Commit f8af65dc authored by Arne Øslebø's avatar Arne Øslebø

misp keycloack integration

parent f709ae99
......@@ -106,7 +106,7 @@ odfeplugin_version: "1.4.0.0"
openid_realm: "SOCTOOLS1"
openid_scope: profile
openid_subjkey: preferred_username
openid_subjkey: email
keycloak_img: "{{repo}}/keycloak:{{version}}{{suffix}}"
keycloak_adminpass: "Pass005"
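Review bot: `openid_subjkey: email` makes the `email` claim the user identifier, but `openid_scope: profile` two lines above does not request the `email` scope, so whether the claim is actually present in the token depends on the realm's default client scopes in Keycloak rather than on this configuration. Request it explicitly, `openid_scope: profile email`, and do the same in the misp.conf.j2 hunk, where `OIDCScope "openid profile"` sits next to `OIDCRemoteUserClaim email` with the identical dependency. The old and new `openid_subjkey` lines are interleaved in this rendering, so which one is the addition is inferred from the template in the same commit.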
......@@ -121,4 +121,5 @@ misp_dbuser: "misp"
misp_dbpass: "Pass007"
# misp_salt generated with: openssl rand -base64 32
misp_salt: "wa2fJA2mGIn32IDl+uKrCJ069Mg3khDdGzFNv8DOwM0="
misp_odic_crypto_pass: 1234567890 #TODO: Generate dynamically
misp_crypto_pass: 1234567890 #TODO: Generate dynamically
\ No newline at end of file
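Review bot: `misp_crypto_pass: 1234567890` is a fixed, committed value that the misp.conf.j2 hunk renders into `OIDCCryptoPassphrase`, the key mod_auth_openidc uses to protect its state and session cookies, so the TODO is a blocker rather than a nicety; generate it the way the comment above `misp_salt` describes (`openssl rand -base64 32`) and keep it in a vaulted vars file rather than plain group_vars. The value is also an unquoted integer, so YAML loads it as a number; quote it, `misp_crypto_pass: "1234567890"`, so it stays a string if it ever starts with a zero or contains a non-digit. Whether `misp_odic_crypto_pass` is the removed line and `misp_crypto_pass` the added one is inferred from the template referencing the latter.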
......@@ -81,6 +81,8 @@ COPY misp_rh-php72-php-fpm /etc/logrotate.d/rh-php72-php-fpm
# 80/443 - MISP web server, 3306 - mysql, 6379 - redis, 6666 - MISP modules, 50000 - MISP ZeroMQ
EXPOSE 80 443 6443 6379 6666 50000
COPY mispsupervisord.conf /etc/supervisord.conf
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
ENV PATH "$PATH:/opt/rh/rh-php72/root/bin/"
COPY mispsupervisord.conf /etc/supervisord.conf
#ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
ENTRYPOINT ["/bin/bash"]
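Review bot: `ENTRYPOINT ["/bin/bash"]` is the second `ENTRYPOINT` in view (the supervisord one above the `ENV PATH` line is still present) and `COPY mispsupervisord.conf /etc/supervisord.conf` appears twice; Docker honours only the last `ENTRYPOINT`, so if this rendering reflects the new file the image carries a dead instruction and a redundant layer. With bash as the entrypoint, supervisord is no longer PID 1, the MISP services depend on the Ansible start task launching it, and the container exits immediately unless it is run interactive, which the `interactive:` setting in the docker_container task of this commit provides. Remove the stale `ENTRYPOINT` and the duplicate `COPY`, and record the dependency with `# bash entrypoint: supervisord is started by the misp role's start tasks` so the next reader does not have to reconstruct it.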
......@@ -7,6 +7,8 @@
image: "{{ misp_img }}"
networks:
- name: "{{ soctools_netname}}"
entrypoint: "/bin/bash"
interactive: "yes"
networks_cli_compatible: yes
published_ports:
- "6443:6443"
......
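Review bot: `interactive: "yes"` is a quoted string where the module expects a boolean, while `networks_cli_compatible: yes` on the next line is a YAML 1.1 boolean literal; both end up as booleans through Ansible's type coercion, but the file should use one spelling, `interactive: true` and `networks_cli_compatible: true`. `entrypoint: "/bin/bash"` replaces the image's process supervisor, so the container only stays up because it is interactive and only serves MISP once the start tasks launch supervisord; a comment stating that, `# bash + interactive: services are started later by the misp role`, belongs next to it. The task begins outside the hunk.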
......@@ -82,6 +82,8 @@
local: "roles/nifi/files/nifisecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/kibanasecret"
local: "roles/odfekibana/files/kibanasecret"
- remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
local: "roles/misp/files/mispsecret"
tags:
- start
......
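Review bot: `local: "roles/misp/files/mispsecret"` fetches the Keycloak client secret into the role's `files/` directory inside the repository checkout, where it is one `git add` away from being committed, exactly like the nifisecret and kibanasecret entries above it. Add the three `*secret` paths to `.gitignore` (or fetch them to a directory outside the tree and point the `lookup('file', ...)` in start.yml at it), and set `no_log: true` on this task so the fetched content does not appear in verbose output. The enclosing task starts outside the hunk.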
......@@ -28,7 +28,7 @@ kcadm.sh get realms/{{openid_realm}}/clients/${NIFICLIENT}/client-secret --field
KIBANACLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-kibana","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:5601","adminUrl": "","redirectUris": ["https://{{dslproxy}}:5601", "https://{{dslproxy}}:5601/auth/openid/login", "https://{{dslproxy}}:5601/app/kibana" ],"webOrigins": [], "publicClient": false }')
kcadm.sh get realms/{{openid_realm}}/clients/${KIBANACLIENT}/client-secret --fields value > /opt/jboss/keycloak/kibanasecret
MISPCLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-misp","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:6443","adminUrl": "","redirectUris": ["https://{{dslproxy}}:6443/oauth2callback"],"webOrigins": [], "publicClient": false }')
MISPCLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"dsoclab-misp","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{dslproxy}}:6443","adminUrl": "","redirectUris": ["https://{{dslproxy}}:6443/users/login/keycloak"],"webOrigins": [], "publicClient": false }')
kcadm.sh get realms/{{openid_realm}}/clients/${MISPCLIENT}/client-secret --fields value > /opt/jboss/keycloak/mispsecret
kcadm.sh config truststore --delete
......
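Review bot: `> /opt/jboss/keycloak/mispsecret` writes the client secret with whatever mode the shell's umask yields, as do the nifisecret and kibanasecret lines above it; wrap the three redirections in `( umask 077; kcadm.sh ... )` or `chmod 600` the files afterwards so the secrets are not readable by other users in the container. The `kcadm.sh create ... -i` call is also not idempotent: rerunning the script creates a second `dsoclab-misp` client or fails, depending on the Keycloak version, so a lookup by clientId before creating — presumably `kcadm.sh get realms/{{openid_realm}}/clients -q clientId=dsoclab-misp`, to be confirmed against the installed kcadm — would make reruns safe. The script begins outside the hunk.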
---
- name: Get API key
shell: '/var/www/MISP/app/Console/cake Admin getAuthkey "admin@admin.test" | /usr/bin/tail -n1'
register: command_output
- name: Set API key fact
set_fact:
misp_api_key: "{{ command_output.stdout }}"
- name: Change email of default admin
uri:
url: "https://{{dslproxy}}:6443/admin/users/edit/1"
method: POST
body_format: json
headers:
Authorization: "{{misp_api_key}}"
Accept: "application/json"
Content-type: "application/json"
body: '{"email": "{{soctools_users[0].email}}","external_auth_required":"true","change_pw":"false"}'
ignore_errors: yes #Temporary while debugging
\ No newline at end of file
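Review bot: `register: command_output` stores the admin API key and the `uri` task sends it in `Authorization`, and neither task sets `no_log: true`, so the key is printed in `-v` runs and in any failure output; add `no_log: true` to both tasks. `ignore_errors: yes` then hides a failure of the one step that switches the default `admin@admin.test` account to external authentication, which leaves password login on a well-known address in place; prefer `status_code: [200, 201]` on the `uri` task with the error surfaced, or at least spell it `ignore_errors: true` and keep the TODO next to it. `"external_auth_required":"true"` and `"change_pw":"false"` are sent as strings rather than JSON booleans, which MISP may or may not coerce — worth confirming against the API.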
---
- name: Copy certificates in apache cert dir
copy:
src: "{{ item.local }}"
dest: "{{ item.remote }}"
mode: "{{ item.mode}}"
with_items:
- local: "files/{{ inventory_hostname }}.crt"
remote: /etc/ssl/certs/misp.crt
mode: '0644'
- local: "files/{{ inventory_hostname }}.key"
remote: /etc/ssl/certs/misp.key
mode: '0600'
- local: "files/{{ ca_cn }}.crt"
remote: /etc/ssl/certs/ca.crt
mode: '0644'
- include: start.yml
tags:
- start
- name: Configure Apache web server for misp
template:
src: misp.conf.j2
dest: /etc/httpd/conf.d/misp.conf
tags:
- start
- name: Configure MISP database access
template:
src: database.php.j2
dest: /var/www/MISP/app/Config/database.php
tags:
- start
- name: Configure MISP app
template:
src: config.php.j2
dest: /var/www/MISP/app/Config/config.php
tags:
- start
- name: Configure MISP database initialization script
template:
src: checkdb.sh.j2
dest: /var/www/MISP/checkdb.sh
mode: '0700'
tags:
- start
- name: Check if database is initialized
command: /var/www/MISP/checkdb.sh
- start
- include: config.yml
tags:
- start
- name: Start MISP Services
command: "supervisorctl start all"
tags:
- start
- start
- config
- include: stop.yml
tags: stop
\ No newline at end of file
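Review bot: `- include: start.yml` and `- include: config.yml` use the legacy `include`, deprecated since Ansible 2.4 in favour of `import_tasks` (static, tags inherited by the included tasks) or `include_tasks` (dynamic, tags applied to the include only); since both carry `tags: - start` and the included files hold the tasks that must run under that tag, the intent is the static form, `- import_tasks: start.yml`, which the repository's Ansible version supports given the `import_playbook` used in soctools.yml. The old and new lines of this section are interleaved in the rendering (the stray `- start` after `command: /var/www/MISP/checkdb.sh`, the doubled `- start` under `Start MISP Services`), so the final task order is inferred rather than read.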
---
#- name: Set php path
# copy:
# src: php_path.sh
# dest: /etc/profile.d/php_path.sh
- name: Set PHP symbolic link
file:
src: /opt/rh/rh-php72/root/bin/php
dest: /usr/bin/php
state: link
- name: Copy certificates
copy:
src: "{{ item.local }}"
dest: "{{ item.remote }}"
mode: "{{ item.mode}}"
with_items:
- local: "files/{{ inventory_hostname }}.crt"
remote: /etc/ssl/certs/misp.crt
mode: '0644'
- local: "files/{{ inventory_hostname }}.key"
remote: /etc/ssl/certs/misp.key
mode: '0600'
- local: "files/{{ ca_cn }}.crt"
remote: /etc/ssl/certs/ca.crt
mode: '0644'
- local: "files/{{ ca_cn }}.crt"
remote: /etc/pki/ca-trust/source/anchors/ca.crt
mode: '0644'
- name: Update CA trust
command: update-ca-trust
- name: Get openid authkey
set_fact:
mispsecret: "{{lookup('file', 'files/mispsecret',convert_data=False) | from_json }}"
- name: Configure Apache web server for misp
template:
src: misp.conf.j2
dest: /etc/httpd/conf.d/misp.conf
- name: Configure MISP database access
template:
src: database.php.j2
dest: /var/www/MISP/app/Config/database.php
- name: Configure MISP app
template:
src: config.php.j2
dest: /var/www/MISP/app/Config/config.php
- name: Configure MISP database initialization script
template:
src: checkdb.sh.j2
dest: /var/www/MISP/checkdb.sh
mode: '0700'
- name: Check if database is initialized
command: /var/www/MISP/checkdb.sh
- name: Start supervisord
shell: "/usr/bin/supervisord -c /etc/supervisord.conf &"
- name: Start MISP Services
command: "supervisorctl start all"
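Review bot: `mispsecret: "{{lookup('file', 'files/mispsecret',convert_data=False) | from_json }}"` puts the Keycloak client secret into a fact without `no_log: true`, so it is displayed in `-v` output and in any later task that fails while rendering it; add `no_log: true` to `Get openid authkey`, and consider it on the `Configure Apache web server for misp` task too, since `--diff` mode would print the rendered `OIDCClientSecret` line. `Start supervisord` backgrounds with `&` and `Start MISP Services` runs `supervisorctl start all` immediately with no wait for supervisord's control socket; `register: svc`, `until: svc.rc == 0`, `retries: 10` with `delay: 2` on the second task removes the race. supervisord daemonises by default unless `nodaemon=true` is set in mispsupervisord.conf (not visible), in which case the `&` is what keeps the task from hanging — a comment saying which applies would help.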
---
#!/bin/bash -x
MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}})
MISPINIT=$(echo "SELECT COUNT(DISTINCT 'table_name') FROM information_schema.columns WHERE table_schema = '{{misp_dbname}}';" | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}})
if [ ${MISPINIT} == "0" ]; then
cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{groups['mysql'][0]}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}
cat /var/www/MISP/INSTALL/MYSQL.sql | mysql -s -h {{mysql_name}} -u {{misp_dbuser}} -p{{misp_dbpass}} {{misp_dbname}}
fi
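Review bot: `#!/bin/bash -x` traces every command, so `-p{{misp_dbpass}}` is echoed to stderr, and from there into Ansible's captured output, on every run, in addition to being visible in the process list while mysql runs; pass the password through `MYSQL_PWD` or a `--defaults-extra-file` and drop `-x`. `if [ ${MISPINIT} == "0" ]` fails with "unary operator expected" when the query errors and `MISPINIT` is empty, which silently skips the schema load; `if [ "${MISPINIT}" = "0" ]; then` handles the empty case and is POSIX. `COUNT(DISTINCT 'table_name')` counts a string literal rather than the column, so the result is only ever 0 or 1; that still answers "does the schema have any columns", but `COUNT(DISTINCT table_name)` is presumably what was intended. The two rendered variants of each mysql line are the old `groups['mysql'][0]` and new `mysql_name` hosts.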
......@@ -63,7 +63,7 @@ class DATABASE_CONFIG {
'datasource' => 'Database/Mysql',
//'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => '{{groups['mysql'][0]}}',
'host' => '{{mysql_name}}',
'login' => '{{misp_dbuser}}',
'port' => 3306, // MySQL & MariaDB
//'port' => 5432, // PostgreSQL
......
......@@ -10,15 +10,23 @@ AllowOverride all
DirectoryIndex index.php
# ProxyPassMatch ^/info$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/info.php
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/$1
#<FilesMatch "\.php$">
# SetHandler "proxy:fcgi://127.0.0.1:9000"
# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
# AddHandler php72-fcgi .php
# Action php72-fcgi /cgi-bin/php72.fcgi
#</FilesMatch>
OIDCCryptoPassphrase {{misp_crypto_pass}}
OIDCProviderMetadataURL https://{{dslproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration
OIDCRedirectURI https://{{dslproxy}}:6443/users/login/keycloak
OIDCClientID dsoclab-misp
OIDCScope "openid profile"
OIDCClientSecret {{mispsecret.value}}
OIDCRemoteUserClaim email
OIDCProviderTokenEndpointAuth client_secret_basic
<Location /users/login>
AuthType openid-connect
Require valid-user
RequestHeader set X-Remote-User %{OIDC_CLAIM_email}e
</Location>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/misp.crt
......
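Review bot: `RequestHeader set X-Remote-User %{OIDC_CLAIM_email}e` is only in force inside `<Location /users/login>`, so on every other path a client-supplied `X-Remote-User` header reaches PHP unchanged; if config.php (rendered from config.php.j2, not shown in this commit) enables MISP's header-based authentication on that header, the OIDC check does not protect it. Add `RequestHeader unset X-Remote-User early` at VirtualHost level, before the Location block, so only the authenticated location can set it. Separately, `OIDCScope "openid profile"` does not request the `email` scope although `OIDCRemoteUserClaim email` depends on that claim; `OIDCScope "openid profile email"` removes the dependency on the realm's default client scopes. The VirtualHost block begins and ends outside this hunk.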
......@@ -10,8 +10,8 @@
- name: Create misp user
mysql_user:
name: "{{misp_dbuser}}"
# host: "{{item}}.{{soctools_netname}}"
host: "gateway"
#host: "{{item}}.{{soctools_netname}}"
host: "%"
password: "{{misp_dbpass}}"
priv: "{{misp_dbname}}.*:ALL"
with_items: "{{groups['mispcontainers']}}"
......
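Review bot: `host: "%"` grants the misp database user access from any host, while the task still loops over `with_items: "{{groups['mispcontainers']}}"`, so it now creates the identical `misp@%` grant once per item and the `item` variable is unused. If the change was made because the container hostnames in the commented-out `{{item}}.{{soctools_netname}}` do not resolve for MySQL's host matching, the docker network's CIDR (e.g. `host: "172.18.0.0/255.255.0.0"`, a constructed example to be replaced with the real subnet) keeps the grant confined to that network; otherwise drop `with_items` and record the reasoning, `# "%": mysql is only reachable on the internal soctools network`. The task begins outside the hunk.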
......@@ -2,7 +2,7 @@
- name: Start soctools cluster
import_playbook: startsoctools.yml
when: "'start' in ansible_run_tags"
when: "'start' in ansible_run_tags or 'config' in ansible_run_tags"
- name: Stop soctools cluster
import_playbook: stopsoctools.yml
......