From a2c4fce1ef5cab61c02b8e1474ba63c33f97df5b Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 6 Oct 2021 11:53:10 -0400
Subject: [PATCH 1/4] Switch to use state attribute in identities for
 enabling/disabling users

---
 salt/common/tools/sbin/so-user | 34 +++++++++++++++-------------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index f7604d298..41152a570 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -237,8 +237,12 @@ function syncElastic() {
   if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then
     # Append the SOC users 
     echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
-      "from identity_credential_identifiers ici, identity_credentials ic " \
-      "where ici.identity_credential_id=ic.id and instr(ic.config, 'hashed_password') " \
+      "from identity_credential_identifiers ici, identity_credentials ic, identities i " \
+      "where " \
+      "      ici.identity_credential_id=ic.id " \
+      "  and ic.identity_id=i.id " \
+      "  and instr(ic.config, 'hashed_password') " \
+      "  and i.state == 'active' " \
       "order by ici.identifier;" | \
       sqlite3 "$databasePath" | \
       jq -r '.user + ":" + .data.hashed_password' \
@@ -391,24 +395,16 @@ function updateStatus() {
   response=$(curl -Ss -L "${kratosUrl}/identities/$identityId")
   [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
 
-  oldConfig=$(echo "select config from identity_credentials where identity_id='${identityId}';" | sqlite3 "$databasePath")
+  schemaId=$(echo "$response" | jq -r .schema_id)
+  traitBlock=$(echo "$response" | jq -r .traits)
+
+  state="active"
   if [[ "$status" == "locked" ]]; then
-    config=$(echo $oldConfig | sed -e 's/hashed/locked/')
-    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id='${identityId}';" | sqlite3 "$databasePath"
-    [[ $? != 0 ]] && fail "Unable to lock credential record"
-
-    echo "delete from sessions where identity_id='${identityId}';" | sqlite3 "$databasePath"
-    [[ $? != 0 ]] && fail "Unable to invalidate sessions"    
-  else
-    config=$(echo $oldConfig | sed -e 's/locked/hashed/')
-    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id='${identityId}';" | sqlite3 "$databasePath"
-    [[ $? != 0 ]] && fail "Unable to unlock credential record"
-  fi  
-
-  updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url) | del(.created_at) | del(.updated_at)")
-  response=$(curl -Ss -XPUT -L ${kratosUrl}/identities/$identityId -d "$updatedJson")
-  [[ $? != 0 ]] && fail "Unable to mark user as locked"
-
+    state="inactive"
+  fi
+  body="{ \"schema_id\": \"$schemaId\", \"state\": \"$state\", \"traits\": $traitBlock }"
+  response=$(curl -fSsL -XPUT "${kratosUrl}/identities/$identityId" -d "$body")
+  [[ $? != 0 ]] && fail "Unable to update user"
 }
 
 function updateUser() {

From 7d8c8144b030fb03c315f91326a8aa5924dc2123 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 6 Oct 2021 12:52:41 -0400
Subject: [PATCH 2/4] Drop obsolete status trait

---
 salt/common/tools/sbin/so-user | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 41152a570..5471cf932 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -396,7 +396,9 @@ function updateStatus() {
   [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
 
   schemaId=$(echo "$response" | jq -r .schema_id)
-  traitBlock=$(echo "$response" | jq -r .traits)
+
+  # Capture traits and remove obsolete 'status' trait if exists
+  traitBlock=$(echo "$response" | jq -r .traits | grep -v "\"status\":")
 
   state="active"
   if [[ "$status" == "locked" ]]; then

From 62c3afc81dce857d385edebfa09835359358b7c9 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Wed, 6 Oct 2021 15:45:35 -0400
Subject: [PATCH 3/4] Migrate users from locked to inactive during soup

---
 salt/common/tools/sbin/so-user | 20 +++++++++++++++++++-
 salt/common/tools/sbin/soup    |  3 +++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 5471cf932..7ef23ca9b 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -385,6 +385,19 @@ EOF
   fi
 }
 
+function migrateLockedUsers() {
+  # This is a migration function to convert locked users from prior to 2.3.90
+  # to inactive users using the newer Kratos functionality. This should only
+  # find locked users once.
+  lockedEmails=$(curl -s http://localhost:4434/identities | jq -r '.[] | select(.traits.status == "locked") | .traits.email')
+  if [[ -n "$lockedEmails" ]]; then
+    echo "Disabling locked users..."
+    for email in $lockedEmails; do
+      updateStatus "$email" locked
+    done
+  fi
+}
+
 function updateStatus() {
   email=$1
   status=$2
@@ -398,7 +411,7 @@ function updateStatus() {
   schemaId=$(echo "$response" | jq -r .schema_id)
 
   # Capture traits and remove obsolete 'status' trait if exists
-  traitBlock=$(echo "$response" | jq -r .traits | grep -v "\"status\":")
+  traitBlock=$(echo "$response" | jq -c .traits | sed -re 's/,?"status":".*?"//')
 
   state="active"
   if [[ "$status" == "locked" ]]; then
@@ -545,6 +558,11 @@ case "${operation}" in
     echo "Password is acceptable"
     ;;
 
+  "migrate")
+    migrateLockedUsers
+    echo "User migration complete"
+    ;;
+
   *)
     fail "Unsupported operation: $operation"
     ;;
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index caea21866..98c641b6d 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -1037,6 +1037,9 @@ main() {
     echo "Checking sudoers file."
     check_sudoers
 
+    echo "Checking for necessary user migrations."
+    so-user migrate
+
     if [[ -n $lsl_msg ]]; then
       case $lsl_msg in
         'distributed')

From d21dee162dc9a6c70608436c7a09230cefd30ee0 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 8 Oct 2021 12:39:17 -0400
Subject: [PATCH 4/4] Add Note field to user traits; Enforce max length
 restrictions on email, firstname, lastname, and note fields

---
 salt/common/tools/sbin/so-user    |  3 +++
 salt/soc/files/kratos/schema.json | 14 +++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 7ef23ca9b..015a28c9f 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -101,6 +101,9 @@ function validatePassword() {
   if [[ $len -lt 6 ]]; then
     fail "Password does not meet the minimum requirements"
   fi
+  if [[ $len -gt 72 ]]; then
+    fail "Password is too long (max: 72)"
+  fi
   check_password_and_exit "$password"
 }
 
diff --git a/salt/soc/files/kratos/schema.json b/salt/soc/files/kratos/schema.json
index 19ee2197c..782d1b78b 100644
--- a/salt/soc/files/kratos/schema.json
+++ b/salt/soc/files/kratos/schema.json
@@ -12,6 +12,7 @@
           "format": "email",
           "title": "E-Mail",
           "minLength": 6,
+          "maxLength": 100,
           "ory.sh/kratos": {
             "credentials": {
               "password": {
@@ -25,16 +26,19 @@
         },
         "firstName": {
           "type": "string",
-          "title": "First Name"
+          "title": "First Name",
+          "maxLength": 100
         },
         "lastName": {
           "type": "string",
-          "title": "Last Name"
+          "title": "Last Name",
+          "maxLength": 100
         },
-        "status": {
+        "note": {
           "type": "string",
-          "title": "Status"
-        }      
+          "title": "Note",
+          "maxLength": 100
+        }
       },
       "required": [
         "email"