Gracefully handle situations when another process is using the Kratos DB

This commit is contained in:
Jason Ertel
2022-03-08 10:38:05 -05:00
parent f147bb33ed
commit f2865d8b7f


@@ -46,6 +46,7 @@ role=$3
kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434} kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434}
databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite} databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite}
databaseTimeout=${KRATOS_DB_TIMEOUT:-5000}
bcryptRounds=${BCRYPT_ROUNDS:-12} bcryptRounds=${BCRYPT_ROUNDS:-12}
elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles} elasticRolesFile=${ELASTIC_ROLES_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users_roles}
@@ -147,10 +148,14 @@ function updatePassword() {
# Generate password hash # Generate password hash
passwordHash=$(hashPassword "$password") passwordHash=$(hashPassword "$password")
# Update DB with new hash # Update DB with new hash
<<<<<<< Updated upstream
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 "$databasePath" echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 "$databasePath"
# Deactivate MFA # Deactivate MFA
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 "$databasePath" echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 "$databasePath"
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 "$databasePath" echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 "$databasePath"
=======
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}';" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
>>>>>>> Stashed changes
[[ $? != 0 ]] && fail "Unable to update password" [[ $? != 0 ]] && fail "Unable to update password"
fi fi
} }
@@ -175,7 +180,7 @@ function ensureRoleFileExists() {
if [[ -f "$databasePath" ]]; then if [[ -f "$databasePath" ]]; then
echo "Migrating roles to new file: $socRolesFile" echo "Migrating roles to new file: $socRolesFile"
echo "select 'superuser:' || id from identities;" | sqlite3 "$databasePath" \ echo "select 'superuser:' || id from identities;" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" \
>> "$rolesTmpFile" >> "$rolesTmpFile"
[[ $? != 0 ]] && fail "Unable to read identities from database" [[ $? != 0 ]] && fail "Unable to read identities from database"
@@ -246,8 +251,13 @@ function syncElastic() {
if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then
# Append the SOC users # Append the SOC users
<<<<<<< Updated upstream
echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
"from identity_credential_identifiers ici, identity_credentials ic, identities i, identity_credential_types ict " \ "from identity_credential_identifiers ici, identity_credentials ic, identities i, identity_credential_types ict " \
=======
userData=$(echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
"from identity_credential_identifiers ici, identity_credentials ic, identities i " \
>>>>>>> Stashed changes
"where " \ "where " \
" ici.identity_credential_id=ic.id " \ " ici.identity_credential_id=ic.id " \
" and ic.identity_id=i.id " \ " and ic.identity_id=i.id " \
@@ -256,22 +266,29 @@ function syncElastic() {
" and instr(ic.config, 'hashed_password') " \ " and instr(ic.config, 'hashed_password') " \
" and i.state == 'active' " \ " and i.state == 'active' " \
"order by ici.identifier;" | \ "order by ici.identifier;" | \
sqlite3 "$databasePath" | \ sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath")
jq -r '.user + ":" + .data.hashed_password' \
>> "$usersTmpFile"
[[ $? != 0 ]] && fail "Unable to read credential hashes from database" [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
echo "$userData" | jq -r '.user + ":" + .data.hashed_password' >> "$usersTmpFile"
# Append the user roles # Append the user roles
while IFS="" read -r rolePair || [ -n "$rolePair" ]; do while IFS="" read -r rolePair || [ -n "$rolePair" ]; do
userId=$(echo "$rolePair" | cut -d: -f2) userId=$(echo "$rolePair" | cut -d: -f2)
role=$(echo "$rolePair" | cut -d: -f1) role=$(echo "$rolePair" | cut -d: -f1)
echo "select '$role:' || ici.identifier " \ echo "select '$role:' || ici.identifier " \
<<<<<<< Updated upstream
"from identity_credential_identifiers ici, identity_credentials ic, identity_credential_types ict " \ "from identity_credential_identifiers ici, identity_credentials ic, identity_credential_types ict " \
"where ici.identity_credential_id=ic.id " \ "where ici.identity_credential_id=ic.id " \
" and ict.id=ic.identity_credential_type_id " \ " and ict.id=ic.identity_credential_type_id " \
" and ict.name='password' " \ " and ict.name='password' " \
" and ic.identity_id = '$userId';" | \ " and ic.identity_id = '$userId';" | \
sqlite3 "$databasePath" >> "$rolesTmpFile" sqlite3 "$databasePath" >> "$rolesTmpFile"
=======
"from identity_credential_identifiers ici, identity_credentials ic " \
"where ici.identity_credential_id=ic.id and ic.identity_id = '$userId';" | \
sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" >> "$rolesTmpFile"
[[ $? != 0 ]] && fail "Unable to read user role identifiers from database"
>>>>>>> Stashed changes
done < "$socRolesFile" done < "$socRolesFile"
else else
@@ -301,7 +318,8 @@ function syncAll() {
if [[ -z "$FORCE_SYNC" && -f "$databasePath" && -f "$elasticUsersFile" ]]; then if [[ -z "$FORCE_SYNC" && -f "$databasePath" && -f "$elasticUsersFile" ]]; then
usersFileAgeSecs=$(echo $(($(date +%s) - $(date +%s -r "$elasticUsersFile")))) usersFileAgeSecs=$(echo $(($(date +%s) - $(date +%s -r "$elasticUsersFile"))))
staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${usersFileAgeSecs} seconds');" \ staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${usersFileAgeSecs} seconds');" \
| sqlite3 "$databasePath") | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath")
[[ $? != 0 ]] && fail "Unable to read user count from database"
if [[ "$staleCount" == "0" && "$elasticRolesFile" -nt "$socRolesFile" ]]; then if [[ "$staleCount" == "0" && "$elasticRolesFile" -nt "$socRolesFile" ]]; then
return 1 return 1
fi fi
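Review bot: The new side of the updatePassword hunk checks in unresolved merge markers — `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` — which bash cannot parse (`<<<` followed by another operator is a syntax error), so the whole script fails to load; the same markers appear in both syncElastic hunks. The two sides of that conflict are not equivalent: the upstream side restricts the update to the row whose identity_credential_type_id is the 'password' type and then deletes the TOTP credential rows, while the stashed side (`... where identity_id='${identityId}';" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"`) updates every identity_credentials row for the identity and, as shown, carries no MFA deactivation, so the resolution should keep the type filter and the TOTP deletes and add only the `-cmd ".timeout ${databaseTimeout}"` option. Because `databaseTimeout` is taken directly from `KRATOS_DB_TIMEOUT` and spliced into a sqlite3 dot-command, a guard next to its definition in the first hunk is cheap: `[[ "$databaseTimeout" =~ ^[0-9]+$ ]] || fail "KRATOS_DB_TIMEOUT must be an integer number of milliseconds"`. updatePassword and syncElastic both begin before their hunks, so the surrounding bodies are not visible here.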