CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Ensure highstate migrates user roles

Browse Source
This commit is contained in:
Jason Ertel
2021-09-18 23:17:49 -04:00
parent 3508f3d8c1
commit 730503b69c
2 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
salt/common/tools/sbin/so-user
View File

@@ -138,7 +138,7 @@ function updatePassword() {
validatePassword "$password" validatePassword "$password"
fi fi
if [[ -n $identityId ]]; then if [[ -n "$identityId" ]]; then
# Generate password hash # Generate password hash
passwordHash=$(hashPassword "$password") passwordHash=$(hashPassword "$password")
# Update DB with new hash # Update DB with new hash
@@ -172,7 +172,7 @@ function ensureRoleFileExists() {
[[ $? != 0 ]] && fail "Unable to read identities from database" [[ $? != 0 ]] && fail "Unable to read identities from database"
echo "The following users have all been migrated with the super user role:" echo "The following users have all been migrated with the super user role:"
cat "${socRolesFile}" cat "${rolesTmpFile}"
else else
echo "Database file does not exist yet, installation is likely not yet complete." echo "Database file does not exist yet, installation is likely not yet complete."
fi fi
@@ -331,7 +331,8 @@ function adjustUserRole() {
grep "$role:" "$socRolesFile" | grep -q "$identityId" && hasRole=1 grep "$role:" "$socRolesFile" | grep -q "$identityId" && hasRole=1
if [[ "$op" == "add" ]]; then if [[ "$op" == "add" ]]; then
if [[ "$hasRole" == "1" ]]; then if [[ "$hasRole" == "1" ]]; then
fail "User '$email' already has the role: $role" echo "User '$email' already has the role: $role"
return 1
else else
echo "$role:$identityId" >> "$filename" echo "$role:$identityId" >> "$filename"
fi fi
@@ -339,11 +340,14 @@ function adjustUserRole() {
if [[ "$hasRole" -ne 1 ]]; then if [[ "$hasRole" -ne 1 ]]; then
fail "User '$email' does not have the role: $role" fail "User '$email' does not have the role: $role"
else else
sed -i "/^$role:$identityId\$/d" "$filename" sed "/^$role:$identityId\$/d" "$filename" > "$filename.tmp"
cat "$filename".tmp > "$filename"
rm -f "$filename".tmp
fi fi
else else
fail "Unsupported role adjustment operation: $op" fail "Unsupported role adjustment operation: $op"
fi fi
return 0
} }
function createUser() { function createUser() {
@@ -370,10 +374,9 @@ EOF
reason=$(echo "${response}" | jq ".error.message") reason=$(echo "${response}" | jq ".error.message")
[[ $? == 0 ]] && fail "Unable to add user: ${reason}" [[ $? == 0 ]] && fail "Unable to add user: ${reason}"
else else
updatePassword "$identityId"
addUserRole "$email" "$role" addUserRole "$email" "$role"
fi fi
updatePassword "$identityId"
} }
function updateStatus() { function updateStatus() {
@@ -457,9 +460,10 @@ case "${operation}" in
lock lock
validateEmail "$email" validateEmail "$email"
addUserRole "$email" "$role" if addUserRole "$email" "$role"; then
syncElastic syncElastic
echo "Successfully added role to user" echo "Successfully added role to user"
fi
;; ;;
"delrole") "delrole")

1
salt/manager/init.sls
View File

@@ -124,6 +124,7 @@ syncesusers:
- creates: - creates:
- /opt/so/saltstack/local/salt/elasticsearch/files/users - /opt/so/saltstack/local/salt/elasticsearch/files/users
- /opt/so/saltstack/local/salt/elasticsearch/files/users_roles - /opt/so/saltstack/local/salt/elasticsearch/files/users_roles
- /opt/so/conf/soc/soc_users_roles
- show_changes: False - show_changes: False
{% else %} {% else %}