From 0c84e0b71b9e7502ae84e3e1900b557767bac96d Mon Sep 17 00:00:00 2001
From: Eduardo Balsa <ebalsa@ebserver.org>
Date: Wed, 7 Apr 2021 16:42:20 +0200
Subject: [PATCH 1/6] Configuring nginx for cert authentication

If the user enables cert authentication on the docker-compose file we must do the following changes to allow CertAuth to work
- Pass on SSL_CLIENT_I_DN and SSL_CLIENT_S_DN to PHP
- Enable ssl_client_certificate using  /etc/nginx/certs/ca.pem
- Enable the CertAuth ( https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth ) plugin on the bootstrap.php file
---
 server/files/entrypoint_nginx.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 6bb0495..559c27f 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -168,6 +168,17 @@ if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
     openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
 fi
 
+if [[ $CERTAUTH = @(optional|on) ]]; then
+    echo "Configure NGINX | Enabling SSL Cert Authentication"
+    grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
+    grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp 
+
+    echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)" 
+    sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php
+fi
+
 if [[ "$DISIPV6" == true ]]; then
     echo "Configure NGINX | Disabling IPv6"
     sed -i "s/listen \[\:\:\]/\#listen \[\:\:\]/" /etc/nginx/sites-enabled/misp80

From 2ab1940bea926c5500a31a04ef97dea3ef818908 Mon Sep 17 00:00:00 2001
From: Eduardo Balsa <ebalsa@ebserver.org>
Date: Wed, 7 Apr 2021 16:46:05 +0200
Subject: [PATCH 2/6] Add new option CERTAUTH

---
 docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 659aad2..6c3eb68 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,6 +50,7 @@ services:
       # Optional Settings
 #      - "NOREDIR=true" # Do not redirect port 80
 #      - "DISIPV6=true" # Disable IPV6 in nginx
+#      - "CERTAUTH=optional" # Can be set to optional or on - Step 2 of https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth is still required
 #      - "SECURESSL=true" # Enable higher security SSL in nginx
 #      - "MISP_MODULES_FQDN=http://misp-modules" # Set the MISP Modules FQDN, used for Enrichment_services_url/Import_services_url/Export_services_url
   misp-modules:

From a7f426c0586a2a8ca5613a951cd4c3afedc01246 Mon Sep 17 00:00:00 2001
From: Eduardo Balsa <ebalsa@ebserver.org>
Date: Wed, 7 Apr 2021 16:46:59 +0200
Subject: [PATCH 3/6] Added reference to ca.pem

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 4963565..3bf44c1 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,7 @@ Updating the images should be as simple as `docker-compose pull` which, unless c
 -   Directory volume mount SSL Certs `./ssl`: `/etc/ssl/certs`
     -   Certificate File: `cert.pem`
     -   Certificate Key File: `key.pem`
+    -   CA File for Cert Authentication (optional) `ca.pem`
 
 -   Directory volume mount and create configs: `/var/www/MISP/app/Config/`
 

From 2acb7d4a972f058a353dcb0449d308f6d29e9ec4 Mon Sep 17 00:00:00 2001
From: Eduardo Balsa <ebalsa@ebserver.org>
Date: Thu, 8 Apr 2021 08:26:44 +0200
Subject: [PATCH 4/6] Making codacy happy

---
 server/files/entrypoint_nginx.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 559c27f..25be604 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -170,8 +170,8 @@ fi
 
 if [[ $CERTAUTH = @(optional|on) ]]; then
     echo "Configure NGINX | Enabling SSL Cert Authentication"
-    grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' >> /etc/nginx/snippets/fastcgi-php.conf
-    grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
     grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
     grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp 
 

From a0c35d7720cfd6fb83c63de4a6a7f97c9529280c Mon Sep 17 00:00:00 2001
From: Eduardo Balsa <ebalsa@ebserver.org>
Date: Thu, 8 Apr 2021 08:34:57 +0200
Subject: [PATCH 5/6] Making codacy happy take 2

---
 server/files/entrypoint_nginx.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 25be604..2d80fc1 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -170,8 +170,8 @@ fi
 
 if [[ $CERTAUTH = @(optional|on) ]]; then
     echo "Configure NGINX | Enabling SSL Cert Authentication"
-    grep -qxF 'fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
-    grep -qxF 'fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;' /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
+    grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
     grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
     grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp 
 

From 42a936b3d44bd9c676c06484c09c9a7c3ee40bcf Mon Sep 17 00:00:00 2001
From: Eduardo Balsa <ebalsa@ebserver.org>
Date: Thu, 8 Apr 2021 08:40:57 +0200
Subject: [PATCH 6/6] Spacing OCD

---
 server/files/entrypoint_nginx.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 2d80fc1..c3021b7 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -172,8 +172,8 @@ if [[ $CERTAUTH = @(optional|on) ]]; then
     echo "Configure NGINX | Enabling SSL Cert Authentication"
     grep -qF "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_I_DN \$ssl_client_i_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
     grep -qF "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" /etc/nginx/snippets/fastcgi-php.conf || echo "fastcgi_param SSL_CLIENT_S_DN \$ssl_client_s_dn;" >> /etc/nginx/snippets/fastcgi-php.conf
-    grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
-    grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp 
+    grep -qF 'ssl_client_certificate' /etc/nginx/sites-enabled/misp || sed -i '/ssl_prefer_server_ciphers/a \\    ssl_client_certificate /etc/nginx/certs/ca.pem;' /etc/nginx/sites-enabled/misp
+    grep -qF 'ssl_verify_client' /etc/nginx/sites-enabled/misp || sed -i "/ssl_prefer_server_ciphers/a \\    ssl_verify_client $CERTAUTH;" /etc/nginx/sites-enabled/misp 
 
     echo "Configure bootstrap | Enabling Cert Auth Plugin - Don't forget to configure it https://github.com/MISP/MISP/tree/2.4/app/Plugin/CertAuth (Step 2)" 
     sed -i "s/\/\/ CakePlugin::load('CertAuth');/CakePlugin::load('CertAuth');/" $MISP_APP_CONFIG_PATH/bootstrap.php