From f27e5164d0549f7eea083d9ce7fd4279c5de6bb9 Mon Sep 17 00:00:00 2001
From: Jason Ertel <jason.ertel@securityonionsolutions.com>
Date: Fri, 4 Sep 2020 17:01:45 -0400
Subject: [PATCH] Update to latest kratos; add support for a custom status
 trait to represent whether a user is locked or not; refactor so-user to use
 new enable/disable capabilities in SOC; remove 'delete' option from so-user
 usage to avoid having user lists out of sync across SOC and external apps

---
 salt/common/tools/sbin/so-cortex-user-add    |  1 +
 salt/common/tools/sbin/so-cortex-user-enable |  1 +
 salt/common/tools/sbin/so-fleet-user-add     |  1 +
 salt/common/tools/sbin/so-fleet-user-enable  |  1 +
 salt/common/tools/sbin/so-thehive-user-add   |  1 +
 salt/common/tools/sbin/so-user               | 78 +++++++++++++++-----
 salt/soc/files/kratos/kratos.yaml            | 60 ++++++---------
 salt/soc/files/kratos/schema.json            | 71 ++++++++++--------
 8 files changed, 129 insertions(+), 85 deletions(-)

diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add
index 43126f709..dbb5b9716 100755
--- a/salt/common/tools/sbin/so-cortex-user-add
+++ b/salt/common/tools/sbin/so-cortex-user-add
@@ -48,6 +48,7 @@ if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
     echo "Successfully added user to Cortex."
 else
     echo "Unable to add user to Cortex; user might already exist."
+    echo $resp
     exit 2
 fi
     
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-cortex-user-enable b/salt/common/tools/sbin/so-cortex-user-enable
index 63cd2f089..cbfdceb25 100755
--- a/salt/common/tools/sbin/so-cortex-user-enable
+++ b/salt/common/tools/sbin/so-cortex-user-enable
@@ -51,6 +51,7 @@ if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then
     echo "Successfully updated user in Cortex."
 else
     echo "Failed to update user in Cortex."
+    echo $resp
     exit 2
 fi
     
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add
index 9637aa63c..5560b0522 100755
--- a/salt/common/tools/sbin/so-fleet-user-add
+++ b/salt/common/tools/sbin/so-fleet-user-add
@@ -54,5 +54,6 @@ if [[ $? -eq 0 ]]; then
     echo "Successfully added user to Fleet."
 else
     echo "Unable to add user to Fleet; user might already exist."
+    echo $resp
     exit 2
 fi
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-fleet-user-enable b/salt/common/tools/sbin/so-fleet-user-enable
index 0ea826391..a632844bb 100755
--- a/salt/common/tools/sbin/so-fleet-user-enable
+++ b/salt/common/tools/sbin/so-fleet-user-enable
@@ -53,5 +53,6 @@ if [[ $? -eq 0 ]]; then
     echo "Successfully updated user in Fleet."
 else
     echo "Failed to update user in Fleet."
+    echo $resp
     exit 2
 fi
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add
index 0c9553abc..fc7a56f63 100755
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
@@ -47,5 +47,6 @@ if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
     echo "Successfully added user to TheHive."
 else
     echo "Unable to add user to TheHive; user might already exist."
+    echo $resp
     exit 2
 fi
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 4616be3f5..57f51fe9a 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -11,12 +11,13 @@
 . /usr/sbin/so-common
 
 if [[ $# < 1 || $# > 2 ]]; then
-  echo "Usage: $0 <list|add|update|delete|validate|valemail|valpass> [email]"
+  echo "Usage: $0 <list|add|update|enable|disable|validate|valemail|valpass> [email]"
   echo ""
   echo "     list: Lists all user email addresses currently defined in the identity system"
   echo "      add: Adds a new user to the identity system; requires 'email' parameter"
   echo "   update: Updates a user's password; requires 'email' parameter"
-  echo "   delete: Deletes an existing user; requires 'email' parameter"
+  echo "   enable: Enables a user; requires 'email' parameter"
+  echo "  disable: Disables a user; requires 'email' parameter"
   echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
   echo " valemail: Validates that the given email address is acceptable for defining a new user; requires 'email' parameter"
   echo "  valpass: Validates that a password is acceptable for defining a new user"
@@ -63,7 +64,7 @@ function findIdByEmail() {
   email=$1
 
   response=$(curl -Ss ${kratosUrl}/identities)
-  identityId=$(echo "${response}" | jq ".[] | select(.addresses[0].value == \"$email\") | .id")
+  identityId=$(echo "${response}" | jq ".[] | select(.verifiable_addresses[0].value == \"$email\") | .id")
   echo $identityId
 }
 
@@ -113,7 +114,7 @@ function listUsers() {
   response=$(curl -Ss ${kratosUrl}/identities)
   [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
 
-  echo "${response}" | jq -r ".[] | .addresses[0].value" | sort
+  echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort
 }
 
 function createUser() {
@@ -122,17 +123,8 @@ function createUser() {
   now=$(date -u +%FT%TZ)
   addUserJson=$(cat <<EOF
 {
-  "addresses": [
-    {
-      "expires_at": "2099-01-31T12:00:00Z",
-      "value": "${email}",
-      "verified": true,
-      "verified_at": "${now}",
-      "via": "so-add-user"
-    }
-  ],
   "traits": {"email":"${email}"},
-  "traits_schema_id": "default"
+  "schema_id": "default"
 }
 EOF
   )
@@ -152,6 +144,36 @@ EOF
   updatePassword $identityId
 }
 
+function updateStatus() {
+  email=$1
+  status=$2
+
+  identityId=$(findIdByEmail "$email")
+  [[ ${identityId} == "" ]] && fail "User not found"
+
+  response=$(curl -Ss "${kratosUrl}/identities/$identityId")
+  [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
+
+  oldConfig=$(echo "select config from identity_credentials where identity_id=${identityId};" | sqlite3 "$databasePath")
+  if [[ "$status" == "locked" ]]; then
+    config=$(echo $oldConfig | sed -e 's/hashed/locked/')
+    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to lock credential record"
+
+    echo "delete from sessions where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to invalidate sessions"    
+  else
+    config=$(echo $oldConfig | sed -e 's/locked/hashed/')
+    echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id=${identityId};" | sqlite3 "$databasePath"
+    [[ $? != 0 ]] && fail "Unable to unlock credential record"
+  fi  
+
+  updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url)")
+  response=$(curl -Ss -XPUT ${kratosUrl}/identities/$identityId -d "$updatedJson")
+  [[ $? != 0 ]] && fail "Unable to mark user as locked"
+
+}
+
 function updateUser() {
   email=$1
 
@@ -179,9 +201,9 @@ case "${operation}" in
     validateEmail "$email"
     createUser "$email"
     echo "Successfully added new user to SOC"
-    check_container thehive && (echo $password | so-thehive-user-add "$email" || so-thehive-user-enable "$email" true)
-    check_container cortex && (echo $password | so-cortex-user-add "$email" || so-cortex-user-enable "$email" true)
-    check_container fleet && (echo $password | so-fleet-user-add "$email" || so-fleet-user-enable "$email" true)
+    check_container thehive && echo $password | so-thehive-user-add "$email"
+    check_container cortex && echo $password | so-cortex-user-add "$email"
+    check_container fleet && echo $password | so-fleet-user-add "$email"
     ;;
 
   "list")
@@ -197,6 +219,28 @@ case "${operation}" in
     echo "Successfully updated user"
     ;;
 
+  "enable")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    updateStatus "$email" 'active'
+    echo "Successfully enabled user"
+    check_container thehive && so-thehive-user-enable "$email" true
+    check_container cortex && so-cortex-user-enable "$email" true
+    check_container fleet && so-fleet-user-enable "$email" true   
+    ;;
+
+  "disable")
+    verifyEnvironment
+    [[ "$email" == "" ]] && fail "Email address must be provided"
+
+    updateStatus "$email" 'locked'
+    echo "Successfully disabled user"
+    check_container thehive && so-thehive-user-enable "$email" false
+    check_container cortex && so-cortex-user-enable "$email" false
+    check_container fleet && so-fleet-user-enable "$email" false   
+    ;;    
+
   "delete")
     verifyEnvironment
     [[ "$email" == "" ]] && fail "Email address must be provided"
diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml
index 2e8a408fd..928e744d0 100644
--- a/salt/soc/files/kratos/kratos.yaml
+++ b/salt/soc/files/kratos/kratos.yaml
@@ -6,52 +6,39 @@ selfservice:
     password:
       enabled: true
 
-  settings:
-    privileged_session_max_age: 1m
-    after:
-      profile:
-        hooks:
-          - hook: verify
-          
-  verify:
-    return_to: https://{{ WEBACCESS }}/
+  flows:
+    settings:
+      ui_url: https://{{ WEBACCESS }}/?r=/settings
 
-  logout:
-    redirect_to: https://{{ WEBACCESS }}/login/
+    verification:
+      ui_url: https://{{ WEBACCESS }}/
 
-  login:
-    request_lifespan: 10m
+    login:
+      ui_url: https://{{ WEBACCESS }}/login/
 
-  registration:
-    request_lifespan: 10m
-    after:
-      password:
-        hooks:
-          - hook: session
-          - hook: verify
+    error:
+      ui_url: https://{{ WEBACCESS }}/login/
+
+    registration:
+      ui_url: https://{{ WEBACCESS }}/login/
+    
+  default_browser_return_url: https://{{ WEBACCESS }}/
+  whitelisted_return_urls:
+    - http://127.0.0.1
 
 log:
   level: debug
   format: json
 
 secrets:
-  session:
+  default:
     - {{ KRATOSKEY }}
 
-urls:
-  login_ui: https://{{ WEBACCESS }}/login/
-  registration_ui: https://{{ WEBACCESS }}/login/
-  error_ui: https://{{ WEBACCESS }}/login/
-  settings_ui: https://{{ WEBACCESS }}/?r=/settings
-  verify_ui: https://{{ WEBACCESS }}/
-  mfa_ui: https://{{ WEBACCESS }}/
-
-  self:
-    public: https://{{ WEBACCESS }}/auth/
-    admin: https://{{ WEBACCESS }}/kratos/
-  default_return_to: https://{{ WEBACCESS }}/
-  whitelisted_return_to_urls:
-    - http://127.0.0.1
+serve:
+  public: 
+    base_url: https://{{ WEBACCESS }}/auth/
+  admin: 
+    base_url: https://{{ WEBACCESS }}/kratos/
 
 hashers:
   argon2:
@@ -62,8 +49,7 @@ hashers:
     key_length: 32
 
 identity:
-  traits:
-    default_schema_url: file:///kratos-conf/schema.json
+  default_schema_url: file:///kratos-conf/schema.json
 
 courier:
   smtp:
diff --git a/salt/soc/files/kratos/schema.json b/salt/soc/files/kratos/schema.json
index a22a9fef6..986086936 100644
--- a/salt/soc/files/kratos/schema.json
+++ b/salt/soc/files/kratos/schema.json
@@ -4,37 +4,46 @@
     "title": "Person",
     "type": "object",
     "properties": {
-      "email": {
-        "type": "string",
-        "format": "email",
-        "title": "E-Mail",
-        "minLength": 6,
-        "ory.sh/kratos": {
-          "credentials": {
-            "password": {
-              "identifier": true
+      "traits": {
+        "type": "object",
+        "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 6,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            },
+            "verification": {
+              "via": "email"
             }
-          },
-          "verification": {
-            "via": "email"
           }
-        }
+        },
+        "firstName": {
+          "type": "string",
+          "title": "First Name"
+        },
+        "lastName": {
+          "type": "string",
+          "title": "Last Name"
+        },
+        "role": {
+          "type": "string",
+          "title": "Role"
+        },
+        "status": {
+          "type": "string",
+          "title": "Status"
+        }      
       },
-      "firstName": {
-        "type": "string",
-        "title": "First Name"
-      },
-      "lastName": {
-        "type": "string",
-        "title": "Last Name"
-      },
-      "role": {
-        "type": "string",
-        "title": "Role"
-      }
-    },
-    "required": [
-      "email"
-    ],
-    "additionalProperties": false
-  }
\ No newline at end of file
+      "required": [
+        "email"
+      ],
+      "additionalProperties": false
+    }
+  }
+}
\ No newline at end of file