diff --git a/salt/kratos/config.sls b/salt/kratos/config.sls
new file mode 100644
index 000000000..55949ea3c
--- /dev/null
+++ b/salt/kratos/config.sls
@@ -0,0 +1,71 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from "kratos/map.jinja" import KRATOSMERGED %}
+
+# Add Kratos Group
+kratosgroup:
+ group.present:
+ - name: kratos
+ - gid: 928
+
+# Add Kratos user
+kratos:
+ user.present:
+ - uid: 928
+ - gid: 928
+ - home: /opt/so/conf/kratos
+
+kratosdir:
+ file.directory:
+ - name: /nsm/kratos
+ - user: 928
+ - group: 928
+ - mode: 700
+ - makedirs: True
+
+kratosdbdir:
+ file.directory:
+ - name: /nsm/kratos/db
+ - user: 928
+ - group: 928
+ - mode: 700
+ - makedirs: True
+
+kratoslogdir:
+ file.directory:
+ - name: /opt/so/log/kratos
+ - user: 928
+ - group: 928
+ - makedirs: True
+
+kratosschema:
+ file.managed:
+ - name: /opt/so/conf/kratos/schema.json
+ - source: salt://kratos/files/schema.json
+ - user: 928
+ - group: 928
+ - mode: 600
+
+kratosconfig:
+ file.managed:
+ - name: /opt/so/conf/kratos/kratos.yaml
+ - source: salt://kratos/files/kratos.yaml.jinja
+ - user: 928
+ - group: 928
+ - mode: 600
+ - template: jinja
+ - defaults:
+ KRATOSMERGED: {{ KRATOSMERGED }}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index 8f7a72b00..e0317ed37 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -1,4 +1,5 @@
 kratos:
+ enabled: False
 config:
 session:
 lifespan: 24h
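Review bot: The `kratosconfig` state renders the Kratos configuration, including `courier.smtp.connection_uri`, which in Kratos normally carries the SMTP credentials, into `/opt/so/conf/kratos/kratos.yaml`; the file is mode 600, but `file.managed` still prints the full content diff in the state return whenever the file changes, so that URI can end up in job returns and minion logs. Adding `- show_changes: False` to the `kratosconfig` state keeps the change visible as a flag without echoing the body. The `- defaults: KRATOSMERGED: {{ KRATOSMERGED }}` line likewise inlines the whole merged dict, pillar included, into the rendered SLS; that mirrors the previous `GLOBALS: {{ GLOBALS }}` pattern, so it is a project-wide choice rather than something this hunk introduces, but it is the same data and the same exposure path.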
diff --git a/salt/kratos/disabled.sls b/salt/kratos/disabled.sls
new file mode 100644
index 000000000..0ab998273
--- /dev/null
+++ b/salt/kratos/disabled.sls
@@ -0,0 +1,27 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+include:
+ - kratos.sostatus
+
+so-kratos:
+ docker_container.absent:
+ - force: True
+
+so-kratos_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-kratos$
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls
new file mode 100644
index 000000000..9358c9349
--- /dev/null
+++ b/salt/kratos/enabled.sls
@@ -0,0 +1,69 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+include:
+ - kratos.config
+ - kratos.sostatus
+
+so-kratos:
+ docker_container.running:
+ - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
+ - hostname: kratos
+ - name: so-kratos
+ - networks:
+ - sobridge:
+ - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
+ - binds:
+ - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro
+ - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
+ - /opt/so/log/kratos/:/kratos-log:rw
+ - /nsm/kratos/db:/kratos-data:rw
+ - port_bindings:
+ {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
+ - {{ BINDING }}
+ {% endfor %}
+ - restart_policy: unless-stopped
+ - watch:
+ - file: kratosschema
+ - file: kratosconfig
+ - require:
+ - file: kratosschema
+ - file: kratosconfig
+ - file: kratoslogdir
+ - file: kratosdir
+
+delete_so-kratos_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-kratos$
+
+wait_for_kratos:
+ http.wait_for_successful_query:
+ - name: 'http://{{ GLOBALS.manager }}:4434/'
+ - ssl: True
+ - verify_ssl: False
+ - status:
+ - 200
+ - 301
+ - 302
+ - 404
+ - status_type: list
+ - wait_for: 300
+ - request_interval: 10
+ - require:
+ - docker_container: so-kratos
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
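Review bot: The `require` list on `so-kratos` names `kratosdir` but not `kratosdbdir`, although `/nsm/kratos/db` is bind-mounted into the container as `/kratos-data`; if the container is created before that state has run, Docker creates the host directory itself (root-owned, default mode) and the uid 928 / mode 700 ownership set in config.sls is never applied to the database directory. Salt's default auto-ordering will usually run the included `kratos.config` states first, so this is latent rather than reproducible today, but the explicit requisite costs one line: `- file: kratosdbdir`. The moved `wait_for_kratos` probe also keeps `ssl: True` and `verify_ssl: False` against an `http://` URL; the combination is inherited verbatim from init.sls and looks intentional for a local readiness check, but a one-line comment saying so would save the next reader from reopening it.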
diff --git a/salt/kratos/files/kratos.yaml.jinja b/salt/kratos/files/kratos.yaml.jinja
index fc67a1db8..e31ec0313 100644
--- a/salt/kratos/files/kratos.yaml.jinja
+++ b/salt/kratos/files/kratos.yaml.jinja
@@ -1,14 +1 @@
-{%- import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
-
-{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
-{%- set KRATOSMERGED = salt['pillar.get']('kratos:config', default=KRATOSDEFAULTS.kratos.config, merge=true) %}
-
-{{- KRATOSMERGED | yaml(false) }}
+{{ KRATOSMERGED.config | yaml(false) }}
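Review bot: The template now has no visible source for `KRATOSMERGED`; it is supplied through the `defaults` of the `kratosconfig` state in `kratos/config.sls`, and a reader opening only this file cannot tell that, nor that only the `.config` subtree is meant to reach the container. A one-line Jinja comment above the expression would document the contract, e.g. `{# KRATOSMERGED is injected via 'defaults' of the kratosconfig state in kratos/config.sls; only .config is rendered into kratos.yaml #}`.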
diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls
index c52ae15f8..7351fb0f3 100644
--- a/salt/kratos/init.sls
+++ b/salt/kratos/init.sls
@@ -3,118 +3,11 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
-# Add Kratos Group
-kratosgroup:
- group.present:
- - name: kratos
- - gid: 928
-
-# Add Kratos user
-kratos:
- user.present:
- - uid: 928
- - gid: 928
- - home: /opt/so/conf/kratos
-
-kratosdir:
- file.directory:
- - name: /nsm/kratos
- - user: 928
- - group: 928
- - mode: 700
- - makedirs: True
-
-kratosdbdir:
- file.directory:
- - name: /nsm/kratos/db
- - user: 928
- - group: 928
- - mode: 700
- - makedirs: True
-
-kratoslogdir:
- file.directory:
- - name: /opt/so/log/kratos
- - user: 928
- - group: 928
- - makedirs: True
-
-kratosschema:
- file.managed:
- - name: /opt/so/conf/kratos/schema.json
- - source: salt://kratos/files/schema.json
- - user: 928
- - group: 928
- - mode: 600
-
-kratosconfig:
- file.managed:
- - name: /opt/so/conf/kratos/kratos.yaml
- - source: salt://kratos/files/kratos.yaml.jinja
- - user: 928
- - group: 928
- - mode: 600
- - template: jinja
- - defaults:
- GLOBALS: {{ GLOBALS }}
-
-so-kratos:
- docker_container.running:
- - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
- - hostname: kratos
- - name: so-kratos
- - networks:
- - sobridge:
- - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- - binds:
- - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro
- - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
- - /opt/so/log/kratos/:/kratos-log:rw
- - /nsm/kratos/db:/kratos-data:rw
- - port_bindings:
- {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- - {{ BINDING }}
- {% endfor %}
- - restart_policy: unless-stopped
- - watch:
- - file: kratosschema
- - file: kratosconfig
- - require:
- - file: kratosschema
- - file: kratosconfig
- - file: kratoslogdir
- - file: kratosdir
-
-append_so-kratos_so-status.conf:
- file.append:
- - name: /opt/so/conf/so-status/so-status.conf
- - text: so-kratos
-
-wait_for_kratos:
- http.wait_for_successful_query:
- - name: 'http://{{ GLOBALS.manager }}:4434/'
- - ssl: True
- - verify_ssl: False
- - status:
- - 200
- - 301
- - 302
- - 404
- - status_type: list
- - wait_for: 300
- - request_interval: 10
- - require:
- - docker_container: so-kratos
+{% from 'kratos/config.map.jinja' import KRATOSMERGED %}
+include:
+{% if KRATOSMERGED.enabled %}
+ - kratos.enabled
 {% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
+ - kratos.disabled
 {% endif %}
diff --git a/salt/kratos/map.jinja b/salt/kratos/map.jinja
new file mode 100644
index 000000000..1cdc4337b
--- /dev/null
+++ b/salt/kratos/map.jinja
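Review bot: The new import reads `{% from 'kratos/config.map.jinja' import KRATOSMERGED %}`, but the map file this commit adds is `salt/kratos/map.jinja`, and `kratos/config.sls` imports it as `kratos/map.jinja`; unless a `kratos/config.map.jinja` exists outside this diff, rendering `kratos` during a highstate fails with a template-not-found error, so neither `kratos.enabled` nor `kratos.disabled` is ever included and the enable/disable toggle has no effect. The line should read `{% from 'kratos/map.jinja' import KRATOSMERGED %}`. Dropping the `allowed_states` gate from init.sls itself is fine, since both included states check `sls.split('.')[0]` against `allowed_states` themselves.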
@@ -0,0 +1,19 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
+
+{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
+{% do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
+
+{% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index d2555bf11..1eb9bef40 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -1,4 +1,8 @@
 kratos:
+ enabled:
+ description: You can enable or disable Kratos.
+ advanced: True
+ helpLink: kratos.html
 config:
 session:
 lifespan:
diff --git a/salt/kratos/sostatus.sls b/salt/kratos/sostatus.sls
new file mode 100644
index 000000000..cf736d8f7
--- /dev/null
+++ b/salt/kratos/sostatus.sls
@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+
+append_so-kratos_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-kratos
+ - unless: grep -q so-kratos /opt/so/conf/so-status/so-status.conf
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion
index 3ec17f79f..4941367de 100755
--- a/salt/manager/tools/sbin/so-minion
+++ b/salt/manager/tools/sbin/so-minion
@@ -338,6 +338,13 @@ function add_mysql_to_minion() {
 " " >> $PILLARFILE
 }
 
+function add_kratos_to_minion() {
+ printf '%s\n'\
+ "kratos:"\
+ " enabled: True"\
+ " " >> $PILLARFILE
+}
+
 function create_fleet_policy() {
 JSON_STRING=$( jq -n \
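Review bot: The `unless` on `append_so-kratos_so-status.conf` uses `grep -q so-kratos`, an unanchored substring match, so any line containing `so-kratos` suppresses the append; that covers the `#so-kratos` line left behind by `file.comment` in disabled.sls, which appears to be the intent, but it would equally match an unrelated entry that merely contains the string. An anchored pattern states the intent and accepts only the two forms this module writes: `- unless: grep -qE '^#?so-kratos$' /opt/so/conf/so-status/so-status.conf`. A short comment on the state, noting that the commented form must not be re-appended so that the enabled state's `file.uncomment` can restore it, would make the otherwise redundant-looking `unless` self-explanatory.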
@@ -395,6 +402,7 @@ function createEVAL() {
 add_soc_to_minion
 add_registry_to_minion
 add_mysql_to_minion
+ add_kratos_to_minion
 }
 
 function createSTANDALONE() {
@@ -414,6 +422,7 @@ function createSTANDALONE() {
 add_soc_to_minion
 add_registry_to_minion
 add_mysql_to_minion
+ add_kratos_to_minion
 }
 
 function createMANAGER() {
@@ -431,6 +440,7 @@ function createMANAGER() {
 add_soc_to_minion
 add_registry_to_minion
 add_mysql_to_minion
+ add_kratos_to_minion
 }
 
 function createMANAGERSEARCH() {
@@ -448,6 +458,7 @@ function createMANAGERSEARCH() {
 add_soc_to_minion
 add_registry_to_minion
 add_mysql_to_minion
+ add_kratos_to_minion
 }
 
 function createIMPORT() {
@@ -459,6 +470,7 @@ function createIMPORT() {
 add_nginx_to_minion
 add_soc_to_minion
 add_registry_to_minion
+ add_kratos_to_minion
 }
 
 function createFLEET() {