9229617ffd
...
bb0ff968e0
Author | SHA1 | Date |
---|---|---|
Stefano Ortolani | bb0ff968e0 | |
Stefano Ortolani | 66a683c075 | |
Christian Morales Guerrero | 313681a344 | |
Christian Morales Guerrero | b8d722a86b | |
Stefano Ortolani | c9b4ee2e42 | |
Stefano Ortolani | e407e127d3 | |
shieldsurge | 67d4a0ea32 | |
Stefano Ortolani | 52db2da71d | |
shieldsurge | 0c24160035 | |
Daan Willems | 0673b30b2d |
|
@ -103,6 +103,7 @@ set_up_oidc() {
|
|||
fi
|
||||
|
||||
# Check required variables
|
||||
# OIDC_ISSUER may be empty
|
||||
check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG
|
||||
|
||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
|
@ -114,6 +115,7 @@ set_up_oidc() {
|
|||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
\"OidcAuth\": {
|
||||
\"provider_url\": \"${OIDC_PROVIDER_URL}\",
|
||||
${OIDC_ISSUER:+\"issuer\": \"${OIDC_ISSUER}\",}
|
||||
\"client_id\": \"${OIDC_CLIENT_ID}\",
|
||||
\"client_secret\": \"${OIDC_CLIENT_SECRET}\",
|
||||
\"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
|
||||
|
@ -155,6 +157,54 @@ set_up_ldap() {
|
|||
\"ldapEmailField\": ${LDAP_EMAIL_FIELD}
|
||||
}
|
||||
}" > /dev/null
|
||||
|
||||
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
|
||||
}
|
||||
|
||||
set_up_aad() {
|
||||
if [[ "$AAD_ENABLE" != "true" ]]; then
|
||||
echo "... Entra (AzureAD) authentication disabled"
|
||||
return
|
||||
fi
|
||||
|
||||
# Check required variables
|
||||
check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS
|
||||
|
||||
# Note: Not necessary to edit bootstrap.php to load AadAuth Cake plugin because
|
||||
# existing loadAll() call in bootstrap.php already loads all available Cake plugins
|
||||
|
||||
# Set auth mechanism to AAD in config.php file
|
||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
\"Security\": {
|
||||
\"auth\": [\"AadAuth.AadAuthenticate\"]
|
||||
}
|
||||
}" > /dev/null
|
||||
|
||||
# Configure AAD auth settings from environment variables in config.php file
|
||||
sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
|
||||
\"AadAuth\": {
|
||||
\"client_id\": \"${AAD_CLIENT_ID}\",
|
||||
\"ad_tenant\": \"${AAD_TENANT_ID}\",
|
||||
\"client_secret\": \"${AAD_CLIENT_SECRET}\",
|
||||
\"redirect_uri\": \"${AAD_REDIRECT_URI}\",
|
||||
\"auth_provider\": \"${AAD_PROVIDER}\",
|
||||
\"auth_provider_user\": \"${AAD_PROVIDER_USER}\",
|
||||
\"misp_user\": \"${AAD_MISP_USER}\",
|
||||
\"misp_orgadmin\": \"${AAD_MISP_ORGADMIN}\",
|
||||
\"misp_siteadmin\": \"${AAD_MISP_SITEADMIN}\",
|
||||
\"check_ad_groups\": ${AAD_CHECK_GROUPS}
|
||||
}
|
||||
}" > /dev/null
|
||||
|
||||
# Disable self-management, username change, and password change to prevent users from circumventing AAD login flow
|
||||
# Recommended per https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disableUserSelfManagement" true
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_login_change" true
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.disable_user_password_change" true
|
||||
|
||||
# Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
|
||||
}
|
||||
|
||||
apply_updates() {
|
||||
|
@ -323,5 +373,7 @@ echo "MISP | Set Up OIDC ..." && set_up_oidc
|
|||
|
||||
echo "MISP | Set Up LDAP ..." && set_up_ldap
|
||||
|
||||
echo "MISP | Set Up AAD ..." && set_up_aad
|
||||
|
||||
echo "MISP | Mark instance live"
|
||||
sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
|
||||
|
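Review bot: The `check_env_vars AAD_CLIENT_ID AAD_TENANT_ID …` line in the new set_up_aad omits AAD_MISP_USER although the second modify_config.php call interpolates `\"misp_user\": \"${AAD_MISP_USER}\"`, so an unset value presumably passes the check and lands in config.php as an empty group name; add it to the list, e.g. `check_env_vars AAD_CLIENT_ID AAD_TENANT_ID AAD_CLIENT_SECRET AAD_REDIRECT_URI AAD_PROVIDER AAD_PROVIDER_USER AAD_MISP_USER AAD_MISP_ORGADMIN AAD_MISP_SITEADMIN AAD_CHECK_GROUPS`. Every value is spliced into the JSON string without escaping, and `\"check_ad_groups\": ${AAD_CHECK_GROUPS}` is inserted unquoted, so a comment above the call such as `# AAD_CHECK_GROUPS must be a bare JSON boolean (true/false); the other AAD_* values must not contain '"' or '\'` would spare the next reader a malformed-config hunt. As in the existing set_up_oidc block, the client secret travels on the php command line and is visible in the process list for the duration of the call; that mirrors the established pattern rather than being new here, but the same caveat applies.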
|
|
@ -19,7 +19,7 @@ change_php_vars() {
|
|||
sed -i "s/upload_max_filesize = .*/upload_max_filesize = 50M/" "$FILE"
|
||||
sed -i "s/post_max_size = .*/post_max_size = 50M/" "$FILE"
|
||||
sed -i "s/session.save_handler = .*/session.save_handler = redis/" "$FILE"
|
||||
sed -i "s|.*session.save_path = .*|session.save_path = 'tcp://${REDIS_FQDN}:6379'|" "$FILE"
|
||||
sed -i "s|.*session.save_path = .*|session.save_path = '$(echo $REDIS_FQDN | grep -E '^\w+://' || echo tcp://$REDIS_FQDN):6379'|" "$FILE"
|
||||
done
|
||||
}
|
||||
|
||||
|
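Review bot: The new `session.save_path` line in change_php_vars expands `$REDIS_FQDN` unquoted twice inside the `$(…)` and pipes it through `echo`, so a value with whitespace or glob characters is word-split, and because the result is spliced straight into the sed replacement a value containing `|` or `&` would corrupt php.ini rather than fail. Computing the URL once keeps it readable and fully quoted (assuming the script runs under bash, as the other entrypoint functions do): `local save_path=$REDIS_FQDN`, `[[ "$save_path" =~ ^[[:alnum:]_]+:// ]] || save_path="tcp://${save_path}"`, then `sed -i "s|.*session.save_path = .*|session.save_path = '${save_path}:6379'|" "$FILE"`. `\w` in an ERE is a GNU grep extension, so the character-class spelling above is also the more portable form. change_php_vars starts before this hunk.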
|
|
@ -148,7 +148,7 @@ EOT
|
|||
|
||||
update_misp_data_files(){
|
||||
for DIR in $(ls /var/www/MISP/app/files.dist); do
|
||||
if [ "$DIR" = "certs" ] || [ "$DIR" = "img" ] ; then
|
||||
if [ "$DIR" = "certs" ] || [ "$DIR" = "img" ] || [ "$DIR" == "taxonomies" ] ; then
|
||||
echo "... rsync -azh \"/var/www/MISP/app/files.dist/$DIR\" \"/var/www/MISP/app/files/\""
|
||||
rsync -azh "/var/www/MISP/app/files.dist/$DIR" "/var/www/MISP/app/files/"
|
||||
else
|
||||
|
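Review bot: The extended condition `if [ "$DIR" = "certs" ] || [ "$DIR" = "img" ] || [ "$DIR" == "taxonomies" ] ; then` mixes `==` into a `[ … ]` test whose two sibling comparisons use `=`; `==` inside single brackets is a bash extension that POSIX `test` rejects, so for consistency and portability write `[ "$DIR" = "taxonomies" ]`. The surrounding `for DIR in $(ls /var/www/MISP/app/files.dist)` is pre-existing, but while this loop is being touched a glob, `for DIR in /var/www/MISP/app/files.dist/*` followed by `DIR=${DIR##*/}`, would avoid parsing ls output and the word-splitting that comes with it. update_misp_data_files continues past the end of this hunk.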
|
|
@ -117,6 +117,18 @@ services:
|
|||
- "LDAP_OPT_PROTOCOL_VERSION=${LDAP_OPT_PROTOCOL_VERSION}"
|
||||
- "LDAP_OPT_NETWORK_TIMEOUT=${LDAP_OPT_NETWORK_TIMEOUT}"
|
||||
- "LDAP_OPT_REFERRALS=${LDAP_OPT_REFERRALS}"
|
||||
# AAD authentication settings
|
||||
- "AAD_ENABLE=${AAD_ENABLE}"
|
||||
- "AAD_CLIENT_ID=${AAD_CLIENT_ID}"
|
||||
- "AAD_TENANT_ID=${AAD_TENANT_ID}"
|
||||
- "AAD_CLIENT_SECRET=${AAD_CLIENT_SECRET}"
|
||||
- "AAD_REDIRECT_URI=${AAD_REDIRECT_URI}"
|
||||
- "AAD_PROVIDER=${AAD_PROVIDER}"
|
||||
- "AAD_PROVIDER_USER=${AAD_PROVIDER_USER}"
|
||||
- "AAD_MISP_USER=${AAD_MISP_USER}"
|
||||
- "AAD_MISP_ORGADMIN=${AAD_MISP_ORGADMIN}"
|
||||
- "AAD_MISP_SITEADMIN=${AAD_MISP_SITEADMIN}"
|
||||
- "AAD_CHECK_GROUPS=${AAD_CHECK_GROUPS}"
|
||||
# sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
|
||||
- "SYNCSERVERS=${SYNCSERVERS}"
|
||||
- |
|
||||
|
|
15
template.env
15
template.env
|
@ -2,7 +2,7 @@
|
|||
# Build-time variables
|
||||
##
|
||||
|
||||
CORE_TAG=v2.4.188
|
||||
CORE_TAG=v2.4.191
|
||||
MODULES_TAG=v2.4.188
|
||||
PHP_VER=20190902
|
||||
LIBFAUP_COMMIT=3a26d0a
|
||||
|
@ -119,3 +119,16 @@ SYNCSERVERS_1_KEY=
|
|||
# LDAP_OPT_PROTOCOL_VERSION="3"
|
||||
# LDAP_OPT_NETWORK_TIMEOUT="-1"
|
||||
# LDAP_OPT_REFERRALS=false
|
||||
|
||||
# Enable Azure AD (Entra) authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/AadAuth/README.md
|
||||
# AAD_ENABLE=true
|
||||
# AAD_CLIENT_ID=
|
||||
# AAD_TENANT_ID=
|
||||
# AAD_CLIENT_SECRET=
|
||||
# AAD_REDIRECT_URI="https://misp.mydomain.com/users/login"
|
||||
# AAD_PROVIDER="https://login.microsoftonline.com/"
|
||||
# AAD_PROVIDER_USER="https://graph.microsoft.com/"
|
||||
# AAD_MISP_USER="Misp Users"
|
||||
# AAD_MISP_ORGADMIN="Misp Org Admins"
|
||||
# AAD_MISP_SITEADMIN="Misp Site Admins"
|
||||
# AAD_CHECK_GROUPS=false
|
||||
|
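Review bot: The new `# AAD_CHECK_GROUPS=false` entry would benefit from a comment saying the value is a bare JSON boolean, since the configure script in this change inserts it unquoted into config.php (`\"check_ad_groups\": ${AAD_CHECK_GROUPS}`) whereas every other AAD_* value is wrapped in quotes; something like `# AAD_CHECK_GROUPS: bare JSON boolean (true or false), inserted unquoted into config.php` placed above it. The `# AAD_MISP_USER="Misp Users"` line documents a variable that the companion shell change interpolates but does not list in its required-variable check, so a one-line note here that all three group-name variables are required would align the template with what the script actually needs.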
|