CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-20 16:03:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

enabled/disable kratos in ui

Browse Source
This commit is contained in:
m0duspwnens
2023-05-12 16:53:18 -04:00
parent 2a39f5f0b5
commit b71b4225c4
10 changed files with 230 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
salt/kratos/config.sls Normal file
View File

@@ -0,0 +1,71 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from "kratos/map.jinja" import KRATOSMERGED %}
# Add Kratos Group
kratosgroup:
group.present:
- name: kratos
- gid: 928
# Add Kratos user
kratos:
user.present:
- uid: 928
- gid: 928
- home: /opt/so/conf/kratos
kratosdir:
file.directory:
- name: /nsm/kratos
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratosdbdir:
file.directory:
- name: /nsm/kratos/db
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratoslogdir:
file.directory:
- name: /opt/so/log/kratos
- user: 928
- group: 928
- makedirs: True
kratosschema:
file.managed:
- name: /opt/so/conf/kratos/schema.json
- source: salt://kratos/files/schema.json
- user: 928
- group: 928
- mode: 600
kratosconfig:
file.managed:
- name: /opt/so/conf/kratos/kratos.yaml
- source: salt://kratos/files/kratos.yaml.jinja
- user: 928
- group: 928
- mode: 600
- template: jinja
- defaults:
KRATOSMERGED: {{ KRATOSMERGED }}
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

1
salt/kratos/defaults.yaml
View File

@@ -1,4 +1,5 @@
kratos: kratos:
enabled: False
config: config:
session: session:
lifespan: 24h lifespan: 24h

27
salt/kratos/disabled.sls Normal file
View File

@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
include:
- kratos.sostatus
so-kratos:
docker_container.absent:
- force: True
so-kratos_so-status.disabled:
file.comment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-kratos$
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

69
salt/kratos/enabled.sls Normal file
View File

@@ -0,0 +1,69 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
- kratos.config
- kratos.sostatus
so-kratos:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
- hostname: kratos
- name: so-kratos
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro
- /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
- /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw
- port_bindings:
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- restart_policy: unless-stopped
- watch:
- file: kratosschema
- file: kratosconfig
- require:
- file: kratosschema
- file: kratosconfig
- file: kratoslogdir
- file: kratosdir
delete_so-kratos_so-status.disabled:
file.uncomment:
- name: /opt/so/conf/so-status/so-status.conf
- regex: ^so-kratos$
wait_for_kratos:
http.wait_for_successful_query:
- name: 'http://{{ GLOBALS.manager }}:4434/'
- ssl: True
- verify_ssl: False
- status:
- 200
- 301
- 302
- 404
- status_type: list
- wait_for: 300
- request_interval: 10
- require:
- docker_container: so-kratos
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

15
salt/kratos/files/kratos.yaml.jinja
View File

@@ -1,14 +1 @@
{%- import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %} {{ KRATOSMERGED.config | yaml(false) }}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
{%- set KRATOSMERGED = salt['pillar.get']('kratos:config', default=KRATOSDEFAULTS.kratos.config, merge=true) %}
{{- KRATOSMERGED | yaml(false) }}

117
salt/kratos/init.sls
View File

@@ -3,118 +3,11 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'kratos/config.map.jinja' import KRATOSMERGED %}
{% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
# Add Kratos Group
kratosgroup:
group.present:
- name: kratos
- gid: 928
# Add Kratos user
kratos:
user.present:
- uid: 928
- gid: 928
- home: /opt/so/conf/kratos
kratosdir:
file.directory:
- name: /nsm/kratos
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratosdbdir:
file.directory:
- name: /nsm/kratos/db
- user: 928
- group: 928
- mode: 700
- makedirs: True
kratoslogdir:
file.directory:
- name: /opt/so/log/kratos
- user: 928
- group: 928
- makedirs: True
kratosschema:
file.managed:
- name: /opt/so/conf/kratos/schema.json
- source: salt://kratos/files/schema.json
- user: 928
- group: 928
- mode: 600
kratosconfig:
file.managed:
- name: /opt/so/conf/kratos/kratos.yaml
- source: salt://kratos/files/kratos.yaml.jinja
- user: 928
- group: 928
- mode: 600
- template: jinja
- defaults:
GLOBALS: {{ GLOBALS }}
so-kratos:
docker_container.running:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }}
- hostname: kratos
- name: so-kratos
- networks:
- sobridge:
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro
- /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
- /opt/so/log/kratos/:/kratos-log:rw
- /nsm/kratos/db:/kratos-data:rw
- port_bindings:
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- restart_policy: unless-stopped
- watch:
- file: kratosschema
- file: kratosconfig
- require:
- file: kratosschema
- file: kratosconfig
- file: kratoslogdir
- file: kratosdir
append_so-kratos_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-kratos
wait_for_kratos:
http.wait_for_successful_query:
- name: 'http://{{ GLOBALS.manager }}:4434/'
- ssl: True
- verify_ssl: False
- status:
- 200
- 301
- 302
- 404
- status_type: list
- wait_for: 300
- request_interval: 10
- require:
- docker_container: so-kratos
include:
{% if KRATOSMERGED.enabled %}
- kratos.enabled
{% else %} {% else %}
- kratos.disabled
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %} {% endif %}

19
salt/kratos/map.jinja Normal file
View File

@@ -0,0 +1,19 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'kratos/defaults.yaml' as KRATOSDEFAULTS %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.settings.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.verification.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.login.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.login.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.error.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.error.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.update({'ui_url': KRATOSDEFAULTS.kratos.config.selfservice.flows.registration.ui_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.selfservice.update({'default_browser_return_url': KRATOSDEFAULTS.kratos.config.selfservice.default_browser_return_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.serve.public.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.public.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.serve.admin.update({'base_url': KRATOSDEFAULTS.kratos.config.serve.admin.base_url | replace("URL_BASE", GLOBALS.url_base)}) %}
{% do KRATOSDEFAULTS.kratos.config.courier.smtp.update({'connection_uri': KRATOSDEFAULTS.kratos.config.courier.smtp.connection_uri | replace("URL_BASE", GLOBALS.url_base)}) %}
{% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}

4
salt/kratos/soc_kratos.yaml
View File

@@ -1,4 +1,8 @@
kratos: kratos:
enabled:
description: You can enable or disable Kratos.
advanced: True
helpLink: kratos.html
config: config:
session: session:
lifespan: lifespan:

21
salt/kratos/sostatus.sls Normal file
View File

@@ -0,0 +1,21 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
append_so-kratos_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-kratos
- unless: grep -q so-kratos /opt/so/conf/so-status/so-status.conf
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}

12
salt/manager/tools/sbin/so-minion
View File

@@ -338,6 +338,13 @@ function add_mysql_to_minion() {
" " >> $PILLARFILE " " >> $PILLARFILE
} }
function add_kratos_to_minion() {
printf '%s\n'\
"kratos:"\
" enabled: True"\
" " >> $PILLARFILE
}
function create_fleet_policy() { function create_fleet_policy() {
JSON_STRING=$( jq -n \ JSON_STRING=$( jq -n \
@@ -395,6 +402,7 @@ function createEVAL() {
add_soc_to_minion add_soc_to_minion
add_registry_to_minion add_registry_to_minion
add_mysql_to_minion add_mysql_to_minion
add_kratos_to_minion
} }
function createSTANDALONE() { function createSTANDALONE() {
@@ -414,6 +422,7 @@ function createSTANDALONE() {
add_soc_to_minion add_soc_to_minion
add_registry_to_minion add_registry_to_minion
add_mysql_to_minion add_mysql_to_minion
add_kratos_to_minion
} }
function createMANAGER() { function createMANAGER() {
@@ -431,6 +440,7 @@ function createMANAGER() {
add_soc_to_minion add_soc_to_minion
add_registry_to_minion add_registry_to_minion
add_mysql_to_minion add_mysql_to_minion
add_kratos_to_minion
} }
function createMANAGERSEARCH() { function createMANAGERSEARCH() {
@@ -448,6 +458,7 @@ function createMANAGERSEARCH() {
add_soc_to_minion add_soc_to_minion
add_registry_to_minion add_registry_to_minion
add_mysql_to_minion add_mysql_to_minion
add_kratos_to_minion
} }
function createIMPORT() { function createIMPORT() {
@@ -459,6 +470,7 @@ function createIMPORT() {
add_nginx_to_minion add_nginx_to_minion
add_soc_to_minion add_soc_to_minion
add_registry_to_minion add_registry_to_minion
add_kratos_to_minion
} }
function createFLEET() { function createFLEET() {