added sso for cortex

67aeef79 · Kiril KJiroski · e98df878 · 67aeef79 · 67aeef79 · 67aeef79
Commit 67aeef79 authored 4 years ago by Kiril KJiroski
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
 ---

-soctoolsproxy: "CHANGE_ME_TO_FQDN"
+soctoolsproxy: "dsoclab.gn4-3-wp8-soc.sunet.se"

 maxmind_key: ""


--- a/group_vars/all/users.yml
+++ b/group_vars/all/users.yml
 ---

-domain: "soctools.test"
+domain: "uninett.no"

 soctools_users:
  - firstname: "User1"
@@ -9,12 +9,12 @@ soctools_users:
    email: "user1@{{domain}}"
    DN: "CN=User1Soctools"
    CN: "User1Soctools"
-  - firstname: "User2"
-    lastname: "SOC"
-    username: "user2"
-    email: "user2@{{domain}}"
-    DN: "CN=User2Soctools"
-    CN: "User2Soctools"
+  - firstname: "Kiril"
+    lastname: "Kjiroski"
+    username: "kiril.kjiroski"
+    email: "kiril.kjiroski@{{domain}}"
+    DN: "CN=Kiril Kjiroski"
+    CN: "Kiril Kjiroski"

 # Minimum one user is required
 ODFE_ADMIN_USERS:

--- a/roles/build/templates/cortex/Dockerfile.j2
+++ b/roles/build/templates/cortex/Dockerfile.j2
@@ -5,13 +5,13 @@ RUN echo "[thehive-project]" > /etc/yum.repos.d/thehive.repo && \
    echo "enabled=1" >> /etc/yum.repos.d/thehive.repo && \
    echo "priority=1" >> /etc/yum.repos.d/thehive.repo && \
    echo "name=TheHive-Project RPM repository" >> /etc/yum.repos.d/thehive.repo && \
-    echo "baseurl=http://rpm.thehive-project.org/stable/noarch" >> /etc/yum.repos.d/thehive.repo && \
+    echo "baseurl=https://rpm.thehive-project.org/release/noarch" >> /etc/yum.repos.d/thehive.repo && \
    echo "gpgcheck=1" >> /etc/yum.repos.d/thehive.repo && \
    yum install -y epel-release && \
    rpm --import https://raw.githubusercontent.com/TheHive-Project/TheHive/master/PGP-PUBLIC-KEY && \
    rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch && \
    yum install -y cortex supervisor rsync daemonize vim net-tools telnet htop python3-pip.noarch git gcc python3-devel.x86_64 ssdeep-devel.x86_64 python3-wheel.noarch libexif-devel.x86_64 libexif.x86_64 perl-Image-ExifTool.noarch  gcc-c++ whois && \
-    rpm -Uvh https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-6.8.13.rpm && \
+    rpm -Uvh https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-oss-7.10.2-x86_64.rpm && \
    chown -R elasticsearch:elasticsearch /etc/elasticsearch && \
    mkdir -p /home/cortex && \
    chown -R cortex:cortex /home/cortex && \

--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -124,10 +124,10 @@ auth {

    # The endpoint from which to obtain user details using the OAuth token, after successful login
    userUrl = "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/userinfo"
-    scope = "profile"
+    # scope = "profile"
+    
    userIdField = "email"
-    #userUrl = "https://auth-site.com/api/User"
-    #scope = ["openid profile"]
+    scope = ["openid email profile offline_access User.Read"]
  }

  ws.ssl.trustManager {
@@ -143,48 +143,18 @@ auth {

  # Single-Sign On
  sso {
-    # Autocreate user in database?
-    autocreate = true
-
-    # Autoupdate its profile and roles?
-    autoupdate = true
-
-    # Autologin user using SSO?
+    autocreate = false
+    autoupdate = false
    autologin = true
-
-    # Name of mapping class from user resource to backend user ('simple' or 'group')
-    #mapper = group
-    #mapper = simple
-    #attributes {
-    #  login = "user"
-    #  name = "name"
-    #  groups = "groups"
-    #  organization = "org"
-    #}
-#    defaultRoles = ["read", "write", "admin"]
-#    defaultOrganization = "{{domain}}"
-    #defaultRoles = ["read"]
-    #defaultOrganization = "csirt"
-    #groups {
-    #  # URL to retreive groups (leave empty if you are using OIDC)
-    #  #url = "https://auth-site.com/api/Groups"
-    #  # Group mappings, you can have multiple roles for each group: they are merged
-    #  mappings {
-    #    admin-profile-name = ["admin"]
-    #    editor-profile-name = ["write"]
-    #    reader-profile-name = ["read"]
-    #  }
-    #}
+    defaultRoles = ["read"]
+    defaultOrganization = "uninett.no"

    mapper = simple
    attributes {
-      login = "user"
-      name = "name"
+      login = "email"
+      name = "email"
      roles = "roles"
-      organization = "org"
    }
-    defaultRoles = ["read", "analyze"]
-    defaultOrganization = "{{domain}}"
  }
 }