First step of implementing chunk1 for sensitive conf protection(#8284)

opencti-platform/opencti-front/src/private/components/settings/roles/RoleEditionCapabilities.tsx

@@ -15,6 +15,8 @@ import { RoleEditionCapabilitiesLinesSearchQuery } from './__generated__/RoleEdi
 import { RoleEditionCapabilities_role$data } from './__generated__/RoleEditionCapabilities_role.graphql';
 import useApiMutation from '../../../../utils/hooks/useApiMutation';
 import { SETTINGS } from '../../../../utils/hooks/useGranted';
+import useHelper from '../../../../utils/hooks/useHelper';
+import useSensitiveModifications from '../../../../utils/hooks/useSensitiveModifications';
 
 const roleEditionAddCapability = graphql`
   mutation RoleEditionCapabilitiesAddCapabilityMutation(
@@ -101,9 +103,30 @@ const RoleEditionCapabilitiesComponent: FunctionComponent<RoleEditionCapabilitie
     }
   };
 
+  const {ffenabled, isSensitiveModifAllowed} = useSensitiveModifications();
+
   if (capabilities && capabilities.edges) {
     return (
       <List dense={true}>
+        {ffenabled && (
+        <ListItem
+            key='sensitive'
+            divider={true}
+            style={{paddingLeft: 0}}
+        >
+          <ListItemIcon style={{ minWidth: 32 }}>
+            <LocalPoliceOutlined fontSize="small" />
+          </ListItemIcon>
+          <ListItemText primary={t_i18n('Allow modification of sensitive configuration')} />
+          <ListItemSecondaryAction>
+            <Checkbox
+                onChange={(event) => handleToggle('1234', event)}
+                checked={isSensitiveModifAllowed}
+                disabled={false}
+            />
+          </ListItemSecondaryAction>
+        </ListItem>
+        )}
         {capabilities.edges.map((edge) => {
           const capability = edge?.node;
           if (capability) {

opencti-platform/opencti-front/src/schema/relay.schema.graphql

@@ -1608,6 +1608,7 @@ type MeUser implements BasicObject & InternalObject {
   submenu_show_icons: Boolean
   submenu_auto_collapse: Boolean
   monochrome_labels: Boolean
+  is_sensitive_changes_allow: Boolean
 }
 
 type SessionDetail {
@@ -1694,6 +1695,7 @@ type Role implements BasicObject & InternalObject {
   updated_at: DateTime!
   capabilities: [Capability]
   editContext: [EditUserContext!]
+  is_sensitive_changes_allow: Boolean
 }
 
 input RoleAddInput {

opencti-platform/opencti-front/src/utils/hooks/useSensitiveModifications.ts

@@ -0,0 +1,12 @@
+import useAuth from './useAuth';
+import useScale from './useScale';
+
+const PROTECT_SENSITIVE_CHANGES_FF = 'PROTECT_SENSITIVE_CHANGES';
+
+const useSensitiveModifications = () => {
+    const { me } = useAuth();
+    // with FF  & me.sensitve truc;
+    return {ffenabled: true, isSensitiveModifAllowed: true};
+};
+
+export default useSensitiveModifications;

opencti-platform/opencti-graphql/config/default.json

@@ -11,7 +11,8 @@
       "NEW_IMPORT_SCREENS",
       "FILIGRAN_LOADER",
       "CONTAINERS_AUTHORIZED_MEMBERS",
-      "TELEMETRY_COUNT_ACTIVE_USERS"
+      "TELEMETRY_COUNT_ACTIVE_USERS",
+      "PROTECT_SENSITIVE_CHANGES"
     ],
     "https_cert": {
       "ca": [],

opencti-platform/opencti-graphql/config/schema/opencti.graphql

@@ -1542,6 +1542,7 @@ type MeUser implements BasicObject & InternalObject {
   submenu_show_icons: Boolean
   submenu_auto_collapse: Boolean
   monochrome_labels: Boolean
+  is_sensitive_changes_allow: Boolean
 }
 type SessionDetail {
   id: ID!
@@ -1624,6 +1625,7 @@ type Role implements BasicObject & InternalObject {
   updated_at: DateTime!
   capabilities: [Capability]
   editContext: [EditUserContext!]
+  is_sensitive_changes_allow: Boolean
 }
 input RoleAddInput {
   name: String! @constraint(minLength: 2, format: "not-blank")

opencti-platform/opencti-graphql/src/domain/grant.js

@@ -5,6 +5,8 @@ import { ENTITY_TYPE_CAPABILITY, ENTITY_TYPE_GROUP, ENTITY_TYPE_ROLE } from '../
 import { RELATION_HAS_CAPABILITY } from '../schema/internalRelationship';
 import { generateStandardId } from '../schema/identifier';
 import { publishUserAction } from '../listener/UserActionListener';
+import {isFeatureEnabled} from '../config/conf';
+import {PROTECT_SENSITIVE_CHANGES_FF} from './user';
 
 export const addCapability = async (context, user, capability) => {
   return createEntity(context, user, capability, ENTITY_TYPE_CAPABILITY);
@@ -16,7 +18,19 @@ export const addRole = async (context, user, role) => {
     assoc('description', role.description ? role.description : ''),
     dissoc('capabilities'),
   )(role);
-  const { element, isCreation } = await createEntity(context, user, roleToCreate, ENTITY_TYPE_ROLE, { complete: true });
+
+  let completeRoleToCreate;
+  if(isFeatureEnabled((PROTECT_SENSITIVE_CHANGES_FF))){
+    completeRoleToCreate = {
+      ...roleToCreate,
+      is_sensitive_changes_allow: true
+    }
+  } else {
+    completeRoleToCreate = {
+      ...roleToCreate
+    }
+  }
+  const { element, isCreation } = await createEntity(context, user, completeRoleToCreate, ENTITY_TYPE_ROLE, { complete: true });
   const relationPromises = capabilities.map(async (capabilityName) => {
     const generateToId = generateStandardId(ENTITY_TYPE_CAPABILITY, { name: capabilityName });
     return createRelation(context, user, { fromId: element.id, toId: generateToId, relationship_type: RELATION_HAS_CAPABILITY });

opencti-platform/opencti-graphql/src/domain/user.js

@@ -9,7 +9,7 @@ import {
   ACCOUNT_STATUSES,
   BUS_TOPICS,
   DEFAULT_ACCOUNT_STATUS,
-  ENABLED_DEMO_MODE,
+  ENABLED_DEMO_MODE, isFeatureEnabled,
   logApp,
   OPENCTI_SESSION,
   PLATFORM_VERSION,
@@ -1280,6 +1280,13 @@ const getStackTrace = () => {
   Error.captureStackTrace(obj, getStackTrace);
   return obj.stack;
 };
+
+
+export const PROTECT_SENSITIVE_CHANGES_FF='PROTECT_SENSITIVE_CHANGES';
+const isSensitiveChangesAllowed = async (context) => {
+  return true;
+};
+
 export const buildCompleteUser = async (context, client) => {
   if (!client) {
     return undefined;
@@ -1330,8 +1337,14 @@ export const buildCompleteUser = async (context, client) => {
   const no_creators = groups.filter((g) => g.no_creators).length === groups.length;
   const restrict_delete = !isByPass && groups.filter((g) => g.restrict_delete).length === groups.length;
 
+  let ff = null;
+  if(isFeatureEnabled(PROTECT_SENSITIVE_CHANGES_FF)){
+    ff = {is_sensitive_changes_allow: isSensitiveChangesAllowed(context)}
+  }
+
   return {
     ...client,
+    ...ff,
     roles,
     capabilities,
     default_hidden_types,
@@ -1349,6 +1362,8 @@ export const buildCompleteUser = async (context, client) => {
     no_creators,
     restrict_delete,
   };
+
+
 };
 
 export const resolveUserByIdFromCache = async (context, id) => {

opencti-platform/opencti-graphql/src/generated/graphql.ts

@@ -12761,6 +12761,7 @@ export type MeUser = BasicObject & InternalObject & {
   groups?: Maybe<GroupConnection>;
   id: Scalars['ID']['output'];
   individual_id?: Maybe<Scalars['String']['output']>;
+  is_sensitive_changes_allow?: Maybe<Scalars['Boolean']['output']>;
   language?: Maybe<Scalars['String']['output']>;
   lastname?: Maybe<Scalars['String']['output']>;
   max_shareable_marking?: Maybe<Array<MarkingDefinition>>;
@@ -22317,6 +22318,7 @@ export type Role = BasicObject & InternalObject & {
   editContext?: Maybe<Array<EditUserContext>>;
   entity_type: Scalars['String']['output'];
   id: Scalars['ID']['output'];
+  is_sensitive_changes_allow?: Maybe<Scalars['Boolean']['output']>;
   name: Scalars['String']['output'];
   parent_types: Array<Maybe<Scalars['String']['output']>>;
   standard_id: Scalars['String']['output'];
@@ -35669,6 +35671,7 @@ export type MeUserResolvers<ContextType = any, ParentType extends ResolversParen
   groups?: Resolver<Maybe<ResolversTypes['GroupConnection']>, ParentType, ContextType, Partial<MeUserGroupsArgs>>;
   id?: Resolver<ResolversTypes['ID'], ParentType, ContextType>;
   individual_id?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
+  is_sensitive_changes_allow?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType>;
   language?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   lastname?: Resolver<Maybe<ResolversTypes['String']>, ParentType, ContextType>;
   max_shareable_marking?: Resolver<Maybe<Array<ResolversTypes['MarkingDefinition']>>, ParentType, ContextType>;
@@ -37827,6 +37830,7 @@ export type RoleResolvers<ContextType = any, ParentType extends ResolversParentT
   editContext?: Resolver<Maybe<Array<ResolversTypes['EditUserContext']>>, ParentType, ContextType>;
   entity_type?: Resolver<ResolversTypes['String'], ParentType, ContextType>;
   id?: Resolver<ResolversTypes['ID'], ParentType, ContextType>;
+  is_sensitive_changes_allow?: Resolver<Maybe<ResolversTypes['Boolean']>, ParentType, ContextType>;
   name?: Resolver<ResolversTypes['String'], ParentType, ContextType>;
   parent_types?: Resolver<Array<Maybe<ResolversTypes['String']>>, ParentType, ContextType>;
   standard_id?: Resolver<ResolversTypes['String'], ParentType, ContextType>;

opencti-platform/opencti-graphql/src/modules/attributes/internalObject-registrationAttributes.ts

@@ -347,6 +347,7 @@ const internalObjectsAttributes: { [k: string]: Array<AttributeDefinition> } = {
   [ENTITY_TYPE_ROLE]: [
     { name: 'name', label: 'Name', type: 'string', format: 'short', mandatoryType: 'external', editDefault: true, multiple: false, upsert: false, isFilterable: true },
     { name: 'description', label: 'Description', type: 'string', format: 'text', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: true },
+    { name: 'is_sensitive_changes_allow', label: 'Is sensitive changes allowed', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },
   ],
   [ENTITY_TYPE_RULE]: [
     { name: 'active', label: 'Status', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: true, isFilterable: true }

opencti-platform/opencti-graphql/src/types/user.d.ts

@@ -4,6 +4,7 @@ import type { ConfidenceLevel } from '../generated/graphql';
 
 interface UserRole extends BasicStoreIdentifier {
   name: string;
+  patate: boolean;
 }
 
 interface UserCapability {