Implement entity share request for collection (#22945)

* Add "Valid" annotation to CreateEntityRequest#entity (#22820)

Enables cascading validations.

* Expose MongoCollection#findOneAndUpdate method with update pipeline (#22820)

This is required to use update aggregation pipelines.

* Add more helper methods to PluginModule (#22820)

- addGRNTypeProvider
- addCapabilityPermissions
- addSyncedEntitiesResolver

* Map USERS_READ and USERS_EDIT to capabilities (#22820)

This makes it possible to create working grants for users/teams.

* Expose another ObjectMapper constructor for testing (#22820)

We need to be able to customize the GRN registry.

* Fix TestUserService#loadByIds method (#22820)

The given IDs must be converted to ObjectIDs.

* checkpoint

* add collections to create request

* license header

* use utility methods

* adjust stream create to new api

* adjust eventDefinition create to new endpoint

- add create event definition hook

* adjust event definition types

* adjust Notication create to new api

* adjust view endpoint to new API

* fix linter

* use pluggable entitshare form group

* add hook

* add license

- renaming

* update test

* adjust label

* rename hook

* add collection binding for backend test

* fix test

* adjust tests for modified entity creation request

* fix merge conflict

* adjust more backend tests to modified signature

* check for selected_grantee_capabilities

* cleanup merge

* upgrading.md and remove unneeded default implementation

---------

Co-authored-by: Bernd Ahlers <[email protected]>
Co-authored-by: Bernd Ahlers <[email protected]>
Co-authored-by: Othello Maurer <[email protected]>
Co-authored-by: patrickmann <[email protected]>
Co-authored-by: Patrick Mann <[email protected]>
Co-authored-by: Laura Bergenthal-Grotlüschen <[email protected]>
Co-authored-by: Anton Ebel <[email protected]>

Author: 6 people

UPGRADING.md

@@ -27,7 +27,37 @@ can only talk to Kafka brokers with version 2.1 or newer.
 
 - In Graylog 7.0, an issue was fixed that previously allowed additional unknown JSON properties to be accepted 
   (and ignored) in API requests on the Graylog leader node. Now that the issue has been fixed, API requests on the 
-  leader node will once again only accept JSON payloads that contain explicitly mapped/supported properties.  
+  leader node will once again only accept JSON payloads that contain explicitly mapped/supported properties.
+- APIs for entity creation now use a parameter `CreateEntityRequest` to keep entity fields separated from sharing 
+  information. This is a breaking change for all API requests that create entities, such as streams, dashboards, etc.
+  <br> Affected entities: 
+  - Search / Dashboard 
+  - Search Filter 
+  - Report
+  - Event Definition
+  - Stream
+  - Notifications
+  - Sigma rules
+  - Event procedure
+  - Event step
+  
+  <br> For example, the request payload to create a stream might now look like this:
+
+```json
+{
+    "entity":{
+        "index_set_id":"65b7ba138cdb8c534a953fef",
+        "description":"An example stream",
+        "title":"My Stream",
+        "remove_matches_from_default_stream":false
+    },
+    "share_request":{
+        "selected_grantee_capabilities":{
+            "grn::::search:684158906442150b2eefb78c":"own"
+        }
+    }
+}
+```
 
 ## REST API Endpoint Changes
 
@@ -36,3 +66,4 @@ The following REST API changes have been made.
 | Endpoint                                                              | Description                                                                             |
 |-----------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
 | `GET /<endpoint>`                                                     | description                                                                             |
+| `GET /<endpoint>`                                                     | description                                                                             |

full-backend-tests/src/test/java/org/graylog/exceptionmappers/JsonParsingErrorsIT.java

@@ -101,18 +101,15 @@ void returnsSpecificErrorForJsonParsingError() {
     @ContainerMatrixTest
     void extractsReferencePathFromMissingProperty() {
         assertErrorResponse(STREAMS, "{}")
-                .body("reference_path", equalTo("org.graylog2.rest.resources.streams.requests.CreateStreamRequest"));
+                .body("reference_path", equalTo("org.graylog.security.shares.CreateEntityRequest"));
 
         assertErrorResponse(STREAMS, """
                 {
                     "title": "Foo",
                     "rules": [{}]
                 }
                 """)
-                .body("reference_path", equalTo(
-                        "org.graylog2.rest.resources.streams.requests.CreateStreamRequest[\"rules\"]" +
-                                "->java.util.ArrayList[0]" +
-                                "->org.graylog2.rest.resources.streams.rules.requests.CreateStreamRuleRequest"));
+                .body("reference_path", equalTo("org.graylog.security.shares.CreateEntityRequest"));
     }
 
     @ContainerMatrixTest

full-backend-tests/src/test/java/org/graylog/testing/utils/StreamUtils.java

@@ -19,7 +19,7 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.restassured.response.ValidatableResponse;
 import io.restassured.specification.RequestSpecification;
-import org.graylog.testing.completebackend.apis.GraylogApis;
+import org.graylog.security.shares.CreateEntityRequest;
 
 import java.util.Collection;
 import java.util.List;
@@ -41,7 +41,8 @@ record CreateStreamRequest(@JsonProperty("title") String title,
                                @JsonProperty("index_set_id") String indexSetId) {}
 
     public static String createStream(Supplier<RequestSpecification> spec, String title, String indexSetId, StreamRule... streamRules) {
-        final CreateStreamRequest body = new CreateStreamRequest(title, List.of(streamRules), indexSetId);
+        final CreateEntityRequest<CreateStreamRequest> body = CreateEntityRequest.create(
+                new CreateStreamRequest(title, List.of(streamRules), indexSetId), null);
         final String streamId = given()
                 .spec(spec.get())
                 .when()

full-backend-tests/src/test/resources/org/graylog/plugins/views/startpage-views-request.json

@@ -1,41 +1,44 @@
 {
-  "id": "6141d45bd3a6b9d73c8ac55c",
-  "type": "DASHBOARD",
-  "title": "test",
-  "search_id": "6141d457d3a6b9d73c8ac55b",
-  "state": {
-    "278992f6-8930-43f5-9dd7-11bbc4e3b797": {
-      "titles": {},
-      "widgets": [
-        {
-          "id": "34316a67-3dca-4994-a061-2fc6a9bf7f0b",
-          "type": "logs",
-          "config": {
-            "fields": [
-              "timestamp",
-              "source",
-              "message"
-            ],
-            "size": 100,
-            "sort": "DESC"
-          },
-          "streams": []
-        }
-      ],
-      "widget_mapping": {
-        "34316a67-3dca-4994-a061-2fc6a9bf7f0b": [
-          "967d2217-fd99-48a6-b829-5acdab906807"
-        ]
-      },
-      "positions": {
-        "34316a67-3dca-4994-a061-2fc6a9bf7f0b": {
-          "col": 1,
-          "row": 1,
-          "height": 4,
-          "width": 12
+  "entity":
+  {
+    "id": "6141d45bd3a6b9d73c8ac55c",
+    "type": "DASHBOARD",
+    "title": "test",
+    "search_id": "6141d457d3a6b9d73c8ac55b",
+    "state": {
+      "278992f6-8930-43f5-9dd7-11bbc4e3b797": {
+        "titles": {},
+        "widgets": [
+          {
+            "id": "34316a67-3dca-4994-a061-2fc6a9bf7f0b",
+            "type": "logs",
+            "config": {
+              "fields": [
+                "timestamp",
+                "source",
+                "message"
+              ],
+              "size": 100,
+              "sort": "DESC"
+            },
+            "streams": []
+          }
+        ],
+        "widget_mapping": {
+          "34316a67-3dca-4994-a061-2fc6a9bf7f0b": [
+            "967d2217-fd99-48a6-b829-5acdab906807"
+          ]
+        },
+        "positions": {
+          "34316a67-3dca-4994-a061-2fc6a9bf7f0b": {
+            "col": 1,
+            "row": 1,
+            "height": 4,
+            "width": 12
+          }
         }
       }
-    }
-  },
-  "created_at": "2021-09-15T11:08:42.248Z"
+    },
+    "created_at": "2021-09-15T11:08:42.248Z"
+  }
 }

full-backend-tests/src/test/resources/org/graylog/plugins/views/views-request-invalid-search-type.json

@@ -1,41 +1,43 @@
 {
-  "id": "6141d45bd3a6b9d73c8ac55b",
-  "type": "DASHBOARD",
-  "title": "test",
-  "search_id": "6141d457d3a6b9d73c8ac55c",
-  "state": {
-    "278992f6-8930-43f5-9dd7-11bbc4e3b797": {
-      "titles": {},
-      "widgets": [
-        {
-          "id": "34316a67-3dca-4994-a061-2fc6a9bf7f0b",
-          "type": "logs",
-          "config": {
-            "fields": [
-              "timestamp",
-              "source",
-              "message"
-            ],
-            "size": 100,
-            "sort": "DESC"
-          },
-          "streams": []
-        }
-      ],
-      "widget_mapping": {
-        "34316a67-3dca-4994-a061-2fc6a9bf7f0b": [
-          "967d2217-fd99-48a6-b829-5acdab906808"
-        ]
-      },
-      "positions": {
-        "34316a67-3dca-4994-a061-2fc6a9bf7f0b": {
-          "col": 1,
-          "row": 1,
-          "height": 4,
-          "width": 12
+  "entity": {
+    "id": "6141d45bd3a6b9d73c8ac55b",
+    "type": "DASHBOARD",
+    "title": "test",
+    "search_id": "6141d457d3a6b9d73c8ac55c",
+    "state": {
+      "278992f6-8930-43f5-9dd7-11bbc4e3b797": {
+        "titles": {},
+        "widgets": [
+          {
+            "id": "34316a67-3dca-4994-a061-2fc6a9bf7f0b",
+            "type": "logs",
+            "config": {
+              "fields": [
+                "timestamp",
+                "source",
+                "message"
+              ],
+              "size": 100,
+              "sort": "DESC"
+            },
+            "streams": []
+          }
+        ],
+        "widget_mapping": {
+          "34316a67-3dca-4994-a061-2fc6a9bf7f0b": [
+            "967d2217-fd99-48a6-b829-5acdab906808"
+          ]
+        },
+        "positions": {
+          "34316a67-3dca-4994-a061-2fc6a9bf7f0b": {
+            "col": 1,
+            "row": 1,
+            "height": 4,
+            "width": 12
+          }
         }
       }
-    }
-  },
-  "created_at": "2021-09-15T11:08:42.248Z"
+    },
+    "created_at": "2021-09-15T11:08:42.248Z"
+  }
 }

full-backend-tests/src/test/resources/org/graylog/plugins/views/views-request.json

@@ -1,41 +1,43 @@
 {
-  "id": "6141d45bd3a6b9d73c8ac55b",
-  "type": "DASHBOARD",
-  "title": "test",
-  "search_id": "6141d457d3a6b9d73c8ac55a",
-  "state": {
-    "278992f6-8930-43f5-9dd7-11bbc4e3b797": {
-      "titles": {},
-      "widgets": [
-        {
-          "id": "34316a67-3dca-4994-a061-2fc6a9bf7f0b",
-          "type": "logs",
-          "config": {
-            "fields": [
-              "timestamp",
-              "source",
-              "message"
-            ],
-            "size": 100,
-            "sort": "DESC"
-          },
-          "streams": []
-        }
-      ],
-      "widget_mapping": {
-        "34316a67-3dca-4994-a061-2fc6a9bf7f0b": [
-          "967d2217-fd99-48a6-b829-5acdab906807"
-        ]
-      },
-      "positions": {
-        "34316a67-3dca-4994-a061-2fc6a9bf7f0b": {
-          "col": 1,
-          "row": 1,
-          "height": 4,
-          "width": 12
+  "entity": {
+      "id": "6141d45bd3a6b9d73c8ac55b",
+    "type": "DASHBOARD",
+    "title": "test",
+    "search_id": "6141d457d3a6b9d73c8ac55a",
+    "state": {
+      "278992f6-8930-43f5-9dd7-11bbc4e3b797": {
+        "titles": {},
+        "widgets": [
+          {
+            "id": "34316a67-3dca-4994-a061-2fc6a9bf7f0b",
+            "type": "logs",
+            "config": {
+              "fields": [
+                "timestamp",
+                "source",
+                "message"
+              ],
+              "size": 100,
+              "sort": "DESC"
+            },
+            "streams": []
+          }
+        ],
+        "widget_mapping": {
+          "34316a67-3dca-4994-a061-2fc6a9bf7f0b": [
+            "967d2217-fd99-48a6-b829-5acdab906807"
+          ]
+        },
+        "positions": {
+          "34316a67-3dca-4994-a061-2fc6a9bf7f0b": {
+            "col": 1,
+            "row": 1,
+            "height": 4,
+            "width": 12
+          }
         }
       }
-    }
-  },
-  "created_at": "2021-09-15T11:08:42.248Z"
+    },
+    "created_at": "2021-09-15T11:08:42.248Z"
+  }
 }

graylog2-server/src/main/java/org/graylog/events/rest/EventDefinitionsResource.java

@@ -66,8 +66,8 @@
 import org.graylog.plugins.views.startpage.recentActivities.RecentActivityService;
 import org.graylog.scheduler.schedule.CronUtils;
 import org.graylog.security.UserContext;
+import org.graylog.security.shares.CreateEntityRequest;
 import org.graylog.security.shares.EntitySharesService;
-import org.graylog.security.shares.UnwrappedCreateEntityRequest;
 import org.graylog2.audit.AuditEventSender;
 import org.graylog2.audit.jersey.AuditEvent;
 import org.graylog2.audit.jersey.NoAuditEvent;
@@ -281,8 +281,8 @@ public List<EventDefinitionDto> getById(@ApiParam(name = "JSON body") @Valid Get
     @AuditEvent(type = EventsAuditEventTypes.EVENT_DEFINITION_CREATE)
     @RequiresPermissions(RestPermissions.EVENT_DEFINITIONS_CREATE)
     public Response create(@ApiParam("schedule") @QueryParam("schedule") @DefaultValue("true") boolean schedule,
-                           @ApiParam(name = "JSON Body") UnwrappedCreateEntityRequest<EventDefinitionDto> unwrappedCreateEntityRequest, @Context UserContext userContext) {
-        final EventDefinitionDto dto = unwrappedCreateEntityRequest.getEntity();
+                           @ApiParam(name = "JSON Body") CreateEntityRequest<EventDefinitionDto> createEntityRequest, @Context UserContext userContext) {
+        final EventDefinitionDto dto = createEntityRequest.entity();
         checkEventDefinitionPermissions(dto, "create");
 
         final ValidationResult result = dto.validate(null, eventDefinitionConfiguration, userContext);
@@ -293,7 +293,7 @@ public Response create(@ApiParam("schedule") @QueryParam("schedule") @DefaultVal
                 eventDefinitionHandler.create(dto, Optional.of(userContext.getUser())) :
                 eventDefinitionHandler.createWithoutSchedule(dto.toBuilder().state(EventDefinition.State.DISABLED).build(), Optional.of(userContext.getUser()));
         recentActivityService.create(entity.id(), GRNTypes.EVENT_DEFINITION, userContext.getUser());
-        unwrappedCreateEntityRequest.getShareRequest().ifPresent(shareRequest -> {
+        createEntityRequest.shareRequest().ifPresent(shareRequest -> {
             entitySharesService.updateEntityShares(GRNTypes.EVENT_DEFINITION, entity.id(), shareRequest, userContext.getUser());
         });
 

graylog2-server/src/main/java/org/graylog/events/rest/EventNotificationsResource.java

@@ -50,8 +50,8 @@
 import org.graylog.grn.GRNTypes;
 import org.graylog.plugins.views.startpage.recentActivities.RecentActivityService;
 import org.graylog.security.UserContext;
+import org.graylog.security.shares.CreateEntityRequest;
 import org.graylog.security.shares.EntitySharesService;
-import org.graylog.security.shares.UnwrappedCreateEntityRequest;
 import org.graylog2.alarmcallbacks.EmailAlarmCallback;
 import org.graylog2.audit.jersey.AuditEvent;
 import org.graylog2.audit.jersey.NoAuditEvent;
@@ -185,8 +185,8 @@ public NotificationDto get(@ApiParam(name = "notificationId") @PathParam("notifi
     @ApiOperation("Create new notification definition")
     @AuditEvent(type = EventsAuditEventTypes.EVENT_NOTIFICATION_CREATE)
     @RequiresPermissions(RestPermissions.EVENT_NOTIFICATIONS_CREATE)
-    public Response create(@ApiParam(name = "JSON Body") UnwrappedCreateEntityRequest<NotificationDto> unwrappedCreateEntityRequest, @Context UserContext userContext) {
-        final NotificationDto dto = unwrappedCreateEntityRequest.getEntity();
+    public Response create(@ApiParam(name = "JSON Body") CreateEntityRequest<NotificationDto> createEntityRequest, @Context UserContext userContext) {
+        final NotificationDto dto = createEntityRequest.entity();
         final ValidationResult validationResult = dto.validate();
         validateEmailConfiguration(dto, validationResult);
         if (validationResult.failed()) {
@@ -195,7 +195,7 @@ public Response create(@ApiParam(name = "JSON Body") UnwrappedCreateEntityReques
         var entity = resourceHandler.create(dto, java.util.Optional.ofNullable(userContext.getUser()));
         recentActivityService.create(entity.id(), GRNTypes.EVENT_NOTIFICATION, userContext.getUser());
 
-        unwrappedCreateEntityRequest.getShareRequest().ifPresent(shareRequest -> {
+        createEntityRequest.shareRequest().ifPresent(shareRequest -> {
             entitySharesService.updateEntityShares(GRNTypes.EVENT_NOTIFICATION, entity.id(), shareRequest, userContext.getUser());
         });
 

graylog2-server/src/main/java/org/graylog/grn/GRN.java

@@ -71,6 +71,10 @@ static GRN parse(String grn, GRNRegistry grnRegistry) {
         return builder.build();
     }
 
+    public boolean isType(GRNType grnType) {
+        return this.grnType().equals(grnType);
+    }
+
     public static Builder builder() {
         return new AutoValue_GRN.Builder().cluster("").tenant("").scope("");
     }