cortex: create superadmin and thehive users

Signed-off-by: Jakub Sokołowski <[email protected]>
status-im · Nov 13, 2020 · f84f9c6 · f84f9c6
1 parent 6d25ba9
commit f84f9c6
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 14 deletions.
diff --git a/ansible/group_vars/thehive-master.yml b/ansible/group_vars/thehive-master.yml
@@ -6,6 +6,13 @@ es_cluster_name: 'cortex'
 cortex_domain: 'cortex.status.im'
 cortex_port: 9001
 
+# Super Admin
+cortex_admin_user: 'admin'
+cortex_admin_pass: '{{ lookup("passwordstore", "services/TheHive-Cortex/admin-pass") }}'
+# TheHive API Access
+cortex_the_hive_user: 'thehive'
+cortex_the_hive_pass: '{{ lookup("passwordstore", "services/TheHive-Cortex/thehive-pass") }}'
+
 # Paths
 cortex_conf_path: '/data/cortex/conf'
 cortex_logs_path: '/data/cortex/logs'

diff --git a/ansible/roles/cortex/defaults/main.yml b/ansible/roles/cortex/defaults/main.yml
@@ -29,3 +29,14 @@ cortex_search_nodes: []
 
 # Secret for cookies and built-in encryption
 cortex_http_secret: ~
+
+# Super Admin user
+cortex_admin_user: 'admin'
+cortex_admin_pass: ~
+
+# Organization
+cortex_org_name: 'Status.im'
+
+# User for TheHive API access
+cortex_the_hive_user: 'thehive'
+cortex_the_hive_pass: ~
diff --git a/ansible/roles/cortex/tasks/main.yml b/ansible/roles/cortex/tasks/main.yml
@@ -8,8 +8,11 @@
 - name: Create Systemd service
   import_tasks: service.yml
 
-- name: Run database migrations
-  import_tasks: migrate.yml
+- name: Migrations and Super Admin
+  import_tasks: setup.yml
+
+- name: Create Org and users
+  import_tasks: users.yml
 
 - name: Create Consul definition
   import_tasks: consul.yml
diff --git a/ansible/roles/cortex/tasks/migrate.yml b/ansible/roles/cortex/tasks/migrate.yml
diff --git a/ansible/roles/cortex/tasks/setup.yml b/ansible/roles/cortex/tasks/setup.yml
@@ -0,0 +1,43 @@
+---
+- name: Wait for API port to become available
+  wait_for:
+    port: '{{ cortex_port }}'
+    delay: 10
+    timeout: 20
+
+# This is necessary because this software for no reason whatsoever
+# does not run its migrations at startup if ES index doesn't exist.
+# There is no harm in calling this route multiple times.
+# For more details you can read this issue:
+# https://github.com/TheHive-Project/Cortex/issues/305
+- name: Trigger ES index migrations
+  uri:
+    url: 'http://localhost:{{ cortex_port }}/api/maintenance/migrate'
+    method: POST
+    status_code: 204
+
+- name: CHeck if Super Admin exists
+  uri:
+    url: 'http://localhost:{{ cortex_port }}/api/user/{{ cortex_admin_user }}'
+    status_code: [200, 404]
+    force_basic_auth: yes
+    user: '{{ cortex_admin_user }}'
+    password: '{{ cortex_admin_pass }}'
+  register: check_admin_user
+
+- name: Create Super Admin user
+  uri:
+    url: 'http://localhost:{{ cortex_port }}/api/user' 
+    method: 'POST'
+    status_code: 201
+    force_basic_auth: yes
+    user: '{{ cortex_admin_user }}'
+    password: '{{ cortex_admin_pass }}'
+    body_format: 'json'
+    body:
+      name: '{{ cortex_admin_user | mandatory }}'
+      login: '{{ cortex_admin_user | mandatory }}'
+      password: '{{ cortex_admin_pass | mandatory }}'
+      organization: 'cortex'
+      roles: ['superadmin']
+  when: check_admin_user.status == 404
diff --git a/ansible/roles/cortex/tasks/users.yml b/ansible/roles/cortex/tasks/users.yml
@@ -0,0 +1,51 @@
+---
+- name: Check if organization exists
+  uri:
+    url: 'http://localhost:{{ cortex_port }}/api/organization/{{ cortex_org_name }}'
+    status_code: [200, 404]
+    force_basic_auth: yes
+    user: '{{ cortex_admin_user }}'
+    password: '{{ cortex_admin_pass }}'
+  register: check_org_exists
+
+- name: Create organization for TheHive
+  uri:
+    url: 'http://localhost:{{ cortex_port }}/api/organization'
+    method: 'POST'
+    status_code: 201
+    force_basic_auth: yes
+    user: '{{ cortex_admin_user }}'
+    password: '{{ cortex_admin_pass }}'
+    body_format: 'json'
+    body:
+      name: '{{ cortex_org_name }}'
+      description: 'Status Security Incident Response'
+      status: 'Active'
+  when: check_org_exists.status == 404
+
+- name: Check if The Hive user exists
+  uri:
+    url: 'http://localhost:{{ cortex_port }}/api/user/{{ cortex_the_hive_user }}'
+    status_code: [200, 404]
+    force_basic_auth: yes
+    user: '{{ cortex_admin_user }}'
+    password: '{{ cortex_admin_pass }}'
+  register: check_thehive_user
+
+- name: Create API user for TheHive
+  uri:
+    url: 'http://localhost:{{ cortex_port }}/api/user' 
+    method: 'POST'
+    status_code: 201
+    force_basic_auth: yes
+    user: '{{ cortex_admin_user }}'
+    password: '{{ cortex_admin_pass }}'
+    body_format: 'json'
+    body:
+      name: 'The Hive API User'
+      login: '{{ cortex_the_hive_user | mandatory }}'
+      password: '{{ cortex_the_hive_pass | mandatory }}'
+      organization: '{{ cortex_org_name }}'
+      roles: ['read', 'analyze', 'orgadmin']
+  when: check_thehive_user.status == 404
+  register: cortex_the_hive_user_creation
diff --git a/ansible/roles/cortex/templates/application.conf.j2 b/ansible/roles/cortex/templates/application.conf.j2
@@ -14,7 +14,10 @@ cache.job = 10 minutes
 
 # Authentication
 auth {
-    provider = [local]
+  provider = [local]
+  method {
+    basic = true
+  }
 }
 
 # ANALYZERS