diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index c4f6aca30..ce59c64db 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -160,6 +160,14 @@ fail() {
 	exit 1
 }
 
+fqdn_lowercase() {
+	local fqdn=$1
+
+	echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-z0-9-]{0,62}[a-z0-9]\.)+[a-z]{2,63}$)' \
+		&& return 0 \
+		|| return 1
+}
+
 get_random_value() {
 	length=${1:-20}
 	head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
@@ -186,6 +194,12 @@ header() {
 	printf '%s\n' "" "$banner" " $*" "$banner"
 }
 
+hostname_lowercase() {
+	local hostname=$1
+
+	[[ $hostname =~ ^[a-z0-9\-]+$ ]] && return 0 || return 1
+}
+
 init_monitor() {
 	MONITORNIC=$1
 
diff --git a/setup/so-functions b/setup/so-functions
index ff019953e..98dd007cb 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -423,14 +423,28 @@ collect_homenet_snsr() {
 }
 
 collect_hostname() {
+	collect_hostname_validate
+
+	while ! hostname_lowercase "$HOSTNAME"; do
+		if ! (whiptail_uppercase_warning); then
+			collect_hostname_validate
+		else
+			no_use_hostname=true
+			break
+		fi
+	done
+}
+
+collect_hostname_validate() {
 	if [[ $automated == no ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi
 
 	whiptail_set_hostname "$HOSTNAME"
 
-	if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
+	if [[ -z $default_hostname_flag ]] && [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
 		if ! (whiptail_avoid_default_hostname); then
 			whiptail_set_hostname "$HOSTNAME"
 		fi
+		default_hostname_flag=true
 	fi
 
 	while ! valid_hostname "$HOSTNAME"; do
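Review bot: In fqdn_lowercase the pipeline already yields grep's exit status, so the `&& return 0 \ || return 1` tail is redundant and the body can be the single line `printf '%s\n' "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-z0-9-]{0,62}[a-z0-9]\.)+[a-z]{2,63}$)'`; printf also avoids echo consuming a value such as `-n` or `-e` as an option. The `-P` flag needs a grep built with PCRE support, which deserves a comment since the lookahead `(?=^.{4,253}$)` cannot be expressed in the ERE that `[[ =~ ]]` accepts. Note too that the function is a full FQDN check that additionally rejects uppercase, so a caller using it purely as a case test also gets a false result for any syntactically invalid name.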
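Review bot: The `\-` inside the bracket expression in hostname_lowercase is fragile: if bash passes the backslash through to regcomp, a POSIX bracket expression treats it as a literal member of the class and a value containing a backslash passes the test. Placing the hyphen last removes the need for an escape, and the trailing `&& return 0 || return 1` is redundant, so the body can be `[[ $hostname =~ ^[a-z0-9-]+$ ]]`. The name suggests a pure case check, but the test also rejects an empty string and any character outside the class, so callers should read a non-zero return as "not usable" rather than "contains uppercase".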
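Review bot: `no_use_hostname=true` in collect_hostname and `default_hostname_flag=true` in collect_hostname_validate are undeclared globals whose readers live elsewhere (whiptail_set_redirect in setup/so-whiptail tests no_use_hostname), so each deserves a comment where it is set, e.g. `# read by whiptail_set_redirect (setup/so-whiptail): hides the HOSTNAME redirect option` above `no_use_hostname=true`. The subshell parentheses in `if ! (whiptail_uppercase_warning); then` are not needed (`if ! whiptail_uppercase_warning; then` suffices), though they mirror the existing whiptail_avoid_default_hostname call. collect_hostname_validate continues past the end of the hunk, so whether an uppercase HOSTNAME in an automated run reaches the warning dialog cannot be confirmed from here.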
@@ -648,7 +662,23 @@ collect_proxy_details() {
 }
 
 collect_redirect_host() {
-	whiptail_set_redirect_host "$HOSTNAME"
+	collect_redirect_host_validate
+
+	while ! hostname_lowercase "$REDIRECTHOST" && ! fqdn_lowercase "$REDIRECTHOST"; do
+		local text
+		! valid_hostname "$REDIRECTHOST" && text="domain name" || text="hostname"
+		if ! (whiptail_uppercase_warning "$text"); then
+			collect_redirect_host_validate "$REDIRECTHOST"
+		else
+			break
+		fi
+	done
+}
+
+collect_redirect_host_validate() {
+	local prefill=${1:-$HOSTNAME}
+
+	whiptail_set_redirect_host "$prefill"
 
 	while ! valid_ip4 "$REDIRECTHOST" && ! valid_hostname "$REDIRECTHOST" && ! valid_fqdn "$REDIRECTHOST"; do
 		whiptail_invalid_input
diff --git a/setup/so-whiptail b/setup/so-whiptail
index e404152e5..10d86ec2b 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
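Review bot: The new loop in collect_redirect_host fires for a plain IPv4 address: a value such as `10.0.0.1` (constructed example) fails both hostname_lowercase (the dots) and fqdn_lowercase (numeric last label) even though collect_redirect_host_validate accepts it through valid_ip4, so the user is shown an uppercase warning for an address that contains no letters. Exclude addresses in the loop condition: `while ! valid_ip4 "$REDIRECTHOST" && ! hostname_lowercase "$REDIRECTHOST" && ! fqdn_lowercase "$REDIRECTHOST"; do`. Separately, `local text` is declared on every iteration and would sit better above the `while`, and a plain `if ! valid_hostname "$REDIRECTHOST"; then text="domain name"; else text="hostname"; fi` reads more clearly than the `a && b || c` form. collect_redirect_host_validate continues past the end of the hunk.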
@@ -1661,11 +1661,16 @@ whiptail_set_redirect() {
 
 	[ -n "$TESTING" ] && return
 
+	local options=()
+	options+=( "IP" "Use IP address to access the web interface" ON )
+	[[ $no_use_hostname != true ]] && options+=( "HOSTNAME" "Use hostname to access the web interface" OFF )
+	options+=("OTHER" "Use a different name like a FQDN or Load Balancer" OFF)
+
 	REDIRECTINFO=$(whiptail --title "$whiptail_title" --radiolist \
-		"How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \
-		"IP" "Use IP address to access the web interface" ON \
-		"HOSTNAME" "Use hostname to access the web interface" OFF \
-		"OTHER" "Use a different name like a FQDN or Load Balancer" OFF 3>&1 1>&2 2>&3 )
+		"How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \
+		"${options[@]}" \
+		3>&1 1>&2 2>&3
+	)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
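Review bot: The `[[ $no_use_hostname != true ]]` guard in whiptail_set_redirect depends on a global assigned in a different file and nothing here says so; add `# no_use_hostname is set by collect_hostname (setup/so-functions) when the user keeps a hostname containing uppercase characters` above the options block. Because the variable is only ever compared with the literal `true`, a run that never executed collect_hostname leaves it unset and still offers HOSTNAME, which the same comment should state so the fallback is a deliberate choice rather than an accident of the comparison.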