misp-docker/core/files/configure_misp.sh

440 lines
18 KiB
Bash
Raw Normal View History

2022-09-03 13:59:35 +02:00
#!/bin/bash
source /rest_client.sh
source /utilities.sh
# We now use envsubst for safe variable substitution with pseudo-json objects for env var enforcement
# envsubst won't evaluate anything like $() or conditional variable expansion so lets do that here
export PYTHON_BIN="$(which python3)"
export GPG_BINARY="$(which gpg)"
export SETTING_CONTACT="${MISP_CONTACT-$ADMIN_EMAIL}"
export SETTING_EMAIL="${MISP_EMAIL-$ADMIN_EMAIL}"
init_minimum_config() {
# Temporarily disable DB to apply config file settings, reenable after if needed
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.system_setting_db" false
init_settings "minimum_config"
}
init_configuration() {
init_settings "db_enable"
init_settings "initialisation"
}
init_workers() {
echo "... starting background workers"
stdbuf -oL supervisorctl start misp-workers:*
}
2022-09-03 13:59:35 +02:00
configure_gnupg() {
if [ "$AUTOCONF_GPG" != "true" ]; then
echo "... GPG auto configuration disabled"
return
fi
export GPG_DIR=/var/www/MISP/.gnupg
2022-09-03 13:59:35 +02:00
GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
GPG_TMP=/tmp/gpg.tmp
2022-11-04 18:22:12 +01:00
if [ ! -f "${GPG_DIR}/trustdb.gpg" ]; then
echo "... generating new GPG key in ${GPG_DIR}"
2022-09-03 13:59:35 +02:00
cat >${GPG_TMP} <<GPGEOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 3072
Name-Real: MISP Admin
Name-Email: ${MISP_EMAIL-$ADMIN_EMAIL}
2022-09-03 13:59:35 +02:00
Expire-Date: 0
Passphrase: $GPG_PASSPHRASE
%commit
%echo Done
GPGEOF
mkdir -p ${GPG_DIR}
2022-09-03 13:59:35 +02:00
gpg --homedir ${GPG_DIR} --gen-key --batch ${GPG_TMP}
rm -f ${GPG_TMP}
else
echo "... found pre-generated GPG key in ${GPG_DIR}"
2022-09-03 13:59:35 +02:00
fi
2022-11-04 18:22:12 +01:00
# Fix permissions
chown -R www-data:www-data ${GPG_DIR}
find ${GPG_DIR} -type f -exec chmod 600 {} \;
find ${GPG_DIR} -type d -exec chmod 700 {} \;
2022-09-03 13:59:35 +02:00
if [ ! -f ${GPG_ASC} ]; then
echo "... exporting GPG key"
sudo -u www-data gpg --homedir ${GPG_DIR} --export --armor ${MISP_EMAIL-$ADMIN_EMAIL} > ${GPG_ASC}
2022-09-03 13:59:35 +02:00
else
echo "... found exported key ${GPG_ASC}"
2022-09-03 13:59:35 +02:00
fi
init_settings "gpg"
2022-09-03 13:59:35 +02:00
}
2023-12-11 11:23:04 +01:00
set_up_oidc() {
if [[ "$OIDC_ENABLE" == "true" ]]; then
if [[ -z "$OIDC_ROLES_MAPPING" ]]; then
OIDC_ROLES_MAPPING="\"\""
fi
# Check required variables
# OIDC_ISSUER may be empty
check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG
# Configure OIDC in MISP
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": [\"OidcAuth.Oidc\"]
}
}" > /dev/null
# Set OIDC authentication details in MISP
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"OidcAuth\": {
\"provider_url\": \"${OIDC_PROVIDER_URL}\",
${OIDC_ISSUER:+\"issuer\": \"${OIDC_ISSUER}\",}
\"client_id\": \"${OIDC_CLIENT_ID}\",
\"client_secret\": \"${OIDC_CLIENT_SECRET}\",
\"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
\"role_mapper\": ${OIDC_ROLES_MAPPING},
\"default_org\": \"${OIDC_DEFAULT_ORG}\"
}
}" > /dev/null
# Set the custom logout URL for OIDC if it is defined
if [[ -n "${OIDC_LOGOUT_URL}" ]]; then
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.CustomAuth_custom_logout" "${OIDC_LOGOUT_URL}&post_logout_redirect_uri=${BASE_URL}/users/login"
else
echo "OIDC_LOGOUT_URL is not set"
fi
# Disable password confirmation as recommended in https://github.com/MISP/MISP/issues/8116
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
echo "... OIDC authentication enabled"
else
# Reset OIDC authentication settings to empty values
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"OidcAuth\": {
\"provider_url\": \"\",
\"issuer\": \"\",
\"client_id\": \"\",
\"client_secret\": \"\",
\"roles_property\": \"\",
\"role_mapper\": \"\",
\"default_org\": \"\"
}
}" > /dev/null
# Use sed to remove the OidcAuth.Oidc entry from the 'auth' array in the config.php
sudo -u www-data sed -i "/'auth' =>/,/)/ { /0 => 'OidcAuth.Oidc',/d; }" /var/www/MISP/app/Config/config.php
# Remove the custom logout URL
sudo -u www-data sed -i "/'CustomAuth_custom_logout' =>/d" /var/www/MISP/app/Config/config.php
# Re-enable password confirmation if necessary
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" true
echo "... OIDC authentication disabled"
fi
2023-12-11 11:23:04 +01:00
}
set_up_ldap() {
if [[ "$LDAP_ENABLE" != "true" ]]; then
echo "... LDAP authentication disabled"
return
fi
# Check required variables
# LDAP_SEARCH_FILTER may be empty
check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"ApacheSecureAuth\": {
\"apacheEnv\": \"${LDAP_APACHE_ENV}\",
\"ldapServer\": \"${LDAP_SERVER}\",
\"starttls\": ${LDAP_STARTTLS},
\"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION},
\"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT},
\"ldapReaderUser\": \"${LDAP_READER_USER}\",
\"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",
\"ldapDN\": \"${LDAP_DN}\",
\"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\",
\"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\",
\"ldapFilter\": ${LDAP_FILTER},
\"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID},
\"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\",
\"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS},
\"ldapEmailField\": ${LDAP_EMAIL_FIELD}
}
}" > /dev/null
2024-04-11 09:45:25 +02:00
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
}
set_up_aad() {
if [[ "$AAD_ENABLE" != "true" ]]; then
echo "... Entra (AzureAD) authentication disabled"
return
fi
# Check required variables
check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS
# Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because
# existing loadAll() call in bootstrap.php already loads all available Cake plugins
# Set auth mechanism to AAD in config.php file
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": [\"AadAuth.AadAuthenticate\"]
}
}" > /dev/null
# Configure AAD auth settings from environment variables in config.php file
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"AadAuth\": {
\"client_id\": \"${AAD_CLIENT_ID}\",
\"ad_tenant\": \"${AAD_TENANT_ID}\",
\"client_secret\": \"${AAD_CLIENT_SECRET}\",
\"redirect_uri\": \"${AAD_REDIRECT_URI}\",
\"auth_provider\": \"${AAD_PROVIDER}\",
\"auth_provider_user\": \"${AAD_PROVIDER_USER}\",
\"misp_user\": \"${AAD_MISP_USER}\",
\"misp_orgadmin\": \"${AAD_MISP_ORGADMIN}\",
\"misp_siteadmin\": \"${AAD_MISP_SITEADMIN}\",
\"check_ad_groups\": ${AAD_CHECK_GROUPS}
}
}" > /dev/null
# Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
# Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disableUserSelfManagement" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_login_change" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_password_change" true
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
}
set_up_session() {
# Command to modify MISP session configuration
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Session\": {
\"timeout\": ${PHP_SESSION_TIMEOUT},
\"cookie_timeout\": ${PHP_SESSION_COOKIE_TIMEOUT},
\"defaults\": \"${PHP_SESSION_DEFAULTS}\",
\"autoRegenerate\": ${PHP_SESSION_AUTO_REGENERATE},
\"checkAgent\": ${PHP_SESSION_CHECK_AGENT},
\"ini\": {
\"session.cookie_secure\": ${PHP_SESSION_COOKIE_SECURE},
\"session.cookie_domain\": \"${PHP_SESSION_COOKIE_DOMAIN}\",
\"session.cookie_samesite\": \"${PHP_SESSION_COOKIE_SAMESITE}\"
}
}
}" > /dev/null
echo "... Session configured"
}
set_up_proxy() {
if [[ "$PROXY_ENABLE" == "true" ]]; then
echo "... configuring proxy settings"
init_settings "proxy"
else
echo "... Proxy disabled"
fi
}
2022-09-03 13:59:35 +02:00
apply_updates() {
# Disable 'ZeroMQ_enable' to get better logs when applying updates
# sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
# Run updates (strip colors since output might end up in a log)
sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates | stdbuf -oL sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
# Re-enable 'ZeroMQ_enable'
# sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" true
2022-09-03 13:59:35 +02:00
}
init_user() {
# Create the main user if it is not there already
sudo -u www-data /var/www/MISP/app/Console/cake user init -q > /dev/null 2>&1
echo "UPDATE $MYSQL_DATABASE.users SET email = \"${ADMIN_EMAIL}\" WHERE id = 1;" | ${MYSQL_CMD}
2022-09-03 13:59:35 +02:00
if [ ! -z "$ADMIN_ORG" ]; then
echo "UPDATE $MYSQL_DATABASE.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQL_CMD}
2022-09-03 13:59:35 +02:00
fi
if [ -n "$ADMIN_KEY" ]; then
echo "... setting admin key to '${ADMIN_KEY}'"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
elif [ -z "$ADMIN_KEY" ] && [ "$AUTOGEN_ADMIN_KEY" == "true" ]; then
echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
2022-09-03 13:59:35 +02:00
else
echo "... admin user key auto generation disabled"
fi
if [[ -v CHANGE_CMD[@] ]]; then
ADMIN_KEY=$("${CHANGE_CMD[@]}" | awk 'END {print $NF; exit}')
echo "... admin user key set to '${ADMIN_KEY}'"
2022-09-03 13:59:35 +02:00
fi
if [ ! -z "$ADMIN_PASSWORD" ]; then
echo "... setting admin password to '${ADMIN_PASSWORD}'"
PASSWORD_POLICY=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_complexity" | jq ".value" -r)
PASSWORD_LENGTH=$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting "Security.password_policy_length" | jq ".value" -r)
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" 1
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" '/.*/'
sudo -u www-data /var/www/MISP/app/Console/cake User change_pw "${ADMIN_EMAIL}" "${ADMIN_PASSWORD}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_complexity" "${PASSWORD_POLICY}"
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.password_policy_length" "${PASSWORD_LENGTH}"
else
2023-06-15 12:43:41 +02:00
echo "... setting admin password skipped"
fi
echo "UPDATE $MYSQL_DATABASE.users SET change_pw = 0 WHERE id = 1;" | ${MYSQL_CMD}
2022-09-03 13:59:35 +02:00
}
apply_critical_fixes() {
init_settings "critical"
# Kludge for handling Security.auth array. Unrecognised by tools like cake admin setsetting.
local config_json=$(echo '<?php require_once "/var/www/MISP/app/Config/config.php"; echo json_encode($config, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES); ?>'|/usr/bin/php)
if $(echo $config_json |jq -e 'getpath(("Security.auth" | split("."))) == null'); then
echo "Updating unset critical setting 'Security.auth' to 'Array()'..."
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": {}
}
}" > /dev/null
fi
2022-09-03 13:59:35 +02:00
}
apply_optional_fixes() {
init_settings "optional"
}
# Some settings return a value from cake Admin getSetting even if not set in config.php and database.
# This means we cannot rely on that tool which inspects both db and file.
# Leaving this here though in case the serverSettings model for those odd settings is fixed one day.
#setting_is_set() {
# local setting="$1"
# local current_value="$(sudo -u www-data /var/www/MISP/app/Console/cake Admin getSetting $setting)"
# local error_value="$(jq -r '.errorMessage' <<< $current_value)"
#
# if [[ "$current_value" =~ ^\{.*\}$ && "$error_value" != "Value not set." && "$error_value" != Invalid* ]]; then
# return 0
# else
# return 1
# fi
#}
update_components() {
UPDATE_SUDO_CMD="sudo -u www-data"
if [ ! -z "${DB_ALREADY_INITIALISED}" ]; then
if [[ "$ENABLE_BACKGROUND_UPDATES" = "true" ]]; then
echo "... updates will run in the background"
UPDATE_SUDO_CMD="sudo -b -u www-data"
fi
fi
${UPDATE_SUDO_CMD} /var/www/MISP/app/Console/cake Admin updateGalaxies
${UPDATE_SUDO_CMD} /var/www/MISP/app/Console/cake Admin updateTaxonomies
${UPDATE_SUDO_CMD} /var/www/MISP/app/Console/cake Admin updateWarningLists
${UPDATE_SUDO_CMD} /var/www/MISP/app/Console/cake Admin updateNoticeLists
${UPDATE_SUDO_CMD} /var/www/MISP/app/Console/cake Admin updateObjectTemplates "$CRON_USER_ID"
2022-09-03 13:59:35 +02:00
}
update_ca_certificates() {
# Upgrade host os certificates
update-ca-certificates
# Upgrade cake cacert.pem file from Mozilla project
echo "Updating /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem..."
sudo -E -u www-data curl -s --etag-compare /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/etag.txt --etag-save /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/etag.txt https://curl.se/ca/cacert.pem -o /var/www/MISP/app/Lib/cakephp/lib/Cake/Config/cacert.pem
}
create_sync_servers() {
if [ -z "$ADMIN_KEY" ]; then
echo "... admin key auto configuration is required to configure sync servers"
return
fi
SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
for ID in $SPLITTED_SYNCSERVERS; do
DATA="SYNCSERVERS_${ID}_DATA"
# Validate #1
NAME=$(echo "${!DATA}" | jq -r '.name')
if [[ -z $NAME ]]; then
echo "... error missing sync server name"
continue
fi
# Skip sync server if we can
echo "... searching sync server ${NAME}"
SERVER_ID=$(get_server ${BASE_URL} ${ADMIN_KEY} ${NAME})
if [[ -n "$SERVER_ID" ]]; then
echo "... found existing sync server ${NAME} with id ${SERVER_ID}"
continue
fi
# Validate #2
UUID=$(echo "${!DATA}" | jq -r '.remote_org_uuid')
if [[ -z "$UUID" ]]; then
echo "... error missing sync server remote_org_uuid"
continue
fi
# Get remote organization
echo "... searching remote organization ${UUID}"
ORG_ID=$(get_organization ${BASE_URL} ${ADMIN_KEY} ${UUID})
if [[ -z "$ORG_ID" ]]; then
# Add remote organization if missing
echo "... adding missing organization ${UUID}"
add_organization ${BASE_URL} ${ADMIN_KEY} ${NAME} false ${UUID} > /dev/null
ORG_ID=$(get_organization ${BASE_URL} ${ADMIN_KEY} ${UUID})
fi
# Add sync server
echo "... adding new sync server ${NAME} with organization id ${ORG_ID}"
2024-08-06 14:18:32 +02:00
JSON_DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} 'del(.remote_org_uuid) | . + {remote_org_id: $org_id} | del(..|select(. == ""))')
add_server ${BASE_URL} ${ADMIN_KEY} "$JSON_DATA" > /dev/null
done
}
2022-09-03 13:59:35 +02:00
echo "MISP | Update CA certificates ..." && update_ca_certificates
echo "MISP | Apply minimum configuration directives ..." && init_minimum_config
echo "MISP | Initialize configuration ..." && init_configuration
2022-09-03 13:59:35 +02:00
echo "MISP | Initialize workers ..." && init_workers
2022-09-03 13:59:35 +02:00
2024-08-25 13:32:36 +02:00
echo "MISP | Apply DB updates ..." && apply_updates
echo "MISP | Configure GPG key ..." && configure_gnupg
2022-09-03 13:59:35 +02:00
echo "MISP | Init default user and organization ..." && init_user
2022-09-03 13:59:35 +02:00
echo "MISP | Resolve critical issues ..." && apply_critical_fixes
echo "MISP | Start component updates ..." && update_components
2024-08-25 13:32:36 +02:00
echo "MISP | Resolve non-critical issues ..." && apply_optional_fixes
echo "MISP | Create sync servers ..." && create_sync_servers
2022-11-04 18:22:12 +01:00
2023-12-11 11:23:04 +01:00
echo "MISP | Set Up OIDC ..." && set_up_oidc
echo "MISP | Set Up LDAP ..." && set_up_ldap
echo "MISP | Set Up AAD ..." && set_up_aad
echo "MISP | Set Up Session ..." && set_up_session
echo "MISP | Set Up Proxy ..." && set_up_proxy
echo "MISP | Mark instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1