From b31b83013e1cbd655c402a480cee2b1fb0175ec3 Mon Sep 17 00:00:00 2001
From: shieldsurge <110939943+shieldsurge@users.noreply.github.com>
Date: Thu, 4 Apr 2024 23:01:47 -0400
Subject: [PATCH] Add AadAuth support in configure_misp.sh

Add support for enabling Azure AD (aka Entra) authentication via the configure_misp.sh script. The function to enable Azure AD auth mirrors the code in the existing functions to enable OIDC and LDAP auth. Environment variables are provided to configure available options in the AadAuth plugin: https://github.com/MISP/MISP/tree/2.4/app/Plugin/AadAuth This commit addresses issue "AAD Auth not working" #34. https://github.com/MISP/misp-docker/issues/34
---
 core/files/configure_misp.sh | 57 ++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
index d0e620a..1a4762f 100755
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@@ -157,6 +157,61 @@ set_up_ldap() {
 }" > /dev/null
 }
 
+set_up_aad() {
+ if [[ "$AAD_ENABLE" != "true" ]]; then
+ echo "... Entra (AzureAD) authentication disabled"
+ return
+ fi
+
+ # Check required variables
+ check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET BASE_URL
+
+ # Configure unset optional AAD environment variables to default values
+ [ -z "$AAD_REDIRECT_URI" ] && AAD_REDIRECT_URI="${BASE_URL}/users/login"
+ [ -z "$AAD_PROVIDER" ] && AAD_PROVIDER=https://login.microsoftonline.com/
+ [ -z "$AAD_PROVIDER_USER" ] && AAD_PROVIDER_USER=https://graph.microsoft.com/
+ [ -z "$AAD_MISP_USER" ] && AAD_MISP_USER="Misp Users"
+ [ -z "$AAD_MISP_ORGADMIN" ] && AAD_MISP_ORGADMIN="Misp Org Admins"
+ [ -z "$AAD_MISP_SITEADMIN" ] && AAD_MISP_SITEADMIN="Misp Site Admins"
+ [ -z "$AAD_CHECK_GROUPS" ] && AAD_CHECK_GROUPS=false
+
+ # Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because
+ # existing loadAll() call in bootstrap.php already loads all available Cake plugins
+
+ # Set auth mechanism to AAD in config.php file
+ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+ \"Security\": {
+ \"auth\": [\"AadAuth.AadAuthenticate\"]
+ }
+ }" > /dev/null
+
+ echo "hello"
+ # Configure AAD auth settings from environment variables in config.php file
+ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+ \"AadAuth\": {
+ \"client_id\": \"${AAD_CLIENT_ID}\",
+ \"ad_tenant\": \"${AAD_TENANT_ID}\",
+ \"client_secret\": \"${AAD_CLIENT_SECRET}\",
+ \"redirect_uri\": \"${AAD_REDIRECT_URI}\",
+ \"auth_provider\": \"${AAD_PROVIDER}\",
+ \"auth_provider_user\": \"${AAD_PROVIDER_USER}\",
+ \"misp_user\": \"${AAD_MISP_USER}\",
+ \"misp_orgadmin\": \"${AAD_MISP_ORGADMIN}\",
+ \"misp_siteadmin\": \"${AAD_MISP_SITEADMIN}\",
+ \"check_ad_groups\": ${AAD_CHECK_GROUPS}
+ }
+ }" > /dev/null
+
+ # Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
+ # Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disableUserSelfManagement" true
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_login_change" true
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_password_change" true
+
+ # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
 apply_updates() {
 # Disable weird default
 sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
@@ -323,5 +378,7 @@
 echo "MISP | Set Up OIDC ..." && set_up_oidc
 echo "MISP | Set Up LDAP ..." && set_up_ldap
 
+echo "MISP | Set Up AAD ..." && set_up_aad
+
 echo "MISP | Mark instance live"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
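Review bot: `AAD_CHECK_GROUPS` is interpolated bare into the JSON handed to modify_config.php in `set_up_aad`, so any value other than `true`/`false` (e.g. `yes`, `1`, `True`) produces an invalid document and the whole AadAuth block fails to be written — after the preceding call has already switched `Security.auth` to `AadAuth.AadAuthenticate`; whether a non-zero exit from modify_config.php stops the script depends on a `set -e` outside this hunk, and `check_env_vars` only checks presence. Validate it right after the defaults are applied: `case "$AAD_CHECK_GROUPS" in true|false) ;; *) echo "AAD_CHECK_GROUPS must be 'true' or 'false'" >&2; exit 1 ;; esac`. The same unescaped interpolation applies to `AAD_CLIENT_SECRET` and the other string values — a `"` or `\` in the secret breaks the JSON — and, as in the existing OIDC/LDAP functions, the secret travels on the command line where it is briefly visible in the process table, which is worth a comment at the call site. The stray `echo "hello"` before the second modify_config.php call looks like leftover debug output and should be removed.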