From 6501e4b00bdbdac03488977e133e5f19aee355b3 Mon Sep 17 00:00:00 2001
From: Angelique
Date: Mon, 21 Oct 2024 09:26:16 +0200
Subject: [PATCH] Prevent from burning configuration defined admin

---
 opencti-platform/opencti-graphql/src/domain/user.js | 5 ++++-
 .../tests/02-integration/02-resolvers/user-test.ts | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/opencti-platform/opencti-graphql/src/domain/user.js b/opencti-platform/opencti-graphql/src/domain/user.js
index 72793caf2c82e..835623d473b71 100644
--- a/opencti-platform/opencti-graphql/src/domain/user.js
+++ b/opencti-platform/opencti-graphql/src/domain/user.js
@@ -1385,11 +1385,14 @@ export const resolveUserByToken = async (context, tokenValue) => {
 };
 
 export const userRenewToken = async (context, user, userId) => {
+ if (userId === OPENCTI_ADMIN_UUID) {
+ throw FunctionalError('Cannot renew token of admin user defined in configuration, please change configuration instead.');
+ }
+
 const userData = await storeLoadById(context, user, userId, ENTITY_TYPE_USER);
 if (!userData) {
 throw FunctionalError(`Cannot renew token, ${userId} user cannot be found.`);
 }
-
 const patch = { api_token: uuid() };
 await patchAttribute(context, user, userId, ENTITY_TYPE_USER, patch);
 const result = storeLoadById(context, user, userId, ENTITY_TYPE_USER);
diff --git a/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts b/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts
index f97f9a7ce2e02..e875d690734e0 100644
--- a/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts
+++ b/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.ts
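Review bot: The new guard at the top of userRenewToken rejects the configuration-defined admin by comparing userId with OPENCTI_ADMIN_UUID, but nothing in the code says why that one user is special, and the reason is not visible in the hunk; a why-comment above the check would help, e.g. `// The admin's api_token comes from the YAML/env configuration (presumably re-applied at startup), so rotating it in the database would leave a token the operator does not know — refuse instead.` The protection is keyed on the identifier only, so any other code path that can write `api_token` for this user (a generic attribute edit, for instance — none is visible here) would need the same check for the guard to be complete; worth confirming. Placing the check before storeLoadById also means the not-found error is never reached for that id, which is fine since the constant is a fixed identifier. userRenewToken's body continues past the end of the hunk.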
@@ -24,6 +24,7 @@ import { VIRTUAL_ORGANIZATION_ADMIN } from '../../../src/utils/access';
 import type { Capability, Member } from '../../../src/generated/graphql';
 import { queryAsAdminWithSuccess, queryAsUserIsExpectedForbidden } from '../../utils/testQueryHelper';
 import { resolveUserByToken } from '../../../src/domain/user';
+import { OPENCTI_ADMIN_UUID } from '../../../src/schema/general';
 
 const LIST_QUERY = gql`
 query users(
@@ -327,6 +328,17 @@ describe('User resolver standard behavior', () => {
 variables: { id: userInternalId },
 });
 });
+ it('should be forbidden to renew yaml/env configured token (admin)', async () => {
+ const result = await queryAsAdmin({
+ query: TOKEN_RENEW_QUERY,
+ variables: { id: OPENCTI_ADMIN_UUID },
+ });
+ expect(result.errors).toBeDefined();
+ expect(result.errors?.length).toBe(1);
+ if (result.errors) {
+ expect(result.errors[0].message).toBe('Cannot renew token of admin user defined in configuration, please change configuration instead.');
+ }
+ });
 it('should update user confidence level', async () => {
 const UPDATE_QUERY = gql`
 mutation UserEdit($id: ID!, $input: [EditInput]!) {
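Review bot: The new test in the second hunk only checks that the mutation reports the expected error message; it never asserts the security-relevant outcome, namely that the admin's api_token was left untouched, so a regression that rotates the token and then throws would still pass. The file already imports resolveUserByToken, so the test could capture the token the harness authenticates with (queryAsAdmin appears to use it, though the helper is not visible here) and check afterwards that it still resolves to the admin user, or read the user's api_token through an existing read query before and after and compare. The `expect`/`if` tail can be collapsed into one assertion, `expect(result.errors?.[0]?.message).toBe('Cannot renew token of admin user defined in configuration, please change configuration instead.');`, which drops the conditional without weakening the check. The enclosing describe block starts before the hunk.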