From c8cebcfdab618df8c2cc481c614178f0ee423d32 Mon Sep 17 00:00:00 2001 From: phil Date: Wed, 21 Feb 2024 18:04:41 +0100 Subject: [PATCH] Add ApacheSecureAuth configuration option --- README.md | 21 +++++++++++++++++++++ core/Dockerfile | 2 ++ core/files/configure_misp.sh | 35 +++++++++++++++++++++++++++++++++++ docker-compose.yml | 21 ++++++++++++++++++++- template.env | 20 ++++++++++++++++++++ 5 files changed, 98 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 113e27b..6e4423b 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,27 @@ New options are added on a regular basis. - `./gnupg`: `/var/www/MISP/.gnupg/` - If you need to automatically run additional steps each time the container starts, create a new file `files/customize_misp.sh`, and replace the variable `${CUSTOM_PATH}` inside `docker-compose.yml` with its parent path. +## Installing custom root CA certificates + +Custom root CA certificates can be mounted under `/usr/local/share/ca-certificates` and will be installed during the `misp-core` container start. + +**Note:** It is important to have the .crt extension on the file, otherwise it will not be processed. + +```yaml + misp-core: + # ... + volumes: + - "./configs/:/var/www/MISP/app/Config/" + - "./logs/:/var/www/MISP/app/tmp/logs/" + - "./files/:/var/www/MISP/app/files/" + - "./ssl/:/etc/nginx/certs/" + - "./gnupg/:/var/www/MISP/.gnupg/" + # customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh' + # - "${CUSTOM_PATH}/:/custom/" + # mount custom ca root certificates + - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt" +``` + ## Troubleshooting - Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/) diff --git a/core/Dockerfile b/core/Dockerfile index ff762bc..938bc0a 100644 --- a/core/Dockerfile +++ b/core/Dockerfile 
@@ -169,6 +169,8 @@ FROM "${DOCKER_HUB_PROXY}debian:bullseye-slim"
 php-gd \
 php-fpm \
 php-zip \
+ php-ldap \
+ libldap-common \
 librdkafka1 \
 libbrotli1 \
 libsimdjson5 \
diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
index 33316ca..fd96929 100755
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@@ -12,6 +12,7 @@ source /utilities.sh
 [ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
 [ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
 [ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
+[ -z "$LDAP_ENABLE" ] && LDAP_ENABLE="false"
 
 init_configuration(){
 # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
@@ -125,6 +126,37 @@ set_up_oidc() { sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false } +set_up_ldap() { + if [[ "$LDAP_ENABLE" != "true" ]]; then + echo "... LDAP authentication disabled" + return + fi + + # Check required variables + # LDAP_SEARCH_FILTER may be empty + check_env_vars LDAP_APACHE_ENV LDAP_SERVER LDAP_STARTTLS LDAP_READER_USER LDAP_READER_PASSWORD LDAP_DN LDAP_SEARCH_ATTRIBUTE LDAP_FILTER LDAP_DEFAULT_ROLE_ID LDAP_DEFAULT_ORG LDAP_OPT_PROTOCOL_VERSION LDAP_OPT_NETWORK_TIMEOUT LDAP_OPT_REFERRALS + + sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{ + \"ApacheSecureAuth\": { + \"apacheEnv\": \"${LDAP_APACHE_ENV}\", + \"ldapServer\": \"${LDAP_SERVER}\", + \"starttls\": ${LDAP_STARTTLS}, + \"ldapProtocol\": ${LDAP_OPT_PROTOCOL_VERSION}, + \"ldapNetworkTimeout\": ${LDAP_OPT_NETWORK_TIMEOUT}, + \"ldapReaderUser\": \"${LDAP_READ_USER}\", + \"ldapReaderPassword\": \"${LDAP_READ_PASSWORD}\", + \"ldapDN\": \"${LDAP_DN}\", + \"ldapSearchFilter\": \"${LDAP_SEARCH_FILTER}\", + \"ldapSearchAttribut\": \"${LDAP_SEARCH_ATTRIBUTE}\", + \"ldapFilter\": ${LDAP_FILTER}, + \"ldapDefaultRoleId\": ${LDAP_DEFAULT_ROLE_ID}, + \"ldapDefaultOrg\": \"${LDAP_DEFAULT_ORG}\", + \"ldapAllowReferrals\": ${LDAP_OPT_REFERRALS}, + \"ldapEmailField\": ${LDAP_EMAIL_FIELD} + } + }" > /dev/null +} + apply_updates() { # Disable weird default sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false @@ -267,6 +299,7 @@ create_sync_servers() { done } +echo "MISP | Update CA certificates ..." && update-ca-certificates echo "MISP | Initialize configuration ..." && init_configuration @@ -288,5 +321,7 @@ echo "MISP | Update components ..." && update_components echo "MISP | Set Up OIDC ..." && set_up_oidc +echo "MISP | Set Up LDAP ..." && set_up_ldap + echo "MISP | Mark instance live" sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1 
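Review bot: The reader bind credentials never reach the generated configuration: `check_env_vars` requires `LDAP_READER_USER`/`LDAP_READER_PASSWORD` (the names docker-compose.yml forwards), but the JSON handed to modify_config.php interpolates `${LDAP_READ_USER}` and `${LDAP_READ_PASSWORD}`, which nothing sets, so `ldapReaderUser` and `ldapReaderPassword` are written as empty strings and the directory lookup will attempt a bind with no credentials (or fail outright, depending on the server's policy). The two lines should read `\"ldapReaderUser\": \"${LDAP_READER_USER}\",` and `\"ldapReaderPassword\": \"${LDAP_READER_PASSWORD}\",`. `LDAP_EMAIL_FIELD` is spliced in unquoted but is missing from the `check_env_vars` list, so leaving it unset yields invalid JSON; add it to that list next to `LDAP_OPT_REFERRALS`. Note also that every value is interpolated into the JSON string without escaping, so a reader password containing `"` or `\` breaks or alters the written configuration, and `> /dev/null` discards whatever modify_config.php prints on stdout, so a rejected document may go unnoticed at start-up.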
diff --git a/docker-compose.yml b/docker-compose.yml index 9271ac2..83817de 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -59,6 +59,8 @@ services: - "./gnupg/:/var/www/MISP/.gnupg/" # customize by replacing ${CUSTOM_PATH} with a path containing 'files/customize_misp.sh' # - "${CUSTOM_PATH}/:/custom/" + # mount custom ca root certificates + # - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt" environment: - "BASE_URL=${BASE_URL}" - "CRON_USER_ID=${CRON_USER_ID}" @@ -69,7 +71,7 @@ services: - "ADMIN_KEY=${ADMIN_KEY}" - "ADMIN_ORG=${ADMIN_ORG}" - "GPG_PASSPHRASE=${GPG_PASSPHRASE}" - # authentication settings + # OIDC authentication settings - "OIDC_ENABLE=${OIDC_ENABLE}" - "OIDC_PROVIDER_URL=${OIDC_PROVIDER_URL}" - "OIDC_CLIENT_ID=${OIDC_CLIENT_ID}" @@ -77,6 +79,23 @@ services: - "OIDC_ROLES_PROPERTY=${OIDC_ROLES_PROPERTY}" - "OIDC_ROLES_MAPPING=${OIDC_ROLES_MAPPING}" - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}" + # LDAP authentication settings + - "LDAP_ENABLE=${LDAP_ENABLE}" + - "LDAP_APACHE_ENV=${LDAP_APACHE_ENV}" + - "LDAP_SERVER=${LDAP_SERVER}" + - "LDAP_STARTTLS=${LDAP_STARTTLS}" + - "LDAP_READER_USER=${LDAP_READER_USER}" + - "LDAP_READER_PASSWORD=${LDAP_READER_PASSWORD}" + - "LDAP_DN=${LDAP_DN}" + - "LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER}" + - "LDAP_SEARCH_ATTRIBUTE=${LDAP_SEARCH_ATTRIBUTE}" + - "LDAP_FILTER=${LDAP_FILTER}" + - "LDAP_DEFAULT_ROLE_ID=${LDAP_DEFAULT_ROLE_ID}" + - "LDAP_DEFAULT_ORG=${LDAP_DEFAULT_ORG}" + - "LDAP_EMAIL_FIELD=${LDAP_EMAIL_FIELD}" + - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}" + - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}" + - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}" # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options) - "SYNCSERVERS=${SYNCSERVERS}" - | diff --git a/template.env b/template.env index 1747c20..f544d0b 100644 --- a/template.env +++ b/template.env 
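Review bot: `LDAP_READER_PASSWORD` is passed to the container as a plain environment variable in the new LDAP block, where it is readable through `docker inspect` and from `/proc/<pid>/environ` of every process running in the container. This is consistent with how `GPG_PASSPHRASE` is already handled in this file, but for a directory service account a secrets mount (a `LDAP_READER_PASSWORD_FILE`-style variable read by the entrypoint) would be the safer default; at minimum a comment `# LDAP_READER_PASSWORD is visible in the container environment; prefer a secrets mount` would record the trade-off. Separately, the names forwarded here (`LDAP_READER_USER`, `LDAP_READER_PASSWORD`) differ from the `LDAP_READ_USER`/`LDAP_READ_PASSWORD` that configure_misp.sh interpolates into the ApacheSecureAuth block, so whichever side is corrected, the two files must agree.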
@@ -96,3 +96,23 @@ SYNCSERVERS_1_KEY=
 # OIDC_ROLES_PROPERTY="roles"
 # OIDC_ROLES_MAPPING={"admin": "1","sync-user": "5"}
 # OIDC_DEFAULT_ORG=
+
+# Enable LDAP (using the ApacheSecureAuth component) authentication, according to https://github.com/MISP/MISP/issues/6189
+# NOTE: Once you enable LDAP authentication with the ApacheSecureAuth component, users should not be able to control the HTTP header configured in LDAP_APACHE_ENV (e.g. REMOTE_USER).
+# This means you must not allow direct access to MISP.
+# LDAP_ENABLE=true
+# LDAP_APACHE_ENV="REMOTE_USER"
+# LDAP_SERVER="ldap://your_domain_controller"
+# LDAP_STARTTLS=true
+# LDAP_READER_USER="CN=service_account_name,OU=Users,DC=domain,DC=net"
+# LDAP_READER_PASSWORD="password"
+# LDAP_DN="OU=Users,DC=domain,DC=net"
+# LDAP_SEARCH_FILTER=""
+# LDAP_SEARCH_ATTRIBUTE="uid"
+# LDAP_FILTER="[\"mail\", \"uid\", \"cn\" ]"
+# LDAP_DEFAULT_ROLE_ID="3"
+# LDAP_DEFAULT_ORG="1"
+# LDAP_EMAIL_FIELD="[\"mail\"]"
+# LDAP_OPT_PROTOCOL_VERSION="3"
+# LDAP_OPT_NETWORK_TIMEOUT="-1"
+# LDAP_OPT_REFERRALS=false
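Review bot: The NOTE above the LDAP block states the trust model only halfway: nothing in this patch configures the container's own web server to authenticate against LDAP, so the server variable named in `LDAP_APACHE_ENV` (`REMOTE_USER`) must be set by an authenticating reverse proxy in front of the container, and that proxy has to overwrite or drop any `REMOTE_USER`-style header a client sends. Suggested wording for the second comment line: `# MISP must only be reachable through an authenticating reverse proxy that sets REMOTE_USER itself and strips any client-supplied value; never expose the container directly.` The example also needs a transport caveat: with `LDAP_SERVER="ldap://..."` the reader bind is only protected while `LDAP_STARTTLS=true` is kept and honoured by the server, so add `# Keep LDAP_STARTTLS=true (or use an ldaps:// URL); otherwise LDAP_READER_PASSWORD crosses the network in cleartext`. `LDAP_OPT_NETWORK_TIMEOUT="-1"` presumably disables the connect timeout, which can stall every login while the directory is unreachable; a finite example such as `"10"` is a safer default to ship.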