connect
@@ -45,6 +45,7 @@ function usage() {
|
|||||||
--id <id>
|
--id <id>
|
||||||
--name <name>
|
--name <name>
|
||||||
--note <note>
|
--note <note>
|
||||||
|
--searchusername <run-as username>
|
||||||
|
|
||||||
generate-secret: Regenerates a client's secret and outputs the new secret.
|
generate-secret: Regenerates a client's secret and outputs the new secret.
|
||||||
Required parameters:
|
Required parameters:
|
||||||
@@ -84,7 +85,12 @@ while [[ $# -gt 0 ]]; do
|
|||||||
;;
|
;;
|
||||||
--note)
|
--note)
|
||||||
note=$1
|
note=$1
|
||||||
[[ ${#note} -gt 50 ]] && fail "note cannot be longer than 500 characters"
|
[[ ${#note} -gt 100 ]] && fail "note cannot be longer than 100 characters"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--searchusername)
|
||||||
|
searchusername=$1
|
||||||
|
[[ ${#searchusername} -gt 50 ]] && fail "search username cannot be longer than 50 characters"
|
||||||
shift
|
shift
|
||||||
;;
|
;;
|
||||||
--json)
|
--json)
|
||||||
@@ -199,7 +205,7 @@ function adjustClientPermission() {
|
|||||||
echo "$perm:$identityId" >> "$filename"
|
echo "$perm:$identityId" >> "$filename"
|
||||||
fi
|
fi
|
||||||
elif [[ "$op" == "del" ]]; then
|
elif [[ "$op" == "del" ]]; then
|
||||||
if [[ "$hasPermission" -ne 1 ]]; then
|
if [[ "$hasPerm" -ne 1 ]]; then
|
||||||
fail "Client '$identityId' does not have the permission: $perm"
|
fail "Client '$identityId' does not have the permission: $perm"
|
||||||
else
|
else
|
||||||
sed -e "\!^$perm:$identityId\$!d" "$filename" > "$filename.tmp"
|
sed -e "\!^$perm:$identityId\$!d" "$filename" > "$filename.tmp"
|
||||||
@@ -328,7 +334,7 @@ case "${operation}" in
|
|||||||
if [[ "$json" == "1" ]]; then
|
if [[ "$json" == "1" ]]; then
|
||||||
echo "{\"id\":\"$id\",\"secret\":\"$secret\"}"
|
echo "{\"id\":\"$id\",\"secret\":\"$secret\"}"
|
||||||
else
|
else
|
||||||
echo "Successfully added user ID $id with generated secret: $secret"
|
echo "Successfully added client ID $id with generated secret: $secret"
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
|
||||||
@@ -363,9 +369,10 @@ case "${operation}" in
|
|||||||
[[ "$id" == "" ]] && fail "Id must be provided"
|
[[ "$id" == "" ]] && fail "Id must be provided"
|
||||||
[[ "$name" == "" ]] && fail "Name must be provided"
|
[[ "$name" == "" ]] && fail "Name must be provided"
|
||||||
[[ "$note" == "" ]] && fail "Note must be provided"
|
[[ "$note" == "" ]] && fail "Note must be provided"
|
||||||
|
[[ "$searchusername" == "" ]] && fail "Search Username must be provided"
|
||||||
|
|
||||||
lock
|
lock
|
||||||
update "$id" "$name" "$note"
|
update "$id" "$name" "$note" "$searchusername"
|
||||||
echo "Successfully updated client"
|
echo "Successfully updated client"
|
||||||
;;
|
;;
|
||||||
|
|
||||||
@@ -388,7 +395,7 @@ case "${operation}" in
|
|||||||
|
|
||||||
lock
|
lock
|
||||||
deleteClient "$id"
|
deleteClient "$id"
|
||||||
echo "Successfully deleted client. Run 'so-user sync' to sync with Elasticsearch."
|
echo "Successfully deleted client."
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
fail "Unsupported operation: $operation"
|
fail "Unsupported operation: $operation"
|
||||||
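Review bot: The new `--searchusername` branch in the argument loop (the `@@ -84,7 +85,12 @@` hunk) only bounds the length of the value; the usage text describes it as a run-as username that `update` persists and presumably hands to the search backend, so a character-set check next to the length check would be worth adding, along the lines of `[[ "$searchusername" =~ ^[A-Za-z0-9@._-]+$ ]] || fail "search username contains invalid characters"` (adjust the class to whatever the backend accepts). The `update` function that receives the fourth argument added in the `@@ -363,9 +369,10 @@` hunk is outside this diff, so I cannot see whether it escapes the value before storing it. The `add` path in the `@@ -328,7 +334,7 @@` hunk shows no corresponding required-parameter check for `--searchusername`, so if `add` also stores a run-as user it is worth confirming the same validation applies there.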
|
|||||||
@@ -136,7 +136,6 @@ bcryptRounds=${BCRYPT_ROUNDS:-12}
|
|||||||
elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
|
elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
|
||||||
elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles}
|
elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles}
|
||||||
socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_users_roles}
|
socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_users_roles}
|
||||||
clientRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_clients_roles}
|
|
||||||
esUID=${ELASTIC_UID:-930}
|
esUID=${ELASTIC_UID:-930}
|
||||||
esGID=${ELASTIC_GID:-930}
|
esGID=${ELASTIC_GID:-930}
|
||||||
soUID=${SOCORE_UID:-939}
|
soUID=${SOCORE_UID:-939}
|
||||||
@@ -283,18 +282,6 @@ function ensureRoleFileExists() {
|
|||||||
fi
|
fi
|
||||||
mv "${rolesTmpFile}" "${socRolesFile}"
|
mv "${rolesTmpFile}" "${socRolesFile}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ ! -f "$clientRolesFile" || ! -s "$clientRolesFile" ]]; then
|
|
||||||
# Generate the new client roles file
|
|
||||||
rolesTmpFile="${clientRolesFile}.tmp"
|
|
||||||
createFile "$rolesTmpFile" "$soUID" "$soGID"
|
|
||||||
|
|
||||||
if [[ -d "$clientRolesFile" ]]; then
|
|
||||||
echo "Removing invalid roles directory created by Docker"
|
|
||||||
rm -fr "$clientRolesFile"
|
|
||||||
fi
|
|
||||||
mv "${rolesTmpFile}" "${clientRolesFile}"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function syncElasticSystemUser() {
|
function syncElasticSystemUser() {
|
||||||
@@ -370,7 +357,6 @@ function syncElastic() {
|
|||||||
random_crypt=$(get_random_value 53)
|
random_crypt=$(get_random_value 53)
|
||||||
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
|
user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "${user_data_formatted}" >> "$usersTmpFile"
|
echo "${user_data_formatted}" >> "$usersTmpFile"
|
||||||
|
|
||||||
# Append the user roles
|
# Append the user roles
|
||||||
@@ -386,10 +372,6 @@ function syncElastic() {
|
|||||||
sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" >> "$rolesTmpFile"
|
sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" >> "$rolesTmpFile"
|
||||||
[[ $? != 0 ]] && fail "Unable to read role identities from database"
|
[[ $? != 0 ]] && fail "Unable to read role identities from database"
|
||||||
done < "$socRolesFile"
|
done < "$socRolesFile"
|
||||||
|
|
||||||
# Append the client roles
|
|
||||||
cat "$clientRolesFile" >> "$rolesTmpFile"
|
|
||||||
|
|
||||||
else
|
else
|
||||||
echo "Database file or soc roles file does not exist yet, skipping users export"
|
echo "Database file or soc roles file does not exist yet, skipping users export"
|
||||||
fi
|
fi
|
||||||
|
|||||||
@@ -197,13 +197,9 @@ function manage_client() {
|
|||||||
client_id=$(echo "$request" | jq -r .id)
|
client_id=$(echo "$request" | jq -r .id)
|
||||||
name=$(echo "$request" | jq -r .name)
|
name=$(echo "$request" | jq -r .name)
|
||||||
note=$(echo "$request" | jq -r .note)
|
note=$(echo "$request" | jq -r .note)
|
||||||
log "Performing '$op' update for client '$client_id' with name '$name', and note '$note'"
|
searchusername=$(echo "$request" | jq -r .searchusername)
|
||||||
response=$(so-client "$op" --id "$client_id" --name "$name" --note "$note")
|
log "Performing '$op' update for client '$client_id' with name '$name', search username '$searchusername', and note '$note'"
|
||||||
exit_code=$?
|
response=$(so-client "$op" --id "$client_id" --name "$name" --searchusername "$searchusername" --note "$note")
|
||||||
;;
|
|
||||||
sync)
|
|
||||||
log "Performing '$op'"
|
|
||||||
response=$(so-user "$op")
|
|
||||||
exit_code=$?
|
exit_code=$?
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
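Review bot: `searchusername=$(echo "$request" | jq -r .searchusername)` yields the literal string `null` when the request omits the field or sets it to JSON null, so `so-client` is then invoked with `--searchusername null` and a client can be saved with a run-as username of `null`; the empty-string guard this commit adds to the update case in so-client would not catch it. Use `searchusername=$(echo "$request" | jq -r '.searchusername // empty')` so a missing field arrives as an empty string and is rejected by that check. The surrounding `name` and `note` extractions have the same `jq -r` shape, though they are unchanged here. The enclosing `case` arm of manage_client starts before this hunk.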
|
|||||||