[backend] Bring back use_aws_role option to force the AWS auth chain …

…usage (#5791)

opencti-platform/opencti-graphql/config/default.json

@@ -202,6 +202,7 @@
  "use_ssl": false,
  "access_key": "ChangeMe",
  "secret_key": "ChangeMe",
+ "use_aws_role": false,
  "excluded_files": [".DS_Store"]
  },
  "rabbitmq": {

opencti-platform/opencti-graphql/package.json

@@ -161,6 +161,7 @@
  "@types/ejs": "3.1.5",
  "@types/express": "4.17.21",
  "@types/graphql-upload": "16.0.7",
+ "@types/mime-types": "2.1.4",
  "@types/nconf": "0.10.6",
  "@types/ramda": "0.29.10",
  "@types/tough-cookie": "4.0.5",

opencti-platform/opencti-graphql/src/config/providers.js

@@ -15,21 +15,15 @@ import { HEADERS_AUTHENTICATORS, initAdmin, login, loginFromProvider } from '../
 import conf, { logApp } from './conf';
 import { AuthenticationFailure, ConfigurationError, UnsupportedError } from './errors';
 import { isEmptyField, isNotEmptyField } from '../database/utils';
-
-export const empty = R.anyPass([R.isNil, R.isEmpty]);
+import { DEFAULT_INVALID_CONF_VALUE } from '../utils/access';
 
 // Admin user initialization
 export const initializeAdminUser = async (context) => {
- const DEFAULT_CONF_VALUE = 'ChangeMe';
  const adminEmail = conf.get('app:admin:email');
  const adminPassword = conf.get('app:admin:password');
  const adminToken = conf.get('app:admin:token');
- if (
- empty(adminEmail)
- || empty(adminPassword)
- || empty(adminToken)
- || adminPassword === DEFAULT_CONF_VALUE
- || adminToken === DEFAULT_CONF_VALUE
+ if (isEmptyField(adminEmail) || isEmptyField(adminPassword) || isEmptyField(adminToken)
+ || adminPassword === DEFAULT_INVALID_CONF_VALUE || adminToken === DEFAULT_INVALID_CONF_VALUE
  ) {
  throw ConfigurationError('You need to configure the environment vars');
  } else {
@@ -41,7 +35,6 @@ export const initializeAdminUser = async (context) => {
  throw ConfigurationError('Token must be a valid UUID');
  }
  // Initialize the admin account
- // noinspection JSIgnoredPromiseFromCall
  await initAdmin(context, adminEmail, adminPassword, adminToken);
  logApp.info('[INIT] admin user initialized');
  }

opencti-platform/opencti-graphql/src/database/file-storage.js

@@ -1,6 +1,6 @@
 import * as s3 from '@aws-sdk/client-s3';
 import * as R from 'ramda';
-import path from 'path';
+import path from 'node:path';
 import { Upload } from '@aws-sdk/lib-storage';
 import { Promise as BluePromise } from 'bluebird';
 import { defaultProvider } from '@aws-sdk/credential-provider-node';
@@ -28,22 +28,27 @@ const bucketName = conf.get('minio:bucket_name') || 'opencti-bucket';
 const bucketRegion = conf.get('minio:bucket_region') || 'us-east-1';
 const excludedFiles = conf.get('minio:excluded_files') || ['.DS_Store'];
 const useSslConnection = booleanConf('minio:use_ssl', false);
+const useAwsRole = booleanConf('minio:use_aws_role', false);
 
 export const specialTypesExtensions = {
  'application/vnd.oasis.stix+json': 'json',
  'application/vnd.mitre.navigator+json': 'json',
 };
 
 const credentialProvider = () => {
- if (clientAccessKey && clientSecretKey) {
- return { accessKeyId: clientAccessKey, secretAccessKey: clientSecretKey, ...(clientSessionToken && { sessionToken: clientSessionToken }) };
+ if (useAwsRole) {
+ return defaultProvider({
+ roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity({
+ // You must explicitly pass a region if you are not using us-east-1
+ region: bucketRegion
+ })
+ });
  }
- return defaultProvider({
- roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity({
- // You must explicitly pass a region if you are not using us-east-1
- region: bucketRegion
- })
- });
+ return {
+ accessKeyId: clientAccessKey,
+ secretAccessKey: clientSecretKey,
+ ...(clientSessionToken && { sessionToken: clientSessionToken })
+ };
 };
 
 const getEndpoint = () => {
@@ -200,9 +205,11 @@ export const loadFile = async (user, filename, opts = {}) => {
  throw UnsupportedError('Load file from storage fail', { cause: err, user_id: user.id, filename });
  }
 };
+
 const getFileName = (fileId) => {
  return fileId?.includes('/') ? R.last(fileId.split('/')) : fileId;
 };
+
 const guessMimeType = (fileId) => {
  const fileName = getFileName(fileId);
  const mimeType = mime.lookup(fileName) || null;

opencti-platform/opencti-graphql/src/http/httpPlatform.js

@@ -2,7 +2,6 @@
 import { URL } from 'node:url';
 import { readFileSync } from 'node:fs';
 import path from 'node:path';
-import * as R from 'ramda';
 import express from 'express';
 import bodyParser from 'body-parser';
 import compression from 'compression';
@@ -14,13 +13,13 @@ import archiverZipEncrypted from 'archiver-zip-encrypted';
 import rateLimit from 'express-rate-limit';
 import contentDisposition from 'content-disposition';
 import { basePath, booleanConf, DEV_MODE, logApp, OPENCTI_SESSION } from '../config/conf';
-import passport, { empty, isStrategyActivated, STRATEGY_CERT } from '../config/providers';
+import passport, { isStrategyActivated, STRATEGY_CERT } from '../config/providers';
 import { authenticateUser, authenticateUserFromRequest, HEADERS_AUTHENTICATORS, loginFromProvider, userWithOrigin } from '../domain/user';
 import { downloadFile, getFileContent, isStorageAlive, loadFile } from '../database/file-storage';
 import createSseMiddleware from '../graphql/sseMiddleware';
 import initTaxiiApi from './httpTaxii';
 import initHttpRollingFeeds from './httpRollingFeed';
-import { executionContext, SYSTEM_USER } from '../utils/access';
+import { DEFAULT_INVALID_CONF_VALUE, executionContext, SYSTEM_USER } from '../utils/access';
 import { ENTITY_TYPE_SETTINGS } from '../schema/internalObject';
 import { getEntityFromCache } from '../database/cache';
 import { isEmptyField, isNotEmptyField } from '../database/utils';
@@ -280,13 +279,13 @@ const createApp = async (app) => {
  res.redirect(redirect);
  } else {
  const cert = req.socket.getPeerCertificate();
- if (!R.isEmpty(cert) && req.client.authorized) {
+ if (isNotEmptyField(cert) && req.client.authorized) {
  const { CN, emailAddress } = cert.subject;
- if (empty(emailAddress)) {
+ if (isEmptyField(emailAddress)) {
  setCookieError(res, 'Client certificate need a correct emailAddress');
  res.redirect(redirect);
  } else {
- const userInfo = { email: emailAddress, name: empty(CN) ? emailAddress : CN };
+ const userInfo = { email: emailAddress, name: isEmptyField(CN) ? emailAddress : CN };
  loginFromProvider(userInfo)
  .then(async (user) => {
  await authenticateUser(context, req, user, 'cert');
@@ -414,7 +413,7 @@ const createApp = async (app) => {
  res.status(503).send({ status: 'error', error: 'request timeout' });
  });
  const configAccessKey = nconf.get('app:health_access_key');
- if (configAccessKey === 'ChangeMe' || isEmptyField(configAccessKey)) {
+ if (configAccessKey === DEFAULT_INVALID_CONF_VALUE || isEmptyField(configAccessKey)) {
  res.status(401).send({ status: 'unauthorized' });
  } else {
  const { health_access_key: access_key } = req.query;

opencti-platform/opencti-graphql/src/utils/access.ts

@@ -17,6 +17,8 @@ import { telemetry } from '../config/tracing';
 import type { BasicStoreSettings } from '../types/settings';
 import { ACCOUNT_STATUS_ACTIVE } from '../config/conf';
 
+export const DEFAULT_INVALID_CONF_VALUE = 'ChangeMe';
+
 export const BYPASS = 'BYPASS';
 export const BYPASS_REFERENCE = 'BYPASSREFERENCE';
 export const SETTINGS_SET_ACCESSES = 'SETTINGS_SETACCESSES';

opencti-platform/opencti-graphql/yarn.lock

@@ -4834,6 +4834,13 @@ __metadata:
  languageName: node
  linkType: hard
 
+"@types/mime-types@npm:2.1.4":
+ version: 2.1.4
+ resolution: "@types/mime-types@npm:2.1.4"
+ checksum: 10/f8c521c54ee0c0b9f90a65356a80b1413ed27ccdc94f5c7ebb3de5d63cedb559cd2610ea55b4100805c7349606a920d96e54f2d16b2f0afa6b7cd5253967ccc9
+ languageName: node
+ linkType: hard
+
 "@types/mime@npm:*":
  version: 3.0.4
  resolution: "@types/mime@npm:3.0.4"
@@ -11218,6 +11225,7 @@ __metadata:
  "@types/ejs": "npm:3.1.5"
  "@types/express": "npm:4.17.21"
  "@types/graphql-upload": "npm:16.0.7"
+ "@types/mime-types": "npm:2.1.4"
  "@types/nconf": "npm:0.10.6"
  "@types/ramda": "npm:0.29.10"
  "@types/tough-cookie": "npm:4.0.5"