When using live streams with platform organizations, a user who is not in the platform organization will not receive events

[samczsun]

Description

I just spent 2 hours debugging this.

I have an instance with the platform organization set to Acme Inc. I have two users who are both part of Contonso Corp. User A is creating knowledge, while User B is consuming knowledge using a live stream.

When User A creates knowledge, it is automatically shared with Contonso Corp. This is calculated here:

opencti/opencti-platform/opencti-graphql/src/database/data-builder.js

Line 29 in 8573c5c

export const buildEntityData = async (context, user, input, type, opts = {}) => {

Note that this function returns an object where element is the STIX entity, and relations is the relationships to create. The entire dataEntity is then passed to indexCreatedElement which persists the STIX entity and its relationships into Elastic.

However, the returned createdElement only contains dataEntity.element, not dataEntity.relations. This means that when the created entity is pushed into the Redis stream, it does not contain the correct granted_refs.

Now, when User B attempts to load the stream, checkUserCanAccessStixElement returns false due to the missing granted_refs:

opencti/opencti-platform/opencti-graphql/src/utils/access.ts

Line 572 in 8573c5c

export const checkUserCanAccessStixElement = (user: AuthUser, instance: StixObject, hasPlatformOrg: boolean) => {

Environment

1. OS (where OpenCTI server runs): Ubuntu
2. OpenCTI version: 6.4.11
3. OpenCTI client: N/A
4. Other environment details: N/A

Reproducible Steps

Steps to create the smallest reproducible scenario:

1. Set platform organization
2. Create two users who are not in the platform organization
3. Create a live stream that filters on some knowledge
4. Subscribe to the live stream from User B
5. Create knowledge from User A, observe that the knowledge is automatically restricted to the user's organization
6. Observe that the live stream does not push a create or update event
7. Grant User B bypass permission, repeat steps 4-5, observe that the live stream now contains the create event

Expected Output

Live streams should work while using platform organizations

Actual Output

Live streams do not work

Additional information

Screenshots (optional)

[nino-filigran]

@samczsun I've not been able to reproduce your bug. Maybe I did not use the correct repro steps?
Let me write here the steps I have taken, to see if there is any variation with what you mentioned.

Stream set up
On my platform 1:

• I've set the org segregation, by setting filigran as the main platform org
• created two users A & B, both belonging to a another org
• with a user belonging to filigran, I created a stream, filtering on intrusion set & a specific label.

On my platform 2:

• I've set the org segregation, by setting filigran as the main platform org
• created two users A & B, both belonging to a another org (same users & orgs that in platform 1)
• I've made user A responsible of the ingestion of my stream.

Reproduction

• In my platform 1, with user B, I created an intrusion with the specific label (intrusion set called "intrusionSet stream) & then edited it
• I looked at the stream, it took a bit of time, but I saw the edit event
• In my platform 2, I logged in with user A, and my intrusionSet was in my platform.

Output:
In my platform 2, I had all the intrusion sets created in my platform1.

The odd thing that I've noticed however is that

• If I create my intrusion set directly with the label, I do not see a create even in my stream, but the entity gets created in my platform 2.
• If I add the label after the creation of the intrusion set then I get the create message.

[samczsun]

Are you using User B on Platform 1 to authenticate with the stream? If you don't edit the knowledge, only create it initially, does the stream still record the event? Using your terminology, what I'm observing is that when User A on Platform 1 creates some knowledge while User B is authenticated to the stream, the knowledge won't be visible on the stream at all. However, subsequent updates are visible. Because there are no guarantees that knowledge might be edited, it's not a viable workaround unless I create automation to edit every piece of knowledge as it arrives.

The odd thing you're referring to sounds like what I'm experiencing, I'm curious how the data is making it's way to Platform 2 if the stream doesn't contain the create event.

[nino-filigran]

I'll add more details to what I just shared, to ensure I can provide all answers. I slightly changed the setup compare to what I write before (I've highligted the changes)

Stream set up
On my platform 1:

• I've set the org segregation, by setting filigran as the main platform org
• created two users A & B, both belonging to a another org named github
• with a user A belonging to filigran to github, I created a stream in my platform 1 (authenticated using user's A token) filtering on intrusion set & a specific label.

On my platform 2:

• I've set the org segregation, by setting filigran as the main platform org
• created two users A & B, both belonging to a another org (same users & orgs that in platform 1) github (same org)
• I've made user A responsible of the ingestion of my stream.

Reproduction
In my platform 1, with user B, I created an intrusion with the specific label (intrusion set called "intrusionSet stream) & then edited it
I looked at the stream, it took a bit of time, but I saw the edit event
In my platform 2, I logged in with user A, and my intrusionSet was in my platform.
As previously, when I create my intrusion directly with the label, I still receive it my platform 2, but this creation does not appear in the stream.

Overall result
As a result, I'm receiving in all cases the entity created in the first platform, even if the user that created the entity does not pertain to the main platform og.

Questions for you

• What are the capabilities that the user in charge of creating the knowledge in your second platform has?
• What is the confidence level of your user in charge of creating the knowledge in your second paltform?
• What is the marking definition of the user in charge of creating the knowledge in your second platform? Does the user has the same marking than the entities that are supposed to be ingested (I mean would he have access to them anyway)?

**Side note **

• my users markings & conf level:

• my users capabilities:

[samczsun]

Hi @nino-filigran,

I just spent some time creating a full minimal reproduction on 6.4.11 (unfortunately, I don't have an EE license for 6.5.x). If you have time, I'm happy to demonstrate this on a call with you.

Here are the exact steps to follow:

1. git clone https://github.com/OpenCTI-Platform/docker.git
2. git checkout 6e20afecc6e5f52d8c36fa1d2588f8f8a247c283 to switch version to 6.4.11
3. cp .env.sample .env
4. Edit .env to ensure a valid admin token is set
5. docker compose up -d
6. Visit http://localhost:8080 in your browser and log in with admin@opencti.io/changeme
7. Create the following organizations: Platform Internal Organization and Acme Inc
8. Go to Settings > Paramters and enable Enterprise Edition
9. Go to Settings > Security > Policies and set Platform organization to Platform Internal Organization
10. Go to Settings > Security > Roles and edit Default to grant the following permissions:
    a. Create / Update knowledge
    b. Restrict organization access
    c. Access data sharing
11. Go to Settings > Security > User and create two new users
    a. Create alice with email alice@opencti.io, password password, and organizations Acme Inc
    a. Create bob with email bob@opencti.io, password password, and organizations Acme Inc. Copy Bob's API token for later.
12. Go to Data > Data Sharing > Live streams and create a new stream titled All Observables access to the Default group with the filter Entity type = Observable
13. Using the API token for the administrator account and for Bob's account, authenticate to the live stream from both users: curl "http://localhost:8080/stream/$STREAM_ID" -H "Authorization: Bearer $TOKEN"
14. Log in using alice@opencti.io/password
15. From Alice's account, create a new IPv4 observable for 1.1.1.1
16. Notice that the live stream authenticated using the administrator token received the create event, while the live stream authenticated using Bob's token did not receive any events
17. Log in using bob@opencti.io/password
18. From Bob's account, notice that Bob has access to the newly created observable, despite Bob not seeing the create event
19. From Alice's account, edit the IPv4 observable's description
20. Notice that both live streams receive an update event

Let me know if you're able to reproduce the behavior noted in step 16. I believe that Bob's live stream should have been sent the create events. Here are some screenshots to help you validate your setup