Allow hunts to be scheduled on multiple orgs (#2182)

Also fixed service install on windows with `velociraptor service install`
Velocidex · Oct 24, 2022 · d4c60ac · d4c60ac
1 parent 173e5f7
commit d4c60ac
Show file tree

Hide file tree

Showing 12 changed files with 375 additions and 100 deletions.
diff --git a/api/hunts.go b/api/hunts.go
@@ -112,26 +112,75 @@ func (self *ApiServer) CreateHunt(
 			"User is not allowed to launch hunts.")
 	}
 
-	logging.GetLogger(org_config_obj, &logging.Audit).
-		WithFields(logrus.Fields{
-			"user":    in.Creator,
-			"hunt_id": in.HuntId,
-			"details": json.MustMarshalString(in),
-		}).Info("CreateHunt")
+	// Require the Org Admin permission to launch hunts in a differen
+	// org.
+	orgs := in.OrgIds
+	if len(orgs) > 0 {
+		permissions := acls.ORG_ADMIN
+		perm, err := acls.CheckAccess(org_config_obj, in.Creator, permissions)
+		if !perm || err != nil {
+			return nil, status.Error(codes.PermissionDenied,
+				"User is not allowed to launch hunts in other orgs.")
+		}
+	} else {
+		orgs = append(orgs, org_config_obj.OrgId)
+	}
 
-	result := &api_proto.StartFlowResponse{}
-	hunt_dispatcher, err := services.GetHuntDispatcher(org_config_obj)
+	logger := logging.GetLogger(org_config_obj, &logging.FrontendComponent)
+	org_manager, err := services.GetOrgManager()
 	if err != nil {
 		return nil, Status(self.verbose, err)
 	}
 
-	hunt_id, err := hunt_dispatcher.CreateHunt(
-		ctx, org_config_obj, acl_manager, in)
-	if err != nil {
-		return nil, Status(self.verbose, err)
+	var orgs_we_scheduled []string
+
+	for _, org_id := range orgs {
+		org_config_obj, err := org_manager.GetOrgConfig(org_id)
+		if err != nil {
+			logger.Error("CreateHunt: GetOrgConfig %v", err)
+			continue
+		}
+
+		// Make sure the user is allowed to collect in that org
+		perm, err := acls.CheckAccess(org_config_obj, in.Creator,
+			acls.COLLECT_CLIENT)
+		if !perm || err != nil {
+			logger.Error("CreateHunt: User is not allowed to launch hunts in "+
+				"org %v.", org_id)
+			continue
+		}
+
+		hunt_dispatcher, err := services.GetHuntDispatcher(org_config_obj)
+		if err != nil {
+			logger.Error("CreateHunt: GetOrgConfig %v", err)
+			continue
+		}
+
+		hunt_id, err := hunt_dispatcher.CreateHunt(
+			ctx, org_config_obj, acl_manager, in)
+		if err != nil {
+			logger.Error("CreateHunt: GetOrgConfig %v", err)
+			continue
+		}
+
+		orgs_we_scheduled = append(orgs_we_scheduled, org_id)
+		// Reuse the hunt id for all the hunts we launch on all the
+		// orgs - this makes it easier to combine results from all
+		// orgs.
+		in.HuntId = hunt_id
 	}
 
-	result.FlowId = hunt_id
+	result := &api_proto.StartFlowResponse{}
+	result.FlowId = in.HuntId
+
+	// Audit message for GUI access
+	logging.GetLogger(org_config_obj, &logging.Audit).
+		WithFields(logrus.Fields{
+			"user":    in.Creator,
+			"hunt_id": result.FlowId,
+			"details": json.MustMarshalString(in),
+			"orgs":    orgs_we_scheduled,
+		}).Info("CreateHunt")
 
 	return result, nil
 }

diff --git a/api/proto/hunts.pb.go b/api/proto/hunts.pb.go
diff --git a/api/proto/hunts.proto b/api/proto/hunts.proto
@@ -141,6 +141,9 @@ message Hunt {
     State state = 8 [(sem_type) = {
             description: "This is state of the hunt. This field is manupulated by the GUI."
         }];
+
+    // A list of the org IDs that the hunt will be launched on
+    repeated string org_ids = 22;
 }
 
 message HuntEstimateRequest {

diff --git a/artifacts/testdata/server/testcases/cobalt.in.yaml b/artifacts/testdata/server/testcases/cobalt.in.yaml
@@ -58,7 +58,7 @@ Queries:
 
   - LET _ <= remap(config=RemappingTemplate, copy=["zip", "scope", "data", "process"], clear=TRUE)
 
-  - SELECT OSPath FROM glob(globs="/**") ORDER BY OSPath
+  - SELECT OSPath, Name FROM glob(globs="/**") ORDER BY Name
 
   # tests embedded shellcode in data section parsing
   - SELECT Rule,FullPath.Basename,Hash,Xor,DecodedConfig