[backend] Sharing saved filters APIs (#11624)

opencti-platform/opencti-front/src/schema/relay.schema.graphql

@@ -10658,6 +10658,7 @@ type Mutation {
   savedFilterAdd(input: SavedFilterAddInput!): SavedFilter
   savedFilterDelete(id: ID!): ID
   savedFilterFieldPatch(id: ID!, input: [EditInput!]): SavedFilter
+  savedFilterEditAuthorizedMembers(id: ID!, input: [MemberAccessInput!]!): SavedFilter
   requestAccessAdd(input: RequestAccessAddInput!): ID
   requestAccessConfigure(input: RequestAccessConfigureInput!): RequestAccessConfiguration
   pirAdd(input: PirAddInput!): Pir
@@ -15147,6 +15148,8 @@ type SavedFilter implements InternalObject & BasicObject {
   name: String!
   filters: String!
   scope: String!
+  authorizedMembers: [MemberAccess!]!
+  currentUserAccessRight: String
 }
 
 type SavedFilterEdge {

opencti-platform/opencti-graphql/src/generated/graphql.ts

@@ -17220,6 +17220,7 @@ export type Mutation = {
   samlProviderEdit?: Maybe<AuthenticationProvider>;
   savedFilterAdd?: Maybe<SavedFilter>;
   savedFilterDelete?: Maybe<Scalars['ID']['output']>;
+  savedFilterEditAuthorizedMembers?: Maybe<SavedFilter>;
   savedFilterFieldPatch?: Maybe<SavedFilter>;
   sectorAdd?: Maybe<Sector>;
   sectorEdit?: Maybe<SectorEditMutations>;
@@ -19212,6 +19213,12 @@ export type MutationSavedFilterDeleteArgs = {
 };
 
 
+export type MutationSavedFilterEditAuthorizedMembersArgs = {
+  id: Scalars['ID']['input'];
+  input: Array<MemberAccessInput>;
+};
+
+
 export type MutationSavedFilterFieldPatchArgs = {
   id: Scalars['ID']['input'];
   input?: InputMaybe<Array<EditInput>>;
@@ -28975,6 +28982,8 @@ export type SamlInput = {
 
 export type SavedFilter = BasicObject & InternalObject & {
   __typename?: 'SavedFilter';
+  authorizedMembers: Array<MemberAccess>;
+  currentUserAccessRight?: Maybe<Scalars['String']['output']>;
   entity_type: Scalars['String']['output'];
   filters: Scalars['String']['output'];
   id: Scalars['ID']['output'];
@@ -47053,6 +47062,7 @@ export type MutationResolvers<ContextType = any, ParentType extends ResolversPar
   samlProviderEdit?: Resolver<Maybe<ResolversTypes['AuthenticationProvider']>, ParentType, ContextType, RequireFields<MutationSamlProviderEditArgs, 'id' | 'input'>>;
   savedFilterAdd?: Resolver<Maybe<ResolversTypes['SavedFilter']>, ParentType, ContextType, RequireFields<MutationSavedFilterAddArgs, 'input'>>;
   savedFilterDelete?: Resolver<Maybe<ResolversTypes['ID']>, ParentType, ContextType, RequireFields<MutationSavedFilterDeleteArgs, 'id'>>;
+  savedFilterEditAuthorizedMembers?: Resolver<Maybe<ResolversTypes['SavedFilter']>, ParentType, ContextType, RequireFields<MutationSavedFilterEditAuthorizedMembersArgs, 'id' | 'input'>>;
   savedFilterFieldPatch?: Resolver<Maybe<ResolversTypes['SavedFilter']>, ParentType, ContextType, RequireFields<MutationSavedFilterFieldPatchArgs, 'id'>>;
   sectorAdd?: Resolver<Maybe<ResolversTypes['Sector']>, ParentType, ContextType, RequireFields<MutationSectorAddArgs, 'input'>>;
   sectorEdit?: Resolver<Maybe<ResolversTypes['SectorEditMutations']>, ParentType, ContextType, RequireFields<MutationSectorEditArgs, 'id'>>;
@@ -49471,6 +49481,8 @@ export type SamlConfigurationResolvers<ContextType = any, ParentType extends Res
 }>;
 
 export type SavedFilterResolvers<ContextType = any, ParentType extends ResolversParentTypes['SavedFilter'] = ResolversParentTypes['SavedFilter']> = ResolversObject<{
+  authorizedMembers?: Resolver<Array<ResolversTypes['MemberAccess']>, ParentType, ContextType>;
+  currentUserAccessRight?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   entity_type?: Resolver<ResolversTypes['String'], ParentType, ContextType>;
   filters?: Resolver<ResolversTypes['String'], ParentType, ContextType>;
   id?: Resolver<ResolversTypes['ID'], ParentType, ContextType>;

opencti-platform/opencti-graphql/src/modules/draftWorkspace/draftWorkspace-domain.ts

@@ -173,7 +173,6 @@ export const getProcessingCount = async (context: AuthContext, user: AuthUser, d
 };
 
 export const getCurrentUserAccessRight = async (
-  context: AuthContext,
   user: AuthUser,
   draft: BasicStoreEntityDraftWorkspace,
 ) => {

opencti-platform/opencti-graphql/src/modules/draftWorkspace/draftWorkspace-resolvers.ts

@@ -48,7 +48,7 @@ const draftWorkspaceResolvers: Resolvers = {
     },
     validationWork: (draft, _, context) => (draft.validation_work_id ? findWorkById(context, context.user, draft.validation_work_id) as any : null),
     authorizedMembers: (workspace, _, context) => getAuthorizedMembers(context, context.user, workspace),
-    currentUserAccessRight: (workspace, _, context) => getCurrentUserAccessRight(context, context.user, workspace),
+    currentUserAccessRight: (workspace, _, context) => getCurrentUserAccessRight(context.user, workspace),
     objectParticipant: async (workspace, _, context) => loadParticipants(context, context.user, workspace),
     objectAssignee: async (workspace, _, context) => loadAssignees(context, context.user, workspace),
     createdBy: (rel, _, context) => loadThroughDenormalized(context, context.user, rel, INPUT_CREATED_BY),

opencti-platform/opencti-graphql/src/modules/savedFilter/savedFilter-domain.ts

@@ -1,12 +1,14 @@
 import { publishUserAction } from '../../listener/UserActionListener';
-import { FunctionalError } from '../../config/errors';
+import { ForbiddenAccess, FunctionalError } from '../../config/errors';
 import { updateAttribute } from '../../database/middleware';
 import { type BasicStoreEntitySavedFilter, ENTITY_TYPE_SAVED_FILTER, type StoreEntitySavedFilter } from './savedFilter-types';
 import type { AuthContext, AuthUser } from '../../types/user';
 import { pageEntitiesConnection, storeLoadById } from '../../database/middleware-loader';
-import type { MutationSavedFilterFieldPatchArgs, QuerySavedFiltersArgs, SavedFilterAddInput } from '../../generated/graphql';
+import type { MemberAccessInput, MutationSavedFilterFieldPatchArgs, QuerySavedFiltersArgs, SavedFilterAddInput } from '../../generated/graphql';
 import { createInternalObject, deleteInternalObject } from '../../domain/internalObject';
-import { MEMBER_ACCESS_RIGHT_ADMIN } from '../../utils/access';
+import { getUserAccessRight, KNOWLEDGE_KNSHAREFILTERS, MEMBER_ACCESS_RIGHT_ADMIN } from '../../utils/access';
+import { editAuthorizedMembers } from '../../utils/authorizedMembers';
+import { isFeatureEnabled } from '../../config/conf';
 
 const findById = (context: AuthContext, user: AuthUser, id: string) => {
   return storeLoadById<BasicStoreEntitySavedFilter>(context, user, id, ENTITY_TYPE_SAVED_FILTER);
@@ -46,3 +48,28 @@ export const fieldPatchSavedFilter = async (context: AuthContext, user: AuthUser
 
   return element;
 };
+
+export const savedFilterEditAuthorizedMembers = async (
+  context: AuthContext,
+  user: AuthUser,
+  savedFilterId: string,
+  input: MemberAccessInput[],
+) => {
+  if (!isFeatureEnabled('SHARE_FILTERS')) {
+    throw ForbiddenAccess('Sharing saved filters is disabled');
+  }
+  const args = {
+    entityId: savedFilterId,
+    input,
+    requiredCapabilities: [KNOWLEDGE_KNSHAREFILTERS],
+    entityType: ENTITY_TYPE_SAVED_FILTER,
+  };
+  return editAuthorizedMembers(context, user, args);
+};
+
+export const getCurrentUserAccessRight = (
+  user: AuthUser,
+  savedFilter: BasicStoreEntitySavedFilter,
+) => {
+  return getUserAccessRight(user, savedFilter);
+};

opencti-platform/opencti-graphql/src/modules/savedFilter/savedFilter-resolver.ts

@@ -1,10 +1,22 @@
 import type { Resolvers } from '../../generated/graphql';
-import { addSavedFilter, deleteSavedFilter, fieldPatchSavedFilter, findSaveFilterPaginated } from './savedFilter-domain';
+import {
+  addSavedFilter,
+  deleteSavedFilter,
+  fieldPatchSavedFilter,
+  findSaveFilterPaginated,
+  getCurrentUserAccessRight,
+  savedFilterEditAuthorizedMembers,
+} from './savedFilter-domain';
+import { getAuthorizedMembers } from '../../utils/authorizedMembers';
 
 const savedFilterResolver: Resolvers = {
   Query: {
     savedFilters: (_, args, context) => findSaveFilterPaginated(context, context.user, args),
   },
+  SavedFilter: {
+    authorizedMembers: (savedFilter, _, context) => getAuthorizedMembers(context, context.user, savedFilter),
+    currentUserAccessRight: (savedFilter, _, context) => getCurrentUserAccessRight(context.user, savedFilter),
+  },
   Mutation: {
     savedFilterAdd: (_, { input }, context) => {
       return addSavedFilter(context, context.user, input);
@@ -15,6 +27,9 @@ const savedFilterResolver: Resolvers = {
     savedFilterFieldPatch: (_, args, context) => {
       return fieldPatchSavedFilter(context, context.user, args);
     },
+    savedFilterEditAuthorizedMembers: (_, { id, input }, context) => {
+      return savedFilterEditAuthorizedMembers(context, context.user, id, input);
+    },
   },
 };
 

opencti-platform/opencti-graphql/src/modules/savedFilter/savedFilter.graphql

@@ -8,6 +8,9 @@ type SavedFilter implements InternalObject & BasicObject {
     name: String!
     filters: String!
     scope: String!
+    # Sharing
+    authorizedMembers: [MemberAccess!]! @ff(flags: ["SHARE_FILTERS"], softFail: true)
+    currentUserAccessRight: String @ff(flags: ["SHARE_FILTERS"], softFail: true)
 }
 
 type SavedFilterEdge {
@@ -47,4 +50,5 @@ type Mutation {
     savedFilterAdd(input: SavedFilterAddInput!): SavedFilter @auth
     savedFilterDelete(id: ID!): ID @auth
     savedFilterFieldPatch(id: ID!, input: [EditInput!]): SavedFilter @auth
+    savedFilterEditAuthorizedMembers(id: ID!, input: [MemberAccessInput!]!): SavedFilter @auth(for: [KNOWLEDGE_KNSHAREFILTERS]) @ff(flags: ["SHARE_FILTERS"])
 }

opencti-platform/opencti-graphql/src/modules/savedFilter/savedFilter.ts

@@ -3,7 +3,7 @@ import convertSavedFiltersToStix from './savedFilter-converter';
 import { ENTITY_TYPE_SAVED_FILTER, type StoreEntitySavedFilter, type StixSavedFilter } from './savedFilter-types';
 import { ABSTRACT_INTERNAL_OBJECT } from '../../schema/general';
 import { type ModuleDefinition, registerDefinition } from '../../schema/module';
-import { creators, createdAt } from '../../schema/attribute-definition';
+import { authorizedMembers, creators, createdAt } from '../../schema/attribute-definition';
 
 const SAVED_FILTER_DEFINITION: ModuleDefinition<StoreEntitySavedFilter, StixSavedFilter> = {
   type: {
@@ -20,6 +20,7 @@ const SAVED_FILTER_DEFINITION: ModuleDefinition<StoreEntitySavedFilter, StixSave
   attributes: [
     creators,
     createdAt,
+    authorizedMembers,
     {
       name: 'name',
       label: 'Name',

opencti-platform/opencti-graphql/src/modules/workspace/workspace-domain.ts

@@ -83,7 +83,6 @@ export const workspaceEditAuthorizedMembers = async (
 };
 
 export const getCurrentUserAccessRight = async (
-  _context: AuthContext,
   user: AuthUser,
   workspace: BasicStoreEntityWorkspace,
 ) => {

opencti-platform/opencti-graphql/src/modules/workspace/workspace-resolver.ts

@@ -33,7 +33,7 @@ const workspaceResolvers: Resolvers = {
   },
   Workspace: {
     authorizedMembers: (workspace, _, context) => getAuthorizedMembers(context, context.user, workspace),
-    currentUserAccessRight: (workspace, _, context) => getCurrentUserAccessRight(context, context.user, workspace),
+    currentUserAccessRight: (workspace, _, context) => getCurrentUserAccessRight(context.user, workspace),
     owner: (workspace, _, context) => loadCreator(context, context.user, getOwnerId(workspace)),
     objects: (workspace, args, context) => {
       return objects(context, context.user, workspace, args) as any;

opencti-platform/opencti-graphql/tests/02-dataInjection/01-dataCount/entityCountHelper.ts

@@ -55,7 +55,7 @@ export const relationsCounter = {
   'attributed-to': 2,
   'created-by': 22,
   'external-reference': 7,
-  'has-capability': 73,
+  'has-capability': 74,
   'has-role': 9,
   indicates: 4,
   'kill-chain-phase': 3,