[backend] Bring back use_aws_role option to force the AWS auth chain …

…usage (#5791)

opencti-platform/opencti-graphql/config/default.json

@@ -202,6 +202,7 @@
     "use_ssl": false,
     "access_key": "ChangeMe",
     "secret_key": "ChangeMe",
+    "use_aws_role": false,
     "excluded_files": [".DS_Store"]
   },
   "rabbitmq": {

opencti-platform/opencti-graphql/package.json

@@ -161,6 +161,7 @@
     "@types/ejs": "3.1.5",
     "@types/express": "4.17.21",
     "@types/graphql-upload": "16.0.7",
+    "@types/mime-types": "2.1.4",
     "@types/nconf": "0.10.6",
     "@types/ramda": "0.29.10",
     "@types/tough-cookie": "4.0.5",

opencti-platform/opencti-graphql/src/config/providers.js

@@ -15,21 +15,15 @@ import { HEADERS_AUTHENTICATORS, initAdmin, login, loginFromProvider } from '../
 import conf, { logApp } from './conf';
 import { AuthenticationFailure, ConfigurationError, UnsupportedError } from './errors';
 import { isEmptyField, isNotEmptyField } from '../database/utils';
-
-export const empty = R.anyPass([R.isNil, R.isEmpty]);
+import { DEFAULT_INVALID_CONF_VALUE } from '../utils/access';
 
 // Admin user initialization
 export const initializeAdminUser = async (context) => {
-  const DEFAULT_CONF_VALUE = 'ChangeMe';
   const adminEmail = conf.get('app:admin:email');
   const adminPassword = conf.get('app:admin:password');
   const adminToken = conf.get('app:admin:token');
-  if (
-    empty(adminEmail)
-    || empty(adminPassword)
-    || empty(adminToken)
-    || adminPassword === DEFAULT_CONF_VALUE
-    || adminToken === DEFAULT_CONF_VALUE
+  if (isEmptyField(adminEmail) || isEmptyField(adminPassword) || isEmptyField(adminToken)
+    || adminPassword === DEFAULT_INVALID_CONF_VALUE || adminToken === DEFAULT_INVALID_CONF_VALUE
   ) {
     throw ConfigurationError('You need to configure the environment vars');
   } else {
@@ -41,7 +35,6 @@ export const initializeAdminUser = async (context) => {
       throw ConfigurationError('Token must be a valid UUID');
     }
     // Initialize the admin account
-    // noinspection JSIgnoredPromiseFromCall
     await initAdmin(context, adminEmail, adminPassword, adminToken);
     logApp.info('[INIT] admin user initialized');
   }

opencti-platform/opencti-graphql/src/database/file-storage.js

@@ -1,6 +1,6 @@
 import * as s3 from '@aws-sdk/client-s3';
 import * as R from 'ramda';
-import path from 'path';
+import path from 'node:path';
 import { Upload } from '@aws-sdk/lib-storage';
 import { Promise as BluePromise } from 'bluebird';
 import { defaultProvider } from '@aws-sdk/credential-provider-node';
@@ -28,22 +28,27 @@ const bucketName = conf.get('minio:bucket_name') || 'opencti-bucket';
 const bucketRegion = conf.get('minio:bucket_region') || 'us-east-1';
 const excludedFiles = conf.get('minio:excluded_files') || ['.DS_Store'];
 const useSslConnection = booleanConf('minio:use_ssl', false);
+const useAwsRole = booleanConf('minio:use_aws_role', false);
 
 export const specialTypesExtensions = {
   'application/vnd.oasis.stix+json': 'json',
   'application/vnd.mitre.navigator+json': 'json',
 };
 
 const credentialProvider = () => {
-  if (clientAccessKey && clientSecretKey) {
-    return { accessKeyId: clientAccessKey, secretAccessKey: clientSecretKey, ...(clientSessionToken && { sessionToken: clientSessionToken }) };
+  if (useAwsRole) {
+    return defaultProvider({
+      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity({
+        // You must explicitly pass a region if you are not using us-east-1
+        region: bucketRegion
+      })
+    });
   }
-  return defaultProvider({
-    roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity({
-      // You must explicitly pass a region if you are not using us-east-1
-      region: bucketRegion
-    })
-  });
+  return {
+    accessKeyId: clientAccessKey,
+    secretAccessKey: clientSecretKey,
+    ...(clientSessionToken && { sessionToken: clientSessionToken })
+  };
 };
 
 const getEndpoint = () => {
@@ -200,9 +205,11 @@ export const loadFile = async (user, filename, opts = {}) => {
     throw UnsupportedError('Load file from storage fail', { cause: err, user_id: user.id, filename });
   }
 };
+
 const getFileName = (fileId) => {
   return fileId?.includes('/') ? R.last(fileId.split('/')) : fileId;
 };
+
 const guessMimeType = (fileId) => {
   const fileName = getFileName(fileId);
   const mimeType = mime.lookup(fileName) || null;

opencti-platform/opencti-graphql/src/http/httpPlatform.js

@@ -2,7 +2,6 @@
 import { URL } from 'node:url';
 import { readFileSync } from 'node:fs';
 import path from 'node:path';
-import * as R from 'ramda';
 import express from 'express';
 import bodyParser from 'body-parser';
 import compression from 'compression';
@@ -14,13 +13,13 @@ import archiverZipEncrypted from 'archiver-zip-encrypted';
 import rateLimit from 'express-rate-limit';
 import contentDisposition from 'content-disposition';
 import { basePath, booleanConf, DEV_MODE, logApp, OPENCTI_SESSION } from '../config/conf';
-import passport, { empty, isStrategyActivated, STRATEGY_CERT } from '../config/providers';
+import passport, { isStrategyActivated, STRATEGY_CERT } from '../config/providers';
 import { authenticateUser, authenticateUserFromRequest, HEADERS_AUTHENTICATORS, loginFromProvider, userWithOrigin } from '../domain/user';
 import { downloadFile, getFileContent, isStorageAlive, loadFile } from '../database/file-storage';
 import createSseMiddleware from '../graphql/sseMiddleware';
 import initTaxiiApi from './httpTaxii';
 import initHttpRollingFeeds from './httpRollingFeed';
-import { executionContext, SYSTEM_USER } from '../utils/access';
+import { DEFAULT_INVALID_CONF_VALUE, executionContext, SYSTEM_USER } from '../utils/access';
 import { ENTITY_TYPE_SETTINGS } from '../schema/internalObject';
 import { getEntityFromCache } from '../database/cache';
 import { isEmptyField, isNotEmptyField } from '../database/utils';
@@ -280,13 +279,13 @@ const createApp = async (app) => {
         res.redirect(redirect);
       } else {
         const cert = req.socket.getPeerCertificate();
-        if (!R.isEmpty(cert) && req.client.authorized) {
+        if (isNotEmptyField(cert) && req.client.authorized) {
           const { CN, emailAddress } = cert.subject;
-          if (empty(emailAddress)) {
+          if (isEmptyField(emailAddress)) {
             setCookieError(res, 'Client certificate need a correct emailAddress');
             res.redirect(redirect);
           } else {
-            const userInfo = { email: emailAddress, name: empty(CN) ? emailAddress : CN };
+            const userInfo = { email: emailAddress, name: isEmptyField(CN) ? emailAddress : CN };
             loginFromProvider(userInfo)
               .then(async (user) => {
                 await authenticateUser(context, req, user, 'cert');
@@ -414,7 +413,7 @@ const createApp = async (app) => {
         res.status(503).send({ status: 'error', error: 'request timeout' });
       });
       const configAccessKey = nconf.get('app:health_access_key');
-      if (configAccessKey === 'ChangeMe' || isEmptyField(configAccessKey)) {
+      if (configAccessKey === DEFAULT_INVALID_CONF_VALUE || isEmptyField(configAccessKey)) {
         res.status(401).send({ status: 'unauthorized' });
       } else {
         const { health_access_key: access_key } = req.query;

opencti-platform/opencti-graphql/src/utils/access.ts

@@ -17,6 +17,8 @@ import { telemetry } from '../config/tracing';
 import type { BasicStoreSettings } from '../types/settings';
 import { ACCOUNT_STATUS_ACTIVE } from '../config/conf';
 
+export const DEFAULT_INVALID_CONF_VALUE = 'ChangeMe';
+
 export const BYPASS = 'BYPASS';
 export const BYPASS_REFERENCE = 'BYPASSREFERENCE';
 export const SETTINGS_SET_ACCESSES = 'SETTINGS_SETACCESSES';

opencti-platform/opencti-graphql/yarn.lock

@@ -4834,6 +4834,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/mime-types@npm:2.1.4":
+  version: 2.1.4
+  resolution: "@types/mime-types@npm:2.1.4"
+  checksum: 10/f8c521c54ee0c0b9f90a65356a80b1413ed27ccdc94f5c7ebb3de5d63cedb559cd2610ea55b4100805c7349606a920d96e54f2d16b2f0afa6b7cd5253967ccc9
+  languageName: node
+  linkType: hard
+
 "@types/mime@npm:*":
   version: 3.0.4
   resolution: "@types/mime@npm:3.0.4"
@@ -11218,6 +11225,7 @@ __metadata:
     "@types/ejs": "npm:3.1.5"
     "@types/express": "npm:4.17.21"
     "@types/graphql-upload": "npm:16.0.7"
+    "@types/mime-types": "npm:2.1.4"
     "@types/nconf": "npm:0.10.6"
     "@types/ramda": "npm:0.29.10"
     "@types/tough-cookie": "npm:4.0.5"