changes in user management in TheHive and Cortex

- users can have any email, it's no longer bound to configured "domain" (configure.sh updated)
- "domain" parameter replaced by "org_name", it can be any string, used as org.name in The Hive and Crtex (and MISP in the future)
- users are not created automatically in The Hive and Cortex - they will be crated using user-mgmt-web
- email is used as login in both TheHive and Cortex

configure.sh

@@ -11,8 +11,8 @@ wait () {
 	done
 }
 
-echo "By default, all services except HAProxy stats and OPENSEARCH are public!"
-echo "The configuration file: access.ips is used to configure external access to the services"
+echo "By default, all services except OPENSEARCH are public!"
+echo "The configuration file access.ips is used to limit access to the services only to the configured IP ranges."
 echo "Do you want to modify/edit this file now?"
 read -p "(yes|no) [no] : " MODIFY
 MODIFY=${MODIFY:-no}
@@ -74,22 +74,22 @@ else
 	read -p "[$(hostname -f)]: " soctoolsproxy
 	soctoolsproxy=${soctoolsproxy:-$(hostname -f)}
 	echo
-	echo "Organization's top level domain (will be used as organization name and organization domain in different services)"
-	read -p 'domain: ' domain
-		if [ -z $domain ]; then
-			echo "Error: Empty string for domain! exiting..."
+	echo "Name of your organization (it will be used as organization name in MISP, The Hive and Cortex)"
+	read -p 'organization: ' organization
+		if [ -z $organization ]; then
+			echo "Error: Empty string for organization! exiting..."
 			exit 1
 		fi
 	echo
 	echo
 	echo
 	echo "Please provide the following parameters for the first SOCTools user, which will be created during the initialization with organization admin privileges:"
-	echo "username 	- Username of the user"
+	echo "username  - Username of the user"
 	echo "firstname - First name of the user"
-	echo "lastname 	- Last name of the user"
-	#echo "DN 	- Distinguished Name of the user, for user certificate"
-	#echo "CN 	- Common Name of the user, for user certificate"
-	echo "Email will be generated automatically in Username@Domain format because of format restrictions in some services"
+	echo "lastname  - Last name of the user"
+	echo "email     - Email of the user"
+	#echo "DN       - Distinguished Name of the user, for user certificate"
+	#echo "CN       - Common Name of the user, for user certificate"
 	echo ""
 	read -p "username: " username
 	if [ -z "$username" ]; then
@@ -98,6 +98,7 @@ else
   fi
 	read -p "firstname: " firstname
 	read -p "lastname: " lastname
+	read -p "email: " email
 	#read -p "Enter CN for Certificate [${firstname}${lastname}]: " CN
 	#CN=${CN:-${firstname}${lastname}}
 	CN="$username"
@@ -106,11 +107,12 @@ else
 	echo
 	echo
 	echo "Please check the gathered variables and type 'yes' if everything is correct:"
-	echo "soctoolsproxy:	$soctoolsproxy"
-	echo "domain:     $domain"
+	echo "soctoolsproxy:  $soctoolsproxy"
+	echo "organization:   $organization"
 	echo "firstname:  $firstname"
 	echo "lastname:   $lastname"
 	echo "username:   $username"
+	echo "email:      $email"
 	echo "DN:         $DN"
 	echo "CN:         $CN"
 	echo
@@ -127,7 +129,7 @@ else
 			sed -i "11s/CHANGE_ME_FIRST_NAME/${firstname}/" group_vars/all/variables.yml
 			sed -i "12s/CHANGE_ME_LAST_NAME/${lastname}/" group_vars/all/variables.yml
 			sed -i "13s/soc_admin/${username}/" group_vars/all/variables.yml
-			sed -i "14s/soc_admin/${username}/" group_vars/all/variables.yml
+			sed -i "14s/soc_admin@example.org/${email}/" group_vars/all/variables.yml
 			sed -i "15s/CN=soc_admin/${DN}/" group_vars/all/variables.yml
 			sed -i "16s/soc_admin/${CN}/" group_vars/all/variables.yml
 			sed -i "26s/soc_admin/${username}/" group_vars/all/variables.yml

group_vars/all/variables.template

@@ -3,26 +3,26 @@
 # set FQDN which will be used to access the soctools services. (the DNS record should already be in place.)
 soctoolsproxy: "CHANGE_ME_TO_FQDN"
 
-# Organization's top level domain (will be used as organization name and organization domain in different services)
-domain: "soctools.test"
+# Short organization name (will be used as org. name in MISP, The Hive and Cortex)
+org_name: "SOCTools"
 
 #List of users which will be created during the initialization with organization admin privileges
 soctools_users:
   - firstname: "CHANGE_ME_FIRST_NAME"
     lastname: "CHANGE_ME_LAST_NAME"
     username: "soc_admin"
-    email: "soc_admin@{{domain}}"
+    email: "soc_admin@example.org"
     DN: "CN=soc_admin"
     CN: "soc_admin"
 #  - firstname: "SOC Admin 2"
 #    lastname: ""
 #    username: "soc_admin_2"
-#    email: "soc_admin_2@{{domain}}"
+#    email: "soc_admin_2@example.org"
 #    DN: "CN=soc_admin_2"
 #    CN: "soc_admin_2"
     
-# list of users(username) from previous step which will recive admin roles in OPENSEARCH. (Minimum one user is required)
-ODFE_ADMIN_USERS:
+# list of users(username) from previous step which will recive admin roles in OpenSearch Dashboards. (Minimum one user is required)
+OSD_ADMIN_USERS:
   - soc_admin
 #  -   soc_admin_2
 

roles/cortex/tasks/configure.yml

@@ -59,6 +59,22 @@
   shell: "curl -XPOST -H 'Authorization: Bearer {{cortexadminuserapikey}}' -H 'Content-Type: application/json' 'http://127.0.0.1:9001/api/organization' -d  @/tmp/cortex_organization.json"
   run_once: True
 
+- name: generate json files for creating users
+  remote_user: root
+  template:
+    src: users.json
+    dest: /tmp/{{ item.username }}.json
+  with_items:
+    - "{{ soctools_users }}"
+
+- name: create users
+  remote_user: root
+  shell: "curl -XPOST -H 'Authorization: Bearer {{cortexadminuserapikey}}' -H 'Content-Type: application/json' http://127.0.0.1:9001/api/user -d @/tmp/{{item.username}}.json"
+  args:
+    warn: false
+  with_items:
+    - "{{ soctools_users }}"
+
 - name: disable basic auth
   remote_user: root
   lineinfile:

roles/cortex/templates/application.conf.j2

@@ -127,7 +127,7 @@ auth {
     # scope = "profile"
 
     userIdField = "email"
-    scope = ["openid email profile"]
+    scope = ["openid"]
   }
 
   ws.ssl.trustManager {
@@ -143,17 +143,18 @@ auth {
 
   # Single-Sign On
   sso {
-    autocreate = true
-    autoupdate = true
-    autologin = true
+    #autocreate = true
+    #autoupdate = true
+    #autologin = true
     defaultRoles = ["read", "analyze"]
-    defaultOrganization = "{{domain}}"
+    defaultOrganization = "{{org_name}}"
 
     mapper = simple
     attributes {
       login = "email"
-      name = "email"
-      roles = "roles"
+      name = "preferred_username"
+    #  roles = "roles"
+    #  organization = "organization"
     }
   }
 }

roles/cortex/templates/cortex_organization.json

-{"name": "{{domain}}", "description": "{{domain}}", "status": "Active"}
+{"name": "{{org_name}}", "description": "{{org_name}}", "status": "Active"}

roles/cortex/templates/users.json

+{
+  "login": "{{ item.email }}",
+  "name": "{{ item.firstname }} {{ item.lastname }}",
+  "roles": ["read", "analyze", "orgadmin"],
+  "organization": "{{ org_name }}"
+}

roles/opensearch-dashboards/templates/role.json.j2

@@ -6,7 +6,7 @@
       
    ],
    "users":[
-{% for user in ODFE_ADMIN_USERS %}
+{% for user in OSD_ADMIN_USERS %}
       "{{ user }}",
 {% endfor %}
       "admin"

roles/thehive/tasks/organization.yml

@@ -8,8 +8,8 @@
       Authorization: "Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"
     body_format: form-urlencoded
     body:
-      name: "{{ domain }}"
-      description: "{{ domain }}"
+      name: "{{ org_name }}"
+      description: "{{ org_name }}"
     status_code: 201
   ignore_errors: True
 

roles/thehive/templates/application.conf.j2

@@ -49,10 +49,6 @@ storage {
 # More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Authentication.md
 auth {
   providers: [
-//    {name: session}               # required !
-//    {name: basic, realm: thehive}
-//    {name: local}
-//    {name: key}
     {name: session}               # required !
     {name: basic, realm: thehive}
     {name: local}
@@ -70,24 +66,9 @@ auth {
       userUrl: "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/userinfo"
 //      scope: ["openid", "email"]
       scope: ["openid"]
-      userIdField: "email"
-//      userIdField: "name"
+      userIdField: "email" # TheHive requires user id to be an email address
     }
   ]
-  sso {
-    autocreate: true
-    autoupdate: true
-    autologin: true
-    mapper: "simple"
-//    attributes {
-//     login: "login"
-//      name: "name"
-//      roles: "role"
-//    }
-    defaultRoles: ["read", "write", "admin"]
-    defaultOrganization: "{{domain}}"
-//    defaultOrganization: "demo"
-  } 
   ws.ssl.trustManager {
     stores = [
       {
@@ -99,10 +80,17 @@ auth {
   }
 # The format of logins must be valid email address format. If the provided login doesn't contain `@` the following
 # domain is automatically appended
-  defaultUserDomain: "{{domain}}"
-#  defaultUserDomain: "thehive.local"
+  defaultUserDomain: "thehive.local"
 }
 
+# Automatically create new user when logged in using SSO and does not exist yet
+#user: {
+#  autoCreateOnSso: true
+#  defaults.profile: "analyst"
+#  defaults.organisation: "{{ org_name }}"
+#}
+
+
 ## CORTEX configuration
 # More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
 # Enable Cortex connector

roles/thehive/templates/kibanauser.json

@@ -2,5 +2,5 @@
   "login": "{{ THEHIVE_KIBANA_USER.username }}",
   "name": "{{ THEHIVE_KIBANA_USER.name }} {{ THEHIVE_KIBANA_USER.surname }}",
   "roles": {{ THEHIVE_KIBANA_USER.roles }},
-  "organisation": "{{ domain }}"
+  "organisation": "{{ org_name }}"
 }

roles/thehive/templates/users.json

 {
-  "login": "{{ item.username }}",
+  "login": "{{ item.email }}",
   "name": "{{ item.firstname }} {{ item.lastname }}",
   "roles": ["read", "write", "admin"],
-  "organisation": "{{ domain }}"
+  "organisation": "{{ org_name }}"
 }