mirror of https://github.com/MISP/misp-docker
Expose OIDC config parameters
parent
fffaa51572
commit
526c47a6e8
|
@ -6,10 +6,20 @@ source /rest_client.sh
|
||||||
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
|
[ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
|
||||||
[ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
|
[ -z "$REDIS_FQDN" ] && REDIS_FQDN="redis"
|
||||||
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
|
[ -z "$MISP_MODULES_FQDN" ] && MISP_MODULES_FQDN="http://misp-modules"
|
||||||
|
[ -z "$OIDC_PROVIDER_URL" ] && OIDC_PROVIDER_URL="test_provider"
|
||||||
|
[ -z "$OIDC_CLIENT_ID" ] && OIDC_CLIENT_ID="test_client_id"
|
||||||
|
[ -z "$OIDC_CLIENT_SECRET" ] && OIDC_CLIENT_SECRET="test_client_secret"
|
||||||
|
[ -z "$OIDC_ROLES_PROPERTY" ] && OIDC_ROLES_PROPERTY="roles"
|
||||||
|
[ -z "$OIDC_ROLES_MAPPING" ] && OIDC_ROLES_MAPPING="{
|
||||||
|
\"admin\": \"1\",
|
||||||
|
\"sync-user\": \"5\"
|
||||||
|
}"
|
||||||
|
[ -z "$OIDC_DEFAULT_ORG" ] && OIDC_DEFAULT_ORG="$ADMIN_ORG"
|
||||||
|
|
||||||
# Switches to selectively disable configuration logic
|
# Switches to selectively disable configuration logic
|
||||||
[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
|
[ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
|
||||||
[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
|
[ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
|
||||||
|
[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
|
||||||
|
|
||||||
init_configuration(){
|
init_configuration(){
|
||||||
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
|
# Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
|
||||||
|
@ -93,6 +103,33 @@ GPGEOF
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_up_oidc() {
|
||||||
|
if [[ "$OIDC_ENABLE" != "true" ]]; then
|
||||||
|
echo "... OIDC authentication disabled"
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||||
|
\"Security\": {
|
||||||
|
\"auth\": [\"OidcAuth.Oidc\"]
|
||||||
|
}
|
||||||
|
}" > /dev/null
|
||||||
|
|
||||||
|
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||||
|
\"OidcAuth\": {
|
||||||
|
\"provider_url\": \"${OIDC_PROVIDER_URL}\",
|
||||||
|
\"client_id\": \"${OIDC_CLIENT_ID}\",
|
||||||
|
\"client_secret\": \"${OIDC_CLIENT_SECRET}\",
|
||||||
|
\"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
|
||||||
|
\"role_mapper\": ${OIDC_ROLES_MAPPING},
|
||||||
|
\"default_org\": \"${OIDC_DEFAULT_ORG}\"
|
||||||
|
}
|
||||||
|
}" > /dev/null
|
||||||
|
|
||||||
|
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
|
||||||
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
|
||||||
|
}
|
||||||
|
|
||||||
apply_updates() {
|
apply_updates() {
|
||||||
# Disable weird default
|
# Disable weird default
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
|
||||||
|
@ -164,7 +201,7 @@ apply_critical_fixes() {
|
||||||
apply_optional_fixes() {
|
apply_optional_fixes() {
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
|
||||||
|
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
|
||||||
# This is not necessary because we update the DB directly
|
# This is not necessary because we update the DB directly
|
||||||
# sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
|
# sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
|
||||||
|
@ -254,5 +291,7 @@ echo "MISP | Create sync servers ..." && create_sync_servers
|
||||||
|
|
||||||
echo "MISP | Update components ..." && update_components
|
echo "MISP | Update components ..." && update_components
|
||||||
|
|
||||||
|
echo "MISP | Set Up OIDC ..." && set_up_oidc
|
||||||
|
|
||||||
echo "MISP | Mark instance live"
|
echo "MISP | Mark instance live"
|
||||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
|
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
|
||||||
|
|
|
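Review bot: In set_up_oidc the OIDC_* values are expanded directly into the JSON document handed to modify_config.php (the second modify call of the hunk), so a client secret or provider URL containing `"` or `\` yields invalid JSON and a value carrying its own quoting can add keys to the written configuration, while `${OIDC_ROLES_MAPPING}` is spliced in unquoted and never checked to be a JSON object. Building the document with jq `--arg`/`--argjson` (sketched below; jq is not referenced in this diff, so confirm it is in the image) keeps every value inside its string and fails early on a malformed mapping. The placeholders `test_provider`/`test_client_id`/`test_client_secret` in the first hunk also mean that OIDC_ENABLE=true with no secret configured silently enables the plugin against dummy credentials instead of failing; if those values exist for CI they are better set in the test environment, with set_up_oidc asserting `: "${OIDC_CLIENT_SECRET:?required when OIDC_ENABLE=true}"` so the misconfiguration is loud. Note too that the secret travels as a command-line argument to sudo, which by default records the full command in its log, so passing the document on stdin — if modify_config.php supports it — would keep it out of the auth log.
```shell
set_up_oidc() {
  # … unchanged: OIDC_ENABLE guard and the Security.auth modify call …

  # Build the document with jq so a value containing '"' or '\' stays inside
  # its JSON string, and so a malformed OIDC_ROLES_MAPPING fails here instead
  # of producing a broken config. (jq must be present in the image.)
  local oidc_config
  oidc_config=$(jq -n \
    --arg url "$OIDC_PROVIDER_URL" \
    --arg id "$OIDC_CLIENT_ID" \
    --arg secret "$OIDC_CLIENT_SECRET" \
    --arg roles "$OIDC_ROLES_PROPERTY" \
    --argjson mapping "$OIDC_ROLES_MAPPING" \
    --arg org "$OIDC_DEFAULT_ORG" \
    '{OidcAuth: {provider_url: $url, client_id: $id, client_secret: $secret,
                 roles_property: $roles, role_mapper: $mapping, default_org: $org}}') \
    || { echo "... OIDC_ROLES_MAPPING is not valid JSON" >&2; return 1; }
  sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "$oidc_config" > /dev/null

  # … unchanged: require_password_confirmation setting …
}
```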
@ -69,6 +69,13 @@ services:
|
||||||
- "ADMIN_KEY=${ADMIN_KEY}"
|
- "ADMIN_KEY=${ADMIN_KEY}"
|
||||||
- "ADMIN_ORG=${ADMIN_ORG}"
|
- "ADMIN_ORG=${ADMIN_ORG}"
|
||||||
- "GPG_PASSPHRASE=${GPG_PASSPHRASE}"
|
- "GPG_PASSPHRASE=${GPG_PASSPHRASE}"
|
||||||
|
# authentication settings
|
||||||
|
- "OIDC_ENABLE=${OIDC_ENABLE}"
|
||||||
|
- "OIDC_PROVIDER_URL=${OIDC_PROVIDER_URL}"
|
||||||
|
- "OIDC_CLIENT_ID=${OIDC_CLIENT_ID}"
|
||||||
|
- "OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}"
|
||||||
|
- "OIDC_ROLES_PROPERTY=${OIDC_ROLES_PROPERTY}"
|
||||||
|
- "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
|
||||||
# sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
|
# sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
|
||||||
- "SYNCSERVERS=${SYNCSERVERS}"
|
- "SYNCSERVERS=${SYNCSERVERS}"
|
||||||
- |
|
- |
|
||||||
|
|
|
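Review bot: The new environment entries pass OIDC_ENABLE, OIDC_PROVIDER_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET, OIDC_ROLES_PROPERTY and OIDC_DEFAULT_ORG but not OIDC_ROLES_MAPPING, although the env template in this same commit documents `# OIDC_ROLES_MAPPING=`; a mapping set in .env therefore never reaches the container and the entrypoint's built-in admin/sync-user default always applies. Add `- "OIDC_ROLES_MAPPING=${OIDC_ROLES_MAPPING}"` beside the other entries (the value has to be single-line JSON for .env). Separately, OIDC_CLIENT_SECRET handed over this way is readable through `docker inspect` and the rendered compose config by anyone with access to the Docker socket — the same exposure the existing ADMIN_KEY and GPG_PASSPHRASE lines already have — so a `secrets:` entry or a file-based variable would be the stricter option once the entrypoint can read it.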
@ -87,3 +87,12 @@ SYNCSERVERS_1_KEY=
|
||||||
|
|
||||||
# Disable IPv6 completely (this setting will persist until the container is removed)
|
# Disable IPv6 completely (this setting will persist until the container is removed)
|
||||||
# DISABLE_IPV6=true
|
# DISABLE_IPV6=true
|
||||||
|
|
||||||
|
# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
|
||||||
|
# OIDC_ENABLE=true
|
||||||
|
# OIDC_PROVIDER_URL=
|
||||||
|
# OIDC_CLIENT_ID=
|
||||||
|
# OIDC_CLIENT_SECRET=
|
||||||
|
# OIDC_ROLES_PROPERTY=
|
||||||
|
# OIDC_ROLES_MAPPING=
|
||||||
|
# OIDC_DEFAULT_ORG=""
|
||||||
|
|
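Review bot: The template lists the OIDC variables but does not say that when `OIDC_ENABLE=true` the provider URL, client id and client secret must all be supplied, nor that the entrypoint otherwise substitutes the `test_provider`/`test_client_id`/`test_client_secret` placeholders from its defaults block; a reader of this file alone cannot tell that leaving them commented enables OIDC against dummy credentials. Suggest extending the header comment with `# When OIDC_ENABLE=true, OIDC_PROVIDER_URL, OIDC_CLIENT_ID and OIDC_CLIENT_SECRET are required (the entrypoint otherwise falls back to test_* placeholders)`. It would also help to state that `OIDC_ROLES_MAPPING` must be a JSON object mapping provider role names to MISP role ids, e.g. the entrypoint default `{"admin": "1", "sync-user": "5"}`, and that `OIDC_DEFAULT_ORG` defaults to ADMIN_ORG when left empty.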