Merge branch 'master' into feat/forwarded-for-httpinput

Author: kroepke

.mvn/wrapper/maven-wrapper.properties

@@ -16,4 +16,4 @@
 # under the License.
 wrapperVersion=3.3.2
 distributionType=only-script
-distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.10/apache-maven-3.9.10-bin.zip

changelog/unreleased/ghsa-3m86-c9x3-vwm9.toml

@@ -0,0 +1,2 @@
+type = "security"
+message = "Fix permission check for creating a new API-token. See [GHSA-3m86-c9x3-vwm9](https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3m86-c9x3-vwm9) for details."

changelog/unreleased/issue-21392.toml

@@ -0,0 +1,5 @@
+type = "f"
+message = "Improve structure of auto-correct suggestions in search query input."
+
+pulls = ["22944"]
+issues = ["21392"]

changelog/unreleased/pr-22918.toml

@@ -0,0 +1,5 @@
+type = "fixed"
+message = "Fix editing a existing Event Definition not showing update button."
+
+issues = ["22916"]
+pulls = ["22918"]

changelog/unreleased/pr-22942.toml

@@ -0,0 +1,4 @@
+type = "a"
+message = "Adding pluggable 'aside' element (`views.elements.aside`) which can be used to show right sidebar on search/dashboard pages."
+
+pulls = ["22942"]

data-node/src/main/java/org/graylog/datanode/docs/ConfigurationBeansSPI.java

@@ -16,20 +16,17 @@
  */
 package org.graylog.datanode.docs;
 
-import java.util.ArrayList;
-import java.util.Iterator;
+import java.util.Collection;
 import java.util.List;
 import java.util.ServiceLoader;
 
 public class ConfigurationBeansSPI {
     public static List<Object> loadConfigurationBeans() {
-        final ServiceLoader<DocumentedBeansService> configurationBeansLoader = ServiceLoader.load(DocumentedBeansService.class);
-        final Iterator<DocumentedBeansService> iterator = configurationBeansLoader.iterator();
-        List<Object> configurationBeans = new ArrayList<>();
-        while (iterator.hasNext()) {
-            final DocumentedBeansService service = iterator.next();
-            configurationBeans.addAll(service.getDocumentedConfigurationBeans());
-        }
-        return configurationBeans;
+        return ServiceLoader.load(DocumentedBeansService.class).stream()
+                .map(ServiceLoader.Provider::get)
+                .map(DocumentedBeansService::getDocumentedConfigurationBeans)
+                .flatMap(Collection::stream)
+                .distinct()
+                .toList();
     }
 }

graylog-project-parent/pom.xml

@@ -622,7 +622,7 @@
                                 <plugin>
                                     <groupId>com.mebigfatguy.fb-contrib</groupId>
                                     <artifactId>fb-contrib</artifactId>
-                                    <version>7.6.10</version>
+                                    <version>7.6.11</version>
                                 </plugin>
                             </plugins>
                         </configuration>

graylog2-server/pom.xml

@@ -793,10 +793,6 @@
             <groupId>io.grpc</groupId>
             <artifactId>grpc-services</artifactId>
         </dependency>
-        <dependency>
-            <groupId>io.opentelemetry.proto</groupId>
-            <artifactId>opentelemetry-proto</artifactId>
-        </dependency>
 
         <!-- our basic test libraries, please only add infrastructure dependencies here -->
         <dependency>

graylog2-server/src/main/java/org/graylog/events/rest/EventDefinitionsResource.java

@@ -268,11 +268,11 @@ public record GetByIdRequest(List<String> eventDefinitionIds) {}
     @ApiOperation("Get multiple event definitions by id")
     @NoAuditEvent("Bulk retrieval, no data is changed.")
     public List<EventDefinitionDto> getById(@ApiParam(name = "JSON body") @Valid GetByIdRequest request) {
-        for (String id : request.eventDefinitionIds()) {
-            checkPermission(RestPermissions.EVENT_DEFINITIONS_READ, id);
-        }
+        final Set<String> permittedIds = request.eventDefinitionIds().stream()
+                .filter(id -> isPermitted(RestPermissions.EVENT_DEFINITIONS_READ, id))
+                .collect(Collectors.toSet());
 
-        return dbService.getByIds(request.eventDefinitionIds());
+        return dbService.getByIds(permittedIds);
     }
 
     @POST

graylog2-server/src/main/java/org/graylog/events/search/EventsSearchService.java

@@ -97,8 +97,8 @@ public EventsSearchResult search(EventsSearchParameters parameters, Subject subj
                 }).collect(Collectors.toList());
 
         final EventsSearchResult.Context context = EventsSearchResult.Context.create(
-                lookupEventDefinitions(eventDefinitionIdsBuilder.build()),
-                lookupStreams(streamIdsBuilder.build())
+                lookupEventDefinitions(eventDefinitionIdsBuilder.build(), subject),
+                lookupStreams(streamIdsBuilder.build(), subject)
         );
 
         return EventsSearchResult.builder()
@@ -157,14 +157,18 @@ private Set<String> forbiddenSourceStreams(Subject subject) {
                 .collect(Collectors.toSet());
     }
 
-    private Map<String, EventsSearchResult.ContextEntity> lookupStreams(Set<String> streams) {
-        return streamService.loadByIds(streams)
+    private Map<String, EventsSearchResult.ContextEntity> lookupStreams(Set<String> streams, final Subject subject) {
+        final var allowedStreams = streams.stream().filter(streamId -> subject.isPermitted(String.join(":", RestPermissions.STREAMS_READ, streamId))).collect(Collectors.toSet());
+
+        return streamService.loadByIds(allowedStreams)
                 .stream()
                 .collect(Collectors.toMap(Persisted::getId, s -> EventsSearchResult.ContextEntity.create(s.getId(), s.getTitle(), s.getDescription())));
     }
 
-    private Map<String, EventsSearchResult.ContextEntity> lookupEventDefinitions(Set<String> eventDefinitions) {
-        return eventDefinitionService.getByIds(eventDefinitions)
+    private Map<String, EventsSearchResult.ContextEntity> lookupEventDefinitions(Set<String> eventDefinitions, final Subject subject) {
+        final var allowedEventDefinitions = eventDefinitions.stream().filter(eventDefinitionId -> subject.isPermitted(String.join(":", RestPermissions.EVENT_DEFINITIONS_READ, eventDefinitionId))).collect(Collectors.toSet());
+
+        return eventDefinitionService.getByIds(allowedEventDefinitions)
                 .stream()
                 .collect(Collectors.toMap(EventDefinitionDto::id,
                         d -> EventsSearchResult.ContextEntity.create(d.id(), d.title(), d.description(), d.remediationSteps())));