From 3429540b782ac8d7e80ddabc455bed54532b24b7 Mon Sep 17 00:00:00 2001
From: Stefano Ortolani <ortolanis@vmware.com>
Date: Tue, 1 Aug 2023 11:21:12 +0100
Subject: [PATCH] Bump version and allow selectively disabling auto
 configuration

---
 server/files/configure_misp.sh   | 45 +++++++++++++++++++++++---------
 server/files/entrypoint_nginx.sh |  6 +++--
 template.env                     |  4 +--
 3 files changed, 38 insertions(+), 17 deletions(-)

diff --git a/server/files/configure_misp.sh b/server/files/configure_misp.sh
index 7d9c901..b156a1e 100755
--- a/server/files/configure_misp.sh
+++ b/server/files/configure_misp.sh
@@ -7,11 +7,15 @@ source /rest_client.sh
 [ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
 [ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
 
+# Switches to selectively disable configuration logic
+[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
+[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
+
 init_configuration(){
     # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
     echo "... configuring default settings"
-    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.baseurl" "$HOSTNAME"
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.redis_host" "$REDIS_FQDN"
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.python_bin" $(which python3)
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q -f "MISP.ca_path" "/etc/ssl/certs/ca-certificates.crt"
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_redis_host" "$REDIS_FQDN"
@@ -40,6 +44,11 @@ init_workers(){
 }
 
 configure_gnupg() {
+    if [ "$AUTOCONF_GPG" != "true" ]; then
+        echo "... GPG auto configuration disabled"
+        return
+    fi
+
     GPG_DIR=/var/www/MISP/.gnupg
     GPG_ASC=/var/www/MISP/app/webroot/gpg.asc
     GPG_TMP=/tmp/gpg.tmp
@@ -79,15 +88,14 @@ GPGEOF
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.email" "${ADMIN_EMAIL}"
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.homedir" "${GPG_DIR}"
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.password" "${GPG_PASSPHRASE}"
-    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.obscure_subject" false
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
 }
 
 apply_updates() {
     # Disable weird default
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
-    # Run updates
-    sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates
+    # Run updates (strip colors since output might end up in a log)
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin runUpdates | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g"
 }
 
 init_user() {
@@ -99,15 +107,21 @@ init_user() {
     if [ ! -z "$ADMIN_ORG" ]; then
         echo "UPDATE misp.organisations SET name = \"${ADMIN_ORG}\" where id = 1;" | ${MYSQLCMD}
     fi
-    if [ ! -z "$ADMIN_KEY" ]; then
-        echo "... setting admin key to '${ADMIN_KEY}'"
-        CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
+
+    if [ "$AUTOCONF_ADMIN_KEY" == "true" ]; then
+        if [ ! -z "$ADMIN_KEY" ]; then
+            echo "... setting admin key to '${ADMIN_KEY}'"
+            CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1 "${ADMIN_KEY}")
+        else
+            echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
+            CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
+        fi
+        ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
+        echo "... admin user key set to '${ADMIN_KEY}'"
     else
-        echo "... regenerating admin key (set \$ADMIN_KEY if you want it to change)"
-        CHANGE_CMD=(sudo -u www-data /var/www/MISP/app/Console/cake User change_authkey 1)
+        ADMIN_KEY=""
+        echo "... admin user key auto configuration disabled"
     fi
-    ADMIN_KEY=`${CHANGE_CMD[@]} | awk 'END {print $NF; exit}'`
-    echo "... admin user key set to '${ADMIN_KEY}'"
 
     if [ ! -z "$ADMIN_PASSWORD" ]; then
         echo "... setting admin password to '${ADMIN_PASSWORD}'"
@@ -150,7 +164,7 @@ apply_optional_fixes() {
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
     # This is not necessary because we update the DB directly
     # sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
-    
+
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_client_ip" true
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips" true
     sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.log_user_ips_authkeys" true
@@ -169,6 +183,11 @@ update_components() {
 
 
 create_sync_servers() {
+    if [ -z "$ADMIN_KEY" ]; then
+        echo "... admin key auto configuration is required to configure sync servers"
+        return
+    fi
+
     SPLITTED_SYNCSERVERS=$(echo $SYNCSERVERS | tr ',' '\n')
     for ID in $SPLITTED_SYNCSERVERS; do
         DATA="SYNCSERVERS_${ID}_DATA"
@@ -209,7 +228,7 @@ create_sync_servers() {
         echo "... adding new sync server ${NAME} with organization id ${ORG_ID}"
         JSON_DATA=$(echo "${!DATA}" | jq --arg org_id ${ORG_ID} 'del(.remote_org_uuid) | . + {remote_org_id: $org_id}')
         add_server ${HOSTNAME} ${ADMIN_KEY} "$JSON_DATA" > /dev/null
-    done   
+    done
 }
 
 
diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 059e298..8971746 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -185,14 +185,16 @@ flip_nginx() {
 }
 
 init_nginx() {
-    if [[ ! -L "/etc/nginx/sites-enabled/misp80" ]]; then
+    # Testing for files also test for links, and generalize better to mounted files
+    if [[ ! -f "/etc/nginx/sites-enabled/misp80" ]]; then
         echo "... enabling port 80 redirect"
         ln -s /etc/nginx/sites-available/misp80 /etc/nginx/sites-enabled/misp80
     else
         echo "... port 80 already configured"
     fi
 
-    if [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
+    # Testing for files also test for links, and generalize better to mounted files
+    if [[ ! -f "/etc/nginx/sites-enabled/misp" ]]; then
         echo "... enabling port 443"
         ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
     else
diff --git a/template.env b/template.env
index 53d734a..c1812e2 100644
--- a/template.env
+++ b/template.env
@@ -1,5 +1,5 @@
-MISP_TAG=v2.4.173
-MODULES_TAG=v2.4.173
+MISP_TAG=v2.4.174
+MODULES_TAG=v2.4.174
 PHP_VER=20190902
 # MISP_COMMIT takes precedence over MISP_TAG
 # MISP_COMMIT=c56d537