Merge pull request #590 from jurgenmehja/4.3

alberpilot · web-flow · commit 04517f0d0457 · 2022-12-22T13:10:13.000+01:00
Add possibility to configure single sign on through puppet
diff --git a/manifests/dashboard.pp b/manifests/dashboard.pp
@@ -14,6 +14,16 @@
   $dashboard_server_host = '0.0.0.0',
   $dashboard_server_hosts = "https://${indexer_server_ip}:${indexer_server_port}",
 
+  # Parameters used for OpenID login
+  $enable_openid_login = undef,
+  $opensearch_ssl_verificationMode = undef,
+  $opensearch_security_openid_connect_url = undef,
+  $opensearch_security_openid_client_id = undef,
+  $opensearch_security_openid_client_secret = undef,
+  $opensearch_security_openid_base_redirect_url = undef,
+  $opensearch_security_openid_verify_hostnames = undef,
+
+
   # If the keystore is used, the credentials are not managed by the module (TODO).
   # If use_keystore is false, the keystore is deleted, the dashboard use the credentials in the configuration file.
   $use_keystore = true,
diff --git a/manifests/indexer.pp b/manifests/indexer.pp
@@ -26,6 +26,9 @@
 
   # JVM options
   $jvm_options_memory = '1g',
+
+  # Parameters used for openid login
+  $openid_connect_url   = undef,
 ) {
   if $manage_repos {
     include wazuh::repo
@@ -83,6 +86,12 @@
     require => Package['wazuh-indexer'],
     notify  => Service['wazuh-indexer'],
   }
+  
+  file { 
+    '/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml':
+      content => template('wazuh/opensearch_security_config.yml.erb'),
+      notify  => Service['wazuh-indexer'],
+  }
 
   file_line { 'Insert line initial size of total heap space':
     path    => '/etc/wazuh-indexer/jvm.options',
diff --git a/templates/opensearch_security_config.yml.erb b/templates/opensearch_security_config.yml.erb
@@ -0,0 +1,33 @@
+---
+_meta:
+  type: "config"
+  config_version: 2
+config:
+  dynamic:
+    http:
+      anonymous_auth_enabled: false
+    authc:
+      basic:
+      basic_internal_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 0
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          type: internal
+      openid_auth_domain:
+        http_enabled: true
+        transport_enabled: true
+        order: 1
+        http_authenticator:
+          type: openid
+          challenge: false
+          config:
+            subject_key: preferred_username
+            roles_key: roles
+            openid_connect_url: <%= @openid_connect_url %>
+            verify_hostnames: false
+        authentication_backend:
+          type: noop
diff --git a/templates/wazuh_dashboard_yml.erb b/templates/wazuh_dashboard_yml.erb
@@ -9,9 +9,16 @@ opensearch.password: <%= @dashboard_password %>
 opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
 opensearch_security.multitenancy.enabled: false
 opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+<% if @enable_openid_login -%>
+opensearch_security.auth.type: <%= @opensearch_security_auth_type %>
+opensearch_security.openid.connect_url: <%= @opensearch_security_openid_connect_url %>
+opensearch_security.openid.client_id: <%= @opensearch_security_openid_client_id %>
+opensearch_security.openid.client_secret: <%= @opensearch_security_openid_client_secret %>
+opensearch_security.openid.base_redirect_url: <%= @opensearch_security_openid_base_redirect_url %>
+opensearch_security.openid.verify_hostnames: <%= @opensearch_security_openid_verify_hostnames %>
+<% end -%>
 server.ssl.enabled: true
 server.ssl.key: "<%= @dashboard_path_certs %>/dashboard-key.pem"
 server.ssl.certificate: "<%= @dashboard_path_certs %>/dashboard.pem"
 opensearch.ssl.certificateAuthorities: ["<%= @dashboard_path_certs %>/root-ca.pem"]
 uiSettings.overrides.defaultRoute: /app/wazuh
-
