TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Can't create case from an alert with api key with shuffle #2462

Open Blood78 opened 1 year ago

Blood78 commented 1 year ago

Request Type

Bug: Can't create case from an alert with API key with Shuffle. AuthorizationError: Unauthorized action

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | 18.04.6 |
| Virtualized Env. | True |
| Dedicated RAM | 32 GB |
| vCPU | 8 |
| TheHive version / git hash | 4.1.24-1 |
| Package Type | From source |
| Database | Cassandra |
| Index type | Lucene |
| Attachments storage | Local |

Problem Description

I created a workflow on Shuffle, but when I want to create a case from an alert I get the error AuthorizationError: Unauthorized action, while when I perform the action via curl with the same API key as in Shuffle, it works perfectly.

Steps to Reproduce

  1. Launch the workflow with case creation from an alert
  2. Error returned: AuthorizationError: Unauthorized action
  3. Launch the same workflow but with a curl that performs the same action as the TheHive module, and everything works correctly

Here are the TheHive logs when I launch my workflow via the TheHive module to create a case from an alert

Logs :

2023-04-07 03:14:17,795 [ERROR] from org.thp.scalligraph.utils.Retry in application-akka.actor.default-dispatcher-39 [00000903|16360cb1] uncaught error, not retrying
org.thp.scalligraph.AuthorizationError: Unauthorized action
    at org.thp.scalligraph.traversal.TraversalOps$TraversalOpsDefs.existsOrFail(TraversalOps.scala:154)
    at org.thp.thehive.controllers.v0.AlertCtrl.$anonfun$createCase$5(AlertCtrl.scala:275)
    at scala.Option.map(Option.scala:230)
    at org.thp.thehive.controllers.v0.AlertCtrl.$anonfun$createCase$4(AlertCtrl.scala:275)
    at scala.util.Success.flatMap(Try.scala:251)
    at org.thp.thehive.controllers.v0.AlertCtrl.$anonfun$createCase$3(AlertCtrl.scala:269)
    at scala.util.Success.flatMap(Try.scala:251)
    at org.thp.thehive.controllers.v0.AlertCtrl.$anonfun$createCase$2(AlertCtrl.scala:268)
    at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$authPermittedTransaction$2(Entrypoint.scala:129)
    at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$7(JanusDatabase.scala:241)
    at scala.util.Try$.apply(Try.scala:213)
    at org.thp.scalligraph.janus.JanusDatabase.$anonfun$tryTransaction$6(JanusDatabase.scala:241)
    at scala.util.Try$.apply(Try.scala:213)
    at org.thp.scalligraph.utils.DelayRetry.withTry(Retry.scala:93)
    at org.thp.scalligraph.janus.JanusDatabase.tryTransaction(JanusDatabase.scala:238)
    at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$authPermittedTransaction$1(Entrypoint.scala:129)
    at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$auth$1(Entrypoint.scala:86)
    at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$asyncAuth$4(Entrypoint.scala:108)
    at org.scalactic.Good.fold(Or.scala:1229)
    at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$asyncAuth$2(Entrypoint.scala:108)
    at org.thp.scalligraph.DiagnosticContext$.$anonfun$withRequest$2(ContextPropagatingDisptacher.scala:108)
    at org.thp.scalligraph.DiagnosticContext$.saveDiagnosticContext(ContextPropagatingDisptacher.scala:114)
    at org.thp.scalligraph.DiagnosticContext$.withRequest(ContextPropagatingDisptacher.scala:99)
    at org.thp.scalligraph.controllers.Entrypoint$EntryPointBuilder.$anonfun$asyncAuth$1(Entrypoint.scala:105)
    at org.thp.scalligraph.auth.AuthSrvWithActionFunction$$anon$1.$anonfun$invokeBlock$2(AuthSrv.scala:91)
    at scala.Option.fold(Option.scala:251)
    at org.thp.scalligraph.auth.AuthSrvWithActionFunction$$anon$1.invokeBlock(AuthSrv.scala:90)
    at org.thp.scalligraph.auth.AuthSrvWithActionFunction$$anon$1.invokeBlock(AuthSrv.scala:87)
    at org.thp.scalligraph.auth.BasicAuthSrv$$anon$1.$anonfun$invokeBlock$1(BasicAuthSrv.scala:54)
    at scala.Option.fold(Option.scala:251)
    at org.thp.scalligraph.auth.BasicAuthSrv$$anon$1.invokeBlock(BasicAuthSrv.scala:54)
    at org.thp.scalligraph.auth.BasicAuthSrv$$anon$1.invokeBlock(BasicAuthSrv.scala:52)
    at org.thp.scalligraph.auth.SessionAuthSrv$$anon$1.$anonfun$invokeBlock$1(SessionAuthSrv.scala:98)
    at scala.Option.fold(Option.scala:251)
    at org.thp.scalligraph.auth.SessionAuthSrv$$anon$1.invokeBlock(SessionAuthSrv.scala:98)
    at org.thp.scalligraph.auth.SessionAuthSrv$$anon$1.invokeBlock(SessionAuthSrv.scala:95)
    at play.api.mvc.ActionBuilder$$anon$10.$anonfun$invokeBlock$2(Action.scala:408)
    at play.api.mvc.ActionBuilderImpl.invokeBlock(Action.scala:441)
    at play.api.mvc.ActionBuilderImpl.invokeBlock(Action.scala:439)
    at play.api.mvc.ActionBuilder$$anon$10.invokeBlock(Action.scala:408)
    at play.api.mvc.ActionBuilder$$anon$10.invokeBlock(Action.scala:404)
    at play.api.mvc.ActionBuilder$$anon$9.apply(Action.scala:379)
    at play.api.mvc.Action.$anonfun$apply$4(Action.scala:82)
    at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$4(Accumulator.scala:168)
    at scala.util.Try$.apply(Try.scala:213)
    at play.api.libs.streams.StrictAccumulator.$anonfun$mapFuture$3(Accumulator.scala:168)
    at scala.Function1.$anonfun$andThen$1(Function1.scala:57)
    at scala.Function1.$anonfun$andThen$1(Function1.scala:57)
    at scala.Function1.$anonfun$andThen$1(Function1.scala:57)
    at play.api.libs.streams.StrictAccumulator.run(Accumulator.scala:200)
    at play.core.server.AkkaHttpServer.$anonfun$runAction$4(AkkaHttpServer.scala:418)
    at akka.http.scaladsl.util.FastFuture$.strictTransform$1(FastFuture.scala:41)
    at akka.http.scaladsl.util.FastFuture$.$anonfun$transformWith$3(FastFuture.scala:51)
    at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:64)
    at org.thp.scalligraph.ContextPropagatingDispatcher$$anon$1.$anonfun$execute$2(ContextPropagatingDisptacher.scala:57)
    at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
    at org.thp.scalligraph.DiagnosticContext$.$anonfun$withDiagnosticContext$2(ContextPropagatingDisptacher.scala:93)
    at org.thp.scalligraph.DiagnosticContext$.saveDiagnosticContext(ContextPropagatingDisptacher.scala:114)
    at org.thp.scalligraph.DiagnosticContext$.withDiagnosticContext(ContextPropagatingDisptacher.scala:91)
    at org.thp.scalligraph.DiagnosticContext$$anon$2.withContext(ContextPropagatingDisptacher.scala:76)
    at org.thp.scalligraph.ContextPropagatingDispatcher$$anon$1.$anonfun$execute$1(ContextPropagatingDisptacher.scala:57)
    at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:49)
    at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:48)
    at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
    at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
    at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
    at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
2023-04-07 03:14:17,795 [ERROR] from org.thp.scalligraph.models.Database in application-akka.actor.default-dispatcher-39 [00000903|16360cb1] Exception raised, rollback (Unauthorized action)
2023-04-07 03:14:17,795 [WARN] from org.thp.scalligraph.ErrorHandler in application-akka.actor.default-dispatcher-39 [00000903|16360cb1] POST /api/alert/~122978320/createCase returned 403
2023-04-07 03:14:17,796 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 [00000903|] 192.168.1.29 POST /api/alert/~122978320/createCase took 29ms and returned 403 61 bytes


And here are the TheHive logs when I do the same action but via curl with the same API key

Logs :

2023-04-07 03:38:38,823 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-32 [000009be|] 192.168.1.65 POST /api/v1/query?name=alerts.count
2023-04-07 03:38:38,823 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-38 [000009ba|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count
2023-04-07 03:38:38,823 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-37 [000009bd|] 192.168.1.65 POST /api/v1/query?name=alerts
2023-04-07 03:38:38,823 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-24 [000009bb|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count
2023-04-07 03:38:38,824 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-39 [000009bc|] 192.168.1.65 POST /api/v1/query?name=alert-count-all
2023-04-07 03:38:38,827 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-37 [000009bd|] 192.168.1.65 POST /api/v1/query?name=alerts took 4ms and returned 200
2023-04-07 03:38:38,905 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-28 [000009bf|] 192.168.1.65 POST /api/v1/query?name=alert-count-all
2023-04-07 03:38:38,955 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-24 [000009ba|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count took 132ms and returned 200 2 bytes
2023-04-07 03:38:38,955 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-38 [000009bb|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count took 132ms and returned 200 2 bytes
2023-04-07 03:38:38,956 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-24 [000009be|] 192.168.1.65 POST /api/v1/query?name=alerts.count took 133ms and returned 200 1 bytes
2023-04-07 03:38:38,956 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-30 [000009bc|] 192.168.1.65 POST /api/v1/query?name=alert-count-all took 133ms and returned 200 2 bytes
2023-04-07 03:38:38,958 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-36 [000009c0|] 192.168.1.65 POST /api/v1/query?name=alerts
2023-04-07 03:38:38,993 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-36 [000009c0|] 192.168.1.65 POST /api/v1/query?name=alerts took 35ms and returned 200
2023-04-07 03:38:38,994 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-38 [000009c1|] 192.168.1.65 POST /api/v1/query?name=alerts.count
2023-04-07 03:38:39,064 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-28 [000009bf|] 192.168.1.65 POST /api/v1/query?name=alert-count-all took 162ms and returned 200 2 bytes
2023-04-07 03:38:39,069 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-38 [000009c1|] 192.168.1.65 POST /api/v1/query?name=alerts.count took 75ms and returned 200 1 bytes
2023-04-07 03:38:40,710 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-24 [000009c4|] 192.168.1.29 POST /api/alert/~41115728/artifact
2023-04-07 03:38:40,731 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-24 [000009c4|] 192.168.1.29 POST /api/alert/~41115728/artifact took 29ms and returned 201 294 bytes
2023-04-07 03:38:40,932 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-32 [000009c2|] 192.168.1.65 GET /api/stream/jKJgDEFt2CMmP8yzuS5n took 1099ms and returned 200 1072 bytes
2023-04-07 03:38:40,932 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-30 [000009c3|] 192.168.1.65 GET /api/stream/SypTB9xku0GmY1hRWzsK took 991ms and returned 200 1072 bytes
2023-04-07 03:38:42,972 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-28 [000009c7|] 192.168.1.29 POST /api/alert/~41115728/createCase
2023-04-07 03:38:43,107 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-24 [000009c7|] 192.168.1.29 POST /api/alert/~41115728/createCase took 142ms and returned 201 742 bytes
2023-04-07 03:38:43,265 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-16 [000009c5|] 192.168.1.65 GET /api/stream/jKJgDEFt2CMmP8yzuS5n took 1317ms and returned 200 1528 bytes
2023-04-07 03:38:43,265 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-37 [000009c6|] 192.168.1.65 GET /api/stream/SypTB9xku0GmY1hRWzsK took 314ms and returned 200 1528 bytes
2023-04-07 03:38:43,268 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-39 [000009c9|] 192.168.1.65 POST /api/v1/query?name=alert-count-all
2023-04-07 03:38:43,268 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-34 [000009c8|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count
2023-04-07 03:38:43,269 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-36 [000009ca|] 192.168.1.65 POST /api/v1/query?name=alerts
2023-04-07 03:38:43,270 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-37 [000009cb|] 192.168.1.65 POST /api/v1/query?name=alerts.count
2023-04-07 03:38:43,271 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-36 [000009ca|] 192.168.1.65 POST /api/v1/query?name=alerts took 2ms and returned 200
2023-04-07 03:38:43,485 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-16 [000009cc|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count
2023-04-07 03:38:43,494 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-38 [000009cd|] 192.168.1.65 POST /api/v1/query?name=alert-count-all
2023-04-07 03:38:43,576 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-34 [000009c8|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count took 308ms and returned 200 2 bytes
2023-04-07 03:38:43,580 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-24 [000009ce|] 192.168.1.65 POST /api/v1/query?name=alerts
2023-04-07 03:38:43,582 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-24 [000009ce|] 192.168.1.65 POST /api/v1/query?name=alerts took 3ms and returned 200
2023-04-07 03:38:43,656 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-39 [000009c9|] 192.168.1.65 POST /api/v1/query?name=alert-count-all took 388ms and returned 200 2 bytes
2023-04-07 03:38:43,657 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-37 [000009cb|] 192.168.1.65 POST /api/v1/query?name=alerts.count took 388ms and returned 200 1 bytes
2023-04-07 03:38:43,726 [INFO] from org.thp.scalligraph.controllers.Entrypoint in application-akka.actor.default-dispatcher-37 [000009cf|] 192.168.1.65 POST /api/v1/query?name=alerts.count
2023-04-07 03:38:43,827 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-38 [000009cd|] 192.168.1.65 POST /api/v1/query?name=alert-count-all took 334ms and returned 200 2 bytes
2023-04-07 03:38:43,828 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-16 [000009cc|] 192.168.1.65 POST /api/v1/query?name=unread-alert-count took 344ms and returned 200 2 bytes
2023-04-07 03:38:43,831 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-37 [000009cf|] 192.168.1.65 POST /api/v1/query?name=alerts.count took 106ms and returned 200 1 bytes


I really don't understand the problem. Has anyone had the same problem before?

Thank you in advance for your help
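
Added example, not part of the original post and not TheHive's or Shuffle's code: one way to triage logs in the layout quoted above is to join each 401/403 access-log entry with the exception logged under the same request id and report the first TheHive application frame. The sample is constructed (abridged from the entries in the post), and the function names `entries` and `denied_requests` are hypothetical.

```python
import re

HEADER = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} \[(\w+)\] from (\S+) in \S+ "
                    r"\[([0-9a-f]+)\|[0-9a-f]*\] ")
ACCESS = re.compile(r"(\S+) ([A-Z]+) (\S+) took \d+ms and returned (\d{3})")
CAUSE = re.compile(r"(\S+(?:Error|Exception)): ([^\n]+?)\s+at ")
APP_FRAME = re.compile(r"at org\.thp\.thehive\.\S+\((\w+\.scala:\d+)\)")

# Constructed sample: abridged from the log entries quoted in the issue.
SAMPLE = """2023-04-07 03:14:17,795 [ERROR] from org.thp.scalligraph.utils.Retry in application-akka.actor.default-dispatcher-39 [00000903|16360cb1] uncaught error, not retrying
org.thp.scalligraph.AuthorizationError: Unauthorized action
    at org.thp.scalligraph.traversal.TraversalOps$TraversalOpsDefs.existsOrFail(TraversalOps.scala:154)
    at org.thp.thehive.controllers.v0.AlertCtrl.$anonfun$createCase$5(AlertCtrl.scala:275)
2023-04-07 03:14:17,796 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-31 [00000903|] 192.168.1.29 POST /api/alert/~122978320/createCase took 29ms and returned 403 61 bytes
2023-04-07 03:38:43,107 [INFO] from org.thp.scalligraph.AccessLogFilter in application-akka.actor.default-dispatcher-24 [000009c7|] 192.168.1.29 POST /api/alert/~41115728/createCase took 142ms and returned 201 742 bytes
"""

def entries(text):
    """Yield (level, logger, request_id, body); works on multi-line or flattened logs."""
    heads = list(HEADER.finditer(text))
    for cur, nxt in zip(heads, heads[1:] + [None]):
        body = text[cur.end(): nxt.start() if nxt else len(text)]
        yield cur.group(1), cur.group(2), cur.group(3), body

def denied_requests(text):
    """Return 401/403 access entries joined with the exception logged for the same request id."""
    causes, denied = {}, []
    for level, logger, rid, body in entries(text):
        if level == "ERROR" and rid not in causes:
            cause, frame = CAUSE.search(body), APP_FRAME.search(body)
            if cause:  # keep the first exception seen for this request
                causes[rid] = (cause.group(1), cause.group(2),
                               frame.group(1) if frame else None)
        elif logger.endswith("AccessLogFilter"):
            m = ACCESS.match(body)
            if m and m.group(4) in ("401", "403"):
                denied.append({"request_id": rid, "client": m.group(1),
                               "method": m.group(2), "path": m.group(3),
                               "status": int(m.group(4))})
    for d in denied:  # join after the scan so entry order does not matter
        d["exception"], d["message"], d["app_frame"] = causes.get(
            d["request_id"], (None, None, None))
    return denied

if __name__ == "__main__":
    for d in denied_requests(SAMPLE):
        print(d)
```

On the constructed sample the only denied request is `00000903`, and its first TheHive frame is `AlertCtrl.scala:275` inside `createCase`; the `201` call under request id `000009c7` is not reported.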

mbgonzalez commented 1 year ago

I had the same error; you have to set a template in "Case Template" in Shuffle. I know it says "optional" but it is not. Sorry for the late answer.

joeylarosa17 commented 5 months ago

What do you mean by case template? I have the same error; from my end it's just creating alerts. - new to this.