merge dev4

5d3b00ad · Arne Øslebø · 155783b0 · 5d3b00ad · 5d3b00ad · 5d3b00ad
Commit 5d3b00ad authored Feb 12, 2021 by Arne Øslebø
--- a/create-thehive-users.yml
+++ b/create-thehive-users.yml
+---
+
+- name: Create Users in TheHive
+  hosts: thehive
+  roles:
+    - thehive
--- a/group_vars/all/users.yml
+++ b/group_vars/all/users.yml
@@ -18,4 +18,23 @@ soctools_users:
 ODFE_ADMIN_USERS:
  - user1

+THEHIVE_ORGANIZATION: "uninett.no"

+THEHIVE_KIBANA_USER:
+  username: "kibana"
+  name: "Kibana"
+  surname: "User"
+  roles: '["read", "write"]'
+
+
+THEHIVE_USERS:
+  - user1:
+    username: "user1"
+    name: "User1"
+    surname: "SOC"
+    roles: '["read", "write", "admin"]'
+  - user2:
+    username: "user2"
+    name: "User2"
+    surname: "SOC"
+    roles: '["read", "write", "admin"]'
--- a/roles/cortex/tasks/start.yml
+++ b/roles/cortex/tasks/start.yml
@@ -23,6 +23,10 @@
    - "{{playbook_dir}}/secrets/CA/cacerts.jks"
    - "{{playbook_dir}}/secrets/CA/ca.crt"

+- name: Get openid authkey
+  set_fact:
+    cortexsecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/cortexsecret',convert_data=False) | from_json}}"
+
 - name: Configure embedded Elasticsearch 6
  remote_user: root
  template:

--- a/roles/cortex/templates/application.conf.j2
+++ b/roles/cortex/templates/application.conf.j2
@@ -66,7 +66,7 @@ auth {
 	#   the "ad" section below.
 	# - ldap : use LDAP to authenticate users. The associated configuration shall be done in the
 	#   "ldap" section below.
-	provider = [local]
+	provider = [local,oauth2]

 	ad {
 		# The Windows domain name in DNS format. This parameter is required if you do not use
@@ -108,6 +108,84 @@ auth {
 		# If 'true', use SSL to connect to the LDAP directory server.
 		#useSSL = true
 	}
+  oauth2 {
+    # URL of the authorization server
+    clientId = "soctools-cortex"
+    clientSecret = {{cortexsecret.value}}
+    redirectUri = "https://{{soctoolsproxy}}:9001/api/ssoLogin"
+    responseType = "code"
+    grantType = "authorization_code"
+
+    # URL from where to get the access token
+    authorizationUrl = "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/auth"
+    authorizationHeader = "Bearer"
+    tokenUrl = "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/token"
+    
+
+    # The endpoint from which to obtain user details using the OAuth token, after successful login
+    userUrl = "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/userinfo"
+    scope = "profile"
+    userIdField = "email"
+    #userUrl = "https://auth-site.com/api/User"
+    #scope = ["openid profile"]
+  }
+
+  ws.ssl.trustManager {
+    stores = [
+      {
+        type = "JKS" // JKS or PEM
+        path = "cacerts.jks"
+        password = "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
+      }
+    ]
+  }
+
+
+  # Single-Sign On
+  sso {
+    # Autocreate user in database?
+    autocreate = true
+
+    # Autoupdate its profile and roles?
+    autoupdate = true
+
+    # Autologin user using SSO?
+    autologin = true
+
+    # Name of mapping class from user resource to backend user ('simple' or 'group')
+    #mapper = group
+    #mapper = simple
+    #attributes {
+    #  login = "user"
+    #  name = "name"
+    #  groups = "groups"
+    #  organization = "org"
+    #}
+#    defaultRoles = ["read", "write", "admin"]
+#    defaultOrganization = "uninett.no"
+    #defaultRoles = ["read"]
+    #defaultOrganization = "csirt"
+    #groups {
+    #  # URL to retreive groups (leave empty if you are using OIDC)
+    #  #url = "https://auth-site.com/api/Groups"
+    #  # Group mappings, you can have multiple roles for each group: they are merged
+    #  mappings {
+    #    admin-profile-name = ["admin"]
+    #    editor-profile-name = ["write"]
+    #    reader-profile-name = ["read"]
+    #  }
+    #}
+
+    mapper = simple
+    attributes {
+      login = "user"
+      name = "name"
+      roles = "roles"
+      organization = "org"
+    }
+    defaultRoles = ["read", "analyze"]
+    defaultOrganization = "uninett.no"
+  }
 }

 ## ANALYZERS

--- a/roles/keycloak/tasks/start.yml
+++ b/roles/keycloak/tasks/start.yml
@@ -91,6 +91,13 @@
      local:  "{{playbook_dir}}/secrets/tokens/kibanasecret"
    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/mispsecret"
      local:  "{{playbook_dir}}/secrets/tokens/mispsecret"
+    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/thehivesecret"
+      local:  "{{playbook_dir}}/secrets/tokens/thehivesecret"
+    - remote: "{{ ansible_facts.env['JBOSS_HOME'] }}/cortexsecret"
+      local:  "{{playbook_dir}}/secrets/tokens/cortexsecret"

 - name: Set Autostart for supervisord's services
-  shell: "sed -i 's/autostart=false/autostart=true/g' /etc/supervisord.conf"
+  replace:
+    path: /etc/supervisord.conf
+    regexp: '^autostart=false$'
+    replace: 'autostart=true'
--- a/roles/keycloak/templates/initkeycloakrealm.sh.j2
+++ b/roles/keycloak/templates/initkeycloakrealm.sh.j2
@@ -31,6 +31,12 @@ kcadm.sh get realms/{{openid_realm}}/clients/${KIBANACLIENT}/client-secret --fie
 MISPCLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-misp","protocol":"openid-connect","clientAuthenticatorType": "client-secret","rootUrl": "https://{{soctoolsproxy}}:6443","adminUrl": "","redirectUris": ["https://{{soctoolsproxy}}:6443/users/login/keycloak"],"webOrigins": [], "publicClient": false }')
 kcadm.sh get realms/{{openid_realm}}/clients/${MISPCLIENT}/client-secret --fields value > /opt/jboss/keycloak/mispsecret

+THEHIVECLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-thehive","protocol":"openid-connect","clientAuthenticatorType": "client-secret","adminUrl": "","redirectUris": ["https://{{soctoolsproxy}}:9000/api/ssoLogin"],"webOrigins": [], "publicClient": false }')
+kcadm.sh get realms/{{openid_realm}}/clients/${THEHIVECLIENT}/client-secret --fields value > /opt/jboss/keycloak/thehivesecret
+
+CORTEXCLIENT=$(kcadm.sh create realms/{{openid_realm}}/clients -i -b '{"enabled":true, "clientId":"soctools-cortex","protocol":"openid-connect","clientAuthenticatorType": "client-secret","adminUrl": "","redirectUris": ["https://{{soctoolsproxy}}:9001/api/ssoLogin"],"webOrigins": [], "publicClient": false }')
+kcadm.sh get realms/{{openid_realm}}/clients/${CORTEXCLIENT}/client-secret --fields value > /opt/jboss/keycloak/cortexsecret
+
 kcadm.sh config truststore --delete

 exec 1>&6 6>&-

--- a/roles/odfekibana/files/env.js.j2
+++ b/roles/odfekibana/files/env.js.j2
 // Default plugin configuration
-export const THEHIVE_URL = '{{THEHIVE_URL}}';
-export const THEHIVE_API_KEY = '{{THEHIVE_API_KEY}}';
-export const THEHIVE_OWNER = '{{THEHIVE_OWNER}}'; // default owner account of the created cases
+export const THEHIVE_URL = 'https://{{soctoolsproxy}}:9000';
+export const THEHIVE_API_KEY = '{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_kibana_secret_key')}}';
+export const THEHIVE_OWNER = '{{THEHIVE_KIBANA_USER.username}}'; // default owner account of the created cases
--- a/roles/odfekibana/tasks/start.yml
+++ b/roles/odfekibana/tasks/start.yml
@@ -126,6 +126,7 @@
          -k --user admin:{{lookup("password", "{{playbook_dir}}/secrets/passwords/odfees_adminpass")}} \
          -H "kbn-xsrf: reporting" -H "Content-Type: multipart/form-data" \
          -F "file=@/tmp/kibana_graphs.ndjson"'
+  ignore_errors: True

 - name: Copy role modification json to container
  remote_user: kibana

--- a/roles/thehive/tasks/adminuser.yml
+++ b/roles/thehive/tasks/adminuser.yml
+---
+
+- name: copy json file for admin user
+  remote_user: root
+  template:
+    src: admin.json
+    dest: /tmp/admin.json
+
+- name: get admin user id
+  remote_user: root
+  shell: "curl -X POST http://127.0.0.1:9000/api/login -b /tmp/cookie.txt -c /tmp/cookie.txt -H 'Content-Type: application/json' -d @/tmp/admin.json | cut -d\\\" -f4"
+  register: adminuser
+  args:
+    warn: false
+
+- set_fact:
+    adminuserid={{ adminuser.stdout }}
+
+- name: create admin user API KEY
+  shell: "curl -X POST http://127.0.0.1:9000/api/v1/user/{{ adminuserid }}/key/renew -b /tmp/cookie.txt -c /tmp/cookie.txt 2> /dev/null | tee /tmp/thehive_secret_key"
+  register: adminuserkey
+  args:
+    warn: false
+
+- set_fact:
+    adminuserapikey={{ adminuserkey.stdout }}
+
+- name: copy API key to local file
+  local_action: copy content="{{adminuserapikey}}" dest=secrets/tokens/thehive_secret_key
+
+- name: copy json file for admin pass
+  remote_user: root
+  template:
+    src: adminpass.json
+    dest: /tmp/adminpass.json
+
+- name: change password for admin user
+  shell: "curl -X POST http://127.0.0.1:9000/api/v1/user/{{ adminuserid }}/password/set -b /tmp/cookie.txt -c /tmp/cookie.txt -H 'Content-Type: application/json' -d @/tmp/adminpass.json"
+  args:
+    warn: false
--- a/roles/thehive/tasks/createusers.yml
+++ b/roles/thehive/tasks/createusers.yml
+---
+
+- name: generate json files for creating users
+  remote_user: root
+  template:
+    src: users.json
+    dest: /tmp/{{ item.username }}.json
+  with_items:
+    - "{{ THEHIVE_USERS }}"
+
+- name: create users
+  remote_user: root
+  shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/{{ item.username}}.json"
+  args:
+    warn: false
+  with_items:
+    - "{{ THEHIVE_USERS }}"
--- a/roles/thehive/tasks/kibanauser.yml
+++ b/roles/thehive/tasks/kibanauser.yml
+---
+
+- name: generate json file for kibana user
+  remote_user: root
+  template:
+    src: kibanauser.json
+    dest: /tmp/kibanauser.json
+
+- name: create kibana user
+  remote_user: root
+  shell: "curl -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/user -d @/tmp/kibanauser.json | cut -d\\\" -f4"
+  register: kibanauser
+  args:
+    warn: false
+
+- set_fact:
+    kibanauserid={{ kibanauser.stdout }}
+
+- name: create API key for kibana user
+  remote_user: root
+  shell: "curl -XPOST -H 'Authorization: Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}' -H 'Content-Type: application/json' http://127.0.0.1:9000/api/v1/user/{{kibanauser.stdout}}/key/renew 2> /dev/null | tee /tmp/kibanaapikey"
+  register: kibanaapikey
+  args:
+    warn: false
+
+- set_fact:
+    kibanauserapikey={{ kibanaapikey.stdout }}
+
+- name: copy API key to local file
+  local_action: copy content="{{kibanauserapikey}}" dest=secrets/tokens/thehive_kibana_secret_key
+
--- a/roles/thehive/tasks/main.yml
+++ b/roles/thehive/tasks/main.yml
@@ -3,6 +3,20 @@
 - include: start.yml
  tags:
   - start
+- include: adminuser.yml
+  tags:
+   - start
+- include: organization.yml
+  tags:
+   - start
+- include: kibanauser.yml
+  tags:
+   - start
+- include: createusers.yml
+  tags:
+   - start
+   - create-thehive-users
+   - createusers
 - include: stop.yml
  tags:
   - stop

--- a/roles/thehive/tasks/organization.yml
+++ b/roles/thehive/tasks/organization.yml
+---
+
+- name: create organisation
+  uri:
+    url: "http://127.0.0.1:9000/api/organisation"
+    method: POST
+    headers:
+      Authorization: "Bearer {{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"
+    body_format: form-urlencoded
+    body:
+      name: "{{ THEHIVE_ORGANIZATION }}"
+      description: "{{ THEHIVE_ORGANIZATION }}"
+    status_code: 201
+  ignore_errors: True
+
--- a/roles/thehive/tasks/start.yml
+++ b/roles/thehive/tasks/start.yml
 ---

+- name: Copy cacert to ca-trust dir
+  remote_user: root
+  copy:
+    src: "{{playbook_dir}}/secrets/CA/ca.crt"
+    dest: /etc/pki/ca-trust/source/anchors/ca.crt
+
+- name: Install cacert to root truststore
+  remote_user: root
+  command: "update-ca-trust"
+
+- name: Copy certificate in thehive conf dir
+  copy:
+    src:  "{{playbook_dir}}/secrets/CA/issued/{{ inventory_hostname }}.crt"
+    dest: "/etc/thehive/{{ inventory_hostname }}.crt"
+    mode: 0600
+
+- name: Copy certificate key in thehive conf dir
+  copy:
+    src:  "{{playbook_dir}}/secrets/CA/private/{{ inventory_hostname }}.key"
+    dest: "/etc/thehive/{{ inventory_hostname }}.key"
+    mode: 0600
+
+- name: Copy CA certificates in thehive conf dir
+  copy:
+    src:  "{{playbook_dir}}/secrets/CA/{{ item }}"
+    dest: "/etc/thehive/{{ item }}"
+    mode: 0600
+  with_items:
+    - "cacerts.jks"
+    - "ca.crt"
+
+- name: Get openid authkey
+  set_fact:
+    thehivesecret: "{{lookup('file', '{{playbook_dir}}/secrets/tokens/thehivesecret',convert_data=False) | from_json}}"
+
 - name: Configure TheHive
  remote_user: thehive
  template:

--- a/roles/thehive/templates/admin.json
+++ b/roles/thehive/templates/admin.json
+{"user":"admin@thehive.local","password":"secret"}
--- a/roles/thehive/templates/adminpass.json
+++ b/roles/thehive/templates/adminpass.json
+{"password":"{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_adminpass')}}"}
--- a/roles/thehive/templates/application.conf.j2
+++ b/roles/thehive/templates/application.conf.j2
@@ -5,7 +5,7 @@
 ## Include Play secret key
 # More information on secret key at https://www.playframework.com/documentation/2.8.x/ApplicationSecret
 #include "/etc/thehive/secret.conf"
-play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/passwords/thehive_secret_key')}}"
+play.http.secret.key="{{lookup('password', '{{playbook_dir}}/secrets/tokens/thehive_secret_key')}}"

 ## Database configuration
 db.janusgraph {
@@ -13,7 +13,7 @@ db.janusgraph {
    ## Cassandra configuration
    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
    backend: cql
-    hostname: ["{{groups['cassandra'][0]}}.{{soctools_netname}}"]
+    hostname: ["{{groups['cassandra'][0]}}.{{soctools_netname}}:9042"]
    # Cassandra authentication (if configured)
    // username: "thehive"
    // password: "password"
@@ -47,17 +47,61 @@ storage {

 ## Authentication configuration
 # More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Authentication.md
-//auth {
-//  providers: [
+auth {
+  providers: [
 //    {name: session}               # required !
 //    {name: basic, realm: thehive}
 //    {name: local}
 //    {name: key}
-//  ]
+    {name: session}               # required !
+    {name: basic, realm: thehive}
+    {name: local}
+    {name: key}    
+    {
+      name: oauth2
+      clientId: "soctools-thehive"
+      clientSecret: {{thehivesecret.value}}
+      redirectUri: "https://{{soctoolsproxy}}:9000/api/ssoLogin"
+      responseType: "code"
+      grantType: "authorization_code"
+      authorizationUrl: "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/auth"
+      authorizationHeader: "Bearer"
+      tokenUrl: "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/token"
+      userUrl: "https://{{soctoolsproxy}}:12443/auth/realms/{{openid_realm}}/protocol/openid-connect/userinfo"
+//      scope: ["openid", "email"]
+      scope: ["openid"]
+      userIdField: "email"
+//      userIdField: "name"
+    }
+  ]
+  sso {
+    autocreate: true
+    autoupdate: true
+    autologin: true
+    mapper: "simple"
+//    attributes {
+//     login: "login"
+//      name: "name"
+//      roles: "role"
+//    }
+    defaultRoles: ["read", "write", "admin"]
+    defaultOrganization: "uninett.no"
+//    defaultOrganization: "demo"
+  } 
+  ws.ssl.trustManager {
+    stores = [
+      {
+        type: "JKS" // JKS or PEM
+        path: "cacerts.jks"
+        password: "{{lookup('password', '{{playbook_dir}}/secrets/passwords/truststore')}}"
+      }
+    ]
+  }
 # The format of logins must be valid email address format. If the provided login doesn't contain `@` the following
 # domain is automatically appended
-//  defaultUserDomain: "thehive.local"
-//}
+  defaultUserDomain: "uninett.no"
+#  defaultUserDomain: "thehive.local"
+}

 ## CORTEX configuration
 # More information at https://github.com/TheHive-Project/TheHiveDocs/TheHive4/Administration/Connectors.md

--- a/roles/thehive/templates/kibanauser.json
+++ b/roles/thehive/templates/kibanauser.json
+{
+  "login": "{{ THEHIVE_KIBANA_USER.username }}",
+  "name": "{{ THEHIVE_KIBANA_USER.name }} {{ THEHIVE_KIBANA_USER.surname }}",
+  "roles": {{ THEHIVE_KIBANA_USER.roles }},
+  "organisation": "{{ THEHIVE_ORGANIZATION }}"
+}
--- a/roles/thehive/templates/users.json
+++ b/roles/thehive/templates/users.json
+{
+  "login": "{{ item.username }}",
+  "name": "{{ item.name }} {{ item.surname }}",
+  "roles": {{ item.roles }},
+  "organisation": "{{ THEHIVE_ORGANIZATION }}"
+}
--- a/soctools.yml
+++ b/soctools.yml
@@ -15,3 +15,7 @@
 - name: restart soctools cluster servics
  import_playbook: restart-soctools.yml
  when: "'restart' in ansible_run_tags or 'restart-thehive' in ansible_run_tags or 'restart-keycloak' in ansible_run_tags or 'restart-cortex' in ansible_run_tags or 'restart-haproxy' in ansible_run_tags or 'restart-cassandra' in ansible_run_tags or 'restart-filebeat' in ansible_run_tags or 'restart-misp' in ansible_run_tags or 'restart-mysql' in ansible_run_tags or 'restart-nifi' in ansible_run_tags or 'restart-odfees' in ansible_run_tags or 'restart-odfekibana' in ansible_run_tags"
+
+- name: create thehive users
+  import_playbook: create-thehive-users.yml
+  when: "'create-thehive-users' in ansible_run_tags or 'createusers' in ansible_run_tags"