Turn permission error into validation error for empty streams in event definition. (#22778)

* Cleaning up `EventConditionForm`.

* Turn permission error into validation error for empty streams in event definition.

* Adding changelog snippet.

* Fixing test.

* Adjusting `AggregationEventProcessorConfigTest`.

* Fixing cases where plugin types are missing.

* Fixing linter hint.

Author: dennisoelkers

changelog/unreleased/pr-22778.toml

@@ -0,0 +1,5 @@
+type = "f"
+message = "Turn permission error into validation error for empty streams in event definition."
+
+issues = ["Graylog2/graylog-plugin-enterprise#10869"]
+pulls = ["22778"]

graylog2-server/src/main/java/org/graylog/events/notifications/NotificationTestData.java

@@ -24,6 +24,7 @@
 import org.graylog.events.event.EventOriginContext;
 import org.graylog.events.processor.EventDefinitionDto;
 import org.graylog.events.processor.EventProcessorConfig;
+import org.graylog.security.UserContext;
 import org.graylog2.contentpacks.EntityDescriptorIds;
 import org.graylog2.plugin.Tools;
 import org.graylog2.plugin.rest.ValidationResult;
@@ -61,7 +62,7 @@ public String type() {
                         return "test-dummy-v1";
                     }
                     @Override
-                    public ValidationResult validate() {
+                    public ValidationResult validate(UserContext userContext) {
                         return null;
                     }
                     @Override

graylog2-server/src/main/java/org/graylog/events/processor/EventDefinitionDto.java

@@ -18,7 +18,6 @@
 
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
@@ -37,6 +36,7 @@
 import org.graylog.events.notifications.EventNotificationSettings;
 import org.graylog.events.processor.storage.EventStorageHandler;
 import org.graylog.events.processor.storage.PersistToStreamsStorageHandler;
+import org.graylog.security.UserContext;
 import org.graylog2.contentpacks.ContentPackable;
 import org.graylog2.contentpacks.EntityDescriptorIds;
 import org.graylog2.contentpacks.model.ModelId;
@@ -163,17 +163,17 @@ public static Builder builder() {
 
     public abstract Builder toBuilder();
 
-    @JsonIgnore
     public ValidationResult validate(@Nullable EventDefinitionDto oldEventDefinitionDto,
-                                     EventDefinitionConfiguration eventDefinitionConfiguration) {
+                                     EventDefinitionConfiguration eventDefinitionConfiguration,
+                                     UserContext userContext) {
         final ValidationResult validation = new ValidationResult();
 
         if (title().isEmpty()) {
             validation.addError(FIELD_TITLE, "Event Definition title cannot be empty.");
         }
 
         try {
-            validation.addAll(config().validate());
+            validation.addAll(config().validate(userContext));
             validation.addAll(config().validate(
                     Optional.ofNullable(oldEventDefinitionDto).map(EventDefinitionDto::config).orElse(null),
                     eventDefinitionConfiguration));

graylog2-server/src/main/java/org/graylog/events/processor/EventProcessorConfig.java

@@ -23,6 +23,7 @@
 import org.graylog.plugins.views.search.searchfilters.model.UsedSearchFilter;
 import org.graylog.scheduler.JobDefinitionConfig;
 import org.graylog.scheduler.clock.JobSchedulerClock;
+import org.graylog.security.UserContext;
 import org.graylog2.contentpacks.ContentPackable;
 import org.graylog2.contentpacks.EntityDescriptorIds;
 import org.graylog2.plugin.rest.ValidationResult;
@@ -76,8 +77,7 @@ default ValidationResult validate(@Nullable EventProcessorConfig oldEventProcess
      *
      * @return the validation result
      */
-    @JsonIgnore
-    ValidationResult validate();
+    ValidationResult validate(UserContext userContext);
 
     /**
      * Returns the permissions that are required to create the event processor configuration. (e.g. stream permissions)
@@ -128,7 +128,7 @@ public String type() {
         }
 
         @Override
-        public ValidationResult validate() {
+        public ValidationResult validate(UserContext userContext) {
             throw new UnsupportedOperationException();
         }
 

graylog2-server/src/main/java/org/graylog/events/processor/aggregation/AggregationEventProcessorConfig.java

@@ -41,6 +41,7 @@
 import org.graylog.scheduler.schedule.CronJobSchedule;
 import org.graylog.scheduler.schedule.CronUtils;
 import org.graylog.scheduler.schedule.IntervalJobSchedule;
+import org.graylog.security.UserContext;
 import org.graylog2.contentpacks.EntityDescriptorIds;
 import org.graylog2.contentpacks.model.ModelId;
 import org.graylog2.contentpacks.model.ModelTypes;
@@ -130,11 +131,6 @@ public abstract class AggregationEventProcessorConfig implements EventProcessorC
 
     @Override
     public Set<String> requiredPermissions() {
-        // When there are no streams the event processor will search in all streams so we need to require the
-        // generic stream permission.
-        if (streams().isEmpty()) {
-            return Collections.singleton(RestPermissions.STREAMS_READ);
-        }
         return streams().stream()
                 .map(streamId -> String.join(":", RestPermissions.STREAMS_READ, streamId))
                 .collect(Collectors.toSet());
@@ -242,7 +238,7 @@ private boolean isConditionsEmpty() {
     }
 
     @Override
-    public ValidationResult validate() {
+    public ValidationResult validate(UserContext userContext) {
         final ValidationResult validationResult = new ValidationResult();
 
         if (searchWithinMs() <= 0) {
@@ -273,6 +269,10 @@ public ValidationResult validate() {
                     }
                 });
 
+        if (streams().isEmpty() && !userContext.isPermitted(RestPermissions.STREAMS_READ)) {
+            validationResult.addError(FIELD_STREAMS, "At least one stream must have been selected.");
+        }
+
         if (useCronScheduling()) {
             if (cronExpression() == null || cronExpression().isEmpty()) {
                 validationResult.addError(FIELD_CRON_EXPRESSION, "Cron expression must not be empty when using cron scheduling");

graylog2-server/src/main/java/org/graylog/events/processor/systemnotification/SystemNotificationEventProcessorConfig.java

@@ -23,6 +23,7 @@
 import com.google.common.graph.MutableGraph;
 import org.graylog.events.contentpack.entities.EventProcessorConfigEntity;
 import org.graylog.events.processor.EventProcessorConfig;
+import org.graylog.security.UserContext;
 import org.graylog2.contentpacks.EntityDescriptorIds;
 import org.graylog2.contentpacks.model.entities.EntityDescriptor;
 import org.graylog2.plugin.rest.ValidationResult;
@@ -51,7 +52,7 @@ public static Builder create() {
     }
 
     @Override
-    public ValidationResult validate() {
+    public ValidationResult validate(UserContext userContext) {
         // Nothing to validate
         return new ValidationResult();
     }

graylog2-server/src/main/java/org/graylog/events/rest/EventDefinitionsResource.java

@@ -285,7 +285,7 @@ public Response create(@ApiParam("schedule") @QueryParam("schedule") @DefaultVal
         final EventDefinitionDto dto = unwrappedCreateEntityRequest.getEntity();
         checkEventDefinitionPermissions(dto, "create");
 
-        final ValidationResult result = dto.validate(null, eventDefinitionConfiguration);
+        final ValidationResult result = dto.validate(null, eventDefinitionConfiguration, userContext);
         if (result.failed()) {
             return Response.status(Response.Status.BAD_REQUEST).entity(result).build();
         }
@@ -314,7 +314,7 @@ public Response update(@ApiParam(name = "definitionId") @PathParam("definitionId
                 .orElseThrow(() -> new NotFoundException("Event definition <" + definitionId + "> doesn't exist"));
         checkProcessorConfig(oldDto, dto);
 
-        final ValidationResult result = dto.validate(oldDto, eventDefinitionConfiguration);
+        final ValidationResult result = dto.validate(oldDto, eventDefinitionConfiguration, userContext);
         if (!definitionId.equals(dto.id())) {
             result.addError("id", "Event definition IDs don't match");
         }
@@ -473,9 +473,10 @@ public EventDefinitionDto duplicate(@ApiParam(name = "definitionId") @PathParam(
     @ApiOperation(value = "Validate an event definition")
     @RequiresPermissions(RestPermissions.EVENT_DEFINITIONS_CREATE)
     public ValidationResult validate(@ApiParam(name = "JSON body", required = true)
-                                     @Valid @NotNull EventDefinitionDto toValidate) {
+                                         @Valid @NotNull EventDefinitionDto toValidate,
+                                     @Context UserContext userContext) {
         EventProcessorConfig oldConfig = dbService.get(toValidate.id()).map(EventDefinition::config).orElse(null);
-        ValidationResult validationResult = toValidate.config().validate();
+        ValidationResult validationResult = toValidate.config().validate(userContext);
         validationResult.addAll(toValidate.config().validate(oldConfig, eventDefinitionConfiguration));
         return validationResult;
     }

graylog2-server/src/test/java/org/graylog/events/TestEventProcessorConfig.java

@@ -23,10 +23,11 @@
 import org.graylog.events.contentpack.entities.EventProcessorConfigEntity;
 import org.graylog.events.processor.EventDefinition;
 import org.graylog.events.processor.EventProcessorConfig;
+import org.graylog.events.processor.EventProcessorExecutionJob;
 import org.graylog.events.processor.EventProcessorSchedulerConfig;
 import org.graylog.scheduler.clock.JobSchedulerClock;
-import org.graylog.events.processor.EventProcessorExecutionJob;
 import org.graylog.scheduler.schedule.IntervalJobSchedule;
+import org.graylog.security.UserContext;
 import org.graylog2.contentpacks.EntityDescriptorIds;
 import org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange;
 import org.graylog2.plugin.rest.ValidationResult;
@@ -107,7 +108,7 @@ public EventProcessorConfigEntity toContentPackEntity(EntityDescriptorIds entity
     }
 
     @Override
-    public ValidationResult validate() {
+    public ValidationResult validate(UserContext userContext) {
         return new ValidationResult();
     }
 }

graylog2-server/src/test/java/org/graylog/events/processor/EventDefinitionDtoTest.java

@@ -23,6 +23,7 @@
 import org.graylog.events.fields.EventFieldSpec;
 import org.graylog.events.notifications.EventNotificationSettings;
 import org.graylog.events.processor.aggregation.AggregationEventProcessorConfig;
+import org.graylog.security.UserContext;
 import org.graylog2.plugin.rest.ValidationResult;
 import org.graylog2.shared.bindings.providers.ObjectMapperProvider;
 import org.junit.Before;
@@ -41,7 +42,7 @@ public class EventDefinitionDtoTest {
     @Before
     public void setUp() throws Exception {
         final AggregationEventProcessorConfig configMock = mock(AggregationEventProcessorConfig.class);
-        when(configMock.validate()).thenReturn(new ValidationResult());
+        when(configMock.validate(any(UserContext.class))).thenReturn(new ValidationResult());
         when(configMock.validate(any(), any())).thenReturn(new ValidationResult());
 
         testSubject = EventDefinitionDto.builder()
@@ -80,7 +81,7 @@ public void testValidateWithInvalidConfig() {
         final AggregationEventProcessorConfig configMock = mock(AggregationEventProcessorConfig.class);
         final ValidationResult mockedValidationResult = new ValidationResult();
         mockedValidationResult.addError("foo", "bar");
-        when(configMock.validate()).thenReturn(mockedValidationResult);
+        when(configMock.validate(any(UserContext.class))).thenReturn(mockedValidationResult);
         when(configMock.validate(any(), any())).thenReturn(mockedValidationResult);
 
         final EventDefinitionDto invalidEventDefinition = testSubject.toBuilder()
@@ -161,6 +162,6 @@ public void testEventDefinitionHtmlSanitization() throws JsonProcessingException
     }
 
     private static ValidationResult validate(EventDefinitionDto eventDefinitionDto) {
-        return eventDefinitionDto.validate(null, new EventDefinitionConfiguration());
+        return eventDefinitionDto.validate(null, new EventDefinitionConfiguration(), mock(UserContext.class));
     }
 }

graylog2-server/src/test/java/org/graylog/events/processor/aggregation/AggregationEventProcessorConfigTest.java

@@ -40,6 +40,7 @@
 import org.graylog.plugins.views.search.searchtypes.pivot.series.Max;
 import org.graylog.plugins.views.search.searchtypes.pivot.series.Sum;
 import org.graylog.scheduler.schedule.IntervalJobSchedule;
+import org.graylog.security.UserContext;
 import org.graylog.security.entities.EntityOwnershipService;
 import org.graylog.testing.mongodb.MongoDBFixtures;
 import org.graylog.testing.mongodb.MongoDBInstance;
@@ -48,6 +49,7 @@
 import org.graylog2.plugin.indexer.searches.timeranges.AbsoluteRange;
 import org.graylog2.plugin.rest.ValidationResult;
 import org.graylog2.shared.bindings.providers.ObjectMapperProvider;
+import org.graylog2.shared.security.RestPermissions;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 import org.junit.Before;
@@ -67,7 +69,9 @@
 import static org.graylog.events.processor.aggregation.AggregationEventProcessorConfig.FIELD_SERIES;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
 
 public class AggregationEventProcessorConfigTest {
     public static final EventDefinitionConfiguration EVENT_DEFINITION_CONFIGURATION = new EventDefinitionConfiguration();
@@ -85,6 +89,9 @@ public class AggregationEventProcessorConfigTest {
     @Mock
     private DBEventProcessorStateService stateService;
 
+    @Mock
+    private UserContext userContext;
+
     private DBEventDefinitionService dbService;
     private JobSchedulerTestClock clock;
 
@@ -95,6 +102,8 @@ public void setUp() throws Exception {
         objectMapper.registerSubtypes(new NamedType(TemplateFieldValueProvider.Config.class, TemplateFieldValueProvider.Config.TYPE_NAME));
         objectMapper.registerSubtypes(new NamedType(PersistToStreamsStorageHandler.Config.class, PersistToStreamsStorageHandler.Config.TYPE_NAME));
 
+        when(userContext.isPermitted(anyString())).thenReturn(true);
+
         final MongoJackObjectMapperProvider mapperProvider = new MongoJackObjectMapperProvider(objectMapper);
         final MongoCollections mongoCollections = new MongoCollections(mapperProvider, mongodb.mongoConnection());
         this.dbService = new DBEventDefinitionService(mongoCollections, stateService,
@@ -167,15 +176,15 @@ public void testValidateWithInvalidTimeRange() {
                 .searchWithinMs(-1)
                 .build();
 
-        final ValidationResult validationResult1 = invalidConfig1.validate();
+        final ValidationResult validationResult1 = invalidConfig1.validate(userContext);
         assertThat(validationResult1.failed()).isTrue();
         assertThat(validationResult1.getErrors()).containsOnlyKeys("search_within_ms");
 
         final AggregationEventProcessorConfig invalidConfig2 = invalidConfig1.toBuilder()
                 .searchWithinMs(0)
                 .build();
 
-        final ValidationResult validationResult2 = invalidConfig2.validate();
+        final ValidationResult validationResult2 = invalidConfig2.validate(userContext);
         assertThat(validationResult2.failed()).isTrue();
         assertThat(validationResult2.getErrors()).containsOnlyKeys("search_within_ms");
     }
@@ -189,7 +198,7 @@ public void testValidateWithAggregationSeriesMissingFields() {
                 .conditions(trueConditionThatDoesNotMatter)
                 .build();
 
-        ValidationResult validationResult = configWithSingleSeriesWithoutField.validate();
+        ValidationResult validationResult = configWithSingleSeriesWithoutField.validate(userContext);
         assertTrue(validationResult.failed());
         assertEquals(1, validationResult.getErrors().get(FIELD_SERIES).size());
         assertThat(validationResult.getErrors()).containsOnlyKeys(FIELD_SERIES);
@@ -208,7 +217,7 @@ public void testValidateWithAggregationSeriesMissingFields() {
                 .conditions(trueConditionThatDoesNotMatter)
                 .build();
 
-        validationResult = configWithMultipleSeriesWithoutField.validate();
+        validationResult = configWithMultipleSeriesWithoutField.validate(userContext);
         assertTrue(validationResult.failed());
         assertThat(validationResult.getErrors()).containsOnlyKeys(FIELD_SERIES);
         assertEquals(5, validationResult.getErrors().get(FIELD_SERIES).size());
@@ -221,15 +230,15 @@ public void testValidateWithInvalidExecutionTime() {
                 .executeEveryMs(-1)
                 .build();
 
-        final ValidationResult validationResult1 = invalidConfig1.validate();
+        final ValidationResult validationResult1 = invalidConfig1.validate(userContext);
         assertThat(validationResult1.failed()).isTrue();
         assertThat(validationResult1.getErrors()).containsOnlyKeys("execute_every_ms");
 
         final AggregationEventProcessorConfig invalidConfig2 = invalidConfig1.toBuilder()
                 .executeEveryMs(0)
                 .build();
 
-        final ValidationResult validationResult2 = invalidConfig2.validate();
+        final ValidationResult validationResult2 = invalidConfig2.validate(userContext);
         assertThat(validationResult2.failed()).isTrue();
         assertThat(validationResult2.getErrors()).containsOnlyKeys("execute_every_ms");
     }
@@ -289,30 +298,30 @@ public void testValidateWithIncompleteAggregationOptions() {
                 .groupBy(ImmutableList.of("foo"))
                 .build();
 
-        ValidationResult validationResult = invalidConfig.validate();
+        ValidationResult validationResult = invalidConfig.validate(userContext);
         assertThat(validationResult.failed()).isTrue();
         assertThat(validationResult.getErrors()).containsOnlyKeys("series", "conditions");
 
         invalidConfig = getConfig().toBuilder()
                 .series(ImmutableList.of(this.getSeries()))
                 .build();
 
-        validationResult = invalidConfig.validate();
+        validationResult = invalidConfig.validate(userContext);
         assertThat(validationResult.failed()).isTrue();
         assertThat(validationResult.getErrors()).containsOnlyKeys("conditions");
 
         invalidConfig = getConfig().toBuilder()
                 .conditions(this.getConditions())
                 .build();
 
-        validationResult = invalidConfig.validate();
+        validationResult = invalidConfig.validate(userContext);
         assertThat(validationResult.failed()).isTrue();
         assertThat(validationResult.getErrors()).containsOnlyKeys("series");
     }
 
     @Test
     public void testValidConfiguration() {
-        final ValidationResult validationResult = getConfig().validate();
+        final ValidationResult validationResult = getConfig().validate(userContext);
         assertThat(validationResult.failed()).isFalse();
         assertThat(validationResult.getErrors().size()).isEqualTo(0);
     }
@@ -324,7 +333,7 @@ public void testValidFilterConfiguration() {
                 .streams(ImmutableSet.of("1", "2"))
                 .build();
 
-        final ValidationResult validationResult = config.validate();
+        final ValidationResult validationResult = config.validate(userContext);
         assertThat(validationResult.failed()).isFalse();
         assertThat(validationResult.getErrors().size()).isEqualTo(0);
     }
@@ -337,7 +346,7 @@ public void testValidAggregationConfiguration() {
                 .conditions(this.getConditions())
                 .build();
 
-        final ValidationResult validationResult = config.validate();
+        final ValidationResult validationResult = config.validate(userContext);
         assertThat(validationResult.failed()).isFalse();
         assertThat(validationResult.getErrors().size()).isEqualTo(0);
     }
@@ -352,7 +361,9 @@ public void requiredPermissions() {
     @Test
     @MongoDBFixtures("aggregation-processors.json")
     public void requiredPermissionsWithEmptyStreams() {
+        when(userContext.isPermitted(RestPermissions.STREAMS_READ)).thenReturn(false);
+
         assertThat(dbService.get("54e3deadbeefdeadbeefafff")).get().satisfies(definition ->
-                assertThat(definition.config().requiredPermissions()).containsOnly("streams:read"));
+                assertThat(definition.config().validate(userContext).getErrors()).containsKey("streams"));
     }
 }