Skip to content

Commit 33e4d63

Browse files
authored
Merge pull request #914 from dfir-iris/api_v2_create_object_comment
Api v2 create object comment
2 parents 367f0b4 + 374dddb commit 33e4d63

65 files changed

Lines changed: 1288 additions & 463 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/ci.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -185,7 +185,13 @@ jobs:
185185
PYTHONUNBUFFERED=true python -m unittest --verbose
186186
- name: Stop development server
187187
run: |
188+
docker compose logs app > ${{ runner.temp }}/iriswebapp_app.log
188189
docker compose down
190+
- name: Upload artifact
191+
uses: actions/upload-artifact@v4
192+
with:
193+
name: Test API iriswebapp_app logs
194+
path: ${{ runner.temp }}/iriswebapp_app.log
189195

190196
test-database-migration:
191197
name: Database migration tests

source/app/blueprints/access_controls.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@
4848
from app.datamgmt.manage.manage_access_control_db import user_has_client_access
4949
from app.datamgmt.manage.manage_users_db import get_user
5050
from app.iris_engine.access_control.iris_user import iris_current_user
51-
from app.iris_engine.access_control.utils import ac_fast_check_user_has_case_access
51+
from app.business.access_controls import ac_fast_check_user_has_case_access
5252
from app.iris_engine.access_control.utils import ac_get_effective_permissions_of_user
5353
from app.iris_engine.utils.tracker import track_activity
5454
from app.models.authorization import Permissions

source/app/blueprints/graphql/permissions.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@
2525
from app.blueprints.access_controls import get_case_access_from_api
2626
from app.iris_engine.access_control.iris_user import iris_current_user
2727
from app.iris_engine.access_control.utils import ac_get_effective_permissions_of_user
28-
from app.iris_engine.access_control.utils import ac_fast_check_current_user_has_case_access
28+
from app.business.access_controls import ac_fast_check_current_user_has_case_access
2929

3030

3131
class PermissionDeniedError(Exception):

source/app/blueprints/pages/manage/manage_cases_routes.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@
3434
from app.datamgmt.manage.manage_cases_db import get_case_protagonists
3535
from app.datamgmt.manage.manage_common import get_severities_list
3636
from app.forms import AddCaseForm
37-
from app.iris_engine.access_control.utils import ac_fast_check_current_user_has_case_access
37+
from app.business.access_controls import ac_fast_check_current_user_has_case_access
3838
from app.iris_engine.access_control.utils import ac_current_user_has_permission
3939
from app.models.authorization import CaseAccessLevel
4040
from app.models.authorization import Permissions

source/app/blueprints/rest/alerts_routes.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1019,6 +1019,7 @@ def alert_comment_edit(alert_id, com_id):
10191019

10201020

10211021
@alerts_rest_blueprint.route('/alerts/<int:alert_id>/comments/add', methods=['POST'])
1022+
@endpoint_deprecated('POST', '/api/v2/alerts/{alert_identifier}/comments')
10221023
@ac_api_requires(Permissions.alerts_write)
10231024
def case_comment_add(alert_id):
10241025
"""

source/app/blueprints/rest/case/case_assets_routes.py

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@
4747
from app.datamgmt.manage.manage_attribute_db import get_default_custom_attributes
4848
from app.datamgmt.manage.manage_users_db import get_user_cases_fast
4949
from app.datamgmt.states import get_assets_state
50-
from app.iris_engine.access_control.utils import ac_fast_check_current_user_has_case_access
50+
from app.business.access_controls import ac_fast_check_current_user_has_case_access
5151
from app.iris_engine.module_handler.module_handler import call_modules_hook
5252
from app.iris_engine.utils.tracker import track_activity
5353
from app.models.models import AnalysisStatus
@@ -349,6 +349,7 @@ def case_comment_asset_list(cur_id, caseid):
349349

350350

351351
@case_assets_rest_blueprint.route('/case/assets/<int:cur_id>/comments/add', methods=['POST'])
352+
@endpoint_deprecated('POST', '/api/v2/assets/{asset_identifier}/comments')
352353
@ac_requires_case_identifier(CaseAccessLevel.full_access)
353354
@ac_api_requires()
354355
def case_comment_asset_add(cur_id, caseid):

source/app/blueprints/rest/case/case_evidences_routes.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -152,6 +152,7 @@ def case_comment_evidence_list(cur_id, caseid):
152152

153153

154154
@case_evidences_rest_blueprint.route('/case/evidences/<int:cur_id>/comments/add', methods=['POST'])
155+
@endpoint_deprecated('POST', '/api/v2/evidences/{evidence_identifier}/comments')
155156
@ac_requires_case_identifier(CaseAccessLevel.full_access)
156157
@ac_api_requires()
157158
def case_comment_evidence_add(cur_id, caseid):

source/app/blueprints/rest/case/case_ioc_routes.py

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@
4545
from app.datamgmt.case.case_iocs_db import get_tlps_dict
4646
from app.datamgmt.manage.manage_attribute_db import get_default_custom_attributes
4747
from app.datamgmt.states import get_ioc_state
48-
from app.iris_engine.access_control.utils import ac_fast_check_current_user_has_case_access
48+
from app.business.access_controls import ac_fast_check_current_user_has_case_access
4949
from app.iris_engine.module_handler.module_handler import call_modules_hook
5050
from app.iris_engine.utils.tracker import track_activity
5151
from app.models.authorization import CaseAccessLevel
@@ -259,6 +259,7 @@ def case_comment_ioc_list(cur_id, caseid):
259259

260260

261261
@case_ioc_rest_blueprint.route('/case/ioc/<int:cur_id>/comments/add', methods=['POST'])
262+
@endpoint_deprecated('POST', '/api/v2/iocs/{ioc_identifier}/comments')
262263
@ac_requires_case_identifier(CaseAccessLevel.full_access)
263264
@ac_api_requires()
264265
def case_comment_ioc_add(cur_id, caseid):

source/app/blueprints/rest/case/case_notes_routes.py

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -404,6 +404,7 @@ def case_comment_note_list(cur_id, caseid):
404404

405405

406406
@case_notes_rest_blueprint.route('/case/notes/<int:cur_id>/comments/add', methods=['POST'])
407+
@endpoint_deprecated('POST', '/api/v2/notes/{note_identifier}/comments')
407408
@ac_requires_case_identifier(CaseAccessLevel.full_access)
408409
@ac_api_requires()
409410
def case_comment_note_add(cur_id, caseid):

source/app/blueprints/rest/case/case_routes.py

Lines changed: 16 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -38,9 +38,8 @@
3838
from app.datamgmt.manage.manage_groups_db import get_group_with_members
3939
from app.datamgmt.manage.manage_users_db import get_user
4040
from app.datamgmt.manage.manage_users_db import get_users_list_restricted_from_case
41-
from app.datamgmt.manage.manage_users_db import set_user_case_access
41+
from app.business.access_controls import set_user_case_access, ac_fast_check_user_has_case_access
4242
from app.business.cases import cases_export_to_json
43-
from app.iris_engine.access_control.utils import ac_fast_check_user_has_case_access
4443
from app.iris_engine.access_control.utils import ac_set_case_access_for_users
4544
from app.iris_engine.utils.tracker import track_activity
4645
from app.models.models import CaseStatus
@@ -243,21 +242,29 @@ def user_cac_set_case(caseid):
243242

244243
try:
245244

246-
success, logs = set_user_case_access(user.id, data.get('case_id'), data.get('access_level'))
245+
case_identifier = data.get('case_id')
246+
access_level = data.get('access_level')
247+
248+
if user.id is None or type(user.id) is not int:
249+
return response_error('Invalid user id')
250+
if case_identifier is None or type(case_identifier) is not int:
251+
return response_error('Invalid case id')
252+
if access_level is None or type(access_level) is not int:
253+
return response_error('Invalid access level')
254+
if CaseAccessLevel.has_value(access_level) is False:
255+
return response_error('Invalid access level')
256+
257+
set_user_case_access(user.id, case_identifier, access_level)
247258
track_activity('case access set to {} for user {}'.format(data.get('access_level'), user.name), caseid)
248259
add_obj_history_entry(case, 'access changed to {} for user {}'.format(data.get('access_level'), user.name))
249260

250261
db.session.commit()
262+
return response_success(msg=f'Case access set to {access_level} for user {user.id}')
251263

252264
except Exception as e:
253265
log.error(f'Error while setting case access for user: {e}')
254266
log.error(traceback.format_exc())
255-
return response_error(msg=str(e))
256-
257-
if success:
258-
return response_success(msg=logs)
259-
260-
return response_error(msg=logs)
267+
return response_error(str(e))
261268

262269

263270
@case_rest_blueprint.route('/case/update-status', methods=['POST'])

0 commit comments

Comments
 (0)