Commit f8af65dc authored by Arne Øslebø's avatar Arne Øslebø

misp keycloack integration

parent f709ae99
...@@ -106,7 +106,7 @@ odfeplugin_version: "1.4.0.0" ...@@ -106,7 +106,7 @@ odfeplugin_version: "1.4.0.0"
openid_realm: "SOCTOOLS1" openid_realm: "SOCTOOLS1"
openid_scope: profile openid_scope: profile
openid_subjkey: preferred_username openid_subjkey: email
keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}" keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}"
keycloak_adminpass: "Pass005" keycloak_adminpass: "Pass005"
...@@ -121,4 +121,5 @@ misp_dbuser: "misp" ...@@ -121,4 +121,5 @@ misp_dbuser: "misp"
misp_dbpass: "Pass007" misp_dbpass: "Pass007"
# misp_salt generated with: openssl rand -base64 32 # misp_salt generated with: openssl rand -base64 32
misp_salt: "wa2fJA2mGIn32IDl+uKrCJ069Mg3khDdGzFNv8DOwM0=" misp_salt: "wa2fJA2mGIn32IDl+uKrCJ069Mg3khDdGzFNv8DOwM0="
misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically
misp_crypto_pass: 1234567890 #TODO: Generate dynamically
\ No newline at end of file
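Review bot: `misp_crypto_pass: 1234567890` is a fixed, predictable value that the Apache template renders into `OIDCCryptoPassphrase`, the secret mod_auth_openidc uses to protect its session and state cookies, so every deployment built from these defaults shares one publicly known passphrase. Generate it per installation instead — e.g. with the `password` lookup writing to a file alongside the inventory so it stays stable across runs — or keep it in Ansible Vault together with `keycloak_adminpass`, `misp_dbpass` and the other credentials in this file. The value is also unquoted, so YAML reads it as an integer rather than a string, and `misp_odic_crypto_pass` on the neighbouring line appears to be a leftover spelling of the same key. Switching `openid_subjkey` from `preferred_username` to `email` ties account identity to a claim that can be changed in Keycloak, unlike `sub`; worth confirming that is intended, since an address reassigned in the IdP would map onto the existing MISP account.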
...@@ -81,6 +81,8 @@ COPY misp_rh-php72-php-fpm /etc/logrotate.d/rh-php72-php-fpm ...@@ -81,6 +81,8 @@ COPY misp_rh-php72-php-fpm /etc/logrotate.d/rh-php72-php-fpm
# 80/443 - MISP web server, 3306 - mysql, 6379 - redis, 6666 - MISP modules, 50000 - MISP ZeroMQ # 80/443 - MISP web server, 3306 - mysql, 6379 - redis, 6666 - MISP modules, 50000 - MISP ZeroMQ
EXPOSE 80 443 6443 6379 6666 50000 EXPOSE 80 443 6443 6379 6666 50000
COPY mispsupervisord.conf /etc/supervisord.conf ENV PATH "$PATH:/opt/rh/rh-php72/root/bin/"
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
COPY mispsupervisord.conf /etc/supervisord.conf
#ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
ENTRYPOINT ["/bin/bash"]
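Review bot: `ENTRYPOINT ["/bin/bash"]` replaces the supervisord entrypoint, so the image no longer starts its own services and depends on the playbook's backgrounded `supervisord ... &` shell step, which reads as a debugging arrangement left in. Restore `ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]` here and keep the bash shell as an `entrypoint:` override in the Ansible container task for interactive use, or add a comment explaining why bash is PID 1. With bash as PID 1, a `docker stop` signal is delivered to the shell and not forwarded to a supervisord started later, so services are not shut down cleanly. The `EXPOSE` comment on the context line still names 3306 while the directive exposes 6443; not part of this change, but it will mislead.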
...@@ -7,6 +7,8 @@ ...@@ -7,6 +7,8 @@
image: "{{ misp_img }}" image: "{{ misp_img }}"
networks: networks:
- name: "{{ soctools_netname}}" - name: "{{ soctools_netname}}"
entrypoint: "/bin/bash"
interactive: "yes"
networks_cli_compatible: yes networks_cli_compatible: yes
published_ports: published_ports:
- "6443:6443" - "6443:6443"
......
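Review bot: `interactive: "yes"` passes a quoted string where `docker_container` expects a boolean; write `interactive: true` (and `networks_cli_compatible: true` on the context line for consistency) so yamllint's `truthy` rule and a YAML 1.2 parser agree with Ansible's coercion. Together with `entrypoint: "/bin/bash"`, the open stdin is what keeps the container alive, since the image's entrypoint no longer runs supervisord; if this is the intended runtime mode rather than a debugging aid, a comment above these two lines saying so would help the next reader. The task name and module line sit above the hunk, so the rest of the container spec is not visible here.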
...@@ -82,6 +82,8 @@ ...@@ -82,6 +82,8 @@
local: "roles/nifi/files/nifisecret" local: "roles/nifi/files/nifisecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret" - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
local: "roles/odfekibana/files/kibanasecret" local: "roles/odfekibana/files/kibanasecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
local: "roles/misp/files/mispsecret"
tags: tags:
- start - start
......
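Review bot: the Keycloak client secret is copied to `roles/misp/files/mispsecret`, inside the repository working tree next to the nifi and kibana secrets; check that this path is covered by `.gitignore`, otherwise a later `git add` commits a live client secret. The task's module and name are outside the hunk, so I cannot see whether a missing remote file fails the task or is skipped; if it is skipped, the later `lookup('file', 'files/mispsecret')` in the MISP role fails at template time with a less obvious error, so failing fast here is preferable.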
...@@ -28,7 +28,7 @@ kcadm.sh get realms/{{openid_realm}}/clients/${NIFICLIENT}/client-secret --field ...@@ -28,7 +28,7 @@ kcadm.sh get realms/{{openid_realm}}/clients/${NIFICLIENT}/client-secret --field
KIBANACLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-kibana","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:5601","adminUrl": "","redirectUris": ["https://{{dslproxy}}:5601", "https://{{dslproxy}}:5601/auth/openid/login", "https://{{dslproxy}}:5601/app/kibana" ],"webOrigins": [], "publicClient": false }') KIBANACLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-kibana","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:5601","adminUrl": "","redirectUris": ["https://{{dslproxy}}:5601", "https://{{dslproxy}}:5601/auth/openid/login", "https://{{dslproxy}}:5601/app/kibana" ],"webOrigins": [], "publicClient": false }')
kcadm.sh get realms/{{openid_realm}}/clients/${KIBANACLIENT}/client-secret --fields value > /opt/jboss/keycloak/kibanasecret kcadm.sh get realms/{{openid_realm}}/clients/${KIBANACLIENT}/client-secret --fields value > /opt/jboss/keycloak/kibanasecret
MISPCLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-misp","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:6443","adminUrl": "","redirectUris": ["https://{{dslproxy}}:6443/oauth2callback"],"webOrigins": [], "publicClient": false }') MISPCLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-misp","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:6443","adminUrl": "","redirectUris": ["https://{{dslproxy}}:6443/users/login/keycloak"],"webOrigins": [], "publicClient": false }')
kcadm.sh get realms/{{openid_realm}}/clients/${MISPCLIENT}/client-secret --fields value > /opt/jboss/keycloak/mispsecret kcadm.sh get realms/{{openid_realm}}/clients/${MISPCLIENT}/client-secret --fields value > /opt/jboss/keycloak/mispsecret
kcadm.sh config truststore --delete kcadm.sh config truststore --delete
......
---
- name: Get API key
shell: '/var/www/MISP/app/Console/cake Admin getAuthkey "admin@admin.test" | /usr/bin/tail -n1'
register: command_output
- name: Set API key fact
set_fact:
misp_api_key: "{{ command_output.stdout }}"
- name: Change email of default admin
uri:
url: "https://{{dslproxy}}:6443/admin/users/edit/1"
method: POST
body_format: json
headers:
Authorization: "{{misp_api_key}}"
Accept: "application/json"
Content-type: "application/json"
body: '{"email": "{{soctools_users[0].email}}","external_auth_required":"true","change_pw":"false"}'
ignore_errors: yes #Temporary while debugging
\ No newline at end of file
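Review bot: `Get API key` and `Set API key fact` obtain and store the MISP admin auth key without `no_log: true`, so the key appears in verbose output and in any callback or log plugin; add `no_log: true` to both, and to `Change email of default admin`, whose `headers.Authorization` carries the same key. `ignore_errors: yes` on that last task means a failed POST (wrong key, 4xx from the proxy) is accepted silently and the default admin keeps `admin@admin.test` with password login still allowed; remove it, or replace it with an explicit `status_code:` list on `uri` so only the expected responses pass. `body` is a hand-assembled JSON string; giving `uri` a YAML mapping under `body:` with `body_format: json` lets Ansible serialize it and avoids breaking on an email containing quotes, and `"external_auth_required":"true"` is presumably meant as a boolean — confirm against the MISP API. `ignore_errors: yes` should in any case be a bare `true`/`false`.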
--- ---
- name: Copy certificates in apache cert dir - include: start.yml
copy:
src: "{{ item.local }}"
dest: "{{ item.remote }}"
mode: "{{ item.mode}}"
with_items:
- local: "files/{{ inventory_hostname }}.crt"
remote: /etc/ssl/certs/misp.crt
mode: '0644'
- local: "files/{{ inventory_hostname }}.key"
remote: /etc/ssl/certs/misp.key
mode: '0600'
- local: "files/{{ ca_cn }}.crt"
remote: /etc/ssl/certs/ca.crt
mode: '0644'
tags: tags:
- start - start
- include: config.yml
- name: Configure Apache web server for misp
template:
src: misp.conf.j2
dest: /etc/httpd/conf.d/misp.conf
tags:
- start
- name: Configure MISP database access
template:
src: database.php.j2
dest: /var/www/MISP/app/Config/database.php
tags:
- start
- name: Configure MISP app
template:
src: config.php.j2
dest: /var/www/MISP/app/Config/config.php
tags:
- start
- name: Configure MISP database initialization script
template:
src: checkdb.sh.j2
dest: /var/www/MISP/checkdb.sh
mode: '0700'
tags:
- start
- name: Check if database is initialized
command: /var/www/MISP/checkdb.sh
tags: tags:
- start - start
- config
- name: Start MISP Services - include: stop.yml
command: "supervisorctl start all" tags: stop
tags: \ No newline at end of file
- start
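Review bot: the new `- include:` statements use the legacy `include` keyword, deprecated since Ansible 2.4 in favour of `import_tasks` (static) or `include_tasks` (dynamic), and tag handling differs between the two: tags on `import_tasks` are inherited by every task in the file, whereas tags on `include_tasks` gate only the include itself. Because the tasks moved into `start.yml` and `config.yml` no longer carry their own `tags: [start]`, `- import_tasks: start.yml` with `tags: [start]` is the form that preserves the old per-task tagging; the same applies to the `config.yml` and `stop.yml` entries. `stop.yml` is referenced on the last line but is not part of this change as far as the page shows.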
---
#- name: Set php path
# copy:
# src: php_path.sh
# dest: /etc/profile.d/php_path.sh
- name: Set PHP symbolic link
file:
src: /opt/rh/rh-php72/root/bin/php
dest: /usr/bin/php
state: link
- name: Copy certificates
copy:
src: "{{ item.local }}"
dest: "{{ item.remote }}"
mode: "{{ item.mode}}"
with_items:
- local: "files/{{ inventory_hostname }}.crt"
remote: /etc/ssl/certs/misp.crt
mode: '0644'
- local: "files/{{ inventory_hostname }}.key"
remote: /etc/ssl/certs/misp.key
mode: '0600'
- local: "files/{{ ca_cn }}.crt"
remote: /etc/ssl/certs/ca.crt
mode: '0644'
- local: "files/{{ ca_cn }}.crt"
remote: /etc/pki/ca-trust/source/anchors/ca.crt
mode: '0644'
- name: Update CA trust
command: update-ca-trust
- name: Get openid authkey
set_fact:
mispsecret: "{{lookup('file', 'files/mispsecret',convert_data=False) | from_json }}"
- name: Configure Apache web server for misp
template:
src: misp.conf.j2
dest: /etc/httpd/conf.d/misp.conf
- name: Configure MISP database access
template:
src: database.php.j2
dest: /var/www/MISP/app/Config/database.php
- name: Configure MISP app
template:
src: config.php.j2
dest: /var/www/MISP/app/Config/config.php
- name: Configure MISP database initialization script
template:
src: checkdb.sh.j2
dest: /var/www/MISP/checkdb.sh
mode: '0700'
- name: Check if database is initialized
command: /var/www/MISP/checkdb.sh
- name: Start supervisord
shell: "/usr/bin/supervisord -c /etc/supervisord.conf &"
- name: Start MISP Services
command: "supervisorctl start all"
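Review bot: `shell: "/usr/bin/supervisord -c /etc/supervisord.conf &"` backgrounds the supervisor from an Ansible shell task; depending on the connection plugin the process can die when the task's session closes, and on a second run another supervisord is started beside the first, so the step is not idempotent. Prefer letting the image's ENTRYPOINT run supervisord, or at least guard this task with a check that it is not already running (`supervisorctl status` returning non-zero, or a pidfile) and use `async`/`poll: 0` rather than a trailing `&`. `Get openid authkey` places the Keycloak client secret in the `mispsecret` fact without `no_log: true`, so it is echoed in verbose output; add `no_log: true` to that task. `update-ca-trust` has no `changed_when`, so the play reports a change on every run, and `files/{{ ca_cn }}.crt` is copied twice (to `/etc/ssl/certs/ca.crt` and the trust anchors directory), which is fine but worth a comment on why both locations are needed.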
---
#!/bin/bash -x #!/bin/bash -x
MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}) MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}})
if [ ${MISPINIT} == "0" ]; then if [ ${MISPINIT} == "0" ]; then
cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}} cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}
fi fi
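Review bot: `if [ ${MISPINIT} == "0" ]` leaves the variable unquoted, so when the query fails (host `{{mysql_name}}` unreachable, bad credentials) `MISPINIT` is empty, the test becomes `[ == "0" ]`, bash reports a syntax error and the schema import is skipped while the calling `command:` task still sees a zero exit; write `if [ "${MISPINIT}" = "0" ]; then` and add `set -o pipefail` so a failed `mysql` propagates. Both rewritten mysql lines still pass `-p{{misp_dbpass}}` on the command line, and with `#!/bin/bash -x` the full command including the password is traced to stderr and captured in the Ansible task output; export `MYSQL_PWD` at the top of the script or render a `--defaults-extra-file` with the same 0700/0600 protection this script already gets. `COUNT(DISTINCT 'table_name')` counts a quoted string literal, not the `table_name` column, so it only ever yields 0 or 1 — it works as an emptiness test by accident and should be `COUNT(DISTINCT table_name)` or carry a comment saying the 0/1 result is intended.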
...@@ -63,7 +63,7 @@ class DATABASE_CONFIG { ...@@ -63,7 +63,7 @@ class DATABASE_CONFIG {
'datasource' => 'Database/Mysql', 'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres', //'datasource' => 'Database/Postgres',
'persistent' => false, 'persistent' => false,
'host' => '{{groups['mysql'][0]}}', 'host' => '{{mysql_name}}',
'login' => '{{misp_dbuser}}', 'login' => '{{misp_dbuser}}',
'port' => 3306, // MySQL & MariaDB 'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL //'port' => 5432, // PostgreSQL
......
...@@ -10,15 +10,23 @@ AllowOverride all ...@@ -10,15 +10,23 @@ AllowOverride all
DirectoryIndex index.php DirectoryIndex index.php
# ProxyPassMatch ^/info$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/info.php
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/$1 ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/$1
#<FilesMatch "\.php$"> OIDCCryptoPassphrase {{misp_crypto_pass}}
# SetHandler "proxy:fcgi://127.0.0.1:9000" OIDCProviderMetadataURL https://{{dslproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration
# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" OIDCRedirectURI https://{{dslproxy}}:6443/users/login/keycloak
# AddHandler php72-fcgi .php OIDCClientID dsoclab-misp
# Action php72-fcgi /cgi-bin/php72.fcgi OIDCScope "openid profile"
#</FilesMatch> OIDCClientSecret {{mispsecret.value}}
OIDCRemoteUserClaim email
OIDCProviderTokenEndpointAuth client_secret_basic
<Location /users/login>
AuthType openid-connect
Require valid-user
RequestHeader set X-Remote-User %{OIDC_CLAIM_email}e
</Location>
SSLEngine On SSLEngine On
SSLCertificateFile /etc/ssl/certs/misp.crt SSLCertificateFile /etc/ssl/certs/misp.crt
......
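Review bot: `RequestHeader set X-Remote-User %{OIDC_CLAIM_email}e` is applied only inside `<Location /users/login>`, so on every other path a client-supplied `X-Remote-User` header is forwarded to PHP untouched; if MISP's external-auth handling trusts that header anywhere beyond the login route, add `RequestHeader unset X-Remote-User` at vhost level outside the Location so only the value Apache sets can reach the application. `OIDCCryptoPassphrase {{misp_crypto_pass}}` is rendered from the fixed default `1234567890` in the group vars, which makes the mod_auth_openidc session and state cookies protectable by anyone who has read this repository; the variable needs a per-deployment random value. The `OIDCRedirectURI` of `/users/login/keycloak` matches the Keycloak client's `redirectUris` and lies inside the protected Location, which is what mod_auth_openidc expects, so that part is consistent. The enclosing `<VirtualHost>` begins above the hunk, so I cannot see whether `OIDCClientSecret` and the other directives are scoped to this vhost only.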
...@@ -10,8 +10,8 @@ ...@@ -10,8 +10,8 @@
- name: Create misp user - name: Create misp user
mysql_user: mysql_user:
name: "{{misp_dbuser}}" name: "{{misp_dbuser}}"
# host: "{{item}}.{{soctools_netname}}" #host: "{{item}}.{{soctools_netname}}"
host: "gateway" host: "%"
password: "{{misp_dbpass}}" password: "{{misp_dbpass}}"
priv: "{{misp_dbname}}.*:ALL" priv: "{{misp_dbname}}.*:ALL"
with_items: "{{groups['mispcontainers']}}" with_items: "{{groups['mispcontainers']}}"
......
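Review bot: `host: "%"` lets `{{misp_dbuser}}` log in from any host, widening the previous `gateway` restriction to everything that can reach the MariaDB port; if the per-container `{{item}}.{{soctools_netname}}` form fails because name resolution is not available at grant time, scoping the grant to the Docker network's address range (a wildcard such as `"172.18.%"` — constructed example, take the real range from the network) keeps the account bounded. With the host no longer derived from `item`, the `with_items: "{{groups['mispcontainers']}}"` loop just recreates the same user once per container and can be dropped, or the `#host:` comment should say why the per-container form was abandoned.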
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
- name: Start soctools cluster - name: Start soctools cluster
import_playbook: startsoctools.yml import_playbook: startsoctools.yml
when: "'start' in ansible_run_tags" when: "'start' in ansible_run_tags or 'config' in ansible_run_tags"
- name: Stop soctools cluster - name: Stop soctools cluster
import_playbook: stopsoctools.yml import_playbook: stopsoctools.yml
......