Prevent from burning configuration defined admin

OpenCTI-Platform · Oct 21, 2024 · 6501e4b · 6501e4b
1 parent b8a8745
commit 6501e4b
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/opencti-platform/opencti-graphql/src/domain/user.js b/opencti-platform/opencti-graphql/src/domain/user.js
@@ -1385,11 +1385,14 @@ export const resolveUserByToken = async (context, tokenValue) => {
 };
 
 export const userRenewToken = async (context, user, userId) => {
+  if (userId === OPENCTI_ADMIN_UUID) {
+    throw FunctionalError('Cannot renew token of admin user defined in configuration, please change configuration instead.');
+  }
+
   const userData = await storeLoadById(context, user, userId, ENTITY_TYPE_USER);
   if (!userData) {
     throw FunctionalError(`Cannot renew token, ${userId} user cannot be found.`);
   }
-
   const patch = { api_token: uuid() };
   await patchAttribute(context, user, userId, ENTITY_TYPE_USER, patch);
   const result = storeLoadById(context, user, userId, ENTITY_TYPE_USER);

diff --git a/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts b/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts
@@ -24,6 +24,7 @@ import { VIRTUAL_ORGANIZATION_ADMIN } from '../../../src/utils/access';
 import type { Capability, Member } from '../../../src/generated/graphql';
 import { queryAsAdminWithSuccess, queryAsUserIsExpectedForbidden } from '../../utils/testQueryHelper';
 import { resolveUserByToken } from '../../../src/domain/user';
+import { OPENCTI_ADMIN_UUID } from '../../../src/schema/general';
 
 const LIST_QUERY = gql`
   query users(
@@ -327,6 +328,17 @@ describe('User resolver standard behavior', () => {
       variables: { id: userInternalId },
     });
   });
+  it('should be forbidden to renew yaml/env configured token (admin)', async () => {
+    const result = await queryAsAdmin({
+      query: TOKEN_RENEW_QUERY,
+      variables: { id: OPENCTI_ADMIN_UUID },
+    });
+    expect(result.errors).toBeDefined();
+    expect(result.errors?.length).toBe(1);
+    if (result.errors) {
+      expect(result.errors[0].message).toBe('Cannot renew token of admin user defined in configuration, please change configuration instead.');
+    }
+  });
   it('should update user confidence level', async () => {
     const UPDATE_QUERY = gql`
       mutation UserEdit($id: ID!, $input: [EditInput]!) {