[backend/frontend] Implementation of sensitive configuration protection (#8284)

opencti-platform/opencti-front/lang/front/de.json

@@ -135,6 +135,7 @@
   "All types of relationship": "Alle Arten von Beziehungen",
   "All types of target": "Alle Arten von Ziel",
   "All years": "Alle Jahre",
+  "Allow modification of sensitive configuration": "Änderung der sensiblen Konfiguration zulassen",
   "Allowed marking definitions": "Erlaubte Markierungsdefinitionen",
   "Allowed markings": "Erlaubte Markierungen",
   "Already in plat.": "Bereits in plat.",

opencti-platform/opencti-front/lang/front/en.json

@@ -135,6 +135,7 @@
   "All types of relationship": "All types of relationship",
   "All types of target": "All types of target",
   "All years": "All years",
+  "Allow modification of sensitive configuration": "Allow modification of sensitive configuration",
   "Allowed marking definitions": "Allowed marking definitions",
   "Allowed markings": "Allowed markings",
   "Already in plat.": "Already in plat.",

opencti-platform/opencti-front/lang/front/es.json

@@ -135,6 +135,7 @@
   "All types of relationship": "Todos los tipos de relación",
   "All types of target": "Todo los tipos de objetivo",
   "All years": "Todos los años",
+  "Allow modification of sensitive configuration": "Permitir la modificación de la configuración sensible",
   "Allowed marking definitions": "Definiciones de marcado permitidas",
   "Allowed markings": "Marcas permitidas",
   "Already in plat.": "Ya está en la plataforma.",

opencti-platform/opencti-front/lang/front/fr.json

@@ -135,6 +135,7 @@
   "All types of relationship": "Tous les types de relation",
   "All types of target": "Tous les types de cible",
   "All years": "Toutes les années",
+  "Allow modification of sensitive configuration": "Permettre la modification d'une configuration sensible",
   "Allowed marking definitions": "Définitions de marquage autorisées",
   "Allowed markings": "Marquages autorisés",
   "Already in plat.": "Déjà dans la plat.",

opencti-platform/opencti-front/lang/front/ja.json

@@ -135,6 +135,7 @@
   "All types of relationship": "全てのリレーションシップの種別",
   "All types of target": "あらゆる種類のターゲット",
   "All years": "すべての年",
+  "Allow modification of sensitive configuration": "機密設定の変更を許可する",
   "Allowed marking definitions": "許可されたマーキング定義",
   "Allowed markings": "許可されるマーキング",
   "Already in plat.": "すでにプラットフォームに存在します",

opencti-platform/opencti-front/lang/front/ko.json

@@ -135,6 +135,7 @@
   "All types of relationship": "모든 관계 유형",
   "All types of target": "모든 대상 유형",
   "All years": "모든 연도",
+  "Allow modification of sensitive configuration": "민감한 구성의 수정 허용",
   "Allowed marking definitions": "허용된 마킹 정의",
   "Allowed markings": "허용된 마킹",
   "Already in plat.": "이미 플랫폼에 있음",

opencti-platform/opencti-front/lang/front/zh.json

@@ -135,6 +135,7 @@
   "All types of relationship": "关系的所有类型",
   "All types of target": "所有类型的目标",
   "All years": "所有年份",
+  "Allow modification of sensitive configuration": "允许修改敏感配置",
   "Allowed marking definitions": "允许的标记定义",
   "Allowed markings": "允许的标记",
   "Already in plat.": "已经在平台",

opencti-platform/opencti-front/src/private/Root.tsx

@@ -141,6 +141,7 @@ const meUserFragment = graphql`
       id
       name
     }
+    is_sensitive_changes_allow
   }
 `;
 

opencti-platform/opencti-front/src/private/components/settings/groups/Group.tsx

@@ -30,6 +30,7 @@ import ItemIcon from '../../../../components/ItemIcon';
 import GroupHiddenTypesChipList from './GroupHiddenTypesChipList';
 import ExpandableMarkdown from '../../../../components/ExpandableMarkdown';
 import { checkIsMarkingAllowed } from '../../../../utils/markings/markingsFiltering';
+import useSensitiveModifications from '../../../../utils/hooks/useSensitiveModifications';
 
 // Deprecated - https://mui.com/system/styles/basics/
 // Do not use it for new code.
@@ -123,6 +124,7 @@ const Group = ({ groupData }: { groupData: Group_group$key }) => {
   const classes = useStyles();
   const { t_i18n } = useFormatter();
   const group = useFragment<Group_group$key>(groupFragment, groupData);
+  const { ffenabled, isSensitiveModifAllowed } = useSensitiveModifications();
   const markingsSort = R.sortWith([
     R.ascend(R.propOr('TLP', 'definition_type')),
     R.descend(R.propOr(0, 'x_opencti_order')),
@@ -153,9 +155,19 @@ const Group = ({ groupData }: { groupData: Group_group$key }) => {
       >
         {group.name}
       </Typography>
-      <div className={classes.popover}>
-        <GroupPopover groupId={group.id} />
-      </div>
+      {ffenabled && (
+        isSensitiveModifAllowed
+          ? <div className={classes.popover}>
+            <GroupPopover groupId={group.id} />
+          </div>
+          : <></>
+      )}
+      {!ffenabled && (
+        <div className={classes.popover}>
+          <GroupPopover groupId={group.id} />
+        </div>
+      )
+      }
       <div className="clearfix" />
       <Grid
         container={true}
@@ -458,7 +470,19 @@ const Group = ({ groupData }: { groupData: Group_group$key }) => {
         <Triggers recipientId={group.id} filterKey="authorized_members.id" />
         <GroupUsers groupId={group.id} />
       </Grid>
-      <GroupEdition groupId={group.id} />
+      {ffenabled && (
+        isSensitiveModifAllowed
+          ? <div className={classes.popover}>
+            <GroupEdition groupId={group.id} />
+          </div>
+          : <></>
+      )}
+      {!ffenabled && (
+        <div className={classes.popover}>
+          <GroupEdition groupId={group.id} />
+        </div>
+      )
+      }
     </div>
   );
 };

opencti-platform/opencti-front/src/private/components/settings/roles/CapabilitiesList.tsx

@@ -4,11 +4,15 @@ import List from '@mui/material/List';
 import ListItem from '@mui/material/ListItem';
 import ListItemText from '@mui/material/ListItemText';
 import ListItemIcon from '@mui/material/ListItemIcon';
+import ListItemSecondaryAction from '@mui/material/ListItemSecondaryAction';
+import Checkbox from '@mui/material/Checkbox';
+import LocalPoliceOutlined from '@mui/icons-material/LocalPoliceOutlined';
 import { useFormatter } from '../../../../components/i18n';
 import { roleEditionCapabilitiesLinesSearch } from './RoleEditionCapabilities';
 import { RoleEditionCapabilitiesLinesSearchQuery } from './__generated__/RoleEditionCapabilitiesLinesSearchQuery.graphql';
 import { Role_role$data } from './__generated__/Role_role.graphql';
 import ItemIcon from '../../../../components/ItemIcon';
+import useSensitiveModifications from '../../../../utils/hooks/useSensitiveModifications';
 
 interface CapabilitiesListProps {
   queryRef: PreloadedQuery<RoleEditionCapabilitiesLinesSearchQuery>;
@@ -27,8 +31,23 @@ const CapabilitiesList: FunctionComponent<CapabilitiesListProps> = ({
     roleEditionCapabilitiesLinesSearch,
     queryRef,
   );
+  const { ffenabled } = useSensitiveModifications();
+
   return (
     <List>
+      {ffenabled && (
+      <ListItem
+        key='sensitive'
+        dense={true}
+        divider={true}
+        style={{ paddingLeft: 0 }}
+      >
+        <ListItemIcon style={{ minWidth: 32 }}>
+          <ItemIcon type="Capability" />
+        </ListItemIcon>
+        <ListItemText primary={t_i18n('Allow modification of sensitive configuration')} />
+      </ListItem>
+      )}
       {capabilities?.edges?.map((edge, i) => {
         const capability = edge?.node;
         if (capability) {

opencti-platform/opencti-front/src/private/components/settings/roles/Role.tsx

@@ -24,6 +24,7 @@ import { groupsSearchQuery } from '../Groups';
 import { GroupsSearchQuery } from '../__generated__/GroupsSearchQuery.graphql';
 import ItemIcon from '../../../../components/ItemIcon';
 import ExpandableMarkdown from '../../../../components/ExpandableMarkdown';
+import useSensitiveModifications from '../../../../utils/hooks/useSensitiveModifications';
 
 // Deprecated - https://mui.com/system/styles/basics/
 // Do not use it for new code.
@@ -61,6 +62,7 @@ const roleFragment = graphql`
       name
       description
     }
+    is_sensitive_changes_allow
   }
 `;
 
@@ -81,6 +83,7 @@ const Role = ({
         : null))
       .filter((n) => n !== null && n !== undefined);
   };
+  const { ffenabled, isSensitiveModifAllowed } = useSensitiveModifications();
   const role = useFragment<Role_role$key>(roleFragment, roleData);
   const queryRef = useQueryLoading<RoleEditionCapabilitiesLinesSearchQuery>(
     roleEditionCapabilitiesLinesSearch,
@@ -96,10 +99,20 @@ const Role = ({
         >
           {role.name}
         </Typography>
-        <div className={classes.popover}>
-          <RolePopover roleId={role.id} />
-        </div>
-        <div className="clearfix" />
+        {ffenabled && (
+          isSensitiveModifAllowed
+            ? <div className={classes.popover}>
+              <RolePopover roleId={role.id}/>
+            </div>
+            : <></>
+        )}
+        {!ffenabled && (
+          <div className={classes.popover}>
+            <RolePopover roleId={role.id}/>
+          </div>
+        )
+        }
+        <div className="clearfix"/>
       </div>
       <Grid
         container={true}
@@ -168,6 +181,15 @@ const Role = ({
         variables={{ id: role.id }}
         render={({ props }: { props: RolePopoverEditionQuery$data }) => {
           if (props && props.role) {
+            if (ffenabled) {
+              return (
+                isSensitiveModifAllowed
+                  ? <RoleEdition
+                      role={props.role}
+                    />
+                  : <></>
+              );
+            }
             return (
               <RoleEdition
                 role={props.role}

opencti-platform/opencti-front/src/private/components/settings/roles/RoleEditionCapabilities.tsx

@@ -15,6 +15,7 @@ import { RoleEditionCapabilitiesLinesSearchQuery } from './__generated__/RoleEdi
 import { RoleEditionCapabilities_role$data } from './__generated__/RoleEditionCapabilities_role.graphql';
 import useApiMutation from '../../../../utils/hooks/useApiMutation';
 import { SETTINGS } from '../../../../utils/hooks/useGranted';
+import useSensitiveModifications from '../../../../utils/hooks/useSensitiveModifications';
 
 const roleEditionAddCapability = graphql`
   mutation RoleEditionCapabilitiesAddCapabilityMutation(
@@ -45,6 +46,19 @@ const roleEditionRemoveCapability = graphql`
   }
 `;
 
+const roleEditionPatchAllowSensitiveConf = graphql`
+  mutation RoleEditionCapabilitiesPatchAllowSensitiveChangesMutation(
+    $id: ID!
+    $input: [EditInput]!
+  ) {
+    roleEdit(id: $id) {
+      fieldPatch(input: $input) {
+        is_sensitive_changes_allow
+      }
+    }
+  }
+`;
+
 export const roleEditionCapabilitiesLinesSearch = graphql`
   query RoleEditionCapabilitiesLinesSearchQuery {
     capabilities(first: 500) {
@@ -75,6 +89,7 @@ const RoleEditionCapabilitiesComponent: FunctionComponent<RoleEditionCapabilitie
   })) as { name: string }[];
   const [commitAddCapability] = useApiMutation(roleEditionAddCapability);
   const [commitRemoveCapability] = useApiMutation(roleEditionRemoveCapability);
+  const [commitPatchAllowSensitiveConf] = useApiMutation(roleEditionPatchAllowSensitiveConf);
   const handleToggle = (
     capabilityId: string,
     event: React.ChangeEvent<HTMLInputElement>,
@@ -101,9 +116,46 @@ const RoleEditionCapabilitiesComponent: FunctionComponent<RoleEditionCapabilitie
     }
   };
 
+  const handleSensitiveToggle = (
+    event: React.ChangeEvent<HTMLInputElement>,
+  ) => {
+    const roleId = role.id;
+    commitPatchAllowSensitiveConf({
+      variables: {
+        id: roleId,
+        input: {
+          key: 'is_sensitive_changes_allow',
+          value: event.target.checked,
+        },
+      },
+    });
+    // And invalid me ?? or invalidSession
+  };
+
+  const { ffenabled } = useSensitiveModifications();
+
   if (capabilities && capabilities.edges) {
     return (
       <List dense={true}>
+        {ffenabled && (
+        <ListItem
+          key='sensitive'
+          divider={true}
+          style={{ paddingLeft: 0 }}
+        >
+          <ListItemIcon style={{ minWidth: 32 }}>
+            <LocalPoliceOutlined fontSize="small" />
+          </ListItemIcon>
+          <ListItemText primary={t_i18n('Allow modification of sensitive configuration')} />
+          <ListItemSecondaryAction>
+            <Checkbox
+              onChange={(event) => handleSensitiveToggle(event)}
+              checked={role.is_sensitive_changes_allow ? role.is_sensitive_changes_allow : false}
+              disabled={false}
+            />
+          </ListItemSecondaryAction>
+        </ListItem>
+        )}
         {capabilities.edges.map((edge) => {
           const capability = edge?.node;
           if (capability) {
@@ -155,6 +207,7 @@ const RoleEditionCapabilities = createFragmentContainer(
     role: graphql`
       fragment RoleEditionCapabilities_role on Role {
         id
+        is_sensitive_changes_allow
         capabilities {
           id
           name

opencti-platform/opencti-front/src/schema/relay.schema.graphql

@@ -1608,6 +1608,7 @@ type MeUser implements BasicObject & InternalObject {
   submenu_show_icons: Boolean
   submenu_auto_collapse: Boolean
   monochrome_labels: Boolean
+  is_sensitive_changes_allow: Boolean
 }
 
 type SessionDetail {
@@ -1694,6 +1695,7 @@ type Role implements BasicObject & InternalObject {
   updated_at: DateTime!
   capabilities: [Capability]
   editContext: [EditUserContext!]
+  is_sensitive_changes_allow: Boolean
 }
 
 input RoleAddInput {

opencti-platform/opencti-front/src/utils/hooks/useSensitiveModifications.ts

@@ -0,0 +1,13 @@
+import useAuth from './useAuth';
+import useHelper from './useHelper';
+
+const PROTECT_SENSITIVE_CHANGES_FF = 'PROTECT_SENSITIVE_CHANGES';
+
+const useSensitiveModifications = () => {
+  const { me } = useAuth();
+  const { isFeatureEnable } = useHelper();
+  // When is_sensitive_changes_allow is not set then it's allowed.
+  return { ffenabled: isFeatureEnable(PROTECT_SENSITIVE_CHANGES_FF), isSensitiveModifAllowed: me.is_sensitive_changes_allow ?? true };
+};
+
+export default useSensitiveModifications;

opencti-platform/opencti-graphql/config/default.json

@@ -11,7 +11,8 @@
       "NEW_IMPORT_SCREENS",
       "FILIGRAN_LOADER",
       "CONTAINERS_AUTHORIZED_MEMBERS",
-      "TELEMETRY_COUNT_ACTIVE_USERS"
+      "TELEMETRY_COUNT_ACTIVE_USERS",
+      "PROTECT_SENSITIVE_CHANGES"
     ],
     "https_cert": {
       "ca": [],

opencti-platform/opencti-graphql/config/schema/opencti.graphql

@@ -1542,6 +1542,7 @@ type MeUser implements BasicObject & InternalObject {
   submenu_show_icons: Boolean
   submenu_auto_collapse: Boolean
   monochrome_labels: Boolean
+  is_sensitive_changes_allow: Boolean
 }
 type SessionDetail {
   id: ID!
@@ -1624,6 +1625,7 @@ type Role implements BasicObject & InternalObject {
   updated_at: DateTime!
   capabilities: [Capability]
   editContext: [EditUserContext!]
+  is_sensitive_changes_allow: Boolean
 }
 input RoleAddInput {
   name: String! @constraint(minLength: 2, format: "not-blank")