Initial changes to add new auth framework

* Changes to evalmode only at this time * Cleaned up nginx eval config
2025-12-06 09:12:45 +01:00 · 2019-12-18 21:55:24 -05:00
parent b97ff72bc2
commit 2b6e2e0465
5 changed files with 94 additions and 32 deletions
--- a/salt/auth/init.sls
+++ b/salt/auth/init.sls
@@ -0,0 +1,44 @@
+authdir:
+    file.directory:
+        - name: /opt/so/conf/auth
+        - user: 939
+        - group: 939
+        - makedirs: True
+
+authfilesync:
+    file.recurse:
+        - name: /opt/so/conf/auth
+        - source: salt://auth/files
+        - user: 939
+        - group: 939
+        - template: jinja
+
+so-auth-api-image:
+    cmd.run:
+        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3
+
+so-auth-ui-image:
+    cmd.run:
+        - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.3
+
+so-auth-api:
+    docker_container.running:
+        - require:
+            - so-auth-api-image
+        - image: docker.io/soshybridhunter/so-auth-api:HH1.1.3
+        - hostname: so-auth-api
+        - name: so-auth-api
+        - environment:
+            - BASE_PATH: "/so-auth/api"
+        - port_bindings:
+            - 0.0.0.0:5656:5656
+
+so-auth-ui:
+    docker_container.running:
+        - require:
+            - so-auth-ui-image
+        - image: docker.io/soshybridhunter/so-auth-ui:HH1.1.3
+        - hostname: so-auth-ui
+        - name: so-auth-ui
+        - port_bindings:
+            - 0.0.0.0:4242:80
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -100,8 +100,7 @@ http {
        }

        location /kibana/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          rewrite               /kibana/(.*) /$1 break;
          proxy_pass            http://{{ masterip }}:5601/;
          proxy_read_timeout    90;
@@ -126,8 +125,7 @@ http {


        location /navigator/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          proxy_pass            http://{{ masterip }}:4200/navigator/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
@@ -210,8 +208,7 @@ http {
        }

        location /sensoroni/ {
-          auth_basic            "Security Onion";
-          auth_basic_user_file  /opt/so/conf/nginx/.htpasswd;
+          auth_request          /so-auth/api/auth/;
          proxy_pass            http://{{ masterip }}:9822/;
          proxy_read_timeout    90;
          proxy_connect_timeout 90;
@@ -244,8 +241,27 @@ http {
          proxy_set_header      X-Real-IP $remote_addr;
          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header      Proxy "";
-
        }
+
+        location /so-auth/loginpage/ {
+            proxy_pass          http://{{ masterip }}:4242/;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /so-auth/api/ {
+            proxy_pass          http://{{ masterip }}:5656/;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Host $host;
+        }
+
+        error_page 401 = @error401;
+
+        location @error401 {
+          add_header    Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
+          return        302 http://{{ masterip }}/so-auth/loginpage/;
+        }
+
        error_page 404 /404.html;
            location = /40x.html {
        }
--- a/salt/cyberchef/init.sls
+++ b/salt/cyberchef/init.sls
@@ -42,13 +42,13 @@ cybercheflog:

 so-cyberchefimage:
 cmd.run:
-   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.4
+   - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3

 so-cyberchef:
  docker_container.running:
    - require:
      - so-cyberchefimage
-    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.4
+    - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
    - interactive: True
    - binds:
      - /opt/so/saltstack/salt/cyberchef/build:/prod:rw
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -48,6 +48,7 @@ base:
    - firewall
    - master
    - idstools
+    - auth
    {%- if OSQUERY != 0 %}
    - mysql
    {%- endif %}
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -655,6 +655,7 @@ if (whiptail_you_sure) ; then
      echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
      checkin_at_boot >> $SETUPLOG 2>&1
      echo -e "XX\n97\nFinishing touches... \nXXX"
+      salt-call state.apply auth >> $SETUPLOG 2>&1
      filter_unused_nics >> $SETUPLOG 2>&1
      network_setup >> $SETUPLOG 2>&1
      echo -e "XXX\n98\nVerifying Setup... \nXXX"