From d01e6f733f14d425a83c1b7e9e445eaa86d70473 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Fri, 13 Nov 2020 18:30:31 +0100
Subject: [PATCH] cortex: add GitHub OAuth configuration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jakub SokoĊ‚owski
---
 ansible/group_vars/thehive-master.yml | 1 -
 ansible/roles/cortex/defaults/main.yml | 6 ++++
 .../cortex/templates/application.conf.j2 | 34 ++++++++++++++++++-
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/ansible/group_vars/thehive-master.yml b/ansible/group_vars/thehive-master.yml
index 8497bb3..fff3c9c 100644
--- a/ansible/group_vars/thehive-master.yml
+++ b/ansible/group_vars/thehive-master.yml
@@ -31,7 +31,6 @@ cortex_search_nodes: |
 # GitHub OAuth details
 cortex_oauth_client_id: '{{ lookup("passwordstore", "services/TheHive-Cortex/OAuth/client-id") }}'
 cortex_oauth_client_secret: '{{ lookup("passwordstore", "services/TheHive-Cortex/OAuth/client-secret") }}'
-cortex_oauth_org_name: 'status-im'
 
 # The Hive ---------------------------------------------------------------------
 the_hive_domain: 'hive.status.im'
diff --git a/ansible/roles/cortex/defaults/main.yml b/ansible/roles/cortex/defaults/main.yml
index dcbfe3b..c40bafc 100644
--- a/ansible/roles/cortex/defaults/main.yml
+++ b/ansible/roles/cortex/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+cortex_domain: ~
+
 cortex_service_name: 'cortex'
 cortex_service_user: 'cortex'
 
@@ -40,3 +42,7 @@ cortex_org_name: 'Status.im'
 # User for TheHive API access
 cortex_the_hive_user: 'thehive'
 cortex_the_hive_pass: ~
+
+# OAuth
+cortex_oauth_client_id: ~
+cortex_oauth_client_secret: ~
diff --git a/ansible/roles/cortex/templates/application.conf.j2 b/ansible/roles/cortex/templates/application.conf.j2
index 2c98428..b2d11d2 100644
--- a/ansible/roles/cortex/templates/application.conf.j2
+++ b/ansible/roles/cortex/templates/application.conf.j2
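Review bot: Adding `cortex_oauth_client_id: ~` and `cortex_oauth_client_secret: ~` to the role defaults makes both variables always defined (with a null value) on every host the role runs on, so the `{% if cortex_oauth_client_id is defined %}` guards this same commit adds to application.conf.j2 are always true and the oauth2 provider is enabled unconditionally. The `mandatory` filter does not catch this either: it rejects only undefined variables, so a null value passes and is rendered into clientId as the literal `None`. Either leave the two OAuth keys out of defaults so `is defined` keeps its meaning, or keep the defaults and change both template conditions to `{% if cortex_oauth_client_id is not none %}`. The same consideration applies to the new `cortex_domain: ~` default, whose `mandatory` check in the template would likewise accept a null value and produce a malformed redirectUri.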
@@ -14,10 +14,42 @@ cache.job = 10 minutes
 
 # Authentication
 auth {
- provider = [local]
+ provider = [
+ local,
+{% if cortex_oauth_client_id is defined %}
+ oauth2,
+{% endif %}
+ ]
 method {
 basic = true
 }
+{% if cortex_oauth_client_id is defined %}
+ sso {
+ autocreate: false
+ autoupdate: false
+ mapper: "simple"
+ attributes {
+ login: "login"
+ name: "name"
+ roles: "role"
+ }
+ defaultRoles: ["read", "analyze"]
+ defaultOrganization: "{{ cortex_org_name }}"
+ }
+ oauth2 {
+ name: oauth2
+ clientId: "{{ cortex_oauth_client_id | mandatory }}"
+ clientSecret: "{{ cortex_oauth_client_secret | mandatory }}"
+ redirectUri: "https://{{ cortex_domain | mandatory }}/api/ssoLogin"
+ responseType: code
+ grantType: "authorization_code"
+ authorizationUrl: "https://github.com/login/oauth/authorize"
+ authorizationHeader: "token"
+ tokenUrl: "https://github.com/login/oauth/access_token"
+ userUrl: "https://api.github.com/user"
+ scope: ["user"]
+ }
+{% endif %}
 }
 
 # ANALYZERS
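Review bot: `scope: ["user"]` requests GitHub's full `user` scope, which is read/write on the profile, while the only data this block consumes from `userUrl` is the `login` and `name` attributes mapped in the sso section; the read-only `scope: ["read:user"]` is sufficient and keeps the issued token least-privilege. The commit also removes the `cortex_oauth_org_name` group variable, so nothing in this block restricts which GitHub accounts can complete the OAuth flow; that is acceptable only because `autocreate: false` prevents unknown accounts from being provisioned, and the dependency deserves a comment on that line such as `# must stay false: no GitHub org check is enforced, so only pre-existing Cortex users may log in via OAuth`. The clientSecret is rendered in clear into application.conf; the template task's file mode is outside this diff, so confirm it is readable only by the cortex service user.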