the-hive: add GitHub OAuth configuration

It works only if you first create a user with public email of given user in their GitHub profile. Signed-off-by: Jakub Sokołowski <[email protected]>
status-im · Oct 12, 2020 · dc77d24 · dc77d24
1 parent 060fac2
commit dc77d24
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 0 deletions.
diff --git a/ansible/group_vars/thehive-master.yml b/ansible/group_vars/thehive-master.yml
@@ -13,6 +13,11 @@ the_hive_conf_path: '/data/thehive/conf'
 the_hive_data_path: '/data/thehive/data'
 the_hive_logs_path: '/data/thehive/logs'
 
+# GitHub OAuth
+the_hive_oauth_client_id: '{{ lookup("passwordstore", "services/TheHive/OAuth/client-id") }}'
+the_hive_oauth_client_secret: '{{ lookup("passwordstore", "services/TheHive/OAuth/client-secret") }}'
+the_hive_oauth_org_name: 'status-im'
+
 # Cassandra auth
 the_hive_db_user: '{{ lookup("passwordstore", "services/TheHive/Cassandra/user") }}'
 the_hive_db_pass: '{{ lookup("passwordstore", "services/TheHive/Cassandra/pass") }}'

diff --git a/ansible/roles/the-hive/README.md b/ansible/roles/the-hive/README.md
@@ -6,6 +6,8 @@ This role configures [The Hive](https://thehive-project.org/) - an Open Source s
 
 The most basic configuration would include:
 ```yaml
+the_hive_domain: 'the-hive.example.org'
+
 # Application HTTP secret
 the_hive_app_http_secret: 'very-long-random-string'
 
@@ -20,6 +22,16 @@ the_hive_db_hosts:
   - { name: "node-03", addr: "10.1.2.3", port: 1234 }
 ```
 
+# OAuth
+
+Optionally you can enable user autnetication via GitHub OAuth:
+```yaml
+# GitHub OAuth details
+the_hive_oauth_client_id: 'asdasdasdasdasdasdasda'
+the_hive_oauth_client_secret: '1231231231231231231231232131231'
+the_hive_oauth_org_name: 'my-org'
+```
+
 # Details
 
 The service depends on a [Cassandra](https://cassandra.apache.org/) cluster for state storage.

diff --git a/ansible/roles/the-hive/defaults/main.yml b/ansible/roles/the-hive/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+the_hive_domain: ~
+
 # Service
 the_hive_service_name: 'thehive'
 the_hive_service_user: 'thehive'
@@ -23,6 +25,11 @@ the_hive_binary_md5: 'e7fe6b258dc59352b57630a7c060fdc0'
 # Secret for cookies and built-in encryption
 the_hive_http_secret: ~
 
+# GitHub OAuth details
+the_hive_oauth_client_id: ~
+the_hive_oauth_client_secret: ~
+the_hive_oauth_org_name: ~
+
 # Cassandra database nodes and auth
 the_hive_db_user: ~
 the_hive_db_pass: ~

diff --git a/ansible/roles/the-hive/templates/application.conf.j2 b/ansible/roles/the-hive/templates/application.conf.j2
@@ -26,3 +26,34 @@ storage {
   provider: localfs
   localfs.directory: "{{ the_hive_data_path }}"
 }
+
+# Authentication configuration
+auth {
+  providers: [
+    {name: session}
+    {name: basic, realm: thehive}
+    {name: local}
+    {name: key}
+{% if the_hive_oauth_client_id is defined %}
+    {
+      name: oauth2
+      clientId: "{{ the_hive_oauth_client_id | mandatory }}"
+      clientSecret: "{{ the_hive_oauth_client_secret | mandatory }}"
+      userOrganisation: "{{ the_hive_oauth_org_name | mandatory }}"
+      redirectUri: "https://{{ the_hive_domain | mandatory }}/api/ssoLogin"
+      responseType: code
+      grantType: "authorization_code"
+      authorizationUrl: "https://github.com/login/oauth/authorize"
+      authorizationHeader: "token"
+      tokenUrl: "https://github.com/login/oauth/access_token"
+      userUrl: "https://api.github.com/user"
+      scope: ["user"]
+      userIdField: "email" 
+    }
+{% endif %}
+  ]
+  # The format of logins must be valid email address format.
+  # If the provided login doesn't contain `@` the following 
+  # domain is automatically appended.
+  defaultUserDomain: "{{ the_hive_domain | mandatory }}"
+}