From b97ff72bc25be80f0817a648f97d750d76a543b4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 18 Dec 2019 14:11:26 -0500
Subject: [PATCH 1/6] fix ssl verify hive_init.sh
---
 salt/hive/thehive/scripts/hive_init.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh
index f726ae229..6c5168a66 100755
--- a/salt/hive/thehive/scripts/hive_init.sh
+++ b/salt/hive/thehive/scripts/hive_init.sh
@@ -16,7 +16,7 @@ hive_init(){
 COUNT=0
 HIVE_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
- curl --output /dev/null --silent --head --fail "https://$HIVE_IP:/thehive"
+ curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP:/thehive"
 if [ $? -eq 0 ]; then
 HIVE_CONNECTED="yes"
 echo "connected!"
From 2b6e2e04656943d1b9b95ee25f50947d0b667f0c Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 18 Dec 2019 21:55:24 -0500
Subject: [PATCH 2/6] Initial changes to add new auth framework
* Changes to evalmode only at this time
* Cleaned up nginx eval config
---
 salt/auth/init.sls | 44 ++++++++++++++++
 salt/common/nginx/nginx.conf.so-eval | 76 +++++++++++++++++-----------
 salt/cyberchef/init.sls | 4 +-
 salt/top.sls | 1 +
 setup/so-setup.sh | 1 +
 5 files changed, 94 insertions(+), 32 deletions(-)
 create mode 100644 salt/auth/init.sls
diff --git a/salt/auth/init.sls b/salt/auth/init.sls
new file mode 100644
index 000000000..45254e177
--- /dev/null
+++ b/salt/auth/init.sls
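Review bot: The new `-k` makes this readiness probe accept any certificate, so the loop will also print "connected!" for whatever answers TLS on `$HIVE_IP`, not only TheHive behind the expected certificate. If the stack already generates its own CA, `--cacert <that CA file>` keeps the check honest at no cost; if it must stay `-k`, a comment such as `# -k: readiness probe only, the certificate is deliberately not validated here` records the trade-off for the next reader. The URL also carries an empty port (`https://$HIVE_IP:/thehive`), which curl tolerates but reads like a leftover; dropping the stray colon makes the intent clearer. The rest of hive_init (counter increment and timeout handling) is outside the hunk.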
@@ -0,0 +1,44 @@ +authdir: + file.directory: + - name: /opt/so/conf/auth + - user: 939 + - group: 939 + - makedirs: True + +authfilesync: + file.recurse: + - name: /opt/so/conf/auth + - source: salt://auth/files + - user: 939 + - group: 939 + - template: jinja + +so-auth-api-image: + cmd.run: + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3 + +so-auth-ui-image: + cmd.run: + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.3 + +so-auth-api: + docker_container.running: + - require: + - so-auth-api-image + - image: docker.io/soshybridhunter/so-auth-api:HH1.1.3 + - hostname: so-auth-api + - name: so-auth-api + - environment: + - BASE_PATH: "/so-auth/api" + - port_bindings: + - 0.0.0.0:5656:5656 + +so-auth-ui: + docker_container.running: + - require: + - so-auth-ui-image + - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.3 + - hostname: so-auth-ui + - name: so-auth-ui + - port_bindings: + - 0.0.0.0:4242:80 diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index b5cf6ef5a..f506499a7 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -58,9 +58,9 @@ http { # } #} server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; } @@ -88,8 +88,8 @@ http { # } location /grafana/ { - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:3000/; + rewrite /grafana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
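Review bot: Both containers are published on `0.0.0.0` (`5656:5656` for the API, `4242:80` for the UI), so the new auth API and login UI are reachable on every host interface over plain HTTP, outside the TLS termination nginx provides for them elsewhere in this commit. Because nginx proxies to `{{ masterip }}:5656` rather than loopback, binding to `127.0.0.1` is not a drop-in change here; at minimum the `firewall` state already listed in `top.sls` should close 4242 and 5656 to anything but the local host, bearing in mind that Docker's own iptables rules can bypass host INPUT rules for published ports. A one-line comment at the top of the file, `# so-auth containers are expected to be reached only through nginx; do not expose 4242/5656 externally`, would make that expectation explicit to whoever edits the port bindings next.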
@@ -100,10 +100,9 @@ http { } location /kibana/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ masterip }}:5601/; + auth_request /so-auth/api/auth/; + rewrite /kibana/(.*) /$1 break; + proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -114,7 +113,7 @@ http { } location /playbook/ { - proxy_pass http://{{ masterip }}:3200/playbook/; + proxy_pass http://{{ masterip }}:3200/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -126,9 +125,8 @@ http { location /navigator/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - proxy_pass http://{{ masterip }}:4200/navigator/; + auth_request /so-auth/api/auth/; + proxy_pass http://{{ masterip }}:4200/navigator/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -139,7 +137,7 @@ http { } location /api/ { - proxy_pass https://{{ masterip }}:8080/api/; + proxy_pass https://{{ masterip }}:8080/api/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Upgrade $http_upgrade; @@ -152,7 +150,7 @@ http { } location /fleet/ { - proxy_pass https://{{ masterip }}:8080/fleet/; + proxy_pass https://{{ masterip }}:8080/fleet/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -163,10 +161,10 @@ http { } location /thehive/ { - proxy_pass http://{{ masterip }}:9000/thehive/; + proxy_pass http://{{ masterip }}:9000/thehive/; proxy_read_timeout 90; proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_http_version 1.1; # this is essential for chunked responses to work proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
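Review bot: `auth_request /so-auth/api/auth/;` is served by the generic `location /so-auth/api/` added later in this commit, which forwards the client's request headers unchanged; nginx issues the auth subrequest without a body but does not clear the original `Content-Length`, so a POST to Kibana would likely leave the auth API waiting for a body that never arrives. The usual remedy is a dedicated location for the subrequest that turns the body off and blanks `Content-Length`, as below; marking it `internal` also keeps browsers from calling the check endpoint directly, unless the login UI itself relies on that path. The `/navigator/` and `/sensoroni/` hunks reuse the same target and would pick the fix up automatically.
```nginx
# auth_request target: the subrequest carries no body, so the client's
# Content-Length must not be forwarded to the auth API.
location = /so-auth/api/auth/ {
    internal;  # drop this line if the login UI calls the endpoint directly
    proxy_pass http://{{ masterip }}:5656/auth/;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Forwarded-Host $host;
}
# … unchanged: existing location /so-auth/api/ for browser calls …
```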
@@ -175,10 +173,10 @@ http { } location /cortex/ { - proxy_pass http://{{ masterip }}:9001/cortex/; + proxy_pass http://{{ masterip }}:9001/cortex/; proxy_read_timeout 90; proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_http_version 1.1; # this is essential for chunked responses to work proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -187,19 +185,19 @@ http { } location /cyberchef/ { - proxy_pass http://{{ masterip }}:9080/; + proxy_pass http://{{ masterip }}:9080/; proxy_read_timeout 90; proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work + proxy_http_version 1.1; # this is essential for chunked responses to work proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; } - + location /soctopus/ { - proxy_pass http://{{ masterip }}:7000/; + proxy_pass http://{{ masterip }}:7000/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -210,17 +208,16 @@ http { } location /sensoroni/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - proxy_pass http://{{ masterip }}:9822/; + auth_request /so-auth/api/auth/; + proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; } 
@@ -237,15 +234,34 @@ http { } location /sensoroniagents/ { - proxy_pass http://{{ masterip }}:9822/; + proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; - } + + location /so-auth/loginpage/ { + proxy_pass http://{{ masterip }}:4242/; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /so-auth/api/ { + proxy_pass http://{{ masterip }}:5656/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + } + + error_page 401 = @error401; + + location @error401 { + add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/"; + return 302 http://{{ masterip }}/so-auth/loginpage/; + } + error_page 404 /404.html; location = /40x.html { } diff --git a/salt/cyberchef/init.sls b/salt/cyberchef/init.sls index 8d33f38d5..ff258c293 100644 --- a/salt/cyberchef/init.sls +++ b/salt/cyberchef/init.sls @@ -42,13 +42,13 @@ cybercheflog: so-cyberchefimage: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.4 + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3 so-cyberchef: docker_container.running: - require: - so-cyberchefimage - - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.4 + - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3 - interactive: True - binds: - /opt/so/saltstack/salt/cyberchef/build:/prod:rw diff --git a/salt/top.sls b/salt/top.sls index 265214216..4a2ccdd2b 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -48,6 +48,7 @@ base: - firewall - master - idstools + - auth {%- if OSQUERY != 0 %} - mysql {%- endif %} diff --git a/setup/so-setup.sh b/setup/so-setup.sh index 6c26783ae..5fa4fa7b7 100644 
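Review bot: The closing brace of `location /sensoroniagents/` is removed (`- }`) and, as far as this hunk shows, nothing re-adds it on the new side, so unless a `}` is restored further down (the server block continues past the hunk) the new `/so-auth/` locations, `error_page 401` and `@error401` end up nested inside `/sensoroniagents/`, where the 401 handler never applies to `/kibana/` and the server block's brace count is off by one; restoring `    }` immediately after the `proxy_set_header Proxy "";` line fixes both. Separately, `@error401` redirects to `http://{{ masterip }}/so-auth/loginpage/` and stores `http://{{ masterip }}$request_uri` in `NSREDIRECT` even though port 80 is a blanket 301 to https, so every login round-trip takes an avoidable plaintext hop; `return 302 https://{{ masterip }}/so-auth/loginpage/;` with the same scheme in the cookie keeps it on TLS, and the cookie should carry `Secure` (plus `HttpOnly` if the UI does not read it from script). A comment above `error_page 401 = @error401;` noting that it exists to turn `auth_request` denials into the login redirect would help the next reader.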
--- a/setup/so-setup.sh +++ b/setup/so-setup.sh @@ -655,6 +655,7 @@ if (whiptail_you_sure) ; then echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX" checkin_at_boot >> $SETUPLOG 2>&1 echo -e "XX\n97\nFinishing touches... \nXXX" + salt-call state.apply auth >> $SETUPLOG 2>&1 filter_unused_nics >> $SETUPLOG 2>&1 network_setup >> $SETUPLOG 2>&1 echo -e "XXX\n98\nVerifying Setup... \nXXX" From ac800782f7d79f97763d7daf69d47089b509e2bd Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 20 Dec 2019 15:34:23 -0500 Subject: [PATCH 3/6] [BUG] Remove unneeded dir from auth salt file Auth no longer needs a volume mount, so remove its directory --- salt/auth/init.sls | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/salt/auth/init.sls b/salt/auth/init.sls index 45254e177..ce9eda44f 100644 --- a/salt/auth/init.sls +++ b/salt/auth/init.sls @@ -1,18 +1,3 @@ -authdir: - file.directory: - - name: /opt/so/conf/auth - - user: 939 - - group: 939 - - makedirs: True - -authfilesync: - file.recurse: - - name: /opt/so/conf/auth - - source: salt://auth/files - - user: 939 - - group: 939 - - template: jinja - so-auth-api-image: cmd.run: - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3 From c7e98f17e14c3656e451fe94a0d16720dd7e9d37 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 31 Dec 2019 17:19:57 -0500 Subject: [PATCH 4/6] Add volume binding to so-auth-api --- salt/auth/init.sls | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/auth/init.sls b/salt/auth/init.sls index ce9eda44f..0d82f6cb9 100644 --- a/salt/auth/init.sls +++ b/salt/auth/init.sls @@ -1,3 +1,10 @@ +so-auth-api-dir: + file.directory: + - name: /opt/so/conf/auth/api + - user: 939 + - group: 939 + - makedirs: True + so-auth-api-image: cmd.run: - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3 
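Review bot: `so-auth-api-dir` is created for uid/gid 939 with no `mode`, so `/opt/so/conf/auth/api` gets the default directory permissions; the next hunk binds it into the container as `/data`, which presumably is where the auth API keeps its credential store, so a `- mode: 750` (or `700`) line next to `- group: 939` would keep other local users from reading it. A short comment, `# backing store for so-auth-api's /data volume; keep it unreadable to other local users`, would also record why the ownership is pinned to 939.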
@@ -15,6 +22,8 @@ so-auth-api: - name: so-auth-api - environment: - BASE_PATH: "/so-auth/api" + - binds: + - /opt/so/conf/auth/api:/data - port_bindings: - 0.0.0.0:5656:5656 From 1bfb8bbea280a4e7067cdba81c1b81c0872a1bd2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 9 Jan 2020 12:20:25 -0500 Subject: [PATCH 5/6] Update SO-Auth version --- salt/auth/init.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/auth/init.sls b/salt/auth/init.sls index 0d82f6cb9..bed7d18d5 100644 --- a/salt/auth/init.sls +++ b/salt/auth/init.sls @@ -7,17 +7,17 @@ so-auth-api-dir: so-auth-api-image: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3 + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.4 so-auth-ui-image: cmd.run: - - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.3 + - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.4 so-auth-api: docker_container.running: - require: - so-auth-api-image - - image: docker.io/soshybridhunter/so-auth-api:HH1.1.3 + - image: docker.io/soshybridhunter/so-auth-api:HH1.1.4 - hostname: so-auth-api - name: so-auth-api - environment: @@ -31,7 +31,7 @@ so-auth-ui: docker_container.running: - require: - so-auth-ui-image - - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.3 + - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.4 - hostname: so-auth-ui - name: so-auth-ui - port_bindings: From 140feb5515a5f7952b82266bab8c4b792378e9ae Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jan 2020 08:58:50 -0500 Subject: [PATCH 6/6] Fix git merge leftovers --- salt/common/nginx/nginx.conf.so-eval | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 5c49c0100..d3e377881 100644 --- a/salt/common/nginx/nginx.conf.so-eval 
+++ b/salt/common/nginx/nginx.conf.so-eval @@ -184,21 +184,6 @@ http { } -<<<<<<< HEAD - location /cyberchef/ { - proxy_pass http://{{ masterip }}:9080/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_http_version 1.1; # this is essential for chunked responses to work - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - - } - -======= ->>>>>>> origin/dev location /soctopus/ { proxy_pass http://{{ masterip }}:7000/; proxy_read_timeout 90;