Merge pull request #4 from arvchristos/feat/oidc

Expose OIDC config parameters
MISP · Dec 11, 2023 · 2d1a3b5 · 2d1a3b5
2 parents fffaa51 + 2039141
commit 2d1a3b5
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 1 deletion.
diff --git a/core/files/configure_misp.sh b/core/files/configure_misp.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 source /rest_client.sh
+source /utilities.sh
 
 [ -z "$ADMIN_EMAIL" ] && ADMIN_EMAIL="admin@admin.test"
 [ -z "$GPG_PASSPHRASE" ] && GPG_PASSPHRASE="passphrase"
@@ -10,6 +11,7 @@ source /rest_client.sh
 # Switches to selectively disable configuration logic
 [ -z "$AUTOCONF_GPG" ] && AUTOCONF_GPG="true"
 [ -z "$AUTOCONF_ADMIN_KEY" ] && AUTOCONF_ADMIN_KEY="true"
+[ -z "$OIDC_ENABLE" ] && OIDC_ENABLE="false"
 
 init_configuration(){
  # Note that we are doing this after enforcing permissions, so we need to use the www-data user for this
@@ -93,6 +95,36 @@ GPGEOF
  sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "GnuPG.binary" "$(which gpg)"
 }
 
+set_up_oidc() {
+ if [[ "$OIDC_ENABLE" != "true" ]]; then
+ echo "... OIDC authentication disabled"
+ return
+ fi
+
+ # Check required variables
+ check_env_vars OIDC_PROVIDER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_ROLES_PROPERTY OIDC_ROLES_MAPPING OIDC_DEFAULT_ORG
+
+ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+ \"Security\": {
+ \"auth\": [\"OidcAuth.Oidc\"]
+ }
+ }" > /dev/null
+
+ sudo -u www-data php /var/www/MISP/tests/modify_config.php modify "{
+ \"OidcAuth\": {
+ \"provider_url\": \"${OIDC_PROVIDER_URL}\",
+ \"client_id\": \"${OIDC_CLIENT_ID}\",
+ \"client_secret\": \"${OIDC_CLIENT_SECRET}\",
+ \"roles_property\": \"${OIDC_ROLES_PROPERTY}\",
+ \"role_mapper\": ${OIDC_ROLES_MAPPING},
+ \"default_org\": \"${OIDC_DEFAULT_ORG}\"
+ }
+ }" > /dev/null
+
+ # Disable password confirmation as stated at https://github.com/MISP/MISP/issues/8116
+ sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Security.require_password_confirmation" false
+}
+
 apply_updates() {
  # Disable weird default
  sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "Plugin.ZeroMQ_enable" false
@@ -164,7 +196,7 @@ apply_critical_fixes() {
 apply_optional_fixes() {
  sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_top" ""
  sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q --force "MISP.welcome_text_bottom" ""
- 
+
  sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.contact" "${ADMIN_EMAIL}"
  # This is not necessary because we update the DB directly
  # sudo -u www-data /var/www/MISP/app/Console/cake Admin setSetting -q "MISP.org" "${ADMIN_ORG}"
@@ -254,5 +286,7 @@ echo "MISP | Create sync servers ..." && create_sync_servers
 
 echo "MISP | Update components ..." && update_components
 
+echo "MISP | Set Up OIDC ..." && set_up_oidc
+
 echo "MISP | Mark instance live"
 sudo -u www-data /var/www/MISP/app/Console/cake Admin live 1
diff --git a/core/files/utilities.sh b/core/files/utilities.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Check whether passed env variables are defined
+check_env_vars() {
+ local required_vars=("$@")
+
+ missing_vars=()
+ for i in "${required_vars[@]}"
+ do
+ test -n "${!i:+y}" || missing_vars+=("$i")
+ done
+ if [ ${#missing_vars[@]} -ne 0 ]
+ then
+ echo "The following env variables are not set:"
+ printf ' %q\n' "${missing_vars[@]}"
+ exit 1
+ fi
+}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -69,6 +69,14 @@ services:
  - "ADMIN_KEY=${ADMIN_KEY}"
  - "ADMIN_ORG=${ADMIN_ORG}"
  - "GPG_PASSPHRASE=${GPG_PASSPHRASE}"
+ # authentication settings
+ - "OIDC_ENABLE=${OIDC_ENABLE}"
+ - "OIDC_PROVIDER_URL=${OIDC_PROVIDER_URL}"
+ - "OIDC_CLIENT_ID=${OIDC_CLIENT_ID}"
+ - "OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}"
+ - "OIDC_ROLES_PROPERTY=${OIDC_ROLES_PROPERTY}"
+ - "OIDC_ROLES_MAPPING=${OIDC_ROLES_MAPPING}"
+ - "OIDC_DEFAULT_ORG=${OIDC_DEFAULT_ORG}"
  # sync server settings (see https://www.misp-project.org/openapi/#tag/Servers for more options)
  - "SYNCSERVERS=${SYNCSERVERS}"
  - |

diff --git a/template.env b/template.env
@@ -87,3 +87,12 @@ SYNCSERVERS_1_KEY=
 
 # Disable IPv6 completely (this setting will persist until the container is removed)
 # DISABLE_IPV6=true
+
+# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
+# OIDC_ENABLE=true
+# OIDC_PROVIDER_URL=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+# OIDC_ROLES_PROPERTY="roles"
+# OIDC_ROLES_MAPPING={"admin": "1","sync-user": "5"}
+# OIDC_DEFAULT_ORG=