fully working MISP Keycloak integration

roles/misp/tasks/config.yml

 ---
 
+- name: Change password of default user
+  shell: "/var/www/MISP/app/Console/cake Password admin@admin.test {{ lookup('password', '/tmp/passwordfile') }}"
+
+- name: Configure MISP
+  shell: '/var/www/MISP/app/Console/cake Admin setSetting {{item.var}} {{item.value}}'
+  with_items:
+    - {"var":"Plugin.CustomAuth_enable","value":"true"}
+    - {"var":"Plugin.CustomAuth_header","value":"X_REMOTE_USER"}
+    - {"var":"Plugin.CustomAuth_disable_logout","value":"true"}
+    - {"var":"MISP.external_baseurl","value":"https://{{dslproxy}}:6443"}
+    - {"var":"MISP.live","value":"true"}
+
+- name: Init default user
+  shell: '/var/www/MISP/app/Console/cake user_init | /usr/bin/tail -n1'
+  register: command_output
+  ignore_errors: True
+
 - name: Get API key
-  shell: '/var/www/MISP/app/Console/cake Admin getAuthkey "admin@admin.test" | /usr/bin/tail -n1'
+  shell: '/var/www/MISP/app/Console/cake Admin getAuthkey admin@admin.test | /usr/bin/tail -n1'
   register: command_output
+  ignore_errors: True
+  when: '"initialised" in command_output.stdout'
 
 - name: Set API key fact
   set_fact:
    misp_api_key: "{{ command_output.stdout }}"
 
-- name: Change email of default admin
+- name: add users
   uri:
-   url: "https://{{dslproxy}}:6443/admin/users/edit/1"
+   url: "https://{{dslproxy}}:6443/admin/users/add/1"
    method: POST
    body_format: json
    headers:
     Authorization: "{{misp_api_key}}"
     Accept: "application/json"
     Content-type: "application/json"
-   body: '{"email": "{{soctools_users[0].email}}","external_auth_required":"true","change_pw":"false"}'    
-  ignore_errors: yes #Temporary while debugging
+   body: '{"email": "{{item.email}}","org_id": "1","role_id": "1","external_auth_key":"{{item.email}}","external_auth_required":"1","change_pw": "0","external_auth_key":"{{item.email}}"}'    
+  ignore_errors: yes #Ignore error when user already exists
\ No newline at end of file
+  with_items:
+    - "{{soctools_users}}"
+
+- name: Enable feed
+  uri:
+   url: "https://{{dslproxy}}:6443/feeds/edit/1"
+   method: POST
+   body_format: json
+   headers:
+    Authorization: "{{misp_api_key}}"
+    Accept: "application/json"
+    Content-type: "application/json"
+   body: '{"enabled": true, "caching_enabled": true, "distribution": "1","publish": true}'
+
+- name: Fetch feed
+  shell: '/var/www/MISP/app/Console/cake Server {{item}} 1 all&'
+  with_items:
+    - fetchFeed
+    - cacheFeed

roles/misp/tasks/start.yml

 ---
 
-#- name: Set php path
-#  copy:
-#    src: php_path.sh
-#    dest: /etc/profile.d/php_path.sh
-
 - name: Set PHP symbolic link
   file:
    src: /opt/rh/rh-php72/root/bin/php  
@@ -47,10 +42,11 @@
     src: database.php.j2
     dest: /var/www/MISP/app/Config/database.php
 
-- name: Configure MISP app
-  template:
-    src: config.php.j2
-    dest: /var/www/MISP/app/Config/config.php
+- name: Configure salt
+  lineinfile:
+    path: /var/www/MISP/app/Config/config.php
+    regexp: "'salt'.*=>"
+    line: "'salt' => '{{misp_salt}}',"
 
 - name: Configure MISP database initialization script
   template:

roles/misp/templates/config.php.j2

-<?php
-$config = array (
-  'debug' => 0,
-  'MISP' => 
-  array (
-    'baseurl' => 'https://{{dslproxy}}:6443',
-    'footermidleft' => '',
-    'footermidright' => '',
-    'org' => 'ORGNAME',
-    'showorg' => true,
-    'threatlevel_in_email_subject' => true,
-    'email_subject_TLP_string' => 'tlp:amber',
-    'email_subject_tag' => 'tlp',
-    'email_subject_include_tag_name' => true,
-    'background_jobs' => true,
-    'cached_attachments' => true,
-    'email' => 'email@address.com',
-    'contact' => 'email@address.com',
-    'cveurl' => 'https://cve.circl.lu/cve/',
-    'cweurl' => 'https://cve.circl.lu/cwe/',
-    'disablerestalert' => false,
-    'default_event_distribution' => '1',
-    'default_attribute_distribution' => 'event',
-    'tagging' => true,
-    'full_tags_on_event_index' => true,
-    'attribute_tagging' => true,
-    'full_tags_on_attribute_index' => true,
-    'footer_logo' => '',
-    'take_ownership_xml_import' => false,
-    'unpublishedprivate' => false,
-    'disable_emailing' => false,
-    'manage_workers' => true,
-    'Attributes_Values_Filter_In_Event' => 'id, uuid, value, comment, type, category, Tag.name',
-    'uuid' => '6ec3e533-99f9-42ac-952d-002664d1500f',
-    'live' => true,
-  ),
-  'GnuPG' => 
-  array (
-    'onlyencrypted' => false,
-    'email' => '',
-    'homedir' => '',
-    'password' => '',
-    'bodyonlyencrypted' => false,
-    'sign' => true,
-    'obscure_subject' => false,
-  ),
-  'SMIME' => 
-  array (
-    'enabled' => false,
-    'email' => '',
-    'cert_public_sign' => '',
-    'key_sign' => '',
-    'password' => '',
-  ),
-  'Proxy' => 
-  array (
-    'host' => '',
-    'port' => '',
-    'method' => '',
-    'user' => '',
-    'password' => '',
-  ),
-  'SecureAuth' => 
-  array (
-    'amount' => 5,
-    'expire' => 300,
-  ),
-  'Security' => 
-  array (
-    'level' => 'medium',
-    'salt' => '{{misp_salt}}',
-    'cipherSeed' => '',
-  ),
-  'Session.defaults' => 'php',
-  'Session.timeout' => 60,
-  'Session.cookieTimeout' => 60,
-  'Session.autoRegenerate' => false,
-  'Session.checkAgent' => false,
-  'site_admin_debug' => NULL,
-  'Plugin' => NULL,
-  'CertAuth' => NULL,
-  'ApacheShibbAuth' => NULL,
-  'ApacheSecureAuth' => NULL,
-);

roles/misp/templates/misp.conf.j2

@@ -12,6 +12,8 @@ DirectoryIndex index.php
 
 ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/MISP/app/webroot/$1
 
+SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
 OIDCCryptoPassphrase {{misp_crypto_pass}}
 OIDCProviderMetadataURL https://{{dslproxy}}:12443/auth/realms/{{openid_realm}}/.well-known/openid-configuration
 OIDCRedirectURI https://{{dslproxy}}:6443/users/login/keycloak