threatgrid / ctia

Cisco Threat Intelligence API
Eclipse Public License 1.0

Private CTIA returns a 401 when doing a GET on /ctia/judgement/external_id/{external_id} #707

Closed hshahman closed 5 years ago

hshahman commented 6 years ago

Env: INT/TEST

Steps to reproduce:

There is no error in kibana and Nomad. Swagger returns a 401 response code with this body:

{
  "message": "Missing capability",
  "capabilities": [
    "read-judgement",
    "external-id"
  ],
  "owner": "db84....."
}

Swagger CURL: curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <JWT_TOKEN>' 'https://private.intel.test.iroh.site/ctia/judgement/external_id/0jDGbMEcEK9k5cf1'

External_ID on TEST: 0jDGbMEcEK9k5cf1

Judgement details:

{
  "valid_time": {
    "start_time": "2018-05-08T22:07:30.891Z",
    "end_time": "2018-05-08T22:07:30.891Z"
  },
  "schema_version": "0.4.29",
  "observable": {
    "value": "61ba2b2a508f59e18d5b530293ffc1c81c60bea83acda9e3d57d503fc97c6ee6",
    "type": "sha256"
  },
  "type": "judgement",
  "source": "C282889",
  "external_ids": [
    "0jDGbMEcEK9k5cf1"
  ],
  "disposition": 3,
  "reason": "C282889",
  "source_uri": "https://some.test/sighting/C282889",
  "disposition_name": "Suspicious",
  "priority": 0,
  "id": "https://private.intel.test.iroh.site:443/ctia/judgement/judgement-1a39ff63-d274-4fa7-8a82-50bc6ed79494",
  "severity": "Unknown",
  "tlp": "amber",
  "confidence": "Unknown"
}

yogsototh commented 6 years ago

The current JWT generation doesn't provide the following three capabilities: :developer, :specify-id, :external-id, which we currently consider as "IROH admin only". And the only way to get those capabilities is currently via API key. We plan to add those capabilities via JWT later.

gbuisson commented 5 years ago

If there's no objection, I can add the :external-id capability by default.

gbuisson commented 5 years ago

It's already there, so it should work:

(def default-capabilities
  {:user
   #{:read-actor
     :read-attack-pattern
     :read-campaign
     :read-coa
     :read-feedback
     :read-incident
     :read-indicator
     :list-indicators
     :read-judgement
     :list-judgements
     :read-malware
     :read-relationship
     :list-relationships
     :read-sighting
     :list-sightings
     :read-tool
     :read-verdict
     :read-weakness
     :list-weaknesses
     :import-bundle
     :external-id}
   :admin
   all-capabilities})

hshahman commented 5 years ago
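As an added illustration, not CTIA's own code or any participant's comment, the following Clojure snippet shows how a capability check of the kind discussed in this thread produces the "Missing capability" 401 body quoted at the top of the issue: the route requires both :read-judgement and :external-id, and any capability the principal lacks turns the request into a 401 that names the required set. The principal-to-capabilities mapping, the trimmed capability sets and the "owner-placeholder" value are assumptions made for the example.

```clojure
;; Added example (not CTIA's own code): a minimal capability check that
;; yields the "Missing capability" 401 body seen in the issue.
(ns capability-check-example
  (:require [clojure.set :as set]))

(def all-capabilities
  ;; Assumed superset for the example; CTIA's real list is much larger.
  #{:read-judgement :list-judgements :external-id :specify-id :developer})

(def default-capabilities
  ;; Same shape as the map quoted above, trimmed for the example.
  ;; The :user set deliberately lacks :external-id to reproduce the 401.
  {:user  #{:read-judgement :list-judgements}
   :admin all-capabilities})

(defn capabilities-for
  "Resolve a principal's capability set from its role.
  Unknown roles get no capabilities (deny by default)."
  [{:keys [role]}]
  (get default-capabilities role #{}))

(defn check-capabilities
  "Return nil when every required capability is granted; otherwise return a
  401-style response whose body lists the required capabilities, mirroring
  the Swagger output in this issue."
  [principal required]
  (let [granted (capabilities-for principal)
        missing (set/difference required granted)]
    (when (seq missing)
      {:status 401
       :body   {:message      "Missing capability"
                :capabilities (mapv name required)
                :owner        (:owner principal)}})))

;; Capabilities the GET /ctia/judgement/external_id/{external_id} route
;; asks for, as listed in the 401 body above.
(def read-by-external-id-required #{:read-judgement :external-id})

(comment
  ;; JWT-backed :user principal without :external-id -> 401 response map.
  (check-capabilities {:role :user :owner "owner-placeholder"}
                      read-by-external-id-required)
  ;; :admin principal (all capabilities) -> nil, request proceeds.
  (check-capabilities {:role :admin :owner "owner-placeholder"}
                      read-by-external-id-required))
```

The check reports the full required set rather than only the missing members, which matches the response in the issue and avoids leaking which capabilities the caller already holds; evaluating the forms in the `comment` block at a REPL shows the 401 map for the :user principal and nil for the :admin one.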

Here you are, my JWT contains these scopes:

    "iroh-admin",
    "integration",
    "private-intel",
    "profile",
    "inspect",
    "iroh-auth",
    "sse",
    "cisco",
    "casebook",
    "enrich",
    "oauth",
    "global-intel",
    "collect",
    "response",
    "ui-settings",
    "global-intel:read"

hshahman commented 5 years ago

Verified in rel-v1.18