From 0c24160035c8368e255ad980ba5636cc85ba87bf Mon Sep 17 00:00:00 2001
From: shieldsurge <110939943+shieldsurge@users.noreply.github.com>
Date: Wed, 10 Apr 2024 11:56:44 -0400
Subject: [PATCH] Add AadAuth support in configure_misp.sh (#39)
---
 core/files/configure_misp.sh | 47 ++++++++++++++++++++++++++++++++++++
 docker-compose.yml | 11 +++++++++
 template.env | 12 +++++++++
 3 files changed, 70 insertions(+)
diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
index d0e620a..03e2302 100755
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@@ -157,6 +157,51 @@ set_up_ldap() {
 }" > /dev/null
 }
 
+set_up_aad() {
+ if [[ "$AAD_ENABLE" != "true" ]]; then
+ echo "... Entra (AzureAD) authentication disabled"
+ return
+ fi
+
+ # Check required variables
+ check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS
+
+ # Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because
+ # existing loadAll() call in bootstrap.php already loads all available Cake plugins
+
+ # Set auth mechanism to AAD in config.php file
+ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+ \"Security\": {
+ \"auth\": [\"AadAuth.AadAuthenticate\"]
+ }
+ }" > /dev/null
+
+ # Configure AAD auth settings from environment variables in config.php file
+ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+ \"AadAuth\": {
+ \"client_id\": \"${AAD_CLIENT_ID}\",
+ \"ad_tenant\": \"${AAD_TENANT_ID}\",
+ \"client_secret\": \"${AAD_CLIENT_SECRET}\",
+ \"redirect_uri\": \"${AAD_REDIRECT_URI}\",
+ \"auth_provider\": \"${AAD_PROVIDER}\",
+ \"auth_provider_user\": \"${AAD_PROVIDER_USER}\",
+ \"misp_user\": \"${AAD_MISP_USER}\",
+ \"misp_orgadmin\": \"${AAD_MISP_ORGADMIN}\",
+ \"misp_siteadmin\": \"${AAD_MISP_SITEADMIN}\",
+ \"check_ad_groups\": ${AAD_CHECK_GROUPS}
+ }
+ }" > /dev/null
+
+ # Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
+ # Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disableUserSelfManagement" true
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_login_change" true
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_password_change" true
+
+ # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
 apply_updates() {
 # Disable weird default
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
@@ -323,5 +368,7 @@ echo "MISP | Set Up OIDC ..." && set_up_oidc echo "MISP | Set Up LDAP ..." && set_up_ldap +echo "MISP | Set Up AAD ..." && set_up_aad + + echo "MISP | Mark instance live" sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
diff --git a/docker-compose.yml b/docker-compose.yml
index 96cdde7..1cc6440 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -97,6 +97,17 @@ services:
 - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
 - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
 - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
+ # AAD authentication settings
+ - "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
+ - "AAD_TENANT_ID=${AAD_TENANT_ID}"
+ - "AAD_CLIENT_SECRET=${AAD_CLIENT_SECRET}"
+ - "AAD_REDIRECT_URI=${AAD_REDIRECT_URI}"
+ - "AAD_PROVIDER=${AAD_PROVIDER}"
+ - "AAD_PROVIDER_USER=${AAD_PROVIDER_USER}"
+ - "AAD_MISP_USER=${AAD_MISP_USER}"
+ - "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
+ - "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
+ - "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
 # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
 - "SYNCSERVERS=${SYNCSERVERS}"
 - |
diff --git a/template.env b/template.env
index fc70d63..6782cc1 100644
--- a/template.env
+++ b/template.env
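Review bot: `AAD_MISP_USER` is interpolated into the `misp_user` field of the AadAuth block but is missing from the `check_env_vars` call at the top of `set_up_aad`, so an unset value passes the check and silently writes `"misp_user": ""` into config.php; the fix is to extend that one line to `check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS`. The environment values are spliced into the JSON string without any escaping, so a client secret containing `"` or `\`, or an `AAD_CHECK_GROUPS` that is not the bare literal `true`/`false`, hands modify_config.php a malformed document and the setting is lost rather than rejected; the tail of `set_up_ldap` visible above appears to follow the same pattern, so a shared quoting helper would fix both. The secret is also passed to php as a command-line argument, which makes it readable in the container's process list for the duration of the call; a comment such as `# NOTE: client_secret is passed via argv to modify_config.php and is briefly visible in the process list` would warn the next maintainer.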
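Review bot: `AAD_ENABLE`, which `set_up_aad` in core/files/configure_misp.sh tests before doing anything, is not among the variables passed through in this hunk and is not listed in the template.env hunk either, so unless the compose file sets it somewhere outside this hunk the new function always prints the disabled message and returns. Add `- "AAD_ENABLE=${AAD_ENABLE}"` next to the other AAD entries and a matching `# AAD_ENABLE=false` line to the template.env block. Since the script interpolates `AAD_CHECK_GROUPS` into the JSON unquoted, the template comment for `# AAD_CHECK_GROUPS=false` should state that only the bare literals `true` or `false` are accepted.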
@@ -119,3 +119,15 @@ SYNCSERVERS_1_KEY=
 # LDAP_OPT_PROTOCOL_VERSION="3"
 # LDAP_OPT_NETWORK_TIMEOUT="-1"
 # LDAP_OPT_REFERRALS=false
+
+# Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
+# AAD_CLIENT_ID=
+# AAD_TENANT_ID=
+# AAD_CLIENT_SECRET=
+# AAD_REDIRECT_URI="https://misp.mydomain.com/users/login"
+# AAD_PROVIDER="https://login.microsoftonline.com/"
+# AAD_PROVIDER_USER="https://graph.microsoft.com/"
+# AAD_MISP_USER="Misp Users"
+# AAD_MISP_ORGADMIN="Misp Org Admins"
+# AAD_MISP_SITEADMIN="Misp Site Admins"
+# AAD_CHECK_GROUPS=false