[backend/frontend] Danger zone: Remove FF (#8284)

opencti-platform/opencti-front/src/private/components/common/danger_zone/DangerZoneBlock.tsx

@@ -28,7 +28,7 @@ const DangerZoneBlock: FunctionComponent<DangerZoneBlockProps> = ({ title, compo
   if (isSensitive) {
     currentTitle = (
       <>
-        {title}<DangerZoneChip style={{ marginTop: 0 }} />
+        {title}<DangerZoneChip />
       </>
     );
   }

opencti-platform/opencti-front/src/private/components/settings/RulesList.jsx

@@ -459,7 +459,7 @@ const RulesListComponent = ({ relay, data, keyword }) => {
                     <DangerZoneBlock
                       type={'rules'}
                       title={t_i18n(rule.name)}
-                      sx={{ title: { textWrap: 'nowrap' } }}
+                      sx={{ title: { textWrap: 'nowrap', display: 'flex', alignItems: 'center' } }}
                       component={({ disabled, style }) => (
                         <Paper
                           variant="outlined"
@@ -549,7 +549,7 @@ const RulesListComponent = ({ relay, data, keyword }) => {
                     <Paper
                       variant="outlined"
                       classes={{ root: classes.paper }}
-                      style={{ marginTop: 25 }}
+                      style={{ marginTop: 23, overflowX: 'auto' }}
                     >
                       <div className={classes.definition}>
                         <div className={classes.left}>

opencti-platform/opencti-front/src/private/components/settings/groups/Group.tsx

@@ -467,7 +467,7 @@ const Group = ({ groupData }: { groupData: Group_group$key }) => {
       </Grid>
       <GroupEdition
         groupId={group.id}
-        disabled={!isAllowed}
+        disabled={!isAllowed && isSensitive}
       />
     </div>
   );

opencti-platform/opencti-front/src/private/components/settings/roles/Role.tsx

@@ -177,7 +177,7 @@ const Role = ({
             return (
               <RoleEdition
                 role={props.role}
-                disabled={!isAllowed}
+                disabled={!isAllowed && isSensitive}
               />
             );
           }

opencti-platform/opencti-front/src/utils/hooks/useSensitiveModifications.test.ts

@@ -1,42 +1,15 @@
-import { describe, it, vi, expect, afterAll } from 'vitest';
+import { describe, it, expect } from 'vitest';
 import { UserContextType } from './useAuth';
 import { createMockUserContext, testRenderHook } from '../tests/test-render';
 import useSensitiveModifications from './useSensitiveModifications';
 
-let FEATURE_ENABLED = false;
-
-vi.mock('./useHelper.ts', () => {
-  return {
-    default: () => {
-      return {
-        isFeatureEnable: vi.fn().mockReturnValue(FEATURE_ENABLED),
-      };
-    },
-  };
-});
-
 describe('Hook: useSensitiveModifications', () => {
   const baseUserContext = {
     me: { can_manage_sensitive_config: false },
     settings: { platform_protected_sensitive_config: { enabled: true } },
   } as unknown as UserContextType;
 
-  afterAll(() => {
-    vi.restoreAllMocks();
-  });
-
-  it('should be allowed if sensitive feature disabled', () => {
-    const { hook } = testRenderHook(
-      () => useSensitiveModifications(),
-      { userContext: createMockUserContext(baseUserContext) },
-    );
-    const { isAllowed, isSensitive } = hook.result.current;
-    expect(isAllowed).toEqual(true);
-    expect(isSensitive).toEqual(false);
-  });
   it('should be allowed if sensitive config disabled', () => {
-    FEATURE_ENABLED = true;
-
     const { hook } = testRenderHook(
       () => useSensitiveModifications(),
       {

opencti-platform/opencti-front/src/utils/hooks/useSensitiveModifications.ts

@@ -1,16 +1,12 @@
 import useAuth from './useAuth';
-import useHelper from './useHelper';
-
-const PROTECT_SENSITIVE_CHANGES_FF = 'PROTECT_SENSITIVE_CHANGES';
 
 export type SensitiveConfigType = 'ce_ee_toggle' | 'file_indexing' | 'groups' | 'markings' | 'platform_organization' | 'roles' | 'rules';
 
 const useSensitiveModifications = (type?: SensitiveConfigType, id?: string) => {
   const { me, settings } = useAuth();
   const sensitiveConfig = settings.platform_protected_sensitive_config;
 
-  const { isFeatureEnable } = useHelper();
-  const isSensitiveConfigEnabled = isFeatureEnable(PROTECT_SENSITIVE_CHANGES_FF) && sensitiveConfig.enabled;
+  const isSensitiveConfigEnabled = sensitiveConfig.enabled;
 
   if (!isSensitiveConfigEnabled) {
     return {

opencti-platform/opencti-graphql/config/default.json

@@ -13,7 +13,6 @@
       "FILIGRAN_LOADER",
       "CONTAINERS_AUTHORIZED_MEMBERS",
       "TELEMETRY_COUNT_ACTIVE_USERS",
-      "PROTECT_SENSITIVE_CHANGES",
       "CONTENT_FROM_TEMPLATE"
     ],
     "https_cert": {

opencti-platform/opencti-graphql/src/database/data-initialization.js

@@ -1,4 +1,4 @@
-import { isFeatureEnabled, logApp } from '../config/conf';
+import { logApp } from '../config/conf';
 import { addSettings } from '../domain/settings';
 import { BYPASS, ROLE_ADMINISTRATOR, ROLE_DEFAULT, SYSTEM_USER } from '../utils/access';
 import { initCreateEntitySettings } from '../modules/entitySetting/entitySetting-domain';
@@ -10,7 +10,7 @@
 import { builtInOv, openVocabularies } from '../modules/vocabulary/vocabulary-utils';
 import { addVocabulary } from '../modules/vocabulary/vocabulary-domain';
 import { addAllowedMarkingDefinition } from '../domain/markingDefinition';
-import { addCapability, addGroup, addRole, PROTECT_SENSITIVE_CHANGES_FF } from '../domain/grant';
+import { addCapability, addGroup, addRole } from '../domain/grant';
 import { GROUP_DEFAULT, groupAddRelation } from '../domain/group';
 import { TAXIIAPI } from '../domain/user';
 import { KNOWLEDGE_COLLABORATION, KNOWLEDGE_DELETE, KNOWLEDGE_FRONTEND_EXPORT, KNOWLEDGE_MANAGE_AUTH_MEMBERS, KNOWLEDGE_UPDATE } from '../schema/general';
@@ -244,17 +244,12 @@
   await createCapabilities(context, CAPABILITIES);
 
   // Create Default(s) Role and Group
-  let defaultRoleInput = await addRole(context, SYSTEM_USER, {
+  const defaultRoleInput = await addRole(context, SYSTEM_USER, {
     name: ROLE_DEFAULT,
     description: 'Default role associated to the default group',
     capabilities: [KNOWLEDGE_CAPABILITY],
+    can_manage_sensitive_config: false,
   });
-  if (isFeatureEnabled((PROTECT_SENSITIVE_CHANGES_FF))) {
-    defaultRoleInput = {
-      ...defaultRoleInput,
-      can_manage_sensitive_config: false
-    };
-  }
 
   const defaultGroup = await addGroup(context, SYSTEM_USER, {
     name: GROUP_DEFAULT,
@@ -268,17 +263,13 @@
   await groupAddRelation(context, SYSTEM_USER, defaultGroup.id, defaultRoleRelationInput);
 
   // Create Administrator(s) Role and Group
-  let administratorRoleInput = {
+  const administratorRoleInput = {
     name: ROLE_ADMINISTRATOR,
     description: 'Administrator role that bypass every capabilities',
     capabilities: [BYPASS],
+    can_manage_sensitive_config: false,
   };
-  if (isFeatureEnabled((PROTECT_SENSITIVE_CHANGES_FF))) {
-    administratorRoleInput = {
-      ...administratorRoleInput,
-      can_manage_sensitive_config: false
-    };
-  }
+
   const administratorRole = await addRole(context, SYSTEM_USER, administratorRoleInput);
 
   const administratorGroup = await addGroup(context, SYSTEM_USER, {
@@ -293,7 +284,7 @@
   await groupAddRelation(context, SYSTEM_USER, administratorGroup.id, administratorRoleRelationInput);
 
   // Create Connector(s) Role and Group
-  let connectorRoleInput = {
+  const connectorRoleInput = {
     name: 'Connector',
     description: 'Connector role that has the recommended capabilities',
     capabilities: [
@@ -311,15 +302,9 @@
       'SETTINGS_SETMARKINGS',
       'SETTINGS_SETLABELS',
     ],
+    can_manage_sensitive_config: false
   };
 
-  if (isFeatureEnabled((PROTECT_SENSITIVE_CHANGES_FF))) {
-    connectorRoleInput = {
-      ...connectorRoleInput,
-      can_manage_sensitive_config: false
-    };
-  }
-
   const connectorRole = await addRole(context, SYSTEM_USER, connectorRoleInput);
   // Create default group with default role
 

opencti-platform/opencti-graphql/src/domain/grant.js

@@ -5,9 +5,6 @@ import { ENTITY_TYPE_CAPABILITY, ENTITY_TYPE_GROUP, ENTITY_TYPE_ROLE } from '../
 import { RELATION_HAS_CAPABILITY } from '../schema/internalRelationship';
 import { generateStandardId } from '../schema/identifier';
 import { publishUserAction } from '../listener/UserActionListener';
-import { isFeatureEnabled } from '../config/conf';
-
-export const PROTECT_SENSITIVE_CHANGES_FF = 'PROTECT_SENSITIVE_CHANGES';
 
 export const addCapability = async (context, user, capability) => {
   return createEntity(context, user, capability, ENTITY_TYPE_CAPABILITY);
@@ -20,17 +17,11 @@ export const addRole = async (context, user, role) => {
     dissoc('capabilities'),
   )(role);
 
-  let completeRoleToCreate;
-  if (isFeatureEnabled(PROTECT_SENSITIVE_CHANGES_FF)) {
-    completeRoleToCreate = {
-      ...roleToCreate,
-      can_manage_sensitive_config: role.can_manage_sensitive_config ?? false, // default when undefined is false
-    };
-  } else {
-    completeRoleToCreate = {
-      ...roleToCreate
-    };
-  }
+  const completeRoleToCreate = {
+    ...roleToCreate,
+    can_manage_sensitive_config: role.can_manage_sensitive_config ?? false, // default when undefined is false
+  };
+
   const { element, isCreation } = await createEntity(context, user, completeRoleToCreate, ENTITY_TYPE_ROLE, { complete: true });
   for (let index = 0; index < capabilities.length; index += 1) {
     const capability = capabilities[index];

opencti-platform/opencti-graphql/src/domain/user.js

@@ -64,7 +64,7 @@ import {
 } from '../utils/access';
 import { ASSIGNEE_FILTER, CREATOR_FILTER, PARTICIPANT_FILTER } from '../utils/filtering/filtering-constants';
 import { now, utcDate } from '../utils/format';
-import { addGroup, PROTECT_SENSITIVE_CHANGES_FF } from './grant';
+import { addGroup } from './grant';
 import { defaultMarkingDefinitionsFromGroups, findAll as findGroups } from './group';
 import { addIndividual } from './individual';
 import { ENTITY_TYPE_IDENTITY_ORGANIZATION } from '../modules/organization/organization-types';
@@ -1376,10 +1376,7 @@ export const buildCompleteUser = async (context, client) => {
   const no_creators = groups.filter((g) => g.no_creators).length === groups.length;
   const restrict_delete = !isByPass && groups.filter((g) => g.restrict_delete).length === groups.length;
 
-  let canManageSensitiveConfig = null;
-  if (isFeatureEnabled(PROTECT_SENSITIVE_CHANGES_FF)) {
-    canManageSensitiveConfig = { can_manage_sensitive_config: isSensitiveChangesAllowed(client.id, roles) };
-  }
+  const canManageSensitiveConfig = { can_manage_sensitive_config: isSensitiveChangesAllowed(client.id, roles) };
 
   return {
     ...client,

opencti-platform/opencti-graphql/src/modules/attributes/internalObject-registrationAttributes.ts

@@ -351,7 +351,7 @@ const internalObjectsAttributes: { [k: string]: Array<AttributeDefinition> } = {
   [ENTITY_TYPE_ROLE]: [
     { name: 'name', label: 'Name', type: 'string', format: 'short', mandatoryType: 'external', editDefault: true, multiple: false, upsert: false, isFilterable: true },
     { name: 'description', label: 'Description', type: 'string', format: 'text', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: true },
-    { name: 'can_manage_sensitive_config', label: 'Is sensitive changes allowed', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false, featureFlag: 'PROTECT_SENSITIVE_CHANGES' },
+    { name: 'can_manage_sensitive_config', label: 'Is sensitive changes allowed', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: false, isFilterable: false },
   ],
   [ENTITY_TYPE_RULE]: [
     { name: 'active', label: 'Status', type: 'boolean', mandatoryType: 'no', editDefault: false, multiple: false, upsert: true, isFilterable: true }

opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/role-test.js

@@ -4,8 +4,6 @@ import { ADMIN_USER, testContext, queryAsAdmin, TESTING_ROLES } from '../../util
 import { elLoadById } from '../../../src/database/engine';
 import { ENTITY_TYPE_CAPABILITY } from '../../../src/schema/internalObject';
 import { generateStandardId } from '../../../src/schema/identifier';
-import { isFeatureEnabled } from '../../../src/config/conf';
-import { PROTECT_SENSITIVE_CHANGES_FF } from '../../../src/domain/grant';
 
 const LIST_QUERY = gql`
   query roles($first: Int, $after: ID, $orderBy: RolesOrdering, $orderMode: OrderingMode, $search: String) {
@@ -59,11 +57,7 @@ describe('Role resolver standard behavior', () => {
     expect(role).not.toBeNull();
     expect(role.data.roleAdd).not.toBeNull();
     expect(role.data.roleAdd.name).toEqual('Role');
-    if (isFeatureEnabled(PROTECT_SENSITIVE_CHANGES_FF)) {
-      expect(role.data.roleAdd.can_manage_sensitive_config).toBeFalsy('New role should have the can_manage_sensitive_config to false by default');
-    } else {
-      expect(role.data.roleAdd.can_manage_sensitive_config).toBeUndefined('New role should not have the can_manage_sensitive_config when it is not enabled');
-    }
+    expect(role.data.roleAdd.can_manage_sensitive_config).toBeFalsy('New role should have the can_manage_sensitive_config to false by default');
 
     roleInternalId = role.data.roleAdd.id;
   });