From 526c47a6e8b92e1c761030b7a93a95c7b6c85bf3 Mon Sep 17 00:00:00 2001
From: Christos Arvanitis
Date: Mon, 11 Dec 2023 11:23:04 +0100
Subject: [PATCH 1/2] Expose OIDC config parameters

---
 core/files/configure_misp.sh | 41 +++++++++++++++++++++++++++++++++++-
 docker-compose.yml           |  7 ++++++
 template.env                 |  9 ++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
index e00191a..99537c1 100755
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@@ -6,10 +6,20 @@ source /rest_client.sh
 [ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
 [ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
 [ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
+[ -z "$OIDC_PROVIDER_URL" ] && OIDC_PROVIDER_URL="test_provider"
+[ -z "$OIDC_CLIENT_ID" ] && OIDC_CLIENT_ID="test_client_id"
+[ -z "$OIDC_CLIENT_SECRET" ] && OIDC_CLIENT_SECRET="test_client_secret"
+[ -z "$OIDC_ROLES_PROPERTY" ] && OIDC_ROLES_PROPERTY="roles"
+[ -z "$OIDC_ROLES_MAPPING" ] && OIDC_ROLES_MAPPING="{
+  \"admin\": \"1\",
+  \"sync-user\": \"5\"
+}"
+[ -z "$OIDC_DEFAULT_ORG" ] && OIDC_DEFAULT_ORG="$ADMIN_ORG"
 
 # Switches to selectively disable configuration logic
 [ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
 [ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
+[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
 
 init_configuration(){
     # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
@@ -93,6 +103,33 @@ GPGEOF
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
 }
 
+set_up_oidc() {
+    if [[ "$OIDC_ENABLE" != "true" ]]; then
+        echo "... OIDC authentication disabled"
+        return
+    fi
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"Security\": {
+            \"auth\": [\"OidcAuth.Oidc\"]
+        }
+    }" > /dev/null
+
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"OidcAuth\": {
+            \"provider_url\": \"${OIDC_PROVIDER_URL}\",
+            \"client_id\": \"${OIDC_CLIENT_ID}\",
+            \"client_secret\": \"${OIDC_CLIENT_SECRET}\",
+            \"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
+            \"role_mapper\": ${OIDC_ROLES_MAPPING},
+            \"default_org\": \"${OIDC_DEFAULT_ORG}\"
+        }
+    }" > /dev/null
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
 apply_updates() {
     # Disable weird default
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
@@ -164,7 +201,7 @@ apply_critical_fixes() {
 apply_optional_fixes() {
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
-    
+
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
     # This is not necessary because we update the DB directly
     # sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
@@ -254,5 +291,7 @@
 echo "MISP | Create sync servers ..." && create_sync_servers
 echo "MISP | Update components ..." && update_components
 
+echo "MISP | Set Up OIDC ..." && set_up_oidc
+
 echo "MISP | Mark instance live"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
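Review bot: In set_up_oidc the OIDC values are spliced into the JSON handed to modify_config.php by plain shell interpolation, and `${OIDC_ROLES_MAPPING}` goes in raw, so a value that is not a JSON object (or a client secret containing `"` or `\`) produces a malformed or differently-shaped config document instead of an error. Both calls discard their output to `/dev/null`, neither exit status is checked, and no `set -e` is visible in the script header, so the run would continue to `Admin live 1` with `Security.auth` already switched to `OidcAuth.Oidc` but the `OidcAuth` block possibly missing — a lockout with no diagnostic. I would write the `OidcAuth` block first and switch `Security.auth` only once that succeeded, appending `|| { echo "MISP | OIDC config failed" >&2; exit 1; }` to each call, and validate the mapping before use, e.g. `php -r 'exit(is_array(json_decode($argv[1], true)) ? 0 : 1);' -- "$OIDC_ROLES_MAPPING" || exit 1`. Note also that the client secret travels as a command-line argument to `php`, so it is readable from the process list inside the container while the command runs; if modify_config.php can take its document on stdin, prefer that.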
diff --git a/docker-compose.yml b/docker-compose.yml
index 98b0631..76731ad 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,6 +69,13 @@ services:
       - "ADMIN_KEY=${ADMIN_KEY}"
       - "ADMIN_ORG=${ADMIN_ORG}"
       - "GPG_PASSPHRASE=${GPG_PASSPHRASE}"
+      # authentication settings
+      - "OIDC_ENABLE=${OIDC_ENABLE}"
+      - "OIDC_PROVIDER_URL=${OIDC_PROVIDER_URL}"
+      - "OIDC_CLIENT_ID=${OIDC_CLIENT_ID}"
+      - "OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}"
+      - "OIDC_ROLES_PROPERTY=${OIDC_ROLES_PROPERTY}"
+      - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
       # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
       - "SYNCSERVERS=${SYNCSERVERS}"
       - |
diff --git a/template.env b/template.env
index 773247b..f9280ed 100644
--- a/template.env
+++ b/template.env
@@ -87,3 +87,12 @@ SYNCSERVERS_1_KEY=
 
 # Disable IPv6 completely (this setting will persist until the container is removed)
 # DISABLE_IPV6=true
+
+# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
+# OIDC_ENABLE=true
+# OIDC_PROVIDER_URL=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+# OIDC_ROLES_PROPERTY=
+# OIDC_ROLES_MAPPING=
+# OIDC_DEFAULT_ORG=""

From 2039141369463918d4349c0b8708b320fa0dcc18 Mon Sep 17 00:00:00 2001
From: Christos Arvanitis
Date: Mon, 11 Dec 2023 12:19:49 +0100
Subject: [PATCH 2/2] Check for required env variables on OIDC

---
 core/files/configure_misp.sh | 13 ++++---------
 core/files/utilities.sh      | 18 ++++++++++++++++++
 docker-compose.yml           |  1 +
 template.env                 |  6 +++---
 4 files changed, 26 insertions(+), 12 deletions(-)
 create mode 100644 core/files/utilities.sh

diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
index 99537c1..cb1a633 100755
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@@ -1,20 +1,12 @@
 #!/bin/bash
 source /rest_client.sh
+source /utilities.sh
 
 
 [ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
 [ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
 [ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
 [ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
-[ -z "$OIDC_PROVIDER_URL" ] && OIDC_PROVIDER_URL="test_provider"
-[ -z "$OIDC_CLIENT_ID" ] && OIDC_CLIENT_ID="test_client_id"
-[ -z "$OIDC_CLIENT_SECRET" ] && OIDC_CLIENT_SECRET="test_client_secret"
-[ -z "$OIDC_ROLES_PROPERTY" ] && OIDC_ROLES_PROPERTY="roles"
-[ -z "$OIDC_ROLES_MAPPING" ] && OIDC_ROLES_MAPPING="{
-  \"admin\": \"1\",
-  \"sync-user\": \"5\"
-}"
-[ -z "$OIDC_DEFAULT_ORG" ] && OIDC_DEFAULT_ORG="$ADMIN_ORG"
 
 # Switches to selectively disable configuration logic
 [ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
@@ -109,6 +101,9 @@ set_up_oidc() {
         return
     fi
 
+    # Check required variables
+    check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG
+
     sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
         \"Security\": {
             \"auth\": [\"OidcAuth.Oidc\"]
diff --git a/core/files/utilities.sh b/core/files/utilities.sh
new file mode 100644
index 0000000..7f691a9
--- /dev/null
+++ b/core/files/utilities.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Check whether passed env variables are defined
+check_env_vars() {
+    local required_vars=("$@")
+
+    missing_vars=()
+    for i in "${required_vars[@]}"
+    do
+        test -n "${!i:+y}" || missing_vars+=("$i")
+    done
+    if [ ${#missing_vars[@]} -ne 0 ]
+    then
+        echo "The following env variables are not set:"
+        printf ' %q\n' "${missing_vars[@]}"
+        exit 1
+    fi
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 76731ad..dcd4f42 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
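Review bot: The check_env_vars call makes OIDC_DEFAULT_ORG mandatory, while the same patch removes the `OIDC_DEFAULT_ORG="$ADMIN_ORG"` fallback and its template.env change leaves the example as `# OIDC_DEFAULT_ORG=`, so an operator who uncomments the template as-is fails the check on first start. Either keep a fallback ahead of the check, `[ -z "$OIDC_DEFAULT_ORG" ] && OIDC_DEFAULT_ORG="$ADMIN_ORG"`, or give the template a concrete value and state which organisation the setting names. The check also establishes presence only; OIDC_ROLES_MAPPING is still interpolated unquoted into the JSON document later in the function, so a non-empty but malformed value passes here and fails silently there. set_up_oidc begins and ends outside this hunk.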
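Review bot: In check_env_vars, `missing_vars` is assigned without `local`, so the array leaks into the sourcing script's namespace after every call; `local missing_vars=()` keeps it scoped like `required_vars`. The two diagnostic lines go to stdout, where they mix with the configure output and vanish if stdout is redirected; `echo "The following env variables are not set:" >&2` and `printf ' %q\n' "${missing_vars[@]}" >&2` put them where a failing exit is expected to report. Because the function calls `exit 1` rather than `return 1`, it terminates whichever script sourced it — intended for configure_misp.sh, but the header comment should say so, e.g. `# Check that the named env variables are set and non-empty; exits the calling script with status 1 if any is missing`.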
@@ -75,6 +75,7 @@ services:
       - "OIDC_CLIENT_ID=${OIDC_CLIENT_ID}"
       - "OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}"
       - "OIDC_ROLES_PROPERTY=${OIDC_ROLES_PROPERTY}"
+      - "OIDC_ROLES_MAPPING=${OIDC_ROLES_MAPPING}"
       - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
       # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
       - "SYNCSERVERS=${SYNCSERVERS}"
diff --git a/template.env b/template.env
index f9280ed..cc5106e 100644
--- a/template.env
+++ b/template.env
@@ -93,6 +93,6 @@ SYNCSERVERS_1_KEY=
 # OIDC_PROVIDER_URL=
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
-# OIDC_ROLES_PROPERTY=
-# OIDC_ROLES_MAPPING=
-# OIDC_DEFAULT_ORG=""
+# OIDC_ROLES_PROPERTY="roles"
+# OIDC_ROLES_MAPPING={"admin": "1","sync-user": "5"}
+# OIDC_DEFAULT_ORG=
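Review bot: The example `OIDC_ROLES_MAPPING={"admin": "1","sync-user": "5"}` maps any identity whose roles claim contains `admin` to MISP role id 1, which on a default MISP install is the site-admin role, so copying the template grants full instance control to whatever the identity provider places in that claim. A one-line comment above it would make that trust decision visible to the operator, e.g. `# Maps values of OIDC_ROLES_PROPERTY to MISP role ids (1 = site admin, 5 = sync user on a default install); review against your instance's roles before enabling`. How the provider constrains that claim cannot be seen from here, so the note should point at verifying it rather than assume the mapping is safe.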