelect.hide();
$sharingGroupSelect.closest("div").hide();
}
}
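Review bot: `$sharingGroupSelect.chosen()` (L564-L566) now runs every time the distribution is switched back to 4, and the same branch calls `$sharingGroupSelect.show()` on the native select; if Chosen hides the original element with an inline `display:none` when it initialises, as I believe it does, the next `show()` brings the raw select back beside the Chosen widget, so once Chosen is active only the wrapping `div` should be toggled and the initialisation guarded by a one-time flag — this needs confirming against the bundled Chosen version. The `== 4` comparison on `.val()` (L558) is pre-existing, but since `.val()` returns a string the rewrite is a good moment to switch to `=== '4'`.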


@ -1277,6 +1277,22 @@ class TestSecurity(unittest.TestCase):
self.assertTrue(contains)
self.admin_misp_connector.delete_organisation(created_org)
def test_org_hide_from_sharing_group(self):
secret_org = self.__create_org()
visible_sg = self.__create_sharing_group()
check_response(self.admin_misp_connector.add_org_to_sharing_group(visible_sg, self.test_org.uuid))
check_response(self.admin_misp_connector.add_org_to_sharing_group(visible_sg, secret_org.uuid))
logged_in = PyMISP(url, self.test_usr.authkey)
logged_in.global_pythonify = True
with self.__setting("Security.hide_organisations_in_sharing_groups", True):
sg = send(logged_in, "GET", f"/sharingGroups/view/{visible_sg.id}")
self.assertNotIn("SharingGroupOrg", sg)
self.admin_misp_connector.delete_organisation(secret_org)
self.admin_misp_connector.delete_sharing_group(visible_sg)
def __generate_event(self, distribution: int = 1) -> MISPEvent:
mispevent = MISPEvent()
mispevent.info = 'This is a super simple test'
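Review bot: In `test_org_hide_from_sharing_group` (L580-L591) the `delete_organisation`/`delete_sharing_group` clean-up only runs if the assertion passes, so a failing run leaks `secret_org` and `visible_sg` into the following tests; a `try`/`finally` around the body fixes that. The test also asserts only that `SharingGroupOrg` is absent, while the controller change strips `SharingGroupServer` as well, so asserting both keeps the test aligned with what the feature hides. `__generate_event` begins at L592 and continues past the hunk.

```python
    def test_org_hide_from_sharing_group(self):
        secret_org = self.__create_org()
        visible_sg = self.__create_sharing_group()
        try:
            # … unchanged: add test_org and secret_org to visible_sg, build logged_in PyMISP …
            with self.__setting("Security.hide_organisations_in_sharing_groups", True):
                sg = send(logged_in, "GET", f"/sharingGroups/view/{visible_sg.id}")
                self.assertNotIn("SharingGroupOrg", sg)
                self.assertNotIn("SharingGroupServer", sg)
        finally:
            self.admin_misp_connector.delete_organisation(secret_org)
            self.admin_misp_connector.delete_sharing_group(visible_sg)
```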