Merge branch 'master' into ftoppi-redis

core/files/configure_misp.sh

@@ -103,6 +103,7 @@ set_up_oidc() {
     fi
 
     # Check required variables
+    # OIDC_ISSUER may be empty
     check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG
 
     sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
@@ -114,6 +115,7 @@ set_up_oidc() {
     sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
         \"OidcAuth\": {
             \"provider_url\": \"${OIDC_PROVIDER_URL}\",
+            ${OIDC_ISSUER:+\"issuer\": \"${OIDC_ISSUER}\",}
             \"client_id\": \"${OIDC_CLIENT_ID}\",
             \"client_secret\": \"${OIDC_CLIENT_SECRET}\",
             \"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
@@ -155,6 +157,54 @@ set_up_ldap() {
             \"ldapEmailField\": ${LDAP_EMAIL_FIELD}
         }
     }" > /dev/null
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
+set_up_aad() {
+    if [[ "$AAD_ENABLE" != "true" ]]; then
+        echo "... Entra (AzureAD) authentication disabled"
+        return
+    fi
+
+    # Check required variables
+    check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS
+
+    # Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because 
+    # existing loadAll() call in bootstrap.php already loads all available Cake plugins
+
+    # Set auth mechanism to AAD in config.php file
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"Security\": {
+            \"auth\": [\"AadAuth.AadAuthenticate\"]
+        }
+    }" > /dev/null
+
+    # Configure AAD auth settings from environment variables in config.php file
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"AadAuth\": {
+            \"client_id\": \"${AAD_CLIENT_ID}\",
+            \"ad_tenant\": \"${AAD_TENANT_ID}\",
+            \"client_secret\": \"${AAD_CLIENT_SECRET}\",
+            \"redirect_uri\": \"${AAD_REDIRECT_URI}\",
+            \"auth_provider\": \"${AAD_PROVIDER}\",
+            \"auth_provider_user\": \"${AAD_PROVIDER_USER}\",
+            \"misp_user\": \"${AAD_MISP_USER}\",
+            \"misp_orgadmin\": \"${AAD_MISP_ORGADMIN}\",
+            \"misp_siteadmin\": \"${AAD_MISP_SITEADMIN}\",
+            \"check_ad_groups\": ${AAD_CHECK_GROUPS}
+        }
+    }" > /dev/null
+
+    # Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
+    # Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disableUserSelfManagement" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_login_change" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_password_change" true
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
 }
 
 apply_updates() {
@@ -323,5 +373,7 @@ echo "MISP | Set Up OIDC ..." && set_up_oidc
 
 echo "MISP | Set Up LDAP ..." && set_up_ldap
 
+echo "MISP | Set Up AAD ..." && set_up_aad
+
 echo "MISP | Mark instance live"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1

core/files/entrypoint_fpm.sh

@@ -19,7 +19,7 @@ change_php_vars() {
         sed -i "s/upload_max_filesize = .*/upload_max_filesize = 50M/" "$FILE"
         sed -i "s/post_max_size = .*/post_max_size = 50M/" "$FILE"
         sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
-        sed -i "s|.*session.save_path = .*|session.save_path = 'tcp://${REDIS_FQDN}:6379'|" "$FILE"
+        sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_FQDN | grep -E '^\w+://' || echo tcp://$REDIS_FQDN):6379'|" "$FILE"
     done
 }
 

core/files/entrypoint_nginx.sh

@@ -148,7 +148,7 @@ EOT
 
 update_misp_data_files(){
     for DIR in $(ls /var/www/MISP/app/files.dist); do
-        if [ "$DIR" = "certs" ] || [ "$DIR" = "img" ] ; then
+        if [ "$DIR" = "certs" ] || [ "$DIR" = "img" ] || [ "$DIR" == "taxonomies" ] ; then
             echo "... rsync -azh \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
             rsync -azh "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
         else

docker-compose.yml

@@ -117,6 +117,18 @@ services:
       - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
       - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
       - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
+      # AAD authentication settings
+      - "AAD_ENABLE=${AAD_ENABLE}"
+      - "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
+      - "AAD_TENANT_ID=${AAD_TENANT_ID}"
+      - "AAD_CLIENT_SECRET=${AAD_CLIENT_SECRET}"
+      - "AAD_REDIRECT_URI=${AAD_REDIRECT_URI}"
+      - "AAD_PROVIDER=${AAD_PROVIDER}"
+      - "AAD_PROVIDER_USER=${AAD_PROVIDER_USER}"
+      - "AAD_MISP_USER=${AAD_MISP_USER}"
+      - "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
+      - "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
+      - "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
       # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
       - "SYNCSERVERS=${SYNCSERVERS}"
       - |

template.env

@@ -2,7 +2,7 @@
 # Build-time variables
 ##
 
-CORE_TAG=v2.4.188
+CORE_TAG=v2.4.191
 MODULES_TAG=v2.4.188
 PHP_VER=20190902
 LIBFAUP_COMMIT=3a26d0a
@@ -119,3 +119,16 @@ SYNCSERVERS_1_KEY=
 # LDAP_OPT_PROTOCOL_VERSION="3"
 # LDAP_OPT_NETWORK_TIMEOUT="-1"
 # LDAP_OPT_REFERRALS=false
+
+# Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
+# AAD_ENABLE=true
+# AAD_CLIENT_ID=
+# AAD_TENANT_ID=
+# AAD_CLIENT_SECRET=
+# AAD_REDIRECT_URI="https://misp.mydomain.com/users/login"
+# AAD_PROVIDER="https://login.microsoftonline.com/"
+# AAD_PROVIDER_USER="https://graph.microsoft.com/"
+# AAD_MISP_USER="Misp Users"
+# AAD_MISP_ORGADMIN="Misp Org Admins"
+# AAD_MISP_SITEADMIN="Misp Site Admins"
+# AAD_CHECK_GROUPS=false