From cb45e06ebc1e4067faa2bc79588728a958b09bf3 Mon Sep 17 00:00:00 2001
From: terrtia
Date: Tue, 3 Sep 2024 16:27:02 +0200
Subject: [PATCH] chg: [module extractor] check tracker and retro hunt acl
---
 bin/lib/Tracker.py | 18 +++++++++++++++++-
 bin/lib/module_extractor.py | 24 ++++++++++++++++--------
 var/www/blueprints/chats_explorer.py | 4 ++--
 var/www/blueprints/objects_item.py | 4 ++--
 4 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/bin/lib/Tracker.py b/bin/lib/Tracker.py
index 3e64957a..e528bd54 100755
--- a/bin/lib/Tracker.py
+++ b/bin/lib/Tracker.py
@@ -217,6 +217,15 @@ class Tracker:
 ail_orgs.remove_obj_to_org(old_org, 'tracker', self.uuid)
 self.set_level(new_level, new_org_uuid)
+ def check_level(self, user_org, user_id):
+ level = self.get_level()
+ if level == 1:
+ return True
+ elif level == 0:
+ return self.get_user() == user_id
+ elif level == 2:
+ return self.get_org() == user_org
+
 def is_level_user(self):
 return self.get_level() == 0
@@ -1454,7 +1463,7 @@ class RetroHunt:
 def get_level(self):
 level = int(self._get_field('level'))
 if not level:
- level = 0
+ level = 1
 return int(level)
 def set_level(self, level, org_uuid):
@@ -1477,6 +1486,13 @@ class RetroHunt:
 self.delete_level(old_level)
 self.set_level(new_level, new_org_uuid)
+ def check_level(self, user_org):
+ level = self.get_level()
+ if level == 1:
+ return True
+ elif level == 2:
+ return self.get_org() == user_org
+
 ## ORG ##
 def get_creator_org(self):
diff --git a/bin/lib/module_extractor.py b/bin/lib/module_extractor.py
index f66ccb89..d4ccc5ee 100755
--- a/bin/lib/module_extractor.py
+++ b/bin/lib/module_extractor.py
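Review bot: `Tracker.check_level` in the first hunk of `bin/lib/Tracker.py` (and `RetroHunt.check_level` in the third) has no final `return`, so any level outside the handled values yields `None`. That is falsy and the callers in `module_extractor.py` skip the object, so access is denied, but the fail-closed behaviour is only implicit; ending both methods with `return False` and adding a one-line docstring naming the levels as the branches read them (1 visible to everyone, 0 matched against the owning user, 2 against the organisation) would make the contract explicit. For level 2, `self.get_org() == user_org` would also succeed if both sides were `None`; whether `get_org()` or `get_user_org()` can return `None` is not visible here, so `user_org is not None and self.get_org() == user_org` is worth considering.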
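Review bot: Changing the fallback in `RetroHunt.get_level` from `0` to `1` (second hunk of `bin/lib/Tracker.py`) makes the default fail-open, because `RetroHunt.check_level` returns `True` for level 1 and a retro hunt whose stored level is `0` is therefore shown to every user. `RetroHunt.check_level` has no branch for level 0, so if user-private retro hunts exist (not visible in this diff) they are now treated as global rather than restricted; please confirm that is intended for legacy entries. Separately, `int(self._get_field('level'))` runs before the `if not level` test, so a missing field would presumably raise inside `int()` instead of reaching the fallback; `level = int(self._get_field('level') or 0)` keeps the current result for stored values and makes the default reachable.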
@@ -14,8 +14,8 @@ sys.path.append(os.environ['AIL_BIN'])
 ##################################
 # Import Project packages
 ##################################
+from lib.ail_users import get_user_org
 from lib.objects import ail_objects
-from lib.objects.Items import Item
 from lib.objects.Titles import Title
 from lib import correlations_engine
 from lib import regex_helper
@@ -140,13 +140,16 @@ def convert_byte_offset_to_string(b_content, offset):
 # TODO RETRO HUNTS
 # TODO TRACKER TYPE IN UI
-def get_tracker_match(obj, content):
+def get_tracker_match(user_org, user_id, obj, content):
 extracted = []
 extracted_yara = []
 obj_gid = obj.get_global_id()
 trackers = Tracker.get_obj_trackers(obj.type, obj.get_subtype(r_str=True), obj.id)
 for tracker_uuid in trackers:
 tracker = Tracker.Tracker(tracker_uuid)
+ if not tracker.check_level(user_org, user_id):
+ continue
+
 tracker_type = tracker.get_type()
 # print(tracker_type)
 tracked = tracker.get_tracked()
@@ -182,6 +185,9 @@ def get_tracker_match(obj, content):
 retro_hunts = Tracker.get_obj_retro_hunts(obj.type, obj.get_subtype(r_str=True), obj.id)
 for retro_uuid in retro_hunts:
 retro_hunt = Tracker.RetroHunt(retro_uuid)
+ if not retro_hunt.check_level(user_org):
+ continue
+
 rule = retro_hunt.get_rule(r_compile=True)
 rule.match(data=content.encode(), callback=_get_yara_match, which_callbacks=yara.CALLBACK_MATCHES, timeout=30)
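Review bot: `get_tracker_match` now returns a result that depends on the caller, but neither the signature nor a docstring says so, and `user_org`/`user_id` were added as leading positional parameters. A docstring such as `"""Return the tracker and retro-hunt matches in content that user_id (organisation user_org) is allowed to see."""` would tell future callers that the output must not be shared or cached across users. The same applies to the retro-hunt guard in the `@@ -182,6 +185,9 @@` hunk, where `retro_hunt.check_level(user_org)` filters per organisation only. The function body extends beyond both hunks.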
@@ -209,23 +215,25 @@ def get_tracker_match(obj, content):
 # tag:iban
 # tracker:uuid
 # def extract(obj_id, content=None):
-def extract(obj_type, subtype, obj_id, content=None):
+def extract(user_id, obj_type, subtype, obj_id, content=None):
 obj = ail_objects.get_object(obj_type, subtype, obj_id)
 if not obj.exists():
 return []
 obj_gid = obj.get_global_id()
+ user_org = get_user_org(user_id)
+
 # CHECK CACHE
- cached = r_cache.get(f'extractor:cache:{obj_gid}')
+ cached = r_cache.get(f'extractor:cache:{obj_gid}:{user_org}:{user_id}')
 # cached = None
 if cached:
- r_cache.expire(f'extractor:cache:{obj_gid}', 300)
+ r_cache.expire(f'extractor:cache:{obj_gid}:{user_org}:{user_id}', 300)
 return json.loads(cached)
 if not content:
 content = obj.get_content()
- extracted = get_tracker_match(obj, content)
+ extracted = get_tracker_match(user_org, user_id, obj, content)
 # print(item.get_tags())
 for tag in obj.get_tags():
@@ -249,8 +257,8 @@ def extract(obj_type, subtype, obj_id, content=None):
 # Save In Cache
 if extracted:
 extracted_dump = json.dumps(extracted)
- r_cache.set(f'extractor:cache:{obj_gid}', extracted_dump)
- r_cache.expire(f'extractor:cache:{obj_gid}', 300) # TODO Reduce CACHE ???????????????
+ r_cache.set(f'extractor:cache:{obj_gid}:{user_org}:{user_id}', extracted_dump)
+ r_cache.expire(f'extractor:cache:{obj_gid}:{user_org}:{user_id}', 300) # TODO Reduce CACHE ???????????????
 return extracted
diff --git a/var/www/blueprints/chats_explorer.py b/var/www/blueprints/chats_explorer.py
index 83126b1e..7ac3db7a 100644
--- a/var/www/blueprints/chats_explorer.py
+++ b/var/www/blueprints/chats_explorer.py
@@ -10,7 +10,7 @@ import sys
 import json
 from flask import Flask, render_template, jsonify, request, Blueprint, redirect, url_for, Response, abort
-from flask_login import login_required
+from flask_login import login_required, current_user
 # Import Role_Manager
 from Role_Manager import login_admin, login_analyst, login_read_only
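Review bot: On a cache hit in `extract` (hunk `@@ -209,23 +215,25 @@`), `r_cache.expire(f'extractor:cache:{obj_gid}:{user_org}:{user_id}', 300)` renews the TTL, so a user who keeps reloading the object is served the cached matches indefinitely and `check_level` is never re-evaluated. If a tracker's level or the user's organisation changes, matches that were visible before stay visible to that user until the key has been idle for 300 seconds; dropping the renewal on hit, or deleting the affected keys when a level changes, would bound that window. The key is also spelled out as the same f-string in four places across this hunk and the next, and a single `cache_key = f'extractor:cache:{obj_gid}:{user_org}:{user_id}'` after the `get_user_org()` call would keep them from drifting apart. `user_id` is inserted as the first positional parameter, so any caller not updated in this commit would bind its arguments to the wrong parameters; only the two blueprint call sites are visible here.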
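Review bot: In the `@@ -249,8 +257,8 @@` hunk, `r_cache.set(...)` followed by a separate `r_cache.expire(..., 300)` is not atomic, so a failure between the two calls leaves a key with no TTL. With the key now including `user_org` and `user_id`, the number of entries grows with objects times users, which makes leaked keys and the lifetime questioned in the existing TODO matter more. If `r_cache` is a redis-py client (not visible in this hunk), `r_cache.set(f'extractor:cache:{obj_gid}:{user_org}:{user_id}', extracted_dump, ex=300)` sets value and expiry in one command.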
@@ -236,7 +236,7 @@ def objects_message():
 else:
 message = message[0]
 languages = Language.get_translation_languages()
- extracted = module_extractor.extract('message', '', message['id'], content=message['content'])
+ extracted = module_extractor.extract(current_user.get_user_id(), 'message', '', message['id'], content=message['content'])
 extracted_matches = module_extractor.get_extracted_by_match(extracted)
 message['extracted'] = extracted
 message['extracted_matches'] = extracted_matches
diff --git a/var/www/blueprints/objects_item.py b/var/www/blueprints/objects_item.py
index 2ce48e7f..92b7b9e1 100644
--- a/var/www/blueprints/objects_item.py
+++ b/var/www/blueprints/objects_item.py
@@ -10,7 +10,7 @@ import os
 import sys
 from flask import Flask, render_template, jsonify, request, Blueprint, redirect, url_for, Response, abort, send_file, send_from_directory
-from flask_login import login_required
+from flask_login import login_required, current_user
 # Import Role_Manager
 from Role_Manager import login_admin, login_analyst, login_read_only, no_cache
@@ -85,7 +85,7 @@ def showItem(): # # TODO: support post
 else:
 meta['investigations'] = []
- extracted = module_extractor.extract('item', '', item.id, content=meta['content'])
+ extracted = module_extractor.extract(current_user.get_user_id(), 'item', '', item.id, content=meta['content'])
 extracted_matches = module_extractor.get_extracted_by_match(extracted)
 return render_template("show_item.html", bootstrap_label=bootstrap_label,
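Review bot: `current_user.get_user_id()` in `objects_message` (and the same call in `showItem` in `objects_item.py`) assumes an authenticated user object. Flask-Login's default anonymous user does not carry application-defined methods, so unless the app registers a custom anonymous class the call would raise if either view were reachable without login. The route decorators are outside both hunks, so please confirm each view is behind `@login_required`. Taking the ACL subject from the session rather than from request parameters is the right choice, and a short comment at the call, e.g. `# ACL subject comes from the session, never from request args`, would help keep it that way.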