search

OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io
Other
6.3k stars 931 forks source link

GraphQL is not Loading Properly #7077

Closed The-Stuke closed 5 months ago

The-Stuke commented 5 months ago

Description

When trying to use the graphql playground there are issues when trying to load any Schema, Docs, Tracing, or Query Plan. They either constantly load or gives errors. I am able to query data though by inputing a query and pressing the play button. I am just not able to view the Docs, Schema, Tracing, or Query Plan. I tried this on a fresh install of OpenCTI as well.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 22.04 within Docker
  2. OpenCTI version: 6.1.3
  3. OpenCTI client: Frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Login to OpenCTI and go to Profile
  2. Scroll down and click playground
  3. Clicks Schema, Docs, Tracing, or Query Plan
  4. Observe Errors

Expected Output

Schema, Docs, Tracing, or Query Plan to populate. Along with server cannot be reached message to not be there.

Actual Output

Schema, Docs, Tracing, or Query Plan is not loading any data or giving other errors.

Additional information

Constant 500 error can be seen on the web browser network console when looking at this image

Docker compose

version: '3'
services:
  redis:
    image: redis:7.2.4
    restart: always
    volumes:
      - redisdata-test:/data
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.13.4
    volumes:
      - esdata-test:/usr/share/elasticsearch/data
    environment:
      - discovery.type=single-node
      - xpack.ml.enabled=false
      - xpack.security.enabled=false
      - thread_pool.search.queue_size=5000
      - logger.org.elasticsearch.discovery="ERROR"
      - "ES_JAVA_OPTS=-Xms${ELASTIC_MEMORY_SIZE} -Xmx${ELASTIC_MEMORY_SIZE}"
    restart: always
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
  minio:
    image: minio/minio:RELEASE.2024-01-16T16-07-38Z
    volumes:
      - s3data-test:/data
    ports:
      - "9000:9000"
    environment:
      MINIO_ROOT_USER: ${MINIO_ROOT_USER}
      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}    
    command: server /data
    restart: always
  rabbitmq:
    image: rabbitmq:3.13-management
    environment:
      - RABBITMQ_DEFAULT_USER=${RABBITMQ_DEFAULT_USER}
      - RABBITMQ_DEFAULT_PASS=${RABBITMQ_DEFAULT_PASS}
      - RABBITMQ_NODENAME=rabbit01@localhost
    volumes:
      - amqpdata-test:/var/lib/rabbitmq
    restart: always
  opencti:
    image: opencti/platform:6.1.3
    environment:
      - NODE_OPTIONS=--max-old-space-size=8096
      - APP__PORT=8080
      - APP__BASE_URL=${OPENCTI_BASE_URL}
      - APP__ADMIN__EMAIL=${OPENCTI_ADMIN_EMAIL}
      - APP__ADMIN__PASSWORD=${OPENCTI_ADMIN_PASSWORD}
      - APP__ADMIN__TOKEN=${OPENCTI_ADMIN_TOKEN}
      - APP__APP_LOGS__LOGS_LEVEL=info
      - REDIS__HOSTNAME=redis
      - REDIS__PORT=6379
      - ELASTICSEARCH__URL=http://elasticsearch:9200
      - MINIO__ENDPOINT=minio
      - MINIO__PORT=9000
      - MINIO__USE_SSL=false
      - MINIO__ACCESS_KEY=${MINIO_ROOT_USER}
      - MINIO__SECRET_KEY=${MINIO_ROOT_PASSWORD}
      - RABBITMQ__HOSTNAME=rabbitmq
      - RABBITMQ__PORT=5672
      - RABBITMQ__PORT_MANAGEMENT=15672
      - RABBITMQ__MANAGEMENT_SSL=false
      - RABBITMQ__USERNAME=${RABBITMQ_DEFAULT_USER}
      - RABBITMQ__PASSWORD=${RABBITMQ_DEFAULT_PASS}
      - SMTP__HOSTNAME=${SMTP_HOSTNAME}
      - SMTP__PORT=25
      - PROVIDERS__LOCAL__STRATEGY=LocalStrategy
    ports:
      - "8080:8080"
    depends_on:
      - redis
      - elasticsearch
      - minio
      - rabbitmq
    volumes:
      - /opt/opencti:/etc/ssl/certs
    restart: always
  worker:
    image: opencti/worker:6.1.3
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - WORKER_LOG_LEVEL=info
    depends_on:
      - opencti
    deploy:
      mode: replicated
      replicas: 3
    restart: always
  connector-export-file-stix:
    image: opencti/connector-export-file-stix:6.1.3
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_EXPORT_FILE_STIX_ID}
      - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
      - CONNECTOR_NAME=ExportFileStix2
      - CONNECTOR_SCOPE=application/json
      - CONNECTOR_CONFIDENCE_LEVEL=15
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      - opencti
  connector-export-file-csv:
    image: opencti/connector-export-file-csv:6.1.3
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_EXPORT_FILE_CSV_ID}
      - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
      - CONNECTOR_NAME=ExportFileCsv
      - CONNECTOR_SCOPE=text/csv
      - CONNECTOR_CONFIDENCE_LEVEL=15
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      - opencti
  connector-export-file-txt:
    image: opencti/connector-export-file-txt:6.1.3
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_EXPORT_FILE_TXT_ID}
      - CONNECTOR_TYPE=INTERNAL_EXPORT_FILE
      - CONNECTOR_NAME=ExportFileTxt
      - CONNECTOR_SCOPE=text/plain
      - CONNECTOR_CONFIDENCE_LEVEL=15
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      - opencti
  connector-import-file-stix:
    image: opencti/connector-import-file-stix:6.1.3
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_IMPORT_FILE_STIX_ID}
      - CONNECTOR_TYPE=INTERNAL_IMPORT_FILE
      - CONNECTOR_NAME=ImportFileStix
      - CONNECTOR_VALIDATE_BEFORE_IMPORT=true
      - CONNECTOR_SCOPE=application/json,text/xml
      - CONNECTOR_AUTO=true
      - CONNECTOR_CONFIDENCE_LEVEL=15
      - CONNECTOR_LOG_LEVEL=info
    restart: always
    depends_on:
      - opencti
  connector-import-document:
    image: opencti/connector-import-document:6.1.3
    environment:
      - OPENCTI_URL=http://opencti:8080
      - OPENCTI_TOKEN=${OPENCTI_ADMIN_TOKEN}
      - CONNECTOR_ID=${CONNECTOR_IMPORT_DOCUMENT_ID}
      - CONNECTOR_TYPE=INTERNAL_IMPORT_FILE
      - CONNECTOR_NAME=ImportDocument
      - CONNECTOR_VALIDATE_BEFORE_IMPORT=true
      - CONNECTOR_SCOPE=application/pdf,text/plain,text/html
      - CONNECTOR_AUTO=true
      - CONNECTOR_ONLY_CONTEXTUAL=false
      - CONNECTOR_CONFIDENCE_LEVEL=15
      - CONNECTOR_LOG_LEVEL=info
      - IMPORT_DOCUMENT_CREATE_INDICATOR=true
    restart: always
    depends_on:
      - opencti
volumes:
  esdata-test:
  s3data-test:
  redisdata-test:
  amqpdata-test:

I didn't see any errors present in INFO level logging, but turning it to debugging I saw some errors like this image

Screenshots (optional)

Able to pull data with a query, but shows Server cannot be reached. image

Errors of data not loading image image image image

richard-julien commented 5 months ago

Introspection is disable by default for security purpose. You can activate it in config with force_disabled_introspection

```

"graphql": { "armor_enabled": false, "batching_protection": { "mutation_default": 1, "query_default": 2, "query_subtypes": 4 }, "playground": { "enabled": true, "force_disabled_introspection": true } },



Tracing and apollo federation are not supported.
The-Stuke commented 5 months ago

Thank you I was not aware of that configuration. I found the reference in the documentation for APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION. I have tried this variable on both false and true in my config. In both cases I am receiving the same as I shared above on version 6.1.3. Docs and Schema constantly load and the "Server cannot be reached" error is still present.

As for expected output I spun up a quick instance of 6.0.7 as I knew it loaded the other day. It looks like it was working back in this version. I left out the APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION in my config for this example. Below are what I was hoping to see in the latest version.

image image image

I spun up a few instances to see what version of OpenCTI this quit working in. The last known working I can reproduce is 6.0.10. As soon as I went to 6.1.0 it goes into this constant loading state and Server cannot be reached error message.

The-Stuke commented 5 months ago

https://github.com/OpenCTI-Platform/opencti/issues/6992

This closed issue looks to be the same. Both false and true produces the same results.

SamuelHassine commented 5 months ago

@The-Stuke,

Typo in the doc: APP__GRAPHQL__PLAYGROUND__FORCE_DISABLED_INTROSPECTION=true instead of APP__GRAPHQL_PLAYGROUND__FORCE_DISABLED_INTROSPECTION=true.

I've fixed the doc.