[backend] Add authorized members side effect (#14047)

Author: OctaveLaventure

opencti-platform/opencti-front/src/schema/relay.schema.graphql

@@ -9629,6 +9629,10 @@ type Query {
   stixObjectOrStixRelationship(id: String!): StixObjectOrStixRelationship
   stixObjectOrStixRelationships(first: Int, after: ID, search: String, filters: FilterGroup): StixObjectOrStixRelationshipConnection
   stixCoreObjectOrStixCoreRelationship(id: String!): StixCoreObjectOrStixCoreRelationship
+  workflowDefinition(entityType: String!): WorkflowSchema
+  workflowInstance(entityId: String!): WorkflowInstance
+  allowedNextStatuses(entityId: String!): [Status!]!
+  allowedTransitions(entityId: String!): [WorkflowTransition!]!
   csvMapperTest(configuration: String!, content: String!): CsvMapperTestResult @deprecated(reason: "[>=6.4 & <6.7]. Use `csvMapperTest mutation`.")
   channel(id: String!): Channel
   channels(first: Int, after: ID, orderBy: ChannelsOrdering, orderMode: OrderingMode, filters: FilterGroup, search: String): ChannelConnection
@@ -9793,11 +9797,6 @@ type Query {
   Auth log history by provider id: internal_id for DB providers, or static id for singletons (Headers, Cert).
   """
   authLogHistoryById(id: String!): [AuthLogEntry!]!
-
-  workflowDefinition(entityType: String!): WorkflowSchema
-  workflowInstance(entityId: String!): WorkflowInstance
-  allowedNextStatuses(entityId: String!): [Status!]!
-  allowedTransitions(entityId: String!): [WorkflowTransition!]!
 }
 
 type Subscription {
@@ -10457,6 +10456,9 @@ type Mutation {
   stixRefRelationshipEdit(id: ID!): StixRefRelationshipEditMutations
   stixSightingRelationshipAdd(input: StixSightingRelationshipAddInput!): StixSightingRelationship
   stixSightingRelationshipEdit(id: ID!): StixSightingRelationshipEditMutations
+  workflowDefinitionSet(entityType: String!, definition: String!): EntitySetting
+  workflowDefinitionDelete(entityType: String!): EntitySetting
+  triggerWorkflowEvent(entityId: String!, eventName: String!): WorkflowTriggerResult!
   channelAdd(input: ChannelAddInput!): Channel
   channelDelete(id: ID!): ID
   channelFieldPatch(id: ID!, input: [EditInput]!, commitMessage: String, references: [String]): Channel
@@ -10747,9 +10749,6 @@ type Mutation {
   ldapProviderAdd(input: LdapInput!): AuthenticationProvider
   ldapProviderEdit(id: ID!, input: LdapInput!): AuthenticationProvider
   ldapProviderDelete(id: ID!): ID
-  workflowDefinitionSet(entityType: String!, definition: String!): EntitySetting
-  workflowDefinitionDelete(entityType: String!): EntitySetting
-  triggerWorkflowEvent(entityId: String!, eventName: String!): WorkflowTriggerResult!
 }
 
 enum WorkflowActionMode {
@@ -10837,6 +10836,30 @@ type WorkflowInstance {
   allowedTransitions: [WorkflowTransition!]!
 }
 
+type DraftWorkspace implements InternalObject & BasicObject {
+  workflowInstance: WorkflowInstance
+  id: ID!
+  entity_type: String!
+  standard_id: String!
+  parent_types: [String!]!
+  metrics: [Metric]
+  name: String!
+  createdBy: Identity
+  description: String
+  created_at: DateTime!
+  creators: [Creator!]
+  entity_id: String
+  objectAssignee: [Assignee!]
+  objectParticipant: [Participant!]
+  objectsCount: DraftObjectsCount!
+  draft_status: DraftStatus!
+  processingCount: Int!
+  works(first: Int): [Work!]
+  validationWork: Work
+  authorizedMembers: [MemberAccess!]!
+  currentUserAccessRight: String
+}
+
 type Channel implements BasicObject & StixObject & StixCoreObject & StixDomainObject {
   id: ID!
   standard_id: String!
@@ -14984,30 +15007,6 @@ enum DraftStatus {
   validated
 }
 
-type DraftWorkspace implements InternalObject & BasicObject {
-  id: ID!
-  entity_type: String!
-  standard_id: String!
-  parent_types: [String!]!
-  metrics: [Metric]
-  name: String!
-  createdBy: Identity
-  description: String
-  created_at: DateTime!
-  creators: [Creator!]
-  entity_id: String
-  objectAssignee: [Assignee!]
-  objectParticipant: [Participant!]
-  objectsCount: DraftObjectsCount!
-  draft_status: DraftStatus!
-  processingCount: Int!
-  works(first: Int): [Work!]
-  validationWork: Work
-  authorizedMembers: [MemberAccess!]!
-  currentUserAccessRight: String
-  workflowInstance: WorkflowInstance
-}
-
 type DraftObjectsCount {
   totalCount: Int!
   entitiesCount: Int!
@@ -16147,4 +16146,4 @@ type AuthenticationProviderMigrationResult {
 type AvailableSecretInfo {
   provider_name: String!
   secret_name: String!
-}
+}

opencti-platform/opencti-graphql/src/modules/entitySetting/entitySetting-utils.ts

@@ -77,7 +77,7 @@ export const defaultScale = JSON.stringify({
 export const availableSettings: Record<string, Array<string>> = {
   [ABSTRACT_STIX_DOMAIN_OBJECT]: ['attributes_configuration', 'platform_entity_files_ref', 'platform_hidden_type', 'enforce_reference', 'workflow_configuration'],
   [ABSTRACT_STIX_CORE_RELATIONSHIP]: ['attributes_configuration', 'enforce_reference', 'workflow_configuration'],
-  [STIX_SIGHTING_RELATIONSHIP]: ['attributes_configuration', 'enforce_reference', 'platform_hidden_type', 'workflow_configuration'],
+  [STIX_SIGHTING_RELATIONSHIP]: ['attributes_configuration', 'enforce_reference', 'platform_hidden_type', 'workflow_configuration', 'workflow_id'],
   [ABSTRACT_STIX_CYBER_OBSERVABLE]: ['platform_hidden_type'],
   [ENTITY_TYPE_EXTERNAL_REFERENCE]: ['platform_hidden_type'],
   // add templates for containers

opencti-platform/opencti-graphql/src/modules/workflow/registry/workflow-actions.ts

@@ -1,5 +1,5 @@
 import { logApp } from '../../../config/conf';
-import { validateDraftWorkspace } from '../../draftWorkspace/draftWorkspace-domain';
+import { draftWorkspaceEditAuthorizedMembers, validateDraftWorkspace } from '../../draftWorkspace/draftWorkspace-domain';
 import type { Context } from '../types/workflow-types';
 
 export type ActionFunction<TContext extends Context = Context> = (ctx: TContext, params?: any) => Promise<void> | void;
@@ -14,4 +14,8 @@ export const ActionRegistry: Record<string, ActionFunction> = {
     const { entity, user, context } = ctx;
     await validateDraftWorkspace(context, user, entity.id);
   },
+  updateAuthorizedMembers: async (ctx, params) => {
+    const { entity, user, context } = ctx;
+    await draftWorkspaceEditAuthorizedMembers(context, user, entity.id, params?.authorized_members);
+  },
 };

opencti-platform/opencti-graphql/tests/03-integration/02-resolvers/workflow-actions-test.ts

@@ -0,0 +1,140 @@
+import gql from 'graphql-tag';
+import { beforeAll, describe, expect, it } from 'vitest';
+import { adminQuery, ADMIN_USER, TEST_ORGANIZATION } from '../../utils/testQuery';
+
+const WORKFLOW_DEFINITION_SET_MUTATION = gql`
+  mutation WorkflowDefinitionSet($entityType: String!, $definition: String!) {
+    workflowDefinitionSet(entityType: $entityType, definition: $definition) {
+      id
+      target_type
+      workflow_id
+    }
+  }
+`;
+
+const CREATE_DRAFT_WORKSPACE_QUERY = gql`
+  mutation DraftWorkspaceAdd($input: DraftWorkspaceAddInput!) {
+    draftWorkspaceAdd(input: $input) {
+      id
+      name
+      draft_status
+    }
+  }
+`;
+
+const TRIGGER_WORKFLOW_EVENT_MUTATION = gql`
+  mutation TriggerWorkflowEvent($entityId: String!, $eventName: String!) {
+    triggerWorkflowEvent(entityId: $entityId, eventName: $eventName) {
+      success
+      newState
+      reason
+    }
+  }
+`;
+
+const DRAFT_WORKSPACE_QUERY = gql`
+  query DraftWorkspace($id: String!) {
+    draftWorkspace(id: $id) {
+      id
+      name
+      authorizedMembers {
+        member_id
+        access_right
+      }
+    }
+  }
+`;
+
+const WORKFLOW_DEFINITION_DELETE_MUTATION = gql`
+  mutation WorkflowDefinitionDelete($entityType: String!) {
+    workflowDefinitionDelete(entityType: $entityType) {
+      id
+      workflow_id
+    }
+  }
+`;
+
+describe('Workflow Actions Resolver', () => {
+  let draftWorkspaceId: string;
+
+  beforeAll(async () => {
+    const result = await adminQuery({
+      query: CREATE_DRAFT_WORKSPACE_QUERY,
+      variables: {
+        input: { name: 'Workflow Action Test Workspace' },
+      },
+    });
+    draftWorkspaceId = result.data.draftWorkspaceAdd.id;
+  });
+
+  it('should update authorized members on workflow event', async () => {
+    // 1. Define a workflow with updateAuthorizedMembers action
+    const authorizedMembersInput = [
+      { id: ADMIN_USER.id, access_right: 'admin' },
+      { id: TEST_ORGANIZATION.id, access_right: 'view' },
+    ];
+
+    const workflowDefinition = JSON.stringify({
+      id: 'draft-workflow-with-action',
+      name: 'Draft Workflow with Action',
+      initialState: 'open',
+      states: [
+        { name: 'open' },
+        {
+          name: 'restricted',
+          onEnter: [
+            {
+              type: 'updateAuthorizedMembers',
+              params: {
+                authorized_members: authorizedMembersInput
+              },
+            },
+          ],
+        },
+      ],
+      transitions: [{ from: 'open', to: 'restricted', event: 'restrict_event' }],
+    });
+
+    // 2. Set the workflow definition
+    await adminQuery({
+      query: WORKFLOW_DEFINITION_SET_MUTATION,
+      variables: {
+        entityType: 'DraftWorkspace',
+        definition: workflowDefinition,
+      },
+    });
+
+    // 3. Trigger the event
+    const triggerResult = await adminQuery({
+      query: TRIGGER_WORKFLOW_EVENT_MUTATION,
+      variables: {
+        entityId: draftWorkspaceId,
+        eventName: 'restrict_event',
+      },
+    });
+    expect(triggerResult.data.triggerWorkflowEvent.success).toBe(true);
+    expect(triggerResult.data.triggerWorkflowEvent.newState).toBe('restricted');
+
+    // 4. Verify authorized members
+    const workspaceResult = await adminQuery({
+      query: DRAFT_WORKSPACE_QUERY,
+      variables: { id: draftWorkspaceId },
+    });
+
+    const { authorizedMembers } = workspaceResult.data.draftWorkspace;
+    expect(authorizedMembers.length).toBe(2);
+    expect(authorizedMembers).toEqual(expect.arrayContaining([
+      expect.objectContaining({ member_id: ADMIN_USER.id, access_right: 'admin' }),
+      expect.objectContaining({ member_id: TEST_ORGANIZATION.id, access_right: 'view' }),
+    ]));
+  });
+
+  it('should cleanup after tests', async () => {
+    await adminQuery({
+      query: WORKFLOW_DEFINITION_DELETE_MUTATION,
+      variables: {
+        entityType: 'DraftWorkspace',
+      },
+    });
+  });
+});