[MRG] Merge pull request #655 from dfir-iris/hotfix_2.4.17

Hotfix 2.4.17

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.4.16
+current_version = 2.4.17
 commit = True
 tag = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(-(?P<release>.*)-(?P<build>\d+))?

README.md

@@ -6,7 +6,7 @@
 <p align="center">
   Incident Response Investigation System
   <br>
-  <i>Current Version v2.4.16</i>
+  <i>Current Version v2.4.17</i>
   <br>
   <a href="https://v200.beta.dfir-iris.org">Online Demonstration</a>
 </p>
@@ -52,7 +52,7 @@ git clone https://github.com/dfir-iris/iris-web.git
 cd iris-web
 
 # Checkout to the last tagged version 
-git checkout v2.4.16
+git checkout v2.4.17
 
 # Copy the environment file 
 cp .env.model .env

docker-compose.yml

@@ -25,25 +25,25 @@ services:
     extends:
       file: docker-compose.base.yml
       service: db
-    image: ${DB_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_db}:${DB_IMAGE_TAG:-v2.4.16}
+    image: ${DB_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_db}:${DB_IMAGE_TAG:-v2.4.17}
 
   app:
     extends:
       file: docker-compose.base.yml
       service: app
-    image: ${APP_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_app}:${APP_IMAGE_TAG:-v2.4.16}
+    image: ${APP_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_app}:${APP_IMAGE_TAG:-v2.4.17}
 
   worker:
     extends:
       file: docker-compose.base.yml
       service: worker
-    image: ${APP_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_app}:${APP_IMAGE_TAG:-v2.4.16}
+    image: ${APP_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_app}:${APP_IMAGE_TAG:-v2.4.17}
 
   nginx:
     extends:
       file: docker-compose.base.yml
       service: nginx
-    image: ${NGINX_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_nginx}:${NGINX_IMAGE_TAG:-v2.4.16}
+    image: ${NGINX_IMAGE_NAME:-ghcr.io/dfir-iris/iriswebapp_nginx}:${NGINX_IMAGE_TAG:-v2.4.17}
 
 volumes:
   iris-downloads:

source/app/blueprints/alerts/alerts_routes.py

@@ -110,31 +110,45 @@ def alerts_list_route() -> Response:
         except ValueError:
             return response_error('Invalid alert ioc')
 
-    filtered_data = get_filtered_alerts(
-        start_date=request.args.get('creation_start_date'),
-        end_date=request.args.get('creation_end_date'),
-        source_start_date=request.args.get('source_start_date'),
-        source_end_date=request.args.get('source_end_date'),
-        source_reference=request.args.get('source_reference'),
-        title=request.args.get('alert_title'),
-        description=request.args.get('alert_description'),
-        status=request.args.get('alert_status_id', type=int),
-        severity=request.args.get('alert_severity_id', type=int),
-        owner=request.args.get('alert_owner_id', type=int),
-        source=request.args.get('alert_source'),
-        tags=request.args.get('alert_tags'),
-        classification=request.args.get('alert_classification_id', type=int),
-        client=request.args.get('alert_customer_id'),
-        case_id=request.args.get('case_id', type=int),
-        alert_ids=alert_ids,
-        page=page,
-        per_page=per_page,
-        sort=request.args.get('sort'),
-        assets=alert_assets,
-        iocs=alert_iocs,
-        resolution_status=request.args.get('alert_resolution_id', type=int),
-        current_user_id=current_user.id
-    )
+    fields_str = request.args.get('fields')
+    if fields_str:
+        # Split into a list
+        fields = [field.strip() for field in fields_str.split(',') if field.strip()]
+    else:
+        fields = None
+
+    try:
+        filtered_data = get_filtered_alerts(
+            start_date=request.args.get('creation_start_date'),
+            end_date=request.args.get('creation_end_date'),
+            source_start_date=request.args.get('source_start_date'),
+            source_end_date=request.args.get('source_end_date'),
+            source_reference=request.args.get('source_reference'),
+            title=request.args.get('alert_title'),
+            description=request.args.get('alert_description'),
+            status=request.args.get('alert_status_id', type=int),
+            severity=request.args.get('alert_severity_id', type=int),
+            owner=request.args.get('alert_owner_id', type=int),
+            source=request.args.get('alert_source'),
+            tags=request.args.get('alert_tags'),
+            classification=request.args.get('alert_classification_id', type=int),
+            client=request.args.get('alert_customer_id'),
+            case_id=request.args.get('case_id', type=int),
+            alert_ids=alert_ids,
+            page=page,
+            per_page=per_page,
+            sort=request.args.get('sort', 'desc', type=str),
+            custom_conditions=request.args.get('custom_conditions'),
+            assets=alert_assets,
+            iocs=alert_iocs,
+            resolution_status=request.args.get('alert_resolution_id', type=int),
+            current_user_id=current_user.id,
+            fields=fields
+        )
+
+    except Exception as e:
+        app.app.logger.exception(e)
+        return response_error(str(e))
 
     if filtered_data is None:
         return response_error('Filtering error')
@@ -434,6 +448,9 @@ def alerts_batch_update_route() -> Response:
             if not user_has_client_access(current_user.id, alert.alert_customer_id):
                 return response_error('User not entitled to update alerts for the client', status=403)
 
+            if getattr(alert, 'alert_owner_id') is None:
+                updates['alert_owner_id'] = current_user.id
+
             if data.get('alert_owner_id') == "-1" or data.get('alert_owner_id') == -1:
                 updates['alert_owner_id'] = None
 
@@ -531,7 +548,7 @@ def alerts_delete_route(alert_id) -> Response:
         delete_similar_alert_cache(alert_id=alert_id)
 
         # Delete the similarity entries
-        delete_related_alerts_cache(alert_id=alert_id)
+        delete_related_alerts_cache([alert_id])
 
         # Delete the alert from the database
         db.session.delete(alert)

source/app/blueprints/alerts/templates/alerts.html

@@ -179,6 +179,50 @@
                             </select>
                     </div>
                 </div>
+                <div class="form-row mt-3">
+                    <div class="col-md-12">
+                        <button class="btn btn-sm btn-outline-dark" type="button" data-toggle="collapse" data-target="#customConditionsCollapse" aria-expanded="false" aria-controls="customConditionsCollapse">
+                            Custom Conditions
+                        </button>
+                        <a href="#" class="ml-2" data-toggle="collapse" data-target="#customConditionsExamples" aria-expanded="false" aria-controls="customConditionsExamples">
+                            Show Examples
+                        </a>
+                    </div>
+                </div>
+
+                <div class="collapse mt-3" id="customConditionsCollapse">
+                    <div class="form-row">
+                        <div class="col-md-12 form-group">
+                            <label for="custom_conditions">Custom Conditions</label>
+                            <div class="form-control" id="custom_conditions"></div>
+                        </div>
+                    </div>
+                </div>
+
+                <div class="collapse" id="customConditionsExamples">
+                    <div class="card card-body mt-2">
+                        <p>Here are two sample custom conditions:</p>
+                        <pre><code>
+[{
+  "field": "alert_severity_id",
+  "operator": "in",
+  "value": [1, 2]
+},
+{
+  "field": "alert_title",
+  "operator": "like",
+  "value": "phishing"
+}]</code></pre>
+<pre><code>
+[{
+  "field": "severity.severity_name",
+  "operator": "like",
+  "value": "Critical"
+}]
+</code></pre>
+                        <p>Copy one of these conditions and paste it into the "Custom Conditions" field above, then adjust the values as needed.</p>
+                    </div>
+                </div>
                 <div class="form-row mt-3">
                     <div class="col centered">
                         <button type="submit" class="btn btn-sm btn-primary">Apply Filters</button>

source/app/blueprints/dashboard/dashboard_routes.py

@@ -58,6 +58,9 @@
 
 from oic.oauth2.exception import GrantError
 
+log = app.logger
+
+
 # CONTENT ------------------------------------------------
 dashboard_blueprint = Blueprint(
     'index',
@@ -93,9 +96,12 @@ def logout():
                     ctx_less=True,
                     display_in_ui=False
                 )
+            except Exception as e:
+                log.error(f"Error logging out: {e}")
+                log.warning(f'Will continue to local logout')
 
-    track_activity("user '{}' has been logged-out".format(current_user.user), ctx_less=True, display_in_ui=False)
     logout_user()
+    track_activity("user '{}' has been logged-out".format(current_user.user), ctx_less=True, display_in_ui=False)
     session.clear()
 
     return redirect(not_authenticated_redirection_url('/'))

source/app/blueprints/login/login_routes.py

@@ -218,20 +218,23 @@ def oidc_authorise():
         email_field = app.config.get("OIDC_MAPPING_EMAIL")
         username_field = app.config.get("OIDC_MAPPING_USERNAME")
 
-        user_login = access_token_resp['id_token'].get(email_field) or access_token_resp['id_token'].get(username_field)
+        user_login = access_token_resp['id_token'].get(username_field) or access_token_resp['id_token'].get(email_field)
         user_name = access_token_resp['id_token'].get(email_field) or access_token_resp['id_token'].get(username_field)
 
         user = get_user(user_login, 'user')
 
         if not user:
-            if app.config.get("AUTHENTICATION_CREATE_USER_IF_NOT_EXISTS") is False:
+            log.warning(f"OIDC user {user_login} not found in database")
+            if app.config.get("AUTHENTICATION_CREATE_USER_IF_NOT_EXIST") is False:
+                log.warning(f"Authentication is set to not create user if not exists")
                 track_activity(
                     f"OIDC user {user_login} not found in database",
                     ctx_less=True,
                     display_in_ui=False,
                 )
                 return response_error("User not found in IRIS", 404)
 
+            log.info(f"Creating OIDC user {user_login} in database")
             track_activity(
                 f"Creating OIDC user {user_login} in database",
                 ctx_less=True,

source/app/blueprints/manage/manage_users.py

@@ -543,7 +543,8 @@ def view_delete_user(cur_id):
         track_activity(message="deleted user ID {}".format(cur_id), ctx_less=True)
         return response_success("Deleted user ID {}".format(cur_id))
 
-    except Exception:
+    except Exception as e:
+        print(e)
         db.session.rollback()
         track_activity(message="tried to delete active user ID {}".format(cur_id), ctx_less=True)
         return response_error("Cannot delete active user")

source/app/business/cases.py

@@ -79,7 +79,7 @@ def create(request_json):
 
         case = _load(request_data)
         case.owner_id = current_user.id
-        case.severity_id = 4
+        if not case.severity_id: case.severity_id = 4
 
         if case_template_id and len(case_template_id) > 0:
             case = case_template_pre_modifier(case, case_template_id)

source/app/configuration.py

@@ -206,7 +206,8 @@ class AuthenticationType(Enum):
 authentication_type = os.environ.get('IRIS_AUTHENTICATION_TYPE',
                                      config.get('IRIS', 'AUTHENTICATION_TYPE', fallback="local"))
 
-authentication_create_user_if_not_exists = config.load('IRIS', 'AUTHENTICATION_CREATE_USER_IF_NOT_EXIST')
+authentication_create_user_if_not_exists = config.load('IRIS', 'AUTHENTICATION_CREATE_USER_IF_NOT_EXIST',
+                                                        fallback="False")
 
 tls_root_ca = os.environ.get('TLS_ROOT_CA',
                              config.get('IRIS', 'TLS_ROOT_CA', fallback=None))
@@ -263,7 +264,7 @@ class CeleryConfig:
 # --------- APP ---------
 class Config:
     # Handled by bumpversion
-    IRIS_VERSION = "v2.4.16" # DO NOT EDIT THIS LINE MANUALLY
+    IRIS_VERSION = "v2.4.17" # DO NOT EDIT THIS LINE MANUALLY
 
     if os.environ.get('IRIS_DEMO_VERSION') is not None and os.environ.get('IRIS_DEMO_VERSION') != 'None':
         IRIS_VERSION = os.environ.get('IRIS_DEMO_VERSION')