Merge branch 'master' into ftoppi-redis

Bump MISP
Support optional OIDC_ISSUER parameter (#52 )
2024-04-24 12:59:12 +01:00 · 2024-04-24 12:37:49 +01:00 · 2024-04-24 12:26:22 +01:00 · 2024-04-22 09:20:59 +01:00 · 2024-04-21 13:18:11 +01:00 · 2024-04-20 19:54:43 +01:00
5 changed files with 80 additions and 3 deletions
--- a/core/files/configure_misp.sh
+++ b/core/files/configure_misp.sh
@ -103,6 +103,7 @@ set_up_oidc() {
    fi

    # Check required variables
+    # OIDC_ISSUER may be empty
    check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG

    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
@ -114,6 +115,7 @@ set_up_oidc() {
    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
        \"OidcAuth\": {
            \"provider_url\": \"${OIDC_PROVIDER_URL}\",
+            ${OIDC_ISSUER:+\"issuer\": \"${OIDC_ISSUER}\",}
            \"client_id\": \"${OIDC_CLIENT_ID}\",
            \"client_secret\": \"${OIDC_CLIENT_SECRET}\",
            \"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
@ -155,6 +157,54 @@ set_up_ldap() {
            \"ldapEmailField\": ${LDAP_EMAIL_FIELD}
        }
    }" > /dev/null
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
+set_up_aad() {
+    if [[ "$AAD_ENABLE" != "true" ]]; then
+        echo "... Entra (AzureAD) authentication disabled"
+        return
+    fi
+
+    # Check required variables
+    check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS
+
+    # Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because 
+    # existing loadAll() call in bootstrap.php already loads all available Cake plugins
+
+    # Set auth mechanism to AAD in config.php file
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"Security\": {
+            \"auth\": [\"AadAuth.AadAuthenticate\"]
+        }
+    }" > /dev/null
+
+    # Configure AAD auth settings from environment variables in config.php file
+    sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+        \"AadAuth\": {
+            \"client_id\": \"${AAD_CLIENT_ID}\",
+            \"ad_tenant\": \"${AAD_TENANT_ID}\",
+            \"client_secret\": \"${AAD_CLIENT_SECRET}\",
+            \"redirect_uri\": \"${AAD_REDIRECT_URI}\",
+            \"auth_provider\": \"${AAD_PROVIDER}\",
+            \"auth_provider_user\": \"${AAD_PROVIDER_USER}\",
+            \"misp_user\": \"${AAD_MISP_USER}\",
+            \"misp_orgadmin\": \"${AAD_MISP_ORGADMIN}\",
+            \"misp_siteadmin\": \"${AAD_MISP_SITEADMIN}\",
+            \"check_ad_groups\": ${AAD_CHECK_GROUPS}
+        }
+    }" > /dev/null
+
+    # Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
+    # Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disableUserSelfManagement" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_login_change" true
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_password_change" true
+
+    # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+    sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
 }

 apply_updates() {
@ -323,5 +373,7 @@ echo "MISP | Set Up OIDC ..." && set_up_oidc

 echo "MISP | Set Up LDAP ..." && set_up_ldap

+echo "MISP | Set Up AAD ..." && set_up_aad
+
 echo "MISP | Mark instance live"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
--- a/core/files/entrypoint_fpm.sh
+++ b/core/files/entrypoint_fpm.sh
@ -19,7 +19,7 @@ change_php_vars() {
        sed -i "s/upload_max_filesize = .*/upload_max_filesize = 50M/" "$FILE"
        sed -i "s/post_max_size = .*/post_max_size = 50M/" "$FILE"
        sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
-        sed -i "s|.*session.save_path = .*|session.save_path = 'tcp://${REDIS_FQDN}:6379'|" "$FILE"
+        sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_FQDN | grep -E '^\w+://' || echo tcp://$REDIS_FQDN):6379'|" "$FILE"
    done
 }

--- a/core/files/entrypoint_nginx.sh
+++ b/core/files/entrypoint_nginx.sh
@ -148,7 +148,7 @@ EOT

 update_misp_data_files(){
    for DIR in $(ls /var/www/MISP/app/files.dist); do
-        if [ "$DIR" = "certs" ] || [ "$DIR" = "img" ] ; then
+        if [ "$DIR" = "certs" ] || [ "$DIR" = "img" ] || [ "$DIR" == "taxonomies" ] ; then
            echo "... rsync -azh \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
            rsync -azh "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
        else
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -117,6 +117,18 @@ services:
      - "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
      - "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
      - "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
+      # AAD authentication settings
+      - "AAD_ENABLE=${AAD_ENABLE}"
+      - "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
+      - "AAD_TENANT_ID=${AAD_TENANT_ID}"
+      - "AAD_CLIENT_SECRET=${AAD_CLIENT_SECRET}"
+      - "AAD_REDIRECT_URI=${AAD_REDIRECT_URI}"
+      - "AAD_PROVIDER=${AAD_PROVIDER}"
+      - "AAD_PROVIDER_USER=${AAD_PROVIDER_USER}"
+      - "AAD_MISP_USER=${AAD_MISP_USER}"
+      - "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
+      - "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
+      - "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
      # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
      - "SYNCSERVERS=${SYNCSERVERS}"
      - |
--- a/template.env
+++ b/template.env
@ -2,7 +2,7 @@
 # Build-time variables
 ##

-CORE_TAG=v2.4.188
+CORE_TAG=v2.4.191
 MODULES_TAG=v2.4.188
 PHP_VER=20190902
 LIBFAUP_COMMIT=3a26d0a
@ -119,3 +119,16 @@ SYNCSERVERS_1_KEY=
 # LDAP_OPT_PROTOCOL_VERSION="3"
 # LDAP_OPT_NETWORK_TIMEOUT="-1"
 # LDAP_OPT_REFERRALS=false
+
+# Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
+# AAD_ENABLE=true
+# AAD_CLIENT_ID=
+# AAD_TENANT_ID=
+# AAD_CLIENT_SECRET=
+# AAD_REDIRECT_URI="https://misp.mydomain.com/users/login"
+# AAD_PROVIDER="https://login.microsoftonline.com/"
+# AAD_PROVIDER_USER="https://graph.microsoft.com/"
+# AAD_MISP_USER="Misp Users"
+# AAD_MISP_ORGADMIN="Misp Org Admins"
+# AAD_MISP_SITEADMIN="Misp Site Admins"
+# AAD_CHECK_GROUPS=false
Author	SHA1	Message	Date
Stefano Ortolani	bb0ff968e0	Merge branch 'master' into ftoppi-redis	2024-04-24 12:59:12 +01:00
Stefano Ortolani	66a683c075	Bump MISP	2024-04-24 12:37:49 +01:00
Christian Morales Guerrero	313681a344	Support optional OIDC_ISSUER parameter (#52 )	2024-04-24 12:26:22 +01:00
Christian Morales Guerrero	b8d722a86b	Allow Redis over TLS (#49 )	2024-04-22 09:20:59 +01:00
Stefano Ortolani	c9b4ee2e42	Replace redis image with valkey	2024-04-21 13:18:11 +01:00
Stefano Ortolani	e407e127d3	Bump MISP	2024-04-20 19:54:43 +01:00
shieldsurge	67d4a0ea32	Fix missing AadAuth env var (#44 )	2024-04-12 19:54:43 +01:00
Stefano Ortolani	52db2da71d	Bump version	2024-04-11 08:45:25 +01:00
shieldsurge	0c24160035	Add AadAuth support in configure_misp.sh (#39 )	2024-04-10 16:56:44 +01:00
Daan Willems	0673b30b2d	Add exemption to entrypoint_nginx for taxonomies (#41 )	2024-04-10 16:22:55 +01:00