#1557 Correct format for detail.customFields in webhook

TheHive-Project · Oct 27, 2020 · 958b9d0 · 958b9d0
1 parent d25867c
commit 958b9d0
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 11 deletions.
diff --git a/thehive/app/org/thp/thehive/services/AlertSrv.scala b/thehive/app/org/thp/thehive/services/AlertSrv.scala
@@ -273,20 +273,21 @@ class AlertSrv @Inject() (
 
   def mergeInCase(alert: Alert with Entity, `case`: Case with Entity)(implicit graph: Graph, authContext: AuthContext): Try[Case with Entity] = {
     auditSrv.mergeAudits {
-      // No audit for markAsRead and observables
-      markAsRead(alert._id)
-      importObservables(alert, `case`)
-      importCustomFields(alert, `case`)
-
-      // Audits for customFields, description and tags
       val customFields = get(alert).richCustomFields.toSeq.map(_.toOutput.toJson)
       val description = `case`.description + s"\n  \n#### Merged with alert #${alert.sourceRef} ${alert.title}\n\n${alert.description.trim}"
       val tags = get(alert).tags.toSeq.map(_.toString)
 
-      caseSrv.get(`case`).update(_.description, description).getOrFail("Case")
-      caseSrv.addTags(`case`, tags.toSet)
-      Success(Json.obj("customFields" -> customFields, "description" -> description, "tags" -> tags))
-    } (audits => auditSrv.alertToCase.merge(alert, `case`, Some(audits)))
+      for {
+        _ <- markAsRead(alert._id)
+        _ <- importObservables(alert, `case`)
+        _ <- importCustomFields(alert, `case`)
+        _ <- caseSrv.get(`case`).update(_.description, description).getOrFail("Case")
+        _ <- caseSrv.addTags(`case`, tags.toSet)
+        // No audit for markAsRead and observables
+        // Audits for customFields, description and tags
+        details <- Success(Json.obj("customFields" -> customFields, "description" -> description, "tags" -> tags))
+      } yield details
+    } (details => auditSrv.alertToCase.merge(alert, `case`, Some(details)))
 
     caseSrv.get(`case`).getOrFail("Case")
   }

diff --git a/thehive/app/org/thp/thehive/services/AuditSrv.scala b/thehive/app/org/thp/thehive/services/AuditSrv.scala
@@ -174,7 +174,7 @@ class AuditSrv @Inject() (
       auditSrv.create(Audit(Audit.delete, entity, None), context, None)
 
     def merge(entity: E with Entity, destination: C with Entity, details: Option[JsObject] = None)(implicit graph: Graph, authContext: AuthContext): Try[Unit] =
-      auditSrv.create(Audit(Audit.merge, destination, details.map(_.toString())), Some(destination), None)
+      auditSrv.create(Audit(Audit.merge, destination, details.map(_.toString())), Some(destination), Some(destination))
   }
 
   class SelfContextObjectAudit[E <: Product] {

diff --git a/thehive/app/org/thp/thehive/services/notification/notifiers/Webhook.scala b/thehive/app/org/thp/thehive/services/notification/notifiers/Webhook.scala
@@ -184,6 +184,17 @@ class Webhook(
               customFieldSrv
                 .getOrFail(EntityIdOrName(fieldName))
                 .fold(_ => keyValue, cf => "customFields" -> Json.obj(fieldName -> Json.obj(cf.`type`.toString -> value)))
+            case ("customFields", JsArray(cfs)) =>
+              "customFields" -> cfs
+                .flatMap { cf =>
+                  for {
+                    name <- (cf \ "name").asOpt[String]
+                    tpe  <- (cf \ "type").asOpt[String]
+                    value = (cf \ "value").asOpt[JsValue]
+                    order = (cf \ "order").asOpt[Int]
+                  } yield Json.obj(name -> Json.obj(tpe -> value, "order" -> order))
+                }
+                .foldLeft(JsObject.empty)(_ ++ _)
             case keyValue => keyValue
           })
         }