From 83b91d67faab922e2e67de2142c43c9b3884f9d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Barto=C5=A1?= <bartos@cesnet.cz>
Date: Wed, 21 Dec 2022 13:40:51 +0100
Subject: [PATCH] changes in user management in TheHive and Cortex

- users can have any email, it's no longer bound to configured "domain" (configure.sh updated)
- "domain" parameter replaced by "org_name", it can be any string, used as org.name in The Hive and Crtex (and MISP in the future)
- users are not created automatically in The Hive and Cortex - they will be crated using user-mgmt-web
- email is used as login in both TheHive and Cortex
---
 configure.sh                                  | 30 +++++++++--------
 group_vars/all/variables.template             | 12 +++----
 roles/cortex/tasks/configure.yml              | 16 ++++++++++
 roles/cortex/templates/application.conf.j2    | 15 +++++----
 .../cortex/templates/cortex_organization.json |  2 +-
 roles/cortex/templates/users.json             |  6 ++++
 .../templates/role.json.j2                    |  2 +-
 roles/thehive/tasks/organization.yml          |  4 +--
 roles/thehive/templates/application.conf.j2   | 32 ++++++------------
 roles/thehive/templates/kibanauser.json       |  2 +-
 roles/thehive/templates/users.json            |  4 +--
 11 files changed, 69 insertions(+), 56 deletions(-)
 create mode 100644 roles/cortex/templates/users.json

diff --git a/configure.sh b/configure.sh
index 7204094..048a152 100755
--- a/configure.sh
+++ b/configure.sh
@@ -11,8 +11,8 @@ wait () {
     done
 }
 
-echo "By default, all services except HAProxy stats and OPENSEARCH are public!"
-echo "The configuration file: access.ips is used to configure external access to the services"
+echo "By default, all services except OPENSEARCH are public!"
+echo "The configuration file access.ips is used to limit access to the services only to the configured IP ranges."
 echo "Do you want to modify/edit this file now?"
 read -p "(yes|no) [no] : " MODIFY
 MODIFY=${MODIFY:-no}
@@ -74,22 +74,22 @@ else
     read -p "[$(hostname -f)]: " soctoolsproxy
     soctoolsproxy=${soctoolsproxy:-$(hostname -f)}
     echo
-    echo "Organization's top level domain (will be used as organization name and organization domain in different services)"
-    read -p 'domain: ' domain
-    if [ -z $domain ]; then
-        echo "Error: Empty string for domain! exiting..."
+    echo "Name of your organization (it will be used as organization name in MISP, The Hive and Cortex)"
+    read -p 'organization: ' organization
+    if [ -z $organization ]; then
+        echo "Error: Empty string for organization! exiting..."
         exit 1
     fi
     echo
     echo
     echo
     echo "Please provide the following parameters for the first SOCTools user, which will be created during the initialization with organization admin privileges:"
-    echo "username - Username of the user"
+    echo "username - Username of the user"
     echo "firstname - First name of the user"
-    echo "lastname - Last name of the user"
-    #echo "DN - Distinguished Name of the user, for user certificate"
-    #echo "CN - Common Name of the user, for user certificate"
-    echo "Email will be generated automatically in Username@Domain format because of format restrictions in some services"
+    echo "lastname - Last name of the user"
+    echo "email - Email of the user"
+    #echo "DN - Distinguished Name of the user, for user certificate"
+    #echo "CN - Common Name of the user, for user certificate"
     echo ""
     read -p "username: " username
     if [ -z "$username" ]; then
@@ -98,6 +98,7 @@ else
     fi
     read -p "firstname: " firstname
     read -p "lastname: " lastname
+    read -p "email: " email
     #read -p "Enter CN for Certificate [${firstname}${lastname}]: " CN
     #CN=${CN:-${firstname}${lastname}}
     CN="$username"
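Review bot: The new `if [ -z $organization ]; then` leaves `$organization` unquoted, and since the prompt now explicitly accepts any string, a value with whitespace such as `SOC Team` makes `[` fail with "too many arguments" and the emptiness check is skipped; an empty value only passes because a bare `[ -z ]` happens to be true. The `username` check a few lines further down already quotes its variable, so the fix is just `if [ -z "$organization" ]; then`. The `else` branch enclosing this hunk starts before it and continues after it.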
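Review bot: `read -p "email: " email` accepts anything, including an empty string, yet that value becomes the TheHive and Cortex login through the `users.json` templates and is later spliced into `variables.yml` by `sed`, so a typo here is only discovered when the user cannot log in. A guard mirroring the `username` check, `case "$email" in *@*) ;; *) echo "Error: email must be a valid address! exiting..."; exit 1 ;; esac`, rejects the obviously wrong values (TheHive's own config comment says logins must be in email format). The `else` branch enclosing this hunk starts and ends outside it.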
@@ -106,11 +107,12 @@ else
     echo
     echo
     echo "Please check the gathered variables and type 'yes' if everything is correct:"
-    echo "soctoolsproxy: $soctoolsproxy"
-    echo "domain: $domain"
+    echo "soctoolsproxy: $soctoolsproxy"
+    echo "organization: $organization"
     echo "firstname: $firstname"
     echo "lastname: $lastname"
     echo "username: $username"
+    echo "email: $email"
     echo "DN: $DN"
     echo "CN: $CN"
     echo
@@ -127,7 +129,7 @@ else
     sed -i "11s/CHANGE_ME_FIRST_NAME/${firstname}/" group_vars/all/variables.yml
     sed -i "12s/CHANGE_ME_LAST_NAME/${lastname}/" group_vars/all/variables.yml
     sed -i "13s/soc_admin/${username}/" group_vars/all/variables.yml
-    sed -i "14s/soc_admin/${username}/" group_vars/all/variables.yml
+    sed -i "14s/soc_admin@example.org/${email}/" group_vars/all/variables.yml
     sed -i "15s/CN=soc_admin/${DN}/" group_vars/all/variables.yml
     sed -i "16s/soc_admin/${CN}/" group_vars/all/variables.yml
     sed -i "26s/soc_admin/${username}/" group_vars/all/variables.yml
diff --git a/group_vars/all/variables.template b/group_vars/all/variables.template
index 286875f..203f2f5 100644
--- a/group_vars/all/variables.template
+++ b/group_vars/all/variables.template
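Review bot: `sed -i "14s/soc_admin@example.org/${email}/"` interpolates the user-supplied email into the sed replacement unescaped, so a `/`, `&` or `\` in it breaks the expression or silently corrupts line 14 of `variables.yml`; the neighbouring `${firstname}`/`${lastname}` substitutions share the problem, but the email one is new here. Escaping first, `email_sed=$(printf '%s' "$email" | sed 's/[\/&\\]/\\&/g')`, and then substituting `${email_sed}` keeps the one-liner intact. I also cannot find a `sed` that writes `$organization` into the `org_name` line of the template in this hunk, and no changed line elsewhere in the file references `${domain}` or `${organization}`; if it is not added somewhere outside the visible lines 127–133, the organization prompt is collected but never applied.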
@@ -3,26 +3,26 @@
 # set FQDN which will be used to access the soctools services. (the DNS record should already be in place.)
 soctoolsproxy: "CHANGE_ME_TO_FQDN"
 
-# Organization's top level domain (will be used as organization name and organization domain in different services)
-domain: "soctools.test"
+# Short organization name (will be used as org. name in MISP, The Hive and Cortex)
+org_name: "SOCTools"
 
 #List of users which will be created during the initialization with organization admin privileges
 soctools_users:
   - firstname: "CHANGE_ME_FIRST_NAME"
     lastname: "CHANGE_ME_LAST_NAME"
     username: "soc_admin"
-    email: "soc_admin@{{domain}}"
+    email: "soc_admin@example.org"
     DN: "CN=soc_admin"
     CN: "soc_admin"
 #  - firstname: "SOC Admin 2"
 #    lastname: ""
 #    username: "soc_admin_2"
-#    email: "soc_admin_2@{{domain}}"
+#    email: "soc_admin_2@example.org"
 #    DN: "CN=soc_admin_2"
 #    CN: "soc_admin_2"
 
-# list of users(username) from previous step which will recive admin roles in OPENSEARCH. (Minimum one user is required)
-ODFE_ADMIN_USERS:
+# list of users(username) from previous step which will recive admin roles in OpenSearch Dashboards. (Minimum one user is required)
+OSD_ADMIN_USERS:
   - soc_admin
 #  - soc_admin_2
 
diff --git a/roles/cortex/tasks/configure.yml b/roles/cortex/tasks/configure.yml
index 7e94fcb..a02b3a2 100644
--- a/roles/cortex/tasks/configure.yml
+++ b/roles/cortex/tasks/configure.yml
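Review bot: `configure.sh` patches the file generated from this template by absolute line number (`11s`…`16s` for the user fields, `26s` for the `OSD_ADMIN_USERS` entry), so the position of every line here is load-bearing and nothing in the template says so; the new `org_name` line at line 7 is not touched by any of those `sed` calls either. A header comment would protect the next editor, e.g. `# NOTE: configure.sh edits the generated variables.yml by line number (lines 11-16 and 26); do not add or remove lines above them without updating it.` Renaming `ODFE_ADMIN_USERS` to `OSD_ADMIN_USERS` also means a `variables.yml` produced from the old template no longer defines the name that `role.json.j2` now loops over, which is worth calling out in the commit message or softening with `{% for user in OSD_ADMIN_USERS | default(ODFE_ADMIN_USERS) %}` in that template.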
@@ -59,6 +59,22 @@
   shell: "curl -XPOST -H 'Authorization: Bearer {{cortexadminuserapikey}}' -H 'Content-Type: application/json' 'http://127.0.0.1:9001/api/organization' -d @/tmp/cortex_organization.json"
   run_once: True
 
+- name: generate json files for creating users
+  remote_user: root
+  template:
+    src: users.json
+    dest: /tmp/{{ item.username }}.json
+  with_items:
+    - "{{ soctools_users }}"
+
+- name: create users
+  remote_user: root
+  shell: "curl -XPOST -H 'Authorization: Bearer {{cortexadminuserapikey}}' -H 'Content-Type: application/json' http://127.0.0.1:9001/api/user -d @/tmp/{{item.username}}.json"
+  args:
+    warn: false
+  with_items:
+    - "{{ soctools_users }}"
+
 - name: disable basic auth
   remote_user: root
   lineinfile:
diff --git a/roles/cortex/templates/application.conf.j2 b/roles/cortex/templates/application.conf.j2
index 4155af9..88f5333 100644
--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -127,7 +127,7 @@ auth {
 
     # scope = "profile"
     userIdField = "email"
-    scope = ["openid email profile"]
+    scope = ["openid"]
   }
 
   ws.ssl.trustManager {
@@ -143,17 +143,18 @@ auth {
 
   # Single-Sign On
   sso {
-    autocreate = true
-    autoupdate = true
-    autologin = true
+    #autocreate = true
+    #autoupdate = true
+    #autologin = true
     defaultRoles = ["read", "analyze"]
-    defaultOrganization = "{{domain}}"
+    defaultOrganization = "{{org_name}}"
     mapper = simple
     attributes {
       login = "email"
-      name = "email"
-      roles = "roles"
+      name = "preferred_username"
+      # roles = "roles"
+      # organization = "organization"
     }
   }
 }
diff --git a/roles/cortex/templates/cortex_organization.json b/roles/cortex/templates/cortex_organization.json
index f1c58ff..d094f76 100644
--- a/roles/cortex/templates/cortex_organization.json
+++ b/roles/cortex/templates/cortex_organization.json
@@ -1 +1 @@
-{"name": "{{domain}}", "description": "{{domain}}", "status": "Active"}
+{"name": "{{org_name}}", "description": "{{org_name}}", "status": "Active"}
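Review bot: The new `create users` task runs `curl` without `--fail` and never looks at the response, so an HTTP error from `/api/user` (duplicate login on a re-run, rejected role, unknown organization) leaves the task green and the admin user silently missing. The TheHive side of this repository already makes the equivalent call with the `uri` module and `status_code: 201` (`roles/thehive/tasks/organization.yml`), which is the consistent fix (`uri` can send the remote `/tmp/{{ item.username }}.json` via `src:`); if `shell` stays, at least `curl --fail -sS -XPOST ...` turns a 4xx/5xx into a task failure. The bearer API key is also passed on the command line here and echoed in the task output, so `no_log: true` on both this and the organization task above keeps it out of the Ansible log.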
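Review bot: Narrowing the OAuth2 request to `scope = ["openid"]` while `userIdField = "email"` stays (and the `sso.attributes` block further down now maps `name` to `preferred_username`) makes Cortex depend on the IdP returning the `email` and `preferred_username` claims without the `email`/`profile` scopes being requested; the realm URLs in the TheHive config suggest Keycloak, which only does that if those claim mappers are attached to the default `openid` scope, and otherwise the user id resolves to nothing and SSO login fails. If the realm has been configured that way it deserves a comment on this line, e.g. `# email and preferred_username must be emitted without the email/profile scopes (realm default-scope mappers)`; if not, `scope = ["openid", "email", "profile"]` is the safer setting. The enclosing `oauth2`/`auth` block starts and ends outside this hunk.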
diff --git a/roles/cortex/templates/users.json b/roles/cortex/templates/users.json
new file mode 100644
index 0000000..e9a8f8b
--- /dev/null
+++ b/roles/cortex/templates/users.json
@@ -0,0 +1,6 @@
+{
+  "login": "{{ item.email }}",
+  "name": "{{ item.firstname }} {{ item.lastname }}",
+  "roles": ["read", "analyze", "orgadmin"],
+  "organization": "{{ org_name }}"
+}
diff --git a/roles/opensearch-dashboards/templates/role.json.j2 b/roles/opensearch-dashboards/templates/role.json.j2
index 9d67a52..1e7c2ae 100644
--- a/roles/opensearch-dashboards/templates/role.json.j2
+++ b/roles/opensearch-dashboards/templates/role.json.j2
@@ -6,7 +6,7 @@
 
   ],
   "users":[
-{% for user in ODFE_ADMIN_USERS %}
+{% for user in OSD_ADMIN_USERS %}
     "{{ user }}",
 {% endfor %}
     "admin"
diff --git a/roles/thehive/tasks/organization.yml b/roles/thehive/tasks/organization.yml
index 03528a7..4477ab3 100644
--- a/roles/thehive/tasks/organization.yml
+++ b/roles/thehive/tasks/organization.yml
@@ -8,8 +8,8 @@
       Authorization: "Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"
     body_format: form-urlencoded
     body:
-      name: "{{ domain }}"
-      description: "{{ domain }}"
+      name: "{{ org_name }}"
+      description: "{{ org_name }}"
     status_code: 201
   ignore_errors: True
 
diff --git a/roles/thehive/templates/application.conf.j2 b/roles/thehive/templates/application.conf.j2
index 7dfc7e1..b9f0782 100644
--- a/roles/thehive/templates/application.conf.j2
+++ b/roles/thehive/templates/application.conf.j2
@@ -49,10 +49,6 @@ storage {
 # More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Authentication.md
 auth {
   providers: [
-//    {name: session}               # required !
-//    {name: basic, realm: thehive}
-//    {name: local}
-//    {name: key}
     {name: session}               # required !
     {name: basic, realm: thehive}
     {name: local}
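Review bot: This template builds JSON by plain string interpolation, so a `"` or `\` in `item.firstname`, `item.lastname` or `item.email` produces an invalid document and the `curl` post that consumes it fails; in principle a crafted name could also smuggle extra keys such as `roles` into the request, although the values come from the operator's own prompts in `configure.sh`. Using Ansible's JSON encoder removes both concerns with two line changes: `"login": {{ item.email | to_json }},` and `"name": {{ (item.firstname ~ ' ' ~ item.lastname) | to_json }},`. The sibling `roles/thehive/templates/users.json` has the same shape and would benefit from the same treatment.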
@@ -70,24 +66,9 @@ auth {
       userUrl: "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/userinfo"
       // scope: ["openid", "email"]
       scope: ["openid"]
-      userIdField: "email"
-//      userIdField: "name"
+      userIdField: "email" # TheHive requires user id to be an email address
     }
   ]
-  sso {
-    autocreate: true
-    autoupdate: true
-    autologin: true
-    mapper: "simple"
-//    attributes {
-//      login: "login"
-//      name: "name"
-//      roles: "role"
-//    }
-    defaultRoles: ["read", "write", "admin"]
-    defaultOrganization: "{{domain}}"
-//    defaultOrganization: "demo"
-  }
   ws.ssl.trustManager {
     stores = [
       {
@@ -99,10 +80,17 @@ auth {
   }
   # The format of logins must be valid email address format. If the provided login doesn't contain `@` the following
   # domain is automatically appended
-  defaultUserDomain: "{{domain}}"
-#  defaultUserDomain: "thehive.local"
+  defaultUserDomain: "thehive.local"
 }
 
+# Automatically create new user when logged in using SSO and does not exist yet
+#user: {
+#  autoCreateOnSso: true
+#  defaults.profile: "analyst"
+#  defaults.organisation: "{{ org_name }}"
+#}
+
+
 ## CORTEX configuration
 # More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md
 # Enable Cortex connector
diff --git a/roles/thehive/templates/kibanauser.json b/roles/thehive/templates/kibanauser.json
index 5f8a562..dd4f462 100644
--- a/roles/thehive/templates/kibanauser.json
+++ b/roles/thehive/templates/kibanauser.json
@@ -2,5 +2,5 @@
   "login": "{{ THEHIVE_KIBANA_USER.username }}",
   "name": "{{ THEHIVE_KIBANA_USER.name }} {{ THEHIVE_KIBANA_USER.surname }}",
   "roles": {{ THEHIVE_KIBANA_USER.roles }},
-  "organisation": "{{ domain }}"
+  "organisation": "{{ org_name }}"
 }
diff --git a/roles/thehive/templates/users.json b/roles/thehive/templates/users.json
index 123f171..b8d5ac7 100644
--- a/roles/thehive/templates/users.json
+++ b/roles/thehive/templates/users.json
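Review bot: `defaultUserDomain` is now the fixed `"thehive.local"` instead of the configured domain, and per the comment directly above it TheHive appends that to any login that contains no `@`; SSO is unaffected because it is keyed on the `email` claim, but accounts created with a bare username — `kibanauser.json` in this same commit still posts `THEHIVE_KIBANA_USER.username` as `login` — silently become `<username>@thehive.local`, which is the login anything consuming that account must then use. That behaviour is worth stating on the line itself, e.g. `defaultUserDomain: "thehive.local"  # non-email logins (e.g. the kibana user) are stored as <login>@thehive.local`. The `auth` block that this hunk closes starts outside it.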
@@ -1,6 +1,6 @@
 {
-  "login": "{{ item.username }}",
+  "login": "{{ item.email }}",
   "name": "{{ item.firstname }} {{ item.lastname }}",
   "roles": ["read", "write", "admin"],
-  "organisation": "{{ domain }}"
+  "organisation": "{{ org_name }}"
 }
-- 
GitLab