Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mark object as TLP:RED for limited sharing (restricted objects) #584

Open
8 tasks
psrok1 opened this issue Apr 12, 2022 · 1 comment
Open
8 tasks

Mark object as TLP:RED for limited sharing (restricted objects) #584

psrok1 opened this issue Apr 12, 2022 · 1 comment
Labels
type:discussion Issues that need to be discussed before implementation type:feature New feature description e.g. which involves implementation of new components zone:backend MWDB backend core related tasks zone:frontend MWDB frontend tasks

Comments

@psrok1
Copy link
Member

psrok1 commented Apr 12, 2022

Describe the problem

In current sharing model we have everything group with access_all_objects capability and all objects are automatically shared with that group. The main use-case for that feature is to make all objects in MWDB visible for repository owner. That group is created by default in new MWDB installations.

But sometimes we want to share all objects with some other participants as well, but still be able to limit sharing for some objects that are too sensitive to be shared with broader community (e.g. TLP:RED).

Marking object as TLP:RED will turn off all of additional sharing features and will share object during upload only with specified group. No shares will be removed during this operation, so if object was already shared with e.g. public, it won't be unshared during upload operation with tlp:red mark.

Describe the solution you'd like

Initial steps:

  • Create additional capability to give chosen users access to that feature e.g. adding_restricted_objects
  • Add additional argument in upload form restricted that limits sharing only to the chosen group
  • Don't allow to share with * and public when restricted is turned on

Sharing rules:

  • If uploaded object already exists in MWDB, just make sure if it's shared with chosen group and do nothing special
  • If uploaded object doesn't exist, share only with chosen group excluding access_all_objects groups

The tricky part is with children of restricted objects, because they can be uploaded without restriction options and be added to everything group. But if we're aware of these restriction options, we can upload artifacts from karton restricted by default. Shares to everything and other groups will be inherited in that case. If the only parent is restricted, descendant objects will be restricted as well.

We may also need special option in https://github.com/CERT-Polska/karton-mwdb-reporter to make it fully functional.

In frontend: option should be presented as additional checkbox under Share with. After checking that checkbox, the only possible Share with options should be Single group... and Only me.

So the other things in todo are:

  • Support in frontend part
  • Documentation
  • Automated tests

Describe alternatives you've considered

None

@psrok1 psrok1 added type:feature New feature description e.g. which involves implementation of new components zone:backend MWDB backend core related tasks zone:frontend MWDB frontend tasks labels Apr 12, 2022
@KWMORALE KWMORALE added the type:discussion Issues that need to be discussed before implementation label Oct 6, 2022
@Repumba
Copy link
Contributor

Repumba commented Dec 21, 2022

If I understand correctly - you want to mark some objects as restricted so users who have access to the object won't be able to share it? And only uploader would be able to share it with someone?

If yes:

  • Should we allow marking and unmarking objects as restricted after upload?
  • How would it work if one sample was uploaded by two different users and one would mark it as restricted and the other one didn't?

Instead of marking objects, I think it would be better to mark shares as restricted. In this scenario we would be able to determine if users access to the object is restricted or not:

  • if every share with the user is marked as restricted, the object cannot be shared further
  • if at least one share is not marked as restricted, the object can be shared further
    In this scenario the checkbox should be visible when object is being uploaded or shared.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type:discussion Issues that need to be discussed before implementation type:feature New feature description e.g. which involves implementation of new components zone:backend MWDB backend core related tasks zone:frontend MWDB frontend tasks
Projects
None yet
Development

No branches or pull requests

3 participants