MISP
/
misp-docker
mirror of https://github.com/MISP/misp-docker
2
0
Fork 0
Code Issues Releases Wiki Activity

Add AadAuth support in configure_misp.sh (#39)

pull/43/head
shieldsurge 2024-04-10 11:56:44 -04:00 committed by GitHub
parent 0673b30b2d
commit 0c24160035
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 70 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
core/files/configure_misp.sh
View File

@ -157,6 +157,51 @@ set_up_ldap() {
}" > /dev/null }" > /dev/null
} }
set_up_aad() {
if [[ "$AAD_ENABLE" != "true" ]]; then
echo "... Entra (AzureAD) authentication disabled"
return
fi
# Check required variables
check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS
# Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because
# existing loadAll() call in bootstrap.php already loads all available Cake plugins
# Set auth mechanism to AAD in config.php file
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"Security\": {
\"auth\": [\"AadAuth.AadAuthenticate\"]
}
}" > /dev/null
# Configure AAD auth settings from environment variables in config.php file
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
\"AadAuth\": {
\"client_id\": \"${AAD_CLIENT_ID}\",
\"ad_tenant\": \"${AAD_TENANT_ID}\",
\"client_secret\": \"${AAD_CLIENT_SECRET}\",
\"redirect_uri\": \"${AAD_REDIRECT_URI}\",
\"auth_provider\": \"${AAD_PROVIDER}\",
\"auth_provider_user\": \"${AAD_PROVIDER_USER}\",
\"misp_user\": \"${AAD_MISP_USER}\",
\"misp_orgadmin\": \"${AAD_MISP_ORGADMIN}\",
\"misp_siteadmin\": \"${AAD_MISP_SITEADMIN}\",
\"check_ad_groups\": ${AAD_CHECK_GROUPS}
}
}" > /dev/null
# Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
# Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disableUserSelfManagement" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_login_change" true
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_password_change" true
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
}
apply_updates() { apply_updates() {
# Disable weird default # Disable weird default
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
@ -323,5 +368,7 @@ echo "MISP | Set Up OIDC ..." && set_up_oidc
echo "MISP | Set Up LDAP ..." && set_up_ldap echo "MISP | Set Up LDAP ..." && set_up_ldap
echo "MISP | Set Up AAD ..." && set_up_aad
echo "MISP | Mark instance live" echo "MISP | Mark instance live"
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1

11
docker-compose.yml
View File

@ -97,6 +97,17 @@ services:
- "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}" - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
- "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}" - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
- "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}" - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
# AAD authentication settings
- "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
- "AAD_TENANT_ID=${AAD_TENANT_ID}"
- "AAD_CLIENT_SECRET=${AAD_CLIENT_SECRET}"
- "AAD_REDIRECT_URI=${AAD_REDIRECT_URI}"
- "AAD_PROVIDER=${AAD_PROVIDER}"
- "AAD_PROVIDER_USER=${AAD_PROVIDER_USER}"
- "AAD_MISP_USER=${AAD_MISP_USER}"
- "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
- "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
- "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
# sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options) # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
- "SYNCSERVERS=${SYNCSERVERS}" - "SYNCSERVERS=${SYNCSERVERS}"
- | - |

12
template.env
View File

@ -119,3 +119,15 @@ SYNCSERVERS_1_KEY=
# LDAP_OPT_PROTOCOL_VERSION="3" # LDAP_OPT_PROTOCOL_VERSION="3"
# LDAP_OPT_NETWORK_TIMEOUT="-1" # LDAP_OPT_NETWORK_TIMEOUT="-1"
# LDAP_OPT_REFERRALS=false # LDAP_OPT_REFERRALS=false
# Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
# AAD_CLIENT_ID=
# AAD_TENANT_ID=
# AAD_CLIENT_SECRET=
# AAD_REDIRECT_URI="https://misp.mydomain.com/users/login"
# AAD_PROVIDER="https://login.microsoftonline.com/"
# AAD_PROVIDER_USER="https://graph.microsoft.com/"
# AAD_MISP_USER="Misp Users"
# AAD_MISP_ORGADMIN="Misp Org Admins"
# AAD_MISP_SITEADMIN="Misp Site Admins"
# AAD_CHECK_GROUPS=false