This commit is contained in:
Jason Ertel
2024-10-24 15:45:18 -04:00
parent d9273ec369
commit d503c09ef2
2 changed files with 35 additions and 25 deletions


@@ -87,7 +87,7 @@ while [[ $# -gt 0 ]]; do
esac esac
done done
hydraUrl=${HYDRA_URL:-http://127.0.0.1:4445/admin} hydraUrl=${HYDRA_URL:-http://127.0.0.1:4445}
socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_clients_roles} socRolesFile=${SOC_ROLES_FILE:-/opt/so/conf/soc/soc_clients_roles}
soUID=${SOCORE_UID:-939} soUID=${SOCORE_UID:-939}
soGID=${SOCORE_GID:-939} soGID=${SOCORE_GID:-939}
@@ -116,7 +116,7 @@ function verifyEnvironment() {
require "jq" require "jq"
require "curl" require "curl"
response=$(curl -Ss -L ${hydraUrl}/) response=$(curl -Ss -L ${hydraUrl}/)
[[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable" [[ "$response" != *"Error 404"* ]] && fail "Unable to communicate with Hydra; specify URL via HYDRA_URL environment variable"
} }
function createFile() { function createFile() {
@@ -145,7 +145,7 @@ function ensureRoleFileExists() {
} }
function listClients() { function listClients() {
response=$(curl -Ss -L ${hydraUrl}/admin/clients) response=$(curl -Ss -L -f ${hydraUrl}/admin/clients)
[[ $? != 0 ]] && fail "Unable to communicate with Hydra" [[ $? != 0 ]] && fail "Unable to communicate with Hydra"
clientIds=$(echo "${response}" | jq -r ".[] | .client_id" | sort) clientIds=$(echo "${response}" | jq -r ".[] | .client_id" | sort)
@@ -192,7 +192,7 @@ function adjustClientRole() {
if [[ "$hasRole" -ne 1 ]]; then if [[ "$hasRole" -ne 1 ]]; then
fail "Client '$identityId' does not have the role: $role" fail "Client '$identityId' does not have the role: $role"
else else
sed "/^$role:$identityId\$/d" "$filename" > "$filename.tmp" sed -e "\!^$role:$identityId\$!d" "$filename" > "$filename.tmp"
cat "$filename".tmp > "$filename" cat "$filename".tmp > "$filename"
rm -f "$filename".tmp rm -f "$filename".tmp
fi fi
@@ -206,7 +206,7 @@ function convertNameToId() {
name=$1 name=$1
name=${name//[^[:alnum:]]/_} name=${name//[^[:alnum:]]/_}
echo "$name" | tr '[:upper:]' '[:lower:]' echo "socl_$name" | tr '[:upper:]' '[:lower:]'
} }
function createClient() { function createClient() {
@@ -216,11 +216,15 @@ function createClient() {
id=$(convertNameToId "$name") id=$(convertNameToId "$name")
now=$(date -u +%FT%TZ) now=$(date -u +%FT%TZ)
secret=$(get_random_value)
body=$(cat <<EOF body=$(cat <<EOF
{ {
"access_token_strategy": "opaque", "access_token_strategy": "opaque",
"client_id": "$id", "client_id": "$id",
"client_secret": "$secret",
"client_name": "$name", "client_name": "$name",
"grant_types": [ "client_credentials" ],
"response_types": [ "code" ],
"metadata": { "metadata": {
"note": "$note" "note": "$note"
} }
@@ -228,31 +232,34 @@ function createClient() {
EOF EOF
) )
response=$(curl -Ss -L -X POST ${hydraUrl}/admin/clients -d "$body") response=$(curl -Ss -L --fail-with-body -X POST ${hydraUrl}/admin/clients -d "$body")
[[ $? != 0 ]] && fail "Unable to communicate with Hydra" if [[ $? != 0 ]]; then
error=$(echo $response | jq .error)
secret=$(echo "${response}" | jq -r ".client_secret") fail "Failed to submit request to Hydra: $error"
fi
addClientRole "$id" "$role" addClientRole "$id" "$role"
} }
function generateSecret() { function generateSecret() {
clientId=$1 clientId=$1
secret=$(get_random_value)
body=$(cat <<EOF body=$(cat <<EOF
[ [
{ {
"from": "/client_secret",
"op": "replace", "op": "replace",
"path": "/client_secret" "path": "/client_secret",
"value": "$secret"
} }
] ]
EOF EOF
) )
response=$(curl -Ss -L -X PATCH ${hydraUrl}/admin/clients/$id -d "$body") response=$(curl -Ss -L --fail-with-body -X PATCH ${hydraUrl}/admin/clients/$id -d "$body")
[[ $? != 0 ]] && fail "Unable to communicate with Hydra" if [[ $? != 0 ]]; then
error=$(echo $response | jq .error)
echo "$response" | jq -r .client_secret fail "Failed to submit request to Hydra: $error"
fi
} }
function deleteClient() { function deleteClient() {
@@ -260,8 +267,11 @@ function deleteClient() {
[[ ${identityId} == "" ]] && fail "Client not found" [[ ${identityId} == "" ]] && fail "Client not found"
response=$(curl -Ss -XDELETE -L "${hydraUrl}/admin/client/$identityId") response=$(curl -Ss -XDELETE -L --fail-with-body "${hydraUrl}/admin/clients/$identityId")
[[ $? != 0 ]] && fail "Unable to communicate with Hydra" if [[ $? != 0 ]]; then
error=$(echo $response | jq .error)
fail "Failed to submit request to Hydra: $error"
fi
rolesTmpFile="${socRolesFile}.tmp" rolesTmpFile="${socRolesFile}.tmp"
createFile "$rolesTmpFile" "$soUID" "$soGID" createFile "$rolesTmpFile" "$soUID" "$soGID"
@@ -276,7 +286,7 @@ case "${operation}" in
lock lock
createClient "$name" "${role:-$DEFAULT_ROLE}" "${note}" createClient "$name" "${role:-$DEFAULT_ROLE}" "${note}"
echo "Successfully added new client to SOC. Run 'so-user sync' to sync with Elasticsearch." echo "Successfully added user and generated secret: $secret"
;; ;;
"list") "list")
@@ -290,7 +300,7 @@ case "${operation}" in
[[ "$role" == "" ]] && fail "Role must be provided" [[ "$role" == "" ]] && fail "Role must be provided"
lock lock
if addClientRole "$email" "$role"; then if addClientRole "$id" "$role"; then
echo "Successfully added role to client" echo "Successfully added role to client"
fi fi
;; ;;
@@ -301,7 +311,7 @@ case "${operation}" in
[[ "$role" == "" ]] && fail "Role must be provided" [[ "$role" == "" ]] && fail "Role must be provided"
lock lock
deleteClientRole "$email" "$role" deleteClientRole "$id" "$role"
echo "Successfully removed role from client" echo "Successfully removed role from client"
;; ;;
@@ -311,7 +321,7 @@ case "${operation}" in
lock lock
generateSecret "$id" generateSecret "$id"
echo "Successfully generated secret" echo "Successfully generated secret: $secret"
;; ;;
"delete") "delete")
@@ -319,7 +329,7 @@ case "${operation}" in
[[ "$id" == "" ]] && fail "Id must be provided" [[ "$id" == "" ]] && fail "Id must be provided"
lock lock
deleteClient "$email" deleteClient "$id"
echo "Successfully deleted client. Run 'so-user sync' to sync with Elasticsearch." echo "Successfully deleted client. Run 'so-user sync' to sync with Elasticsearch."
;; ;;
*) *)
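Review bot: The client secret that createClient and generateSecret now generate locally is sent to Hydra as part of curl's argv (`-d "$body"` on the POST and PATCH lines), so for the duration of the request it is readable by any local user through the process list and by argv-based audit logging; on the old side Hydra generated it and it only ever travelled in the response body. Pass the body on stdin instead, e.g. `response=$(printf '%s' "$body" | curl -Ss -L --fail-with-body -X POST "${hydraUrl}/admin/clients" -d @-)` and the same `-d @-` form for the PATCH. In generateSecret the argument is stored as `clientId=$1` but the PATCH URL still interpolates `$id`, which appears to work only because the calling case arm has already set a global of that name; use `"${hydraUrl}/admin/clients/$clientId"`. The three new error branches also expand `$response` unquoted (`echo $response | jq .error`), which word-splits and glob-expands the body before jq sees it; `jq .error <<<"$response"` avoids that. createClient, generateSecret and deleteClient all begin or end outside these hunks.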


@@ -220,8 +220,7 @@ http {
} }
{% if 'api' in salt['pillar.get']('features', []) %} {% if 'api' in salt['pillar.get']('features', []) %}
location /connect/token { location ~* (^/oauth2/token.*|^.well-known/jwks.json|^.well-known/openid-configuration) {
rewrite /connect/token(.*) /oauth2/token$1 break;
limit_req zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay; limit_req zone=auth_throttle burst={{ NGINXMERGED.config.throttle_login_burst }} nodelay;
limit_req_status 429; limit_req_status 429;
proxy_pass http://{{ GLOBALS.manager }}:4444; proxy_pass http://{{ GLOBALS.manager }}:4444;
@@ -234,10 +233,11 @@ http {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
location /connect/api { location /connect/ {
if ($http_authorization !~ "Bearer .*") { if ($http_authorization !~ "Bearer .*") {
return 403; return 403;
} }
rewrite /connect/(.*) /api/$1 break;
proxy_pass http://{{ GLOBALS.manager }}:9822/; proxy_pass http://{{ GLOBALS.manager }}:9822/;
proxy_read_timeout 300; proxy_read_timeout 300;
proxy_connect_timeout 300; proxy_connect_timeout 300;
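Review bot: The two `.well-known` alternatives in the new regex location (`^.well-known/jwks.json`, `^.well-known/openid-configuration`) cannot match the URIs they appear to target: the URI nginx matches against begins with `/`, so the unescaped `.` in `^.well-known` consumes that slash and the pattern then requires `well-known` where the request has `.well-known`; those discovery requests would fall through to whichever other location matches instead of being proxied to Hydra on 4444. Anchor on the leading slash and escape the dots: `location ~* ^/(oauth2/token.*|\.well-known/jwks\.json|\.well-known/openid-configuration) {`. Note also that `~*` makes the match case-insensitive, so mixed-case variants of these paths now reach the rate-limited Hydra upstream as well; `~` is sufficient if exact paths are intended. The location block continues beyond the first hunk.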