Add manage permission for input types (#22468)

* add restrict_input_types config parameter

* add `INPUT_TYPES_READ` permission and use it in `InputTypesResource`

* switch from name to type

* cl

* added integration test for input permissions

* added license

* Extended input permission IT to input types

* correct/add all necessary input types permissions

* remove config parameter

* add input types permission to InputsResource

* add missing check

* adjust IT

* fix license header

* fix InputsResourceMaskingPasswordsTest

* add input type permission checks

* add input type permission check

* remove jetbrain annotation

* add input type permission checks

* add input type permission checks

* add wait for roles cache in InputPermissionsIT

* add migration to add input type permissions to existing input permission roles

* fix license header

* add upgrading notice

* merge input type management permissions, remove read permission

* update changelog, UPGRADING.md

* cleanup

---------

Co-authored-by: Tomas Dvorak <[email protected]>

Author: moesterheld

UPGRADING.md

@@ -13,7 +13,14 @@ Upgrading to Graylog 6.3.x
 
 ## Default Configuration Changes
 
-- tbd
+- A permission `input_types:create` for creating input types has been introduced.
+
+  By granting only permissions for specific input types (e.g.
+  `input_types:create:org.graylog2.inputs.misc.jsonpath.JsonPathInput`),
+  users can be only allowed to manage inputs of specific types. Granting the permission without specifying input
+  types (as shown above) will allow management of all input types.
+  Existing roles and users are updated to automatically include the permissions for all input types if they contain a
+  manage permission for inputs.
 
 ## Java API Changes
 

changelog/unreleased/pr-22468.toml

@@ -0,0 +1,5 @@
+type = "a" # One of: a(dded), c(hanged), d(eprecated), r(emoved), f(ixed), s(ecurity)
+message = "Adds a permission to restrict creation of specified input types."
+
+issues = ["graylog-plugin-enterprise#10477"]
+pulls = ["22468"]

full-backend-tests/src/test/java/org/graylog2/inputs/InputPermissionsIT.java

@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.inputs;
+
+import net.bytebuddy.utility.RandomString;
+import org.assertj.core.api.Assertions;
+import org.graylog.testing.completebackend.Lifecycle;
+import org.graylog.testing.completebackend.apis.GraylogApiResponse;
+import org.graylog.testing.completebackend.apis.GraylogApis;
+import org.graylog.testing.completebackend.apis.Users;
+import org.graylog.testing.containermatrix.SearchServer;
+import org.graylog.testing.containermatrix.annotations.ContainerMatrixTest;
+import org.graylog.testing.containermatrix.annotations.ContainerMatrixTestsConfiguration;
+import org.graylog2.shared.security.RestPermissions;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import static org.hamcrest.CoreMatchers.equalTo;
+
+@ContainerMatrixTestsConfiguration(serverLifecycle = Lifecycle.VM, searchVersions = SearchServer.DATANODE_DEV)
+public class InputPermissionsIT {
+
+    private final GraylogApis apis;
+
+    private GraylogApiResponse roleInputsReader;
+    private GraylogApiResponse roleInputsCreator;
+    private GraylogApiResponse roleRestrictedInputsCreator;
+
+    private Users.User inputsReader;
+    private Users.User inputsCreator;
+    private Users.User restrictedInputsCreator;
+
+    public InputPermissionsIT(GraylogApis apis) {
+        this.apis = apis;
+    }
+
+    @BeforeAll
+    void setUp() {
+        roleInputsReader = apis.roles().create("custom_inputs_reader", "inputs reader can only see inputs", Set.of(
+                RestPermissions.INPUTS_READ
+        ), false);
+        inputsReader = createUser("inputs.reader", roleInputsReader);
+
+        roleInputsCreator = apis.roles().create("custom_inputs_creator", "inputs creator can only create inputs", Set.of(
+                RestPermissions.INPUTS_READ,
+                RestPermissions.INPUTS_CREATE,
+                RestPermissions.INPUT_TYPES_CREATE
+        ), false);
+        inputsCreator = createUser("inputs.creator", roleInputsCreator);
+
+        roleRestrictedInputsCreator = apis.roles().create("custom_restricted_inputs_creator", "inputs creator can only create certain inputs", Set.of(
+                RestPermissions.INPUTS_READ,
+                RestPermissions.INPUTS_CREATE,
+                RestPermissions.INPUT_TYPES_CREATE + ":org.graylog2.inputs.random.FakeHttpMessageInput",
+                RestPermissions.INPUT_TYPES_CREATE + ":org.graylog2.inputs.gelf.tcp.GELFTCPInput"
+
+        ), false);
+        restrictedInputsCreator = createUser("restricted.inputs.creator", roleRestrictedInputsCreator);
+
+        waitForRolesCacheRefresh();
+
+        apis.users().createUser(inputsReader);
+        apis.users().createUser(inputsCreator);
+        apis.users().createUser(restrictedInputsCreator);
+    }
+
+    /**
+     * Roles are stored in mongodb, but the auth backend is refreshing those only once every second. If we trigger a call
+     * before the role is refreshed, we may get weird results.
+     * @see org.graylog2.security.InMemoryRolePermissionResolver
+     */
+    private static void waitForRolesCacheRefresh() {
+        try {
+            // This is naive and wrong, but very simple to implement. Another approach would be to have a fingerprint of
+            // roles cache, similarly to StreamRouterEngine and its fingerprint.
+            Thread.sleep(1000);
+        } catch (InterruptedException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private Users.User createUser(String username, GraylogApiResponse... roles) {
+        return new Users.User(username, RandomString.make(), "<Generated>", username,
+                username + "@graylog", false, 30_0000, "Europe/Vienna",
+                Arrays.stream(roles).map(role -> role.properJSONPath().read("name", String.class)).toList(), List.of());
+    }
+
+    @AfterAll
+    void tearDown() {
+        apis.users().deleteUser(inputsReader.username());
+        apis.users().deleteUser(inputsCreator.username());
+        apis.users().deleteUser(restrictedInputsCreator.username());
+
+        apis.roles().delete(roleInputsReader.properJSONPath().read("name", String.class));
+        apis.roles().delete(roleInputsCreator.properJSONPath().read("name", String.class));
+        apis.roles().delete(roleRestrictedInputsCreator.properJSONPath().read("name", String.class));
+    }
+
+    @ContainerMatrixTest
+    void testPermittedInputCreationAndReading() {
+        String inputId = apis.forUser(inputsCreator).inputs().createGlobalInput("testInput",
+                "org.graylog2.inputs.random.FakeHttpMessageInput",
+                Map.of("sleep", 30,
+                        "sleep_deviation", 30,
+                        "source", "example.org"));
+        apis.waitFor(() ->
+                        apis.inputs().getInputState(inputId)
+                                .extract().body().jsonPath().get("state")
+                                .equals("RUNNING"),
+                "Timed out waiting for HTTP Random Message Input to become available");
+
+        apis.forUser(inputsReader).inputs().getInput(inputId).assertThat().body("id", equalTo(inputId));
+
+        apis.inputs().deleteInput(inputId);
+
+        String inputId2 = apis.forUser(restrictedInputsCreator).inputs().createGlobalInput("testInput",
+                "org.graylog2.inputs.random.FakeHttpMessageInput",
+                Map.of("sleep", 30,
+                        "sleep_deviation", 30,
+                        "source", "example.org"));
+        apis.waitFor(() ->
+                        apis.inputs().getInputState(inputId2)
+                                .extract().body().jsonPath().get("state")
+                                .equals("RUNNING"),
+                "Timed out waiting for HTTP Random Message Input to become available");
+
+        apis.forUser(inputsReader).inputs().getInput(inputId2).assertThat().body("id", equalTo(inputId2));
+
+        apis.inputs().deleteInput(inputId2);
+    }
+
+    @ContainerMatrixTest
+    void testRestrictedInputCreationAndReading() {
+        String inputId = apis.forUser(inputsCreator).inputs().createGlobalInput("testInput",
+                "org.graylog2.inputs.misc.jsonpath.JsonPathInput",
+                Map.of("target_url", "https://example.org",
+                        "interval", 10,
+                        "timeunit", "MINUTES",
+                        "path", "$.data",
+                        "source", "messagesource"));
+        apis.waitFor(() ->
+                        apis.inputs().getInputState(inputId)
+                                .extract().body().jsonPath().get("state")
+                                .equals("RUNNING"),
+                "Timed out waiting for Json Input to become available");
+
+        apis.forUser(inputsReader).inputs().getInput(inputId).assertThat().body("id", equalTo(inputId));
+
+        apis.inputs().deleteInput(inputId);
+
+        Assertions.assertThatThrownBy(() -> apis.forUser(restrictedInputsCreator).inputs().createGlobalInput("testInput",
+                        "org.graylog2.inputs.misc.jsonpath.JsonPathInput",
+                        Map.of("target_url", "https://example.org",
+                                "interval", 10,
+                                "timeunit", "MINUTES",
+                                "path", "$.data",
+                                "source", "messagesource")))
+                .isInstanceOf(AssertionError.class)
+                .hasMessageContaining("Expected status code <201> but was <403>");
+
+    }
+
+    @ContainerMatrixTest
+    void testInputTypesRead() {
+        final GraylogApiResponse inputTypesForReader = apis.forUser(inputsReader).inputs().getInputTypes();
+        final Map<String, String> typesReader = inputTypesForReader.properJSONPath().read("types");
+        Assertions.assertThat(typesReader).isEmpty();
+
+        final GraylogApiResponse inputTypesForRestrictedCreator = apis.forUser(restrictedInputsCreator).inputs().getInputTypes();
+        final Map<String, String> typesRestricted = inputTypesForRestrictedCreator.properJSONPath().read("types");
+        Assertions.assertThat(typesRestricted).containsOnlyKeys(
+                "org.graylog2.inputs.random.FakeHttpMessageInput",
+                "org.graylog2.inputs.gelf.tcp.GELFTCPInput"
+        );
+
+        final GraylogApiResponse inputTypesForCreator = apis.forUser(inputsCreator).inputs().getInputTypes();
+        final Map<String, String> typesCreator = inputTypesForCreator.properJSONPath().read("types");
+        Assertions.assertThat(typesCreator).hasSizeGreaterThan(5);
+    }
+}

graylog2-server/src/main/java/org/graylog/integrations/aws/resources/AWSResource.java

@@ -125,12 +125,11 @@ public Response kinesisHealthCheck(@ApiParam(name = "JSON body", required = true
     @Timed
     @Path("/inputs")
     @ApiOperation(value = "Create a new AWS input.")
-    @RequiresPermissions(RestPermissions.INPUTS_CREATE)
     @AuditEvent(type = IntegrationsAuditEventTypes.KINESIS_INPUT_CREATE)
+    @RequiresPermissions({RestPermissions.INPUTS_CREATE, RestPermissions.INPUT_TYPES_CREATE + ":org.graylog.integrations.aws.inputs.AWSInput"})
     public Response create(@ApiParam @QueryParam("setup_wizard") @DefaultValue("false") boolean isSetupWizard,
                            @ApiParam(name = "JSON body", required = true)
                            @Valid @NotNull AWSInputCreateRequest saveRequest) throws Exception {
-
         Input input = awsService.saveInput(saveRequest, getCurrentUser(), isSetupWizard);
         return Response.ok().entity(getInputSummary(input)).build();
     }

graylog2-server/src/main/java/org/graylog2/migrations/MigrationsModule.java

@@ -75,5 +75,6 @@ protected void configure() {
         addMigration(V20250206105400_TokenManagementConfiguration.class);
         addMigration(V20250219134200_DefaultTTLForNewTokens.class);
         addMigration(V20250327120900_RenameDefaultPipeline.class);
+        addMigration(V20250506090000_AddInputTypesPermissions.class);
     }
 }

graylog2-server/src/main/java/org/graylog2/migrations/V20250506090000_AddInputTypesPermissions.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.migrations;
+
+import jakarta.inject.Inject;
+import org.apache.commons.collections4.CollectionUtils;
+import org.graylog2.plugin.cluster.ClusterConfigService;
+import org.graylog2.plugin.database.ValidationException;
+import org.graylog2.shared.security.RestPermissions;
+import org.graylog2.shared.users.UserService;
+import org.graylog2.users.RoleService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.time.ZonedDateTime;
+import java.util.List;
+import java.util.Set;
+
+public class V20250506090000_AddInputTypesPermissions extends Migration {
+
+    private static final Logger LOG = LoggerFactory.getLogger(V20250506090000_AddInputTypesPermissions.class);
+
+    private final ClusterConfigService clusterConfigService;
+    private final RoleService roleService;
+    private final UserService userService;
+
+    @Inject
+    public V20250506090000_AddInputTypesPermissions(final ClusterConfigService clusterConfigService,
+                                                    RoleService roleService, UserService userService) {
+        this.clusterConfigService = clusterConfigService;
+        this.roleService = roleService;
+        this.userService = userService;
+    }
+
+    @Override
+    public ZonedDateTime createdAt() {
+        return ZonedDateTime.parse("2025-05-06T09:00:00Z");
+    }
+
+    @Override
+    public void upgrade() {
+        if (clusterConfigService.get(V20250506090000_AddInputTypesPermissions.MigrationCompleted.class) != null) {
+            LOG.debug("Migration already completed.");
+            return;
+        }
+        LOG.debug("Starting migration to add input types permissions.");
+        roleService.loadAll().stream()
+                .filter(role -> !role.isReadOnly())
+                .filter(role -> CollectionUtils.containsAny(role.getPermissions(),
+                        RestPermissions.INPUTS_CHANGESTATE, RestPermissions.INPUTS_CREATE,
+                        RestPermissions.INPUTS_EDIT, RestPermissions.INPUTS_TERMINATE))
+                .peek(role -> {
+                    Set<String> permissions = role.getPermissions();
+                    permissions.add(RestPermissions.INPUT_TYPES_CREATE);
+                    role.setPermissions(permissions);
+                }).forEach(role -> {
+                    LOG.info("Updating role {} to include input type permission", role.getName());
+                    try {
+                        roleService.save(role);
+                    } catch (ValidationException e) {
+                        LOG.error("Error updating role.", e);
+                    }
+                });
+
+        userService.loadAll().stream()
+                .filter(user -> CollectionUtils.containsAny(user.getPermissions(),
+                        RestPermissions.INPUTS_CHANGESTATE, RestPermissions.INPUTS_CREATE,
+                        RestPermissions.INPUTS_EDIT, RestPermissions.INPUTS_TERMINATE))
+                .peek(user -> {
+                    List<String> permissions = user.getPermissions();
+                    permissions.add(RestPermissions.INPUT_TYPES_CREATE);
+                    user.setPermissions(permissions);
+                }).forEach(user -> {
+                    LOG.info("Updating user {} to include individual input type permission", user.getName());
+                    try {
+                        userService.save(user);
+                    } catch (ValidationException e) {
+                        LOG.error("Error updating user.", e);
+                    }
+                });
+
+        clusterConfigService.write(new V20250506090000_AddInputTypesPermissions.MigrationCompleted());
+    }
+
+    public record MigrationCompleted() {
+    }
+}

graylog2-server/src/main/java/org/graylog2/rest/resources/system/inputs/AbstractInputsResource.java

@@ -47,7 +47,8 @@ public AbstractInputsResource(Map<String, InputDescription> availableInputs) {
     protected InputSummary getInputSummary(Input input) {
         final InputDescription inputDescription = this.availableInputs.get(input.getType());
         final ConfigurationRequest configurationRequest = inputDescription != null ? inputDescription.getConfigurationRequest() : null;
-        final Map<String, Object> configuration = isPermitted(RestPermissions.INPUTS_EDIT, input.getId()) ?
+        // remove after sharing inputs implemented (input types check)
+        final Map<String, Object> configuration = isPermitted(RestPermissions.INPUTS_EDIT, input.getId()) && isPermitted(RestPermissions.INPUT_TYPES_CREATE, input.getType()) ?
                 input.getConfiguration() : maskPasswordsInConfiguration(input.getConfiguration(), configurationRequest);
         return InputSummary.create(input.getTitle(),
                 input.isGlobal(),