connect

salt/docker/defaults.yaml

@@ -55,7 +55,7 @@ docker:
       final_octet: 30
       port_bindings:
         - 0.0.0.0:4444:4444
-        - 0.0.0.0:4454:4445
+        - 0.0.0.0:4445:4445
       custom_bind_mounts: []
       extra_hosts: []
       extra_env: []

salt/hydra/defaults.yaml

@@ -27,6 +27,8 @@ hydra:
           - public
         pairwise:
           salt: ""
-
+    log:
+      level: debug
+      format: json
     sqa:
       opt_out: true

salt/manager/sync_es_users.sls

@@ -16,6 +16,7 @@ sync_es_users:
       - /opt/so/saltstack/local/salt/elasticsearch/files/users
       - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
       - /opt/so/conf/soc/soc_users_roles
+      - /opt/so/conf/soc/soc_client_roles
     - show_changes: False
     - require:
       - docker_container: so-kratos

salt/manager/tools/sbin/so-user

@@ -136,6 +136,7 @@ bcryptRounds=${BCRYPT_ROUNDS:-12}
 elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
 elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles}
 socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_users_roles}
+clientRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_client_roles}
 esUID=${ELASTIC_UID:-930}
 esGID=${ELASTIC_GID:-930}
 soUID=${SOCORE_UID:-939}
@@ -282,6 +283,18 @@ function ensureRoleFileExists() {
     fi
     mv "${rolesTmpFile}" "${socRolesFile}"
   fi
+
+  if [[ ! -f "$clientRolesFile" || ! -s "$clientRolesFile" ]]; then
+    # Generate the new client roles file
+    rolesTmpFile="${clientRolesFile}.tmp"
+    createFile "$rolesTmpFile" "$soUID" "$soGID"
+
+    if [[ -d "$clientRolesFile" ]]; then
+      echo "Removing invalid roles directory created by Docker"
+      rm -fr "$clientRolesFile"
+    fi
+    mv "${rolesTmpFile}" "${clientRolesFile}"
+  fi
 }
 
 function syncElasticSystemUser() {
@@ -374,6 +387,9 @@ function syncElastic() {
       [[ $? != 0 ]] && fail "Unable to read role identities from database"
     done < "$socRolesFile"
 
+    # Append the client roles
+    cat "$clientRolesFile" >> "$rolesTmpFile"
+
   else
     echo "Database file or soc roles file does not exist yet, skipping users export"
   fi

salt/manager/tools/sbin/soup

@@ -726,12 +726,17 @@ add_hydra_pillars() {
   chmod 660 /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
   touch /opt/so/saltstack/local/pillar/hydra/adv_hydra.sls
   HYDRAKEY=$(get_random_value)
+  HYDRASALT=$(get_random_value)
 	printf '%s\n'\
 		"hydra:"\
 		"  config:"\
 		"    secrets:"\
 		"      system:"\
 		"        - '$HYDRAKEY'"\
+    "    oidc:"\
+    "        subject_identifiers:"\
+    "            pairwise:"\
+    "                salt: '$HYDRASALT'"\
 		"" > /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls
 }
 

salt/soc/defaults.yaml

@@ -1318,6 +1318,8 @@ soc:
           jobDir: jobs
         kratos:
           hostUrl:
+        hydra:
+          hostUrl:
         elastalertengine:
           aiRepoUrl: https://github.com/Security-Onion-Solutions/securityonion-resources
           aiRepoBranch: generated-summaries-published

salt/soc/enabled.sls

@@ -44,6 +44,7 @@ so-soc:
       - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro
       - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
       - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
+      - /opt/so/conf/soc/soc_client_roles:/opt/sensoroni/rbac/client_roles:rw
       - /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw
       - /opt/so/saltstack:/opt/so/saltstack:rw
       - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw

salt/soc/files/bin/salt-relay.sh

@@ -97,7 +97,7 @@ function manage_user() {
         response=$(echo "$password" | so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync)
         exit_code=$?
         ;;
-      add|enable|disable|delete)
+      enable|disable|delete)
         email=$(echo "$request" | jq -r .email)
         log "Performing user '$op' for user '$email'"
         response=$(so-user "$op" --email "$email" --skip-sync)
@@ -155,6 +155,82 @@ function manage_user() {
   fi
 }
 
+function manage_client() {
+  id=$1
+  request=$2
+  op=$(echo "$request" | jq -r .operation)
+
+  webResponse="true"
+  max_tries=10
+  tries=0
+  while [[ $tries -lt $max_tries ]]; do
+    case "$op" in
+      add)
+        role=$(echo "$request" | jq -r .role)
+        name=$(echo "$request" | jq -r .name)
+        note=$(echo "$request" | jq -r .note)
+        log "Performing client '$op' for client with name '$name', note '$note' and role '$role'"
+        response=$(so-client "$op" --name "$name" --note "$note" --role "$role" --skip-sync)
+        webResponse=$resposne
+        exit_code=$?
+        ;;
+      delete)
+        id=$(echo "$request" | jq -r .id)
+        log "Performing client '$op' for client '$id'"
+        response=$(so-client "$op" --id "$id" --skip-sync)
+        exit_code=$?
+        ;;
+      addrole|delrole)
+        id=$(echo "$request" | jq -r .id)
+        role=$(echo "$request" | jq -r .role)
+        log "Performing '$op' for client '$id' with role '$role'"
+        response=$(so-client "$op" --id "$id" --role "$role" --skip-sync)
+        exit_code=$?
+        ;;
+      generate-secret)
+        id=$(echo "$request" | jq -r .id)
+        log "Performing '$op' operation for client '$id'"
+        response=$(so-client "$op" --id "$id" --skip-sync)
+        webResponse=$response
+        exit_code=$?
+        ;;
+      update)
+        id=$(echo "$request" | jq -r .id)
+        name=$(echo "$request" | jq -r .name)
+        note=$(echo "$request" | jq -r .note)
+        log "Performing '$op' update for client '$id' with name '$name', and note '$note'"
+        response=$(so-client "$op" --id "$id" --name "$name" --note "$note")
+        exit_code=$?
+        ;;
+      sync)
+        log "Performing '$op'"
+        response=$(so-user "$op")
+        exit_code=$?
+        ;;
+      *)
+        response="Unsupported client operation: $op"
+        exit_code=1
+        ;;
+    esac
+
+    tries=$((tries+1))
+    if [[ "$response" == "Another process is using so-user"* ]]; then
+      log "Retrying after brief delay to let so-user unlock ($tries/$max_tries)"
+      sleep 5
+    else
+      break
+    fi
+  done
+
+  if [[ exit_code -eq 0 ]]; then
+    log "Successful command execution"
+    respond "$id" "$webResponse"
+  else
+    log "Unsuccessful command execution: $response ($exit_code)"
+    respond "$id" "false"
+  fi
+}
+
 function manage_salt() {
   id=$1
   request=$2

salt/vars/globals.map.jinja

@@ -53,6 +53,7 @@
 {%
   do GLOBALS.update({
     'application_urls': {
+      'hydra': 'http://' ~ GLOBALS.manager ~ ':4445/',
       'kratos': 'http://' ~ GLOBALS.manager ~ ':4434/',
       'elastic': 'https://' ~ GLOBALS.manager ~ ':9200/',
       'influxdb': 'https://' ~ GLOBALS.manager ~ ':8086/'

setup/so-functions

@@ -1110,6 +1110,7 @@ generate_passwords(){
   SENSORONIKEY=$(get_random_value)
   KRATOSKEY=$(get_random_value)
   HYDRAKEY=$(get_random_value)
+  HYDRASALT=$(get_random_value)
   REDISPASS=$(get_random_value)
   SOCSRVKEY=$(get_random_value 64)
   IMPORTPASS=$(get_random_value)
@@ -1308,12 +1309,18 @@ kratos_pillar() {
 hydra_pillar() {
 	title "Create the Hydra pillar file"
 	touch $adv_hydra_pillar_file
+	touch $hydra_pillar_file
+	chmod 660 $hydra_pillar_file
 	printf '%s\n'\
 		"hydra:"\
 		"  config:"\
 		"    secrets:"\
 		"      system:"\
 		"        - '$HYDRAKEY'"\
+        "    oidc:"\
+        "        subject_identifiers:"\
+        "            pairwise:"\
+        "                salt: '$HYDRASALT'"\
 		"" > "$hydra_pillar_file"
 }