Commit Graph

486 Commits (3e5ae5271e2a6460407fd70c1cacbdcf0715d33a)

Author SHA1 Message Date
iglocska 41a241cada
new: [pgp] library ported from MISP
- added proper view elements for encryption keys
- added key information extraction
2022-10-21 15:25:52 +02:00
Sami Mokaddem ddfc83af6f
chg: [navigation:socialProvider] Improved UI for SSO profile management 2022-10-21 14:14:38 +02:00
Sami Mokaddem 0f27435251
fix: [metaTemplates] Correctly show update message 2022-10-21 14:07:41 +02:00
Sami Mokaddem 455daba4d4
fix: [navigation:meta-template] Correctly show badge for new templates 2022-10-21 14:06:46 +02:00
Sami Mokaddem 8d26be28a2
chg: [auditlogs:index] Reverse sort by ID 2022-09-20 15:31:42 +02:00
iglocska 760badd268
fix: [alignments] missing contains added 2022-09-19 02:17:36 +02:00
iglocska fd6d3466d7
fix: [authkey] should only be used in a rest context
- otherwise some weird authentication snafus can happen
- as reported by SK-CERT
2022-09-19 02:14:57 +02:00
iglocska 4c0c6ef4ac
fix: [counter graphs] fixed to disallow invalid interval entries
- as reported by SK-CERT
2022-09-19 01:46:57 +02:00
iglocska a9eccb3097
fix: [security] X-FRAME-OPTIONS: DENY added to all responses
- as reported by SK-CERT
2022-09-19 01:11:18 +02:00
iglocska af1e2fd632
new: [security] Bruteforce protection added
- logins allow for 5 attempts every 5 minutes
- Code ported and updated from MISP

- As reported by SK-CERT
2022-09-19 00:25:15 +02:00
iglocska 254fdc3b84
chg: [security] keycloak enabled - disallow multiple users from being created for the same individual
- as reported by SK-CERT
2022-09-18 19:26:24 +02:00
iglocska 85e8a35091
fix: [api rearrange] shouldn't trigger when dealing with arrays 2022-09-18 18:27:00 +02:00
iglocska 370995ab50
fix: [audit log] error due to compressible fields not being streams when compression not enabled 2022-09-18 18:16:34 +02:00
iglocska 3857de8499
fix: [notice] errors when not logged in removed 2022-08-24 14:47:40 +02:00
iglocska fac19e0a3c
fix: [exception] speculative fix to a check causing a 500 2022-08-24 11:43:36 +02:00
iglocska 4c1ce31d50
fix: [unauthed] users internal error fixed 2022-08-24 11:42:38 +02:00
iglocska d35a674505
chg: [navigation] added keycloak self management
- also some changes to the navigation system
2022-08-24 11:39:56 +02:00
iglocska 94bfafb743
fix: [meta template] fixes 2022-08-23 16:02:52 +02:00
iglocska 8bc3088e12
fix: [revert] meta fields unindexing
- required for the saving of vchanges
2022-08-23 14:50:13 +02:00
iglocska 095dd4513c
chg: [rearrange] moved to Entity 2022-08-23 11:42:30 +02:00
iglocska d96353ee4f
chg: [APIRearrange] component tied into rest response 2022-08-19 13:02:25 +02:00
iglocska 3e0d015f69
fix: [meta] template loading reworked
- no more crappy string numeric keys among others
2022-08-19 13:01:47 +02:00
iglocska b9e5b76766
new: [component] APIRearrange component added
- alter the data's format before passing it back via the RestResponseComponent
  - to be used to clean up UI specific artifacts / junk
  - also to maintain compability between versions/tools
2022-08-19 13:00:19 +02:00
iglocska cbb737e18e
fix: [deprecation] pagination component's use removed to comply with 4.4 requirements 2022-08-17 14:00:38 +02:00
iglocska 60d8a8f655
fix: [deprecation] toList() queries updated 2022-08-17 13:49:11 +02:00
Sami Mokaddem fa68d62890
fix: [component:CRUD] Removed deprecation notice when trying to extract without requesting the collection 2022-06-08 11:56:09 +02:00
Sami Mokaddem 8c4c75d83a
fix: [localTools:action] Catch error if local tool's action returned unexpected data 2022-06-08 11:51:52 +02:00
iglocska be064bb0c9
new: [KC] profile link added 2022-05-17 10:42:44 +02:00
iglocska 4575406b33
fix: [users] edit
- various issues fixed with the edit function
- re-added the chance to change organisations of a user as a site admin
- tighter checks on the options for the drop downs
2022-05-17 04:02:06 +02:00
Sami Mokaddem 2289e91aca
fix: [component:CRUD] Avoid patching entity if it wasn't modified 2022-03-09 12:01:15 +01:00
Luciano Righetti c0a76d3f99 fix: error when entity has no meta_fields 2022-03-09 09:27:53 +01:00
Sami Mokaddem 61736531b1
chg: [indexTable:context_filters] Support of default context filter
This filter is used by default if none is provided
2022-03-09 08:55:59 +01:00
Luciano Righetti e5d0ffa041 fix: remove filter 2022-03-08 15:55:23 +01:00
Luciano Righetti 1a5ee2767f fix: remove commented line 2022-03-08 15:54:38 +01:00
Luciano Righetti 9a2c6a4c4b new: add api tests for MetaTemplates and openapi spec, fix minor issues. 2022-03-08 15:51:07 +01:00
Sami Mokaddem c064ca6f53
fix: Bumped ACLComponent 2022-03-01 15:23:44 +01:00
Sami Mokaddem 71cd1e307d
chg: [Component:CRUD] Only show used meta-template in view pages 2022-03-01 15:21:56 +01:00
Sami Mokaddem 5fa0280f15
fix: [sharingrGroup:delete] Missing params variable 2022-03-01 14:08:16 +01:00
Sami Mokaddem f8c8bbcb0b
fix: [component:CRUD] Fixed typo massageMetaFields 2022-03-01 14:07:20 +01:00
Sami Mokaddem 0fb03aae91
fix: [Component:CRUD] Removed confusing `get` parameter
- It was confusing and using it could lead to unwanted consequences
- It's clearer to implement the desired logic on controller's side
2022-03-01 14:02:26 +01:00
Sami Mokaddem 713f867082
chg: [component:CRUD] Better validation messages 2022-03-01 09:51:51 +01:00
Sami Mokaddem 8450e83607
chg: [sharingroup:index] Changed conditions allowing member org to view a sharing group
Previously only the SG owner could see the SG
2022-02-28 14:23:40 +01:00
Sami Mokaddem b628bc38ae
fix: [sharinggroups:view] Typo skipping org membership check 2022-02-28 14:23:00 +01:00
Sami Mokaddem 8293312f90
fix: [instance:search_all] Support of conditions and afterFind when using global search 2022-02-28 14:16:12 +01:00
Sami Mokaddem aa351b3ccb
fix: [Component:CRUD] Prevent duplication of first metafield if it was unmodified 2022-02-28 11:08:42 +01:00
Sami Mokaddem c13fb53ae0
chg: [organisations] Added meta-field global filtering 2022-02-28 10:50:04 +01:00
Sami Mokaddem 3ef64911f9
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable 2022-02-28 09:51:51 +01:00
Sami Mokaddem 4089623eaa
chg: [users] Removed useless imports 2022-02-28 09:37:29 +01:00
Sami Mokaddem 04b82d356e
chg: [indexTable:filtering] Initial work on supporting custom operators 2022-02-25 15:36:55 +01:00
iglocska 9d04533e14
chg: [users] restrict org admins from creating other org admins
- temporary solution for a single community, make this optional in the future
2022-02-25 10:20:25 +01:00
Sami Mokaddem a9570426db
fix: [component:CRUD] Fix edit where query parameters where not passed correctly
It fixes meta-fields duplication while saving
2022-02-25 08:19:01 +01:00
iglocska 79459838eb
chg: [user add] if no password was set, set a random one
- can't be used so far as we have no emailing in place
- it allows user creation when username/password mode is disabled
2022-02-25 00:31:19 +01:00
iglocska 6f6c10670e
new: [CRUD] added beforeMarshal hook 2022-02-25 00:30:50 +01:00
iglocska 828946a97f
new: [users] several changes
- make usernames immutable
- restrict user creation to aligned individuals (org admin only)
- optionally create individual while creating a user
2022-02-24 13:45:10 +01:00
Sami Mokaddem 64cb0f920a
chg: [mailinglist] Added ACL conditions on mailing list operations
- Site admins have all authorizations
- Org admins can manipulate the list their user own (can be later replaced by organisation_id instead of user_id)
- Other users can see the all lists they are included in
2022-02-23 10:03:12 +01:00
Sami Mokaddem d2c98fc3c5
chg: [Component:ACL] Added entries for mailing list 2022-02-23 10:01:18 +01:00
Sami Mokaddem ba047885c9
chg: [Component:ACL] Added entry for audit log filtering 2022-02-23 10:00:42 +01:00
Sami Mokaddem 20d896ad47
chg: [Component:CRUD] Allow to filter out rows from the index with afterFind
Filtering can be achieved by returning `false` instead of the row in the `afterFind` function
2022-02-23 09:58:55 +01:00
Sami Mokaddem bf3e31c59a
fix: [Component:CRUD] Typo in merge conflict 2022-02-23 08:18:08 +01:00
Sami Mokaddem bce4c5fde9
chg: [Component:CRUD] Removed comment and init correct variable type 2022-02-21 11:51:05 +01:00
Sami Mokaddem aeac86cb52
chg: [Component:CRUD] Typo 2022-02-21 11:48:41 +01:00
Sami Mokaddem 7ea5acb167
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable 2022-02-21 11:17:05 +01:00
iglocska b67c221476
fix: [copy pasta fail] left previous assignment in that is now superseeded by the if branch above 2022-02-20 15:07:58 +01:00
iglocska e2bb58d3c7
fix: [flood protection] default to 127.0.0.1 if no remote_addr is set as we're dealing with a local CLI script 2022-02-20 15:00:15 +01:00
iglocska c005cb7f66
fix: [error code] adding an authkey for a user you are not authorised to modify resulted in a 404 instead of a 405 2022-02-20 14:56:21 +01:00
iglocska b046990153
fix: [flood protection] default to REMOTE_ADDR if the selected default logging IP source header is not populated 2022-02-20 11:49:57 +01:00
iglocska 283299bf36
fix: [security] flood protection control enabled by default
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:34:07 +01:00
iglocska 6e67a5b239
fix: [security] Sharing group creation on behalf of other organisation fixed
- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created

- as reported by Dawid Czarnecki of Zigrin Security
2022-02-19 01:21:29 +01:00
iglocska b41b0dd712
fix: [security] privilege escalation via user edit fixed
- org admins could circumvent the role restrictions and elevate themselves to a site admin

- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:02:49 +01:00
Sami Mokaddem a77e29fa38
new: [layout:sidebar] Notifications in the sidebar 2022-02-08 17:58:30 +01:00
Sami Mokaddem 62ca877f0b
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable 2022-02-08 08:42:25 +01:00
iglocska c7b226f844
chg: [flood protection] added cleanup 2022-02-07 02:14:53 +01:00
iglocska d45a4dc499
new: [registration] added optional registration flood protection
- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 02:03:41 +01:00
iglocska e6643365d2
new: [flood protection] behaviour added
simple expiration system to allow flood protections to be added to any functionality
2022-02-07 02:01:59 +01:00
iglocska 88f3cc7944
fix: [security] user settings allow enumeration of usernames
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:45:42 +01:00
iglocska a263234917
fix: [security] open endpoints should only be open when enabled
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:36:31 +01:00
iglocska 15190b930e
fix: [security] Sharing group ACL fixes
- added indirect object reference protection
- added correct ACL functionalities to delete, addOrg, removeOrg

- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:16:24 +01:00
iglocska cf67c3d1f0
fix: [roles] setting default should be exclusive
- added aftersave action to remove default from other roles
2022-01-27 22:06:26 +01:00
iglocska 1ca0f21b86
chg: [user add] form defaults
- org will default to own org for site admins
- role will default to the default role (if set)
2022-01-27 21:54:59 +01:00
Andras Iklody 6443f36650
Merge pull request #86 from righel/add-inter-connection-tests
Add inter-connection test
2022-01-27 16:13:35 +01:00
Sami Mokaddem 7de1c14407
chg: [userSettings:add] Adhere to the passed user context 2022-01-27 10:44:47 +01:00
Sami Mokaddem 789bd9926f
chg: [navigation:users] Restored breadcrumb navigation to access user profile settings 2022-01-27 08:41:31 +01:00
Sami Mokaddem 2e7aabf704
fix: [users:toggle] Prevent users to disable admins 2022-01-26 16:10:33 +01:00
Sami Mokaddem fcffad6777
fix: [users:delete] Typo copy paste error 2022-01-26 15:45:57 +01:00
Luciano Righetti d91a362e99 Merge branch 'develop' into add-inter-connection-tests 2022-01-26 15:31:49 +01:00
iglocska 665999b8f4
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop 2022-01-26 15:29:53 +01:00
iglocska 95ecc2bc80
fix: [security] fields not adhered to in CRUD components edit
- users can circumvent restrictions on editable fields
- can lead to privilege escalation when users edit themselves
2022-01-26 15:28:10 +01:00
Sami Mokaddem d05868106d
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop 2022-01-26 14:59:57 +01:00
iglocska f695744bd7
fix: [user view] ACL fixed 2022-01-26 14:57:01 +01:00
iglocska b7facf226d
chg: [Navigationcomponent] added missing changes from previous commit 2022-01-26 14:55:47 +01:00
Sami Mokaddem 74e95855bd
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop 2022-01-26 14:54:03 +01:00
iglocska c186c88d5c
chg: [navigation] Breadcrumb generation is user aware
- moved the initialisation of the generation to be invoked from the appcontroller's beforefilter, after the user is loaded into the ACL component
- Only show user setting edits when the user is editing themselves
2022-01-26 14:21:27 +01:00
iglocska 9a0ddef2af
new: [ACL] added canEditUser() function
- simple comparison between two users
- checks role + org based permission
2022-01-26 14:16:28 +01:00
Sami Mokaddem 54ee91ba1a
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop 2022-01-26 12:11:53 +01:00
Sami Mokaddem f53b458103
fix: [userSettings] Allow admin to edit other user's settings 2022-01-26 12:11:44 +01:00
Luciano Righetti d18471ba95 fix: failing when request is empty json object 2022-01-25 18:02:41 +01:00
iglocska 19c81b7c11
fix: [Sharing groups] UUID and owner org shouldn't be editable 2022-01-25 17:09:29 +01:00
iglocska acc9c94baa
Merge branch 'main' into develop 2022-01-25 15:59:31 +01:00
iglocska 55782af52b
fix: [users] add
- fixed role selection
2022-01-25 15:58:31 +01:00
Sami Mokaddem 44913c5ed7
fix: [users:settings] Allow admin to see account settings of other users 2022-01-25 15:27:34 +01:00
Sami Mokaddem 4f8b663b87
chg: [localtTools:connectionRequest] Provide more info on exception 2022-01-25 15:02:30 +01:00
Sami Mokaddem 7d227a4387
chg: [inbox:index] Sort messages by created datetime 2022-01-25 15:02:25 +01:00
Sami Mokaddem dc2bfcb6b2
fix: [components:CRUD] Support of controller's paginate public variable 2022-01-25 15:02:16 +01:00
iglocska e9f77aff51
Merge branch 'develop' into main 2022-01-25 11:36:06 +01:00
iglocska 57e2c75352
fix: [users] role based action filtering added
- to avoid annoying clickable, but blocked actions for og admins
2022-01-25 11:34:22 +01:00
Sami Mokaddem 74df550419
chg: [inbox:collectNotifications] Collect notifications for the logged in user 2022-01-25 11:32:09 +01:00
Sami Mokaddem dd3a1b8a15
chg: [appcontroller] Breadcrumbs and notifications are fetched only if the user is logged in 2022-01-25 11:29:50 +01:00
Sami Mokaddem 7535cd2bdf
chg: [localtTools:connectionRequest] Provide more info on exception 2022-01-24 16:12:46 +01:00
Sami Mokaddem 6321725fa9
new: [notification] Added initial version of the notification system 2022-01-24 15:13:28 +01:00
iglocska 932a28288d
new: [CRUD] added some new useful features
- afterFind for the edit functions to make last minute decisions on the modification after already having loaded the data to be modified
- moved the field restrictions to be able to pass it to the view
- try/catch for bulk deletions. A single failure in the beforeSave call will no longer block the entire saving process
2022-01-21 13:41:29 +01:00
Sami Mokaddem 7c557f6d85
chg: [inbox:index] Sort messages by created datetime 2022-01-21 09:48:53 +01:00
Sami Mokaddem a59f59ba0d
fix: [components:CRUD] Support of controller's paginate public variable 2022-01-21 09:35:55 +01:00
Sami Mokaddem 38a9aa9869
chg: [auditlog] Allow filtering and searching the table 2022-01-20 13:55:27 +01:00
Sami Mokaddem 420bbb9207
fix: [auditlog] Typo in field name 2022-01-20 13:54:59 +01:00
Sami Mokaddem ec76948ebd
fix: [component:CRUD] Filtering view variables get correctly set 2022-01-20 13:54:17 +01:00
Sami Mokaddem a98c7f8f32
fix: [metaTemplate] Various fixed on meta-templates updates 2022-01-20 12:00:39 +01:00
Sami Mokaddem 86946719c7
chg: [component:CRUD] Fixed typo 2022-01-20 11:57:48 +01:00
Sami Mokaddem a60ca95120
chg: [ui:api] Moved API navigation link into admin section and created breadcrumb config 2022-01-20 09:32:39 +01:00
Sami Mokaddem 2e0051401f
chg: [appController] Don't generate nav breadcrumbs in API context 2022-01-20 09:31:51 +01:00
Sami Mokaddem 324ac1ce40
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into refactor-metatemplates 2022-01-20 09:00:45 +01:00
Andras Iklody 80cd93da40
Merge pull request #80 from righel/add-integration-tests
Add integration tests
2022-01-19 16:25:19 +01:00
iglocska d488f01051
fix: [authkey] add fixed
- incorrectly potentially filter out valid options when adding a key by a regular user
2022-01-19 14:39:03 +01:00
Luciano Righetti ee5c723c71 Merge branch 'develop' into add-integration-tests 2022-01-18 18:11:53 +01:00
iglocska f75d0829d1
fix: [user edit] fixed for non admins 2022-01-18 17:52:59 +01:00
iglocska dbaa2ba7b3
fix: [encryption keys] several fixes
- fix the user view to correctly point to the list of related encryption keys
- fix the lookup on the index to be based on owner_model + owner_id combo
- fix the filtering of the dropdown in the encryption key add form to only valid options
2022-01-18 16:56:38 +01:00
Luciano Righetti afcfe57767 Merge branch 'develop' into add-integration-tests 2022-01-18 16:26:06 +01:00
iglocska eae8e62e5e
fix: [CRUD] delete post message fix
- correct order of execution for the beforesave command
2022-01-18 16:24:24 +01:00
Luciano Righetti 6e31005d79 Merge branch 'develop' into add-integration-tests 2022-01-18 16:11:23 +01:00
iglocska 8cb24baf5f
fix: [ACL] tightening for delete functions
- implemented beforeSave() function in the CRUD::delete() functionality
- added correct handling for the organisation level encryption keys in the beforeSave constructor
2022-01-18 15:35:55 +01:00
iglocska c35d67ebca
fix: [encryption keys] functionality to filter orgs/individuals fixed
- actually execute the query rather than just build it
2022-01-18 14:59:41 +01:00
Luciano Righetti f48c1a5a17 Merge branch 'develop' into add-integration-tests 2022-01-18 14:29:54 +01:00
iglocska a29a4ea024
Merge branch 'main' into develop 2022-01-18 00:23:19 +01:00
iglocska ec994b05ed
chg: [user] edit restricted to password only for self 2022-01-18 00:20:53 +01:00
iglocska b80d778e1a
fix: [encryption keys] tightened ACL across all CRUD functions 2022-01-18 00:17:47 +01:00
iglocska 8c97c3b3a0
Merge branch 'main' into develop 2022-01-17 17:17:31 +01:00
iglocska 6d13d4aba0
fix: [authkeys] tighten requirements to add authkeys for other org admins
- site admin: can add to all
- org admin: can add to all in org, except site admin
- everyone else: can add to self only
2022-01-17 17:16:03 +01:00
Sami Mokaddem 49a3dd1623
chg: [instance] Added support of API response for 2 endpoints 2022-01-17 15:55:55 +01:00
Sami Mokaddem 0c9b032536
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop 2022-01-17 15:30:07 +01:00
Sami Mokaddem 98e8272810
fix: [ACL] Allow anyone to view encryption keys 2022-01-17 15:29:58 +01:00
Sami Mokaddem ef2827e87a
fix: [userSettings] Various permissions issues 2022-01-17 15:24:30 +01:00
iglocska 453c838dfe
fix: [placeholder removed] WiP functionality for local_tool->local_tool connections within the same brood temporarily removed
- was never fully implemented
2022-01-17 13:15:26 +01:00
iglocska 1b4c681a88
new: [Outbox] entity added
- to inherit the appModel functions
2022-01-17 12:47:48 +01:00
iglocska 12d7607aae
new: [encryption key] view added
- was missing, despite links to it
2022-01-17 09:45:45 +01:00
iglocska caf48c9060
fix: [ACL] proper error messages on user edit
- don't just silently redirect to the own user editing if the user isn't authorised to modify another user
2022-01-17 09:19:53 +01:00
iglocska 87723c2100
fix: [ACL] added correct file for previous fix (user edit admin permission check) 2022-01-12 10:32:47 +01:00
iglocska 204c60f739
fix: [ACL] fixed ACL check on user edit for the admin permission
- invalid name used for the lookup (perm_side_admin instead of perm_admin) leading to incorrect downgrading of the permissions
2022-01-12 10:31:06 +01:00
Luciano Righetti 241e760ad2 add: add API menu option 2022-01-10 16:20:22 +01:00
Luciano Righetti ce1a51cc39 fix: incorrect check 2022-01-10 11:59:23 +01:00
Luciano Righetti a69608530c new: add /api openapi spec view with redoc, add faker to fixtures, validate api responses with openapi spec, add /api/v1/ prefix to api routes 2022-01-07 13:45:52 +01:00
Luciano Righetti f45727704f fix: deprecation warning 2022-01-05 17:44:24 +01:00