Merge pull request #8822 from Security-Onion-Solutions/config

user management / sync
2026-05-01 08:58:05 +02:00 · 2022-09-27 11:14:32 -04:00
parent 004fa8167e 53b4f01921
commit 16d24d4bc9
7 changed files with 287 additions and 42 deletions
@@ -37,11 +37,11 @@ function list_minions() {
 }

 function manage_minion() {
-  command=$1
-  op=$2
-  minion=$3
-  
-  response=$(so-minion "-o=$op" "-m=$minion")
+  request=$1
+  op=$(echo "$request" | jq -r .operation)
+  id=$(echo "$request" | jq -r .id)
+
+  response=$(so-minion "-o=$op" "-m=$id")
  exit_code=$?
  if [[ exit_code -eq 0 ]]; then
    log "Successful command execution"
@@ -52,21 +52,135 @@ function manage_minion() {
  fi
 }

+function manage_user() {
+  request=$1
+  op=$(echo "$request" | jq -r .operation)
+
+  case "$op" in
+    add)
+      email=$(echo "$request" | jq -r .email)
+      password=$(echo "$request" | jq -r .password)
+      role=$(echo "$request" | jq -r .role)
+      firstName=$(echo "$request" | jq -r .firstName)
+      lastName=$(echo "$request" | jq -r .lastName)
+      note=$(echo "$request" | jq -r .note)
+      log "Performing user '$op' for user '$email' with firstname '$firstName', lastname '$lastName', note '$note' and role '$role'"
+      response=$(echo "$password" | so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync)
+      exit_code=$?
+      ;;
+    add|enable|disable|delete)
+      email=$(echo "$request" | jq -r .email)
+      log "Performing user '$op' for user '$email'"
+      response=$(so-user "$op" --email "$email" --skip-sync)
+      exit_code=$?
+      ;;
+    addrole|delrole)
+      email=$(echo "$request" | jq -r .email)
+      role=$(echo "$request" | jq -r .role)
+      log "Performing '$op' for user '$email' with role '$role'"
+      response=$(so-user "$op" --email "$email" --role "$role" --skip-sync)
+      exit_code=$?
+      ;;
+    password)
+      email=$(echo "$request" | jq -r .email)
+      password=$(echo "$request" | jq -r .password)
+      log "Performing '$op' operation for user '$email'"
+      response=$(echo "$password" | so-user "$op" --email "$email" --skip-sync)
+      exit_code=$?
+      ;;
+    profile)
+      email=$(echo "$request" | jq -r .email)
+      firstName=$(echo "$request" | jq -r .firstName)
+      lastName=$(echo "$request" | jq -r .lastName)
+      note=$(echo "$request" | jq -r .note)
+      log "Performing '$op' update for user '$email' with firstname '$firstName', lastname '$lastName', and note '$note'"
+      response=$(so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note")
+      exit_code=$?
+      ;;
+    sync)
+      log "Performing '$op'"
+      response=$(so-user "$op")
+      exit_code=$?
+      ;;
+    *)
+      response="Unsupported user operation: $op"
+      exit_code=1
+      ;;
+  esac
+
+  if [[ exit_code -eq 0 ]]; then
+    log "Successful command execution"
+    $(echo "true" > "${SOC_PIPE}")
+  else
+    log "Unsuccessful command execution: $response ($exit_code)"
+    $(echo "false" > "${SOC_PIPE}")
+  fi
+}
+
+function manage_salt() {
+  request=$1
+  op=$(echo "$request" | jq -r .operation)
+  minion=$(echo "$request" | jq -r .minion)
+  if [[ -s $minion || "$minion" == "null" ]]; then
+    minion=$(cat /etc/salt/minion | grep "id:" | awk '{print $2}' | sed "s/'//g")
+  fi
+
+  case "$op" in
+    state)
+      log "Performing '$op' for '$state' on minion '$minion'"
+      state=$(echo "$request" | jq -r .state)
+      response=$(salt --async "$minion" state.apply "$state" queue=True)
+      exit_code=$?
+      ;;
+    highstate)
+      log "Performing '$op' on minion $minion"
+      response=$(salt --async "$minion" state.highstate queue=True)
+      exit_code=$?
+      ;;
+    activejobs)
+      log "Querying active salt jobs"
+      response=$(salt-run jobs.active -out json -l quiet)
+      $(echo "$response" > "${SOC_PIPE}")
+      return
+      ;;
+    *)
+      response="Unsupported salt operation: $op"
+      exit_code=1
+      ;;
+  esac
+
+  if [[ exit_code -eq 0 ]]; then
+    log "Successful command execution"
+    $(echo "true" > "${SOC_PIPE}")
+  else
+    log "Unsuccessful command execution: $response ($exit_code)"
+    $(echo "false" > "${SOC_PIPE}")
+  fi
+}
+
 while true; do
  log "Listening for request"
  request=$(cat ${SOC_PIPE})
  if [[ "$request" != "" ]]; then
-    log "Received request: ${request}"
-    case "$request" in
+    command=$(echo "$request" | jq -r .command)
+    log "Received request; command=${command}"
+    case "$command" in
      list-minions)
        list_minions
        ;;
-      manage-minion*)
-        manage_minion ${request}
+      manage-minion)
+        manage_minion "${request}"
+        ;;
+      manage-user)
+        manage_user "${request}"
+        ;;
+      manage-salt)
+        manage_salt "${request}"
        ;;
      *)
-        log "Unsupported command: $request"
+        log "Unsupported command: $command"
        $(echo "false" > "${SOC_PIPE}")
+        ;;
    esac

    # allow remote reader to get a clean reader before we try to read again on next loop