#!/bin/bash
source /rest_client.sh
source /utilities.sh
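# Runtime defaults. A value already present in the environment wins; only an
# unset or empty variable receives the fallback. These four are exported
# because the envsubst templates under /etc/misp-docker read them.
export ADMIN_EMAIL="${ADMIN_EMAIL:-admin@admin.test}"
export GPG_PASSPHRASE="${GPG_PASSPHRASE:-passphrase}"
export REDIS_FQDN="${REDIS_FQDN:-redis}"
export MISP_MODULES_FQDN="${MISP_MODULES_FQDN:-http://misp-modules}"

# Switches to selectively disable configuration logic. They are consumed by
# this script only, so they are not exported.
: "${AUTOCONF_GPG:=true}"
# NOTE(review): init_user tests AUTOGEN_ADMIN_KEY, not AUTOCONF_ADMIN_KEY, so this
# default currently has no effect — confirm which name is the intended switch.
: "${AUTOCONF_ADMIN_KEY:=true}"
: "${OIDC_ENABLE:=false}"
: "${LDAP_ENABLE:=false}"
: "${ENABLE_DB_SETTINGS:=false}"
: "${PROXY_ENABLE:=false}"
: "${DEBUG:=0}"

# We now use envsubst for safe variable substitution with pseudo-json objects for env var enforcement.
# envsubst won't evaluate anything like $() or conditional variable expansion, so those
# derived values are computed here and exported for the templates.
PYTHON_BIN="$(command -v python3)"
GPG_BINARY="$(command -v gpg)"
export PYTHON_BIN GPG_BINARY
# "-" (not ":-") on purpose: an explicitly empty MISP_CONTACT/MISP_EMAIL stays empty
export SETTING_CONTACT="${MISP_CONTACT-$ADMIN_EMAIL}"
export SETTING_EMAIL="${MISP_EMAIL-$ADMIN_EMAIL}"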
#######################################
# Apply the minimal set of settings that must be in place before anything
# else runs. The DB-backed settings store is switched off first so the
# "minimum_config" values land in config.php; later steps may re-enable it.
# Returns:   status of init_settings
#######################################
init_minimum_config() {
    local cake=/var/www/MISP/app/Console/cake
    # Temporarily disable DB to apply config file settings, reenable after if needed
    sudo -u www-data "$cake" Admin setSetting -q "MISP.system_setting_db" false
    init_settings "minimum_config"
}
#######################################
# Apply the "db_enable" and then the "initialisation" settings phases, in
# that order, through init_settings.
# Returns:   status of the last init_settings call
#######################################
init_configuration() {
    local phase
    for phase in db_enable initialisation; do
        init_settings "$phase"
    done
}
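#######################################
# Start the MISP background worker group under supervisord.
# Outputs:   progress line, then supervisorctl output (line-buffered so it
#            shows up promptly in the container log)
# Returns:   status of supervisorctl
#######################################
init_workers() {
    echo "... starting background workers"
    # Quoted: the group pattern is for supervisorctl, not a shell glob
    stdbuf -oL supervisorctl start 'misp-workers:*'
}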
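#######################################
# Generate (once) and export the instance GPG key MISP uses for its e-mails.
# Globals:   AUTOCONF_GPG, GPG_PASSPHRASE, MISP_EMAIL, ADMIN_EMAIL (read)
#            GPG_DIR (exported; consumed by the "gpg" envsubst template)
#            GPG_ASC (written)
# Outputs:   progress lines on stdout, errors on stderr
# Returns:   0 when done or skipped, 1 if no temp file could be created
#######################################
configure_gnupg() {
    if [ "$AUTOCONF_GPG" != "true" ]; then
        echo "... GPG auto configuration disabled"
        return
    fi

    export GPG_DIR=/var/www/MISP/.gnupg
    GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
    local key_email="${MISP_EMAIL-$ADMIN_EMAIL}"

    if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
        echo "... generating new GPG key in ${GPG_DIR}"
        # The batch file carries the passphrase, so it goes into an
        # unpredictable owner-only temp file rather than a fixed /tmp name.
        local gpg_tmp
        gpg_tmp=$(mktemp) || { echo "... error: cannot create temporary GPG batch file" >&2; return 1; }
        cat >"${gpg_tmp}" <<GPGEOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 3072
Name-Real: MISP Admin
Name-Email: ${key_email}
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
%commit
%echo Done
GPGEOF
        mkdir -p "${GPG_DIR}"
        gpg --homedir "${GPG_DIR}" --gen-key --batch "${gpg_tmp}" \
            || echo "... error: GPG key generation failed" >&2
        rm -f "${gpg_tmp}"
    else
        echo "... found pre-generated GPG key in ${GPG_DIR}"
    fi

    # Fix permissions: the keyring must belong to, and be readable only by, the web user
    chown -R www-data:www-data "${GPG_DIR}"
    find "${GPG_DIR}" -type f -exec chmod 600 {} +
    find "${GPG_DIR}" -type d -exec chmod 700 {} +

    if [ ! -f "${GPG_ASC}" ]; then
        echo "... exporting GPG key"
        sudo -u www-data gpg --homedir "${GPG_DIR}" --export --armor "${key_email}" > "${GPG_ASC}"
    else
        echo "... found exported key ${GPG_ASC}"
    fi

    init_settings "gpg"
}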
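#######################################
# Enable the OidcAuth plugin and write its settings into config.php.
# Globals:   OIDC_ENABLE, OIDC_PROVIDER_URL, OIDC_ISSUER (optional),
#            OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_ROLES_PROPERTY,
#            OIDC_ROLES_MAPPING (raw JSON), OIDC_DEFAULT_ORG (read)
# Outputs:   progress lines on stdout, errors on stderr
# Returns:   0 when done or skipped, 1 if OIDC_ROLES_MAPPING is not valid JSON
#######################################
set_up_oidc() {
    if [[ "$OIDC_ENABLE" != "true" ]]; then
        echo "... OIDC authentication disabled"
        return
    fi

    # role_mapper is spliced in as raw JSON; an empty mapping becomes the JSON string ""
    if [[ -z "$OIDC_ROLES_MAPPING" ]]; then
        OIDC_ROLES_MAPPING="\"\""
    fi

    # Check required variables
    # OIDC_ISSUER may be empty
    check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG

    local -a modify_config=(sudo -u www-data php /var/www/MISP/tests/modify_config.php modify)

    "${modify_config[@]}" '{"Security": {"auth": ["OidcAuth.Oidc"]}}' > /dev/null

    # Build the settings object with jq so that quotes, backslashes and other
    # JSON metacharacters in the values (the client secret in particular) are
    # escaped instead of producing a broken document.
    local oidc_settings
    oidc_settings=$(jq -n \
        --arg provider_url "$OIDC_PROVIDER_URL" \
        --arg issuer "${OIDC_ISSUER-}" \
        --arg client_id "$OIDC_CLIENT_ID" \
        --arg client_secret "$OIDC_CLIENT_SECRET" \
        --arg roles_property "$OIDC_ROLES_PROPERTY" \
        --argjson role_mapper "$OIDC_ROLES_MAPPING" \
        --arg default_org "$OIDC_DEFAULT_ORG" \
        '{OidcAuth: ({provider_url: $provider_url}
            + (if $issuer != "" then {issuer: $issuer} else {} end)
            + {client_id: $client_id,
               client_secret: $client_secret,
               roles_property: $roles_property,
               role_mapper: $role_mapper,
               default_org: $default_org})}') || {
        echo "... error: OIDC_ROLES_MAPPING must be valid JSON" >&2
        return 1
    }
    "${modify_config[@]}" "$oidc_settings" > /dev/null

    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
}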
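#######################################
# Write the ApacheSecureAuth (LDAP) settings into config.php.
# Globals:   LDAP_ENABLE plus the LDAP_* variables listed in check_env_vars
#            (read); LDAP_SEARCH_FILTER may be empty. LDAP_STARTTLS,
#            LDAP_OPT_PROTOCOL_VERSION, LDAP_OPT_NETWORK_TIMEOUT, LDAP_FILTER,
#            LDAP_DEFAULT_ROLE_ID, LDAP_OPT_REFERRALS and LDAP_EMAIL_FIELD are
#            spliced in as raw JSON, so each must hold a valid JSON value.
# Outputs:   progress lines on stdout, errors on stderr
# Returns:   0 when done or skipped, 1 if a raw-JSON variable is not valid JSON
#######################################
set_up_ldap() {
    if [[ "$LDAP_ENABLE" != "true" ]]; then
        echo "... LDAP authentication disabled"
        return
    fi

    # Check required variables
    # LDAP_SEARCH_FILTER may be empty
    check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS

    # Build the settings object with jq so that quotes and backslashes in the
    # string values (reader password, DN, filters) are escaped rather than
    # breaking the document. --argjson keeps the raw-JSON values raw.
    local ldap_settings
    ldap_settings=$(jq -n \
        --arg apacheEnv "$LDAP_APACHE_ENV" \
        --arg ldapServer "$LDAP_SERVER" \
        --argjson starttls "$LDAP_STARTTLS" \
        --argjson ldapProtocol "$LDAP_OPT_PROTOCOL_VERSION" \
        --argjson ldapNetworkTimeout "$LDAP_OPT_NETWORK_TIMEOUT" \
        --arg ldapReaderUser "$LDAP_READER_USER" \
        --arg ldapReaderPassword "$LDAP_READER_PASSWORD" \
        --arg ldapDN "$LDAP_DN" \
        --arg ldapSearchFilter "${LDAP_SEARCH_FILTER-}" \
        --arg ldapSearchAttribut "$LDAP_SEARCH_ATTRIBUTE" \
        --argjson ldapFilter "$LDAP_FILTER" \
        --argjson ldapDefaultRoleId "$LDAP_DEFAULT_ROLE_ID" \
        --arg ldapDefaultOrg "$LDAP_DEFAULT_ORG" \
        --argjson ldapAllowReferrals "$LDAP_OPT_REFERRALS" \
        --argjson ldapEmailField "${LDAP_EMAIL_FIELD-}" \
        '{ApacheSecureAuth: {
            apacheEnv: $apacheEnv,
            ldapServer: $ldapServer,
            starttls: $starttls,
            ldapProtocol: $ldapProtocol,
            ldapNetworkTimeout: $ldapNetworkTimeout,
            ldapReaderUser: $ldapReaderUser,
            ldapReaderPassword: $ldapReaderPassword,
            ldapDN: $ldapDN,
            ldapSearchFilter: $ldapSearchFilter,
            ldapSearchAttribut: $ldapSearchAttribut,
            ldapFilter: $ldapFilter,
            ldapDefaultRoleId: $ldapDefaultRoleId,
            ldapDefaultOrg: $ldapDefaultOrg,
            ldapAllowReferrals: $ldapAllowReferrals,
            ldapEmailField: $ldapEmailField}}') || {
        echo "... error: LDAP_STARTTLS, LDAP_OPT_PROTOCOL_VERSION, LDAP_OPT_NETWORK_TIMEOUT, LDAP_FILTER, LDAP_DEFAULT_ROLE_ID, LDAP_OPT_REFERRALS and LDAP_EMAIL_FIELD must each be valid JSON" >&2
        return 1
    }
    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "$ldap_settings" > /dev/null

    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
}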
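#######################################
# Enable the AadAuth plugin (Entra ID / AzureAD) and write its settings into
# config.php, then lock down user self-service so the AAD login flow cannot
# be bypassed.
# Globals:   AAD_ENABLE (no default; anything but "true" skips this step) plus
#            the AAD_* variables listed in check_env_vars (read); AAD_MISP_USER
#            is optional; AAD_CHECK_GROUPS is spliced in as raw JSON.
# Outputs:   progress lines on stdout, errors on stderr
# Returns:   0 when done or skipped, 1 if AAD_CHECK_GROUPS is not valid JSON
#######################################
set_up_aad() {
    if [[ "$AAD_ENABLE" != "true" ]]; then
        echo "... Entra (AzureAD) authentication disabled"
        return
    fi

    # Check required variables
    check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS

    # Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because
    # existing loadAll() call in bootstrap.php already loads all available Cake plugins

    local -a modify_config=(sudo -u www-data php /var/www/MISP/tests/modify_config.php modify)

    # Set auth mechanism to AAD in config.php file
    "${modify_config[@]}" '{"Security": {"auth": ["AadAuth.AadAuthenticate"]}}' > /dev/null

    # Configure AAD auth settings from environment variables in config.php file.
    # jq escapes quotes/backslashes in the values (notably the client secret)
    # so they cannot break the generated document.
    local aad_settings
    aad_settings=$(jq -n \
        --arg client_id "$AAD_CLIENT_ID" \
        --arg ad_tenant "$AAD_TENANT_ID" \
        --arg client_secret "$AAD_CLIENT_SECRET" \
        --arg redirect_uri "$AAD_REDIRECT_URI" \
        --arg auth_provider "$AAD_PROVIDER" \
        --arg auth_provider_user "$AAD_PROVIDER_USER" \
        --arg misp_user "${AAD_MISP_USER-}" \
        --arg misp_orgadmin "$AAD_MISP_ORGADMIN" \
        --arg misp_siteadmin "$AAD_MISP_SITEADMIN" \
        --argjson check_ad_groups "$AAD_CHECK_GROUPS" \
        '{AadAuth: {
            client_id: $client_id,
            ad_tenant: $ad_tenant,
            client_secret: $client_secret,
            redirect_uri: $redirect_uri,
            auth_provider: $auth_provider,
            auth_provider_user: $auth_provider_user,
            misp_user: $misp_user,
            misp_orgadmin: $misp_orgadmin,
            misp_siteadmin: $misp_siteadmin,
            check_ad_groups: $check_ad_groups}}') || {
        echo "... error: AAD_CHECK_GROUPS must be valid JSON" >&2
        return 1
    }
    "${modify_config[@]}" "$aad_settings" > /dev/null

    # Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
    # Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
    local cake=/var/www/MISP/app/Console/cake
    sudo -u www-data "$cake" Admin setSetting -q "MISP.disableUserSelfManagement" true
    sudo -u www-data "$cake" Admin setSetting -q "MISP.disable_user_login_change" true
    sudo -u www-data "$cake" Admin setSetting -q "MISP.disable_user_password_change" true

    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
    sudo -u www-data "$cake" Admin setSetting -q "Security.require_password_confirmation" false
}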
#######################################
# Apply the "proxy" settings phase when PROXY_ENABLE is "true".
# Globals:   PROXY_ENABLE (read)
# Outputs:   progress line on stdout
#######################################
set_up_proxy() {
    if [[ "$PROXY_ENABLE" != "true" ]]; then
        echo "... Proxy disabled"
        return
    fi
    echo "... configuring proxy settings"
    init_settings "proxy"
}
#######################################
# Run the pending MISP database/schema updates.
# Outputs:   runUpdates output with ANSI colour escapes stripped, since it
#            usually ends up in a log
#######################################
apply_updates() {
    local cake=/var/www/MISP/app/Console/cake
    # Disable 'ZeroMQ_enable' to get better logs when applying updates
    # sudo -u www-data "$cake" Admin setSetting -q "Plugin.ZeroMQ_enable" false
    sudo -u www-data "$cake" Admin runUpdates \
        | stdbuf -oL sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
    # Re-enable 'ZeroMQ_enable'
    # sudo -u www-data "$cake" Admin setSetting -q "Plugin.ZeroMQ_enable" true
}
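#######################################
# Escape a value for use inside a double-quoted MySQL string literal
# (backslash and double quote). NOTE(review): assumes the server is not
# running with NO_BACKSLASH_ESCAPES — confirm against the MySQL config.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
_sql_escape() {
    local value="$1"
    value="${value//\\/\\\\}"
    value="${value//\"/\\\"}"
    printf '%s' "$value"
}

#######################################
# Create the default admin user/organisation and apply the ADMIN_* overrides.
# Globals:   ADMIN_EMAIL, ADMIN_ORG, ADMIN_KEY, AUTOGEN_ADMIN_KEY,
#            ADMIN_PASSWORD, MYSQLCMD (read)
#            ADMIN_KEY (written when the key is (re)generated; create_sync_servers
#            reads it afterwards)
# Outputs:   progress lines on stdout. An auto-generated auth key is printed
#            once because the log is the only channel through which the
#            operator can obtain it; a key or password supplied via the
#            environment is not echoed back.
#######################################
init_user() {
    local cake=/var/www/MISP/app/Console/cake

    # Create the main user if it is not there already
    sudo -u www-data "$cake" user init -q > /dev/null 2>&1

    # shellcheck disable=SC2086 — MYSQLCMD is a command line that is meant to be word-split
    echo "UPDATE misp.users SET email = \"$(_sql_escape "$ADMIN_EMAIL")\" WHERE id = 1;" | ${MYSQLCMD}

    if [ -n "$ADMIN_ORG" ]; then
        # shellcheck disable=SC2086
        echo "UPDATE misp.organisations SET name = \"$(_sql_escape "$ADMIN_ORG")\" where id = 1;" | ${MYSQLCMD}
    fi

    local -a change_cmd=()
    local key_generated=0
    if [ -n "$ADMIN_KEY" ]; then
        echo "... setting admin key from \$ADMIN_KEY"
        change_cmd=(sudo -u www-data "$cake" User change_authkey 1 "${ADMIN_KEY}")
    elif [ "$AUTOGEN_ADMIN_KEY" == "true" ]; then
        echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
        change_cmd=(sudo -u www-data "$cake" User change_authkey 1)
        key_generated=1
    else
        echo "... admin user key auto generation disabled"
    fi

    if (( ${#change_cmd[@]} > 0 )); then
        # change_authkey reports the key as the last word of its output; keep it
        # in the global ADMIN_KEY for create_sync_servers
        ADMIN_KEY=$("${change_cmd[@]}" | awk 'END {print $NF; exit}')
        if (( key_generated )); then
            echo "... admin user key set to '${ADMIN_KEY}'"
        else
            echo "... admin user key set"
        fi
    fi

    if [ -n "$ADMIN_PASSWORD" ]; then
        echo "... setting admin password"
        # Relax the password policy so the operator-chosen password is accepted,
        # then restore the previous policy values
        local password_policy password_length
        password_policy=$(sudo -u www-data "$cake" Admin getSetting "Security.password_policy_complexity" | jq -r ".value")
        password_length=$(sudo -u www-data "$cake" Admin getSetting "Security.password_policy_length" | jq -r ".value")
        sudo -u www-data "$cake" Admin setSetting -q "Security.password_policy_length" 1
        sudo -u www-data "$cake" Admin setSetting -q "Security.password_policy_complexity" '/.*/'
        sudo -u www-data "$cake" User change_pw "${ADMIN_EMAIL}" "${ADMIN_PASSWORD}"
        sudo -u www-data "$cake" Admin setSetting -q "Security.password_policy_complexity" "${password_policy}"
        sudo -u www-data "$cake" Admin setSetting -q "Security.password_policy_length" "${password_length}"
    else
        echo "... setting admin password skipped"
    fi

    # shellcheck disable=SC2086
    echo 'UPDATE misp.users SET change_pw = 0 WHERE id = 1;' | ${MYSQLCMD}
}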
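#######################################
# Apply the "critical" settings phase and make sure Security.auth exists.
# Outputs:   progress lines on stdout
# Returns:   status of the last command run
#######################################
apply_critical_fixes() {
    init_settings "critical"

    # Kludge for handling Security.auth array. Unrecognised by tools like cake admin setsetting.
    local config_json
    config_json=$(/usr/bin/php <<<'<?php require_once "/var/www/MISP/app/Config/config.php"; echo json_encode($config, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES); ?>')

    # jq -e exits 0 when the expression is true, i.e. when Security.auth is absent.
    # If the config dump itself is unreadable jq fails and nothing is modified.
    if jq -e 'getpath(("Security.auth" | split("."))) == null' <<<"$config_json" >/dev/null; then
        echo "Updating unset critical setting 'Security.auth' to 'Array()'..."
        sudo -u www-data php /var/www/MISP/tests/modify_config.php modify '{"Security": {"auth": {}}}' > /dev/null
    fi
}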
#######################################
# Apply the "optional" settings phase.
# Returns:   status of init_settings
#######################################
apply_optional_fixes() {
    local phase="optional"
    init_settings "$phase"
}
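# Some settings return a value from cake Admin getSetting even if not set in config.php and database.
# This means we cannot rely on that tool which inspects both db and file.
# Leaving this here though in case the serverSettings model for those odd settings is fixed one day.
#setting_is_set() {
#    local setting="$1"
#    local current_value="$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting $setting)"
#    local error_value="$(jq -r '.errorMessage' <<< $current_value)"
#
#    if [[ "$current_value" =~ ^\{.*\}$ && "$error_value" != "Value not set." && "$error_value" != Invalid* ]]; then
#        return 0
#    else
#        return 1
#    fi
#}

#######################################
# Kludgy alternative to using cake Admin getSetting: report whether a setting
# is present in config.php, or — when the DB-backed store is enabled there —
# in the system_settings table.
# Arguments: $1 - dotted setting name, e.g. MISP.baseurl
# Globals:   MYSQL_DATABASE, MYSQLCMD (read)
# Returns:   0 if the setting is set, 1 otherwise
#######################################
setting_is_set_alt() {
    local setting="$1"
    local config_json
    config_json=$(/usr/bin/php <<<'<?php require_once "/var/www/MISP/app/Config/config.php"; echo json_encode($config, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES); ?>')

    # DB-backed settings store flag from config.php (absent -> false)
    local db_settings_enabled
    db_settings_enabled=$(jq 'getpath(("MISP.system_setting_db" | split("."))) // false' <<<"$config_json")
    # The setting name is passed as a jq variable rather than spliced into the filter
    local setting_in_config_file
    setting_in_config_file=$(jq --arg setting "$setting" 'getpath($setting | split(".")) != null' <<<"$config_json")

    if [[ "$setting_in_config_file" == "true" ]]; then
        return 0
    fi
    if [[ "$db_settings_enabled" == "true" ]]; then
        local setting_sql="${setting//\\/\\\\}"
        setting_sql="${setting_sql//\"/\\\"}"
        local setting_in_db
        # shellcheck disable=SC2086 — MYSQLCMD is a command line that is meant to be word-split
        setting_in_db=$(echo "SELECT EXISTS(SELECT 1 FROM $MYSQL_DATABASE.system_settings WHERE setting = \"${setting_sql}\");" | ${MYSQLCMD})
        if [[ "$setting_in_db" -eq 1 ]]; then
            return 0
        fi
    fi
    return 1
}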
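#######################################
# Apply each default from a settings JSON document through set_safe_default,
# which only writes settings that are not already set.
# Arguments: $1 - JSON object: {"<setting>": {"default_value": ..., "command_args": ...}, ...}
#            $2 - phase description used in log lines
#######################################
set_default_settings() {
    local settings_json="$1"
    local description="$2"
    local -a settings=()
    local setting default_value command_args

    mapfile -t settings < <(jq -r 'keys[]' <<<"$settings_json")
    for setting in "${settings[@]}"; do
        # The setting name is passed as a jq variable rather than spliced into the filter
        default_value=$(jq -r --arg s "$setting" '.[$s]["default_value"]' <<<"$settings_json")
        command_args=$(jq -r --arg s "$setting" '.[$s]["command_args"] // ""' <<<"$settings_json")
        set_safe_default "$setting" "$default_value" "$description" "$command_args"
    done
}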
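#######################################
# Unconditionally write every setting from an env-substituted JSON document,
# overriding whatever is currently configured.
# Arguments: $1 - JSON object: {"<setting>": {"default_value": ..., "command_args": ...}, ...}
#            $2 - phase description used in log lines
#######################################
enforce_env_settings() {
    local settings_json="$1"
    local description="$2"
    local -a settings=()
    local setting default_value command_args

    mapfile -t settings < <(jq -r 'keys[]' <<<"$settings_json")
    for setting in "${settings[@]}"; do
        # The setting name is passed as a jq variable rather than spliced into the filter
        default_value=$(jq -r --arg s "$setting" '.[$s]["default_value"]' <<<"$settings_json")
        command_args=$(jq -r --arg s "$setting" '.[$s]["command_args"] // ""' <<<"$settings_json")
        echo "Enforcing $description setting '$setting' to env var or default value '$default_value'..."
        # shellcheck disable=SC2086 — command_args intentionally word-split into several flags
        sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q $command_args "$setting" "$default_value"
    done
}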
#######################################
# Write a setting only when it is not already set (per setting_is_set_alt).
# Arguments: $1 - dotted setting name
#            $2 - value to write
#            $3 - phase description used in the log line
#            $4 - extra flags for cake Admin setSetting (may be empty)
# Returns:   0 if nothing had to be done, else status of setSetting
#######################################
set_safe_default() {
    local setting="$1" default_value="$2" description="$3" command_args="$4"

    # Already present in config.php or the DB? Leave the configured value alone.
    setting_is_set_alt "$setting" && return 0

    echo "Updating unset $description setting '$setting' to '$default_value'..."
    # shellcheck disable=SC2086 — command_args intentionally word-split into several flags
    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q $command_args "$setting" "$default_value"
}
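#######################################
# Apply one settings phase from /etc/misp-docker: first the env-var enforced
# file (<phase>.envars.json, passed through envsubst), then the defaults file
# (<phase>.defaults.json). A missing file is silently skipped.
# Arguments: $1 - phase name (e.g. "critical", "gpg")
# Outputs:   progress lines on stdout
#######################################
init_settings() {
    local description="$1"
    local enforced="/etc/misp-docker/${description}.envars.json"
    local defaults="/etc/misp-docker/${description}.defaults.json"
    local settings_json

    if [[ -e "$enforced" ]]; then
        echo "... enforcing env var settings"
        # envsubst resolves ${VAR} placeholders against the exported environment
        settings_json=$(envsubst < "$enforced")
        enforce_env_settings "$settings_json" "$description"
    fi

    if [[ -e "$defaults" ]]; then
        echo "... checking for unset default settings"
        settings_json=$(< "$defaults")
        set_default_settings "$settings_json" "$description"
    fi
}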
#######################################
# Refresh the bundled galaxies, taxonomies, warning lists, notice lists and
# object templates.
# Globals:   CRON_USER_ID (read; user id passed to updateObjectTemplates)
#######################################
update_components() {
    local cake=/var/www/MISP/app/Console/cake
    local task
    for task in updateGalaxies updateTaxonomies updateWarningLists updateNoticeLists; do
        sudo -u www-data "$cake" Admin "$task"
    done
    sudo -u www-data "$cake" Admin updateObjectTemplates "$CRON_USER_ID"
}
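#######################################
# Refresh the OS CA store and the CakePHP cacert.pem bundle (Mozilla bundle
# served by curl.se, fetched conditionally via ETag).
# Outputs:   progress line on stdout, a warning on stderr if the fetch fails
#######################################
update_ca_certificates() {
    local cake_config=/var/www/MISP/app/Lib/cakephp/lib/Cake/Config

    # Upgrade host os certificates
    update-ca-certificates

    # Upgrade cake cacert.pem file from Mozilla project
    echo "Updating ${cake_config}/cacert.pem..."
    # --fail keeps an HTTP error page from being written over the CA bundle;
    # -S still reports transport errors despite -s.
    # NOTE(review): some older curl releases are reported to truncate the -o
    # target on a 304 (etag match) response — confirm the image's curl version.
    if ! sudo -u www-data curl -sS --fail \
            --etag-compare "${cake_config}/etag.txt" \
            --etag-save "${cake_config}/etag.txt" \
            -o "${cake_config}/cacert.pem" \
            https://curl.se/ca/cacert.pem; then
        echo "... warning: cacert.pem update failed" >&2
    fi
}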
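#######################################
# Create the sync servers described by SYNCSERVERS / SYNCSERVERS_<id>_DATA
# through the REST helpers (get_server, get_organization, add_organization,
# add_server from rest_client.sh). Existing servers are skipped; a missing
# remote organisation is created first.
# Globals:   ADMIN_KEY, BASE_URL, SYNCSERVERS (comma-separated ids) and
#            SYNCSERVERS_<id>_DATA (JSON with at least name and
#            remote_org_uuid) (read)
# Outputs:   progress lines on stdout
#######################################
create_sync_servers() {
    if [ -z "$ADMIN_KEY" ]; then
        echo "... admin key auto configuration is required to configure sync servers"
        return
    fi

    local -a server_ids=()
    IFS=',' read -r -a server_ids <<<"${SYNCSERVERS-}"

    local id data_var name server_id uuid org_id json_data
    for id in "${server_ids[@]}"; do
        id="${id//[[:space:]]/}"
        [[ -n "$id" ]] || continue
        data_var="SYNCSERVERS_${id}_DATA"

        # Validate #1 — a missing key yields "null" from jq -r; "// empty" turns it into ""
        name=$(jq -r '.name // empty' <<<"${!data_var}")
        if [[ -z "$name" ]]; then
            echo "... error missing sync server name"
            continue
        fi

        # Skip sync server if we can (name is quoted: it is free text and may contain spaces)
        echo "... searching sync server ${name}"
        server_id=$(get_server "${BASE_URL}" "${ADMIN_KEY}" "${name}")
        if [[ -n "$server_id" ]]; then
            echo "... found existing sync server ${name} with id ${server_id}"
            continue
        fi

        # Validate #2
        uuid=$(jq -r '.remote_org_uuid // empty' <<<"${!data_var}")
        if [[ -z "$uuid" ]]; then
            echo "... error missing sync server remote_org_uuid"
            continue
        fi

        # Get remote organization, adding it if missing
        echo "... searching remote organization ${uuid}"
        org_id=$(get_organization "${BASE_URL}" "${ADMIN_KEY}" "${uuid}")
        if [[ -z "$org_id" ]]; then
            echo "... adding missing organization ${uuid}"
            add_organization "${BASE_URL}" "${ADMIN_KEY}" "${name}" false "${uuid}" > /dev/null
            org_id=$(get_organization "${BASE_URL}" "${ADMIN_KEY}" "${uuid}")
        fi

        # Add sync server: swap the org uuid for the resolved org id
        echo "... adding new sync server ${name} with organization id ${org_id}"
        json_data=$(jq --arg org_id "${org_id}" 'del(.remote_org_uuid) | . + {remote_org_id: $org_id}' <<<"${!data_var}")
        add_server "${BASE_URL}" "${ADMIN_KEY}" "$json_data" > /dev/null
    done
}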
#######################################
# Print the banner for one configuration step, then run it.
# Arguments: $1 - step description (printed as "MISP | <description> ...")
#            $2 - function to invoke
#######################################
_run_step() {
    echo "MISP | $1 ..."
    "$2"
}

# Main sequence: the order matters (updates before configuration, user before
# sync servers which need the admin key, auth plugins last before going live).
_run_step "Update CA certificates" update_ca_certificates
_run_step "Apply minimum configuration directives" init_minimum_config
_run_step "Apply DB updates" apply_updates
_run_step "Initialize configuration" init_configuration
_run_step "Initialize workers" init_workers
_run_step "Configure GPG key" configure_gnupg
_run_step "Init default user and organization" init_user
_run_step "Resolve critical issues" apply_critical_fixes
_run_step "Resolve non-critical issues" apply_optional_fixes
_run_step "Create sync servers" create_sync_servers
_run_step "Update components" update_components
_run_step "Set Up OIDC" set_up_oidc
_run_step "Set Up LDAP" set_up_ldap
_run_step "Set Up AAD" set_up_aad
_run_step "Set Up Proxy" set_up_proxy

echo "MISP | Mark instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1