Sync 0.6.6 branch to master (#2054)

* [Snyk] Upgrade ace-builds from 1.9.3 to 1.9.5 (#2037)

fix: upgrade ace-builds from 1.9.3 to 1.9.5

Snyk has created this PR to upgrade ace-builds from 1.9.3 to 1.9.5.

See this package in npm:
https://www.npmjs.com/package/ace-builds

See this project in Snyk:
https://app.snyk.io/org/scudette/project/76f4d127-566b-42ef-86f4-bdcbc92b90b4?utm_source=github&utm_medium=referral&page=upgrade-pr

* Added Send to CyberChef context menu on table cells. (#2039)

* Made context menus settable in the config file (#2040)

Added more context targets:
- VirusTotal
- Google
- CyberChef

* Updated themes for context menu (#2041)

Added "Clipboard" target

* Added org_delete() function to remove orgs. (#2042)

* Org manager maintains services lifetime (#2045)

* Pass org ids in href parameters (#2047)

Usually OrgId is passed in headers but we do have some href links so
we need to also support passing the org id in query parameters.

* collect each query's status separately (#2049)

When dealing with multiple queries per collection it is important to
keep stats on each query separately to get more accurate picture of
what happened. For example one artifact may collect successfuly and
another may fail.

This change also fixes a bug where the execution duration was
sometimes counted twice for queries that failed because they send an
error as well as a completion message.

* Split server sanity checks into root org and other orgs (#2052)

The sanity checker ensured the server is running in a sane state. It
also starts things like initial server artifacts etc.

This PR split sanity checks to run on the root org (i.e. once when the
server is started) and on each org. For example the initial server
artifacts are only run on the root org and not on other orgs.

Added org rm command

* Fixed CSS for column selector ui (#2053)

* Prepare for 0.6.6 release

Co-authored-by: Snyk bot <snyk-bot@snyk.io>

Makefile

@@ -1,6 +1,9 @@
 all:
 	go run make.go -v autoDev
 
+assets:
+	go run make.go -v assets
+
 auto:
 	go run make.go -v auto
 

acls/roles.go

@@ -6,6 +6,7 @@ import (
 
 	acl_proto "www.velocidex.com/golang/velociraptor/acls/proto"
 	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
+	"www.velocidex.com/golang/velociraptor/utils"
 )
 
 func ValidateRole(role string) bool {
@@ -97,7 +98,7 @@ func GetRolePermissions(
 
 			// An administrator for the root org is allowed to
 			// manipulate orgs.
-			if config_obj != nil && config_obj.OrgId == "" {
+			if config_obj != nil && utils.IsRootOrg(config_obj.OrgId) {
 				result.OrgAdmin = true
 			}
 

api/api.go

@@ -56,6 +56,7 @@ import (
 	"www.velocidex.com/golang/velociraptor/paths"
 	"www.velocidex.com/golang/velociraptor/server"
 	"www.velocidex.com/golang/velociraptor/services"
+	"www.velocidex.com/golang/velociraptor/utils"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 	"www.velocidex.com/golang/velociraptor/vql/acl_managers"
 	"www.velocidex.com/golang/vfilter"
@@ -433,7 +434,7 @@ func (self *ApiServer) GetUserUITraits(
 	result.Orgs = user_info.Orgs
 
 	for _, item := range result.Orgs {
-		if item.Id == "" {
+		if utils.IsRootOrg(item.Id) {
 			item.Name = "<root>"
 			item.Id = "root"
 		}
@@ -449,6 +450,7 @@ func (self *ApiServer) GetUserUITraits(
 		result.InterfaceTraits.DefaultPassword = user_options.DefaultPassword
 		result.InterfaceTraits.DefaultDownloadsLock = user_options.DefaultDownloadsLock
 		result.InterfaceTraits.Customizations = user_options.Customizations
+		result.InterfaceTraits.Links = user_options.Links
 	}
 
 	return result, nil

api/assets.go

@@ -89,6 +89,7 @@ func GetTemplateHandler(
 			BasePath:  base,
 			Heading:   "Heading",
 			UserTheme: user_options.Theme,
+			OrgId:     user_options.Org,
 		}
 		err = tmpl.Execute(w, args)
 		if err != nil {

api/auth.go

@@ -30,12 +30,7 @@ func NewDefaultUserObject(config_obj *config_proto.Config) *api_proto.ApiUser {
 
 	if config_obj.GUI != nil {
 		result.InterfaceTraits = &api_proto.ApiUserInterfaceTraits{
-			Links: []*api_proto.UILink{},
-		}
-
-		for _, link := range config_obj.GUI.Links {
-			result.InterfaceTraits.Links = append(result.InterfaceTraits.Links,
-				&api_proto.UILink{Text: link.Text, Url: link.Url})
+			Links: config_obj.GUI.Links,
 		}
 	}
 

api/authenticators/orgs.go

@@ -3,23 +3,44 @@ package authenticators
 import (
 	"errors"
 	"net/http"
+	"net/url"
 
 	"www.velocidex.com/golang/velociraptor/acls"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	"www.velocidex.com/golang/velociraptor/services"
 )
 
-func CheckOrgAccess(r *http.Request, user_record *api_proto.VelociraptorUser) error {
+func GetOrgIdFromRequest(r *http.Request) string {
+	// Now we have to determine which org the user wants to use. First
+	// let's check if the user specified an org in the header.
+	org_id := r.Header.Get("Grpc-Metadata-Orgid")
+	if org_id != "" {
+		return org_id
+	}
 
-	// Now we have to determine which org the user wants to
-	// use. First let's check if the user specified an org in the
-	// header.
-	org_id := "root"
-	current_orgid_array := r.Header.Get("Grpc-Metadata-Orgid")
-	if len(current_orgid_array) == 1 {
-		org_id = string(current_orgid_array[0])
+	// Maybe the org id is specified in the URL itself. We allow
+	// the org id to be specified as a query string in order to
+	// support plain href links. However ultimately the GRPC
+	// gateway needs to check the org id in a header - so if an
+	// org is specified using a query string and NOT specified
+	// using a header, we set the header from it for further
+	// checks by the GRPC layer (in services/users/grpc.go)
+	q, err := url.ParseQuery(r.URL.RawQuery)
+	if err == nil {
+		org_id = q.Get("org_id")
+		if org_id != "" {
+			r.Header.Set("Grpc-Metadata-Orgid", org_id)
+			return org_id
+		}
 	}
 
+	org_id = "root"
+	r.Header.Set("Grpc-Metadata-Orgid", org_id)
+	return org_id
+}
+
+func CheckOrgAccess(r *http.Request, user_record *api_proto.VelociraptorUser) error {
+	org_id := GetOrgIdFromRequest(r)
 	err := _checkOrgAccess(r, org_id, user_record)
 	if err == nil {
 		return nil