cortex: add GitHub OAuth configuration

Signed-off-by: Jakub Sokołowski <[email protected]>
status-im · Nov 13, 2020 · d01e6f7 · d01e6f7
1 parent 9835031
commit d01e6f7
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/ansible/group_vars/thehive-master.yml b/ansible/group_vars/thehive-master.yml
@@ -31,7 +31,6 @@ cortex_search_nodes: |
 # GitHub OAuth details
 cortex_oauth_client_id: '{{ lookup("passwordstore", "services/TheHive-Cortex/OAuth/client-id") }}'
 cortex_oauth_client_secret: '{{ lookup("passwordstore", "services/TheHive-Cortex/OAuth/client-secret") }}'
-cortex_oauth_org_name: 'status-im'
 
 # The Hive ---------------------------------------------------------------------
 the_hive_domain: 'hive.status.im'

diff --git a/ansible/roles/cortex/defaults/main.yml b/ansible/roles/cortex/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+cortex_domain: ~
+
 cortex_service_name: 'cortex'
 cortex_service_user: 'cortex'
 
@@ -40,3 +42,7 @@ cortex_org_name: 'Status.im'
 # User for TheHive API access
 cortex_the_hive_user: 'thehive'
 cortex_the_hive_pass: ~
+
+# OAuth
+cortex_oauth_client_id: ~
+cortex_oauth_client_secret: ~
diff --git a/ansible/roles/cortex/templates/application.conf.j2 b/ansible/roles/cortex/templates/application.conf.j2
@@ -14,10 +14,42 @@ cache.job = 10 minutes
 
 # Authentication
 auth {
-  provider = [local]
+  provider = [
+    local,
+{% if cortex_oauth_client_id is defined %}
+    oauth2,
+{% endif %}
+  ]
   method {
     basic = true
   }
+{% if cortex_oauth_client_id is defined %}
+  sso {
+    autocreate: false
+    autoupdate: false
+    mapper: "simple"
+    attributes {
+      login: "login"
+      name: "name"
+      roles: "role"
+    }
+    defaultRoles: ["read", "analyze"]
+    defaultOrganization: "{{ cortex_org_name }}"
+  }
+  oauth2 {
+    name: oauth2
+    clientId: "{{ cortex_oauth_client_id | mandatory }}"
+    clientSecret: "{{ cortex_oauth_client_secret | mandatory }}"
+    redirectUri: "https://{{ cortex_domain | mandatory }}/api/ssoLogin"
+    responseType: code
+    grantType: "authorization_code"
+    authorizationUrl: "https://github.com/login/oauth/authorize"
+    authorizationHeader: "token"
+    tokenUrl: "https://github.com/login/oauth/access_token"
+    userUrl: "https://api.github.com/user"
+    scope: ["user"]
+  }
+{% endif %}
 }
 
 # ANALYZERS