Merge branch 'release/3.4.1'

build.sbt

@@ -53,17 +53,17 @@ lazy val thehiveCortex = (project in file("thehive-cortex"))
   )
 
 lazy val thehive = (project in file("."))
-  .enablePlugins(PlayScala/*, PlayAkkaHttp2Support*/)
+  .enablePlugins(PlayScala /*, PlayAkkaHttp2Support*/ )
   .enablePlugins(Bintray)
   .dependsOn(thehiveBackend, thehiveMisp, thehiveCortex)
   .aggregate(thehiveBackend, thehiveMisp, thehiveCortex)
   .settings(projectSettings)
   .settings(
     aggregate in Debian := false,
     aggregate in Rpm := false,
-    aggregate in Docker := false
+    aggregate in Docker := false,
+    aggregate in changeLog := false
   )
-
 lazy val rpmPackageRelease = (project in file("package/rpm-release"))
   .enablePlugins(RpmPlugin)
   .settings(projectSettings)
@@ -81,23 +81,27 @@ lazy val rpmPackageRelease = (project in file("package/rpm-release"))
     packageDescription :=
       """This package contains the TheHive-Project packages repository
         |GPG key as well as configuration for yum.""".stripMargin,
-    linuxPackageMappings in Rpm := Seq(packageMapping(
-      file("PGP-PUBLIC-KEY") -> "etc/pki/rpm-gpg/GPG-TheHive-Project",
-      file("package/rpm-release/thehive-rpm.repo") -> "/etc/yum.repos.d/thehive-rpm.repo",
-      file("LICENSE") -> "/usr/share/doc/thehive-project-release/LICENSE"
-    ))
+    linuxPackageMappings in Rpm := Seq(
+      packageMapping(
+        file("PGP-PUBLIC-KEY")                       → "etc/pki/rpm-gpg/GPG-TheHive-Project",
+        file("package/rpm-release/thehive-rpm.repo") → "/etc/yum.repos.d/thehive-rpm.repo",
+        file("LICENSE")                              → "/usr/share/doc/thehive-project-release/LICENSE"
+      )
+    )
   )
 
 rpmReleaseFile := {
   import scala.sys.process._
   val rpmFile = (packageBin in Rpm in rpmPackageRelease).value
-  Process("rpm" ::
-    "--define" :: "_gpg_name TheHive Project" ::
-    "--define" :: "_signature gpg" ::
-    "--define" :: "__gpg_check_password_cmd /bin/true" ::
-    "--define" :: "__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}" ::
-    "--addsign" :: rpmFile.toString ::
-    Nil).!!
+  Process(
+    "rpm" ::
+      "--define" :: "_gpg_name TheHive Project" ::
+      "--define" :: "_signature gpg" ::
+      "--define" :: "__gpg_check_password_cmd /bin/true" ::
+      "--define" :: "__gpg_sign_cmd %{__gpg} gpg --batch --no-verbose --no-armor --use-agent --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} %{__plaintext_filename}" ::
+      "--addsign" :: rpmFile.toString ::
+      Nil
+  ).!!
   rpmFile
 }
 

conf/application.sample

@@ -45,57 +45,110 @@ search {
 
 # Authentication
 auth {
-	# "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
-	# available auth types are:
-	# services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
-	# ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
-	# ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
-	provider = [local]
+  # "provider" parameter contains authentication provider. It can be multi-valued (useful for migration)
+  # available auth types are:
+  # services.LocalAuthSrv : passwords are stored in user entity (in Elasticsearch). No configuration is required.
+  # ad : use ActiveDirectory to authenticate users. Configuration is under "auth.ad" key
+  # ldap : use LDAP to authenticate users. Configuration is under "auth.ldap" key
+  # oauth2 : use OAuth/OIDC to authenticate users. Configuration is under "auth.oauth2" and "auth.sso" keys
+  provider = [local]
 
   # By default, basic authentication is disabled. You can enable it by setting "method.basic" to true.
   #method.basic = true
 
-
-	ad {
-		# The Windows domain name in DNS format. This parameter is required if you do not use
-		# 'serverNames' below.
-		#domainFQDN = "mydomain.local"
-
-		# Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
-		# above. If this parameter is not set, TheHive uses 'domainFQDN'.
-        #serverNames = [ad1.mydomain.local, ad2.mydomain.local]
-
-		# The Windows domain name using short format. This parameter is required.
-		#domainName = "MYDOMAIN"
-
-		# If 'true', use SSL to connect to the domain controller.
-		#useSSL = true
-	}
-
-	ldap {
-		# The LDAP server name or address. The port can be specified using the 'host:port'
-		# syntax. This parameter is required if you don't use 'serverNames' below.
-		#serverName = "ldap.mydomain.local:389"
-
-		# If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
-        #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
-
-		# Account to use to bind to the LDAP server. This parameter is required.
-		#bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
-
-		# Password of the binding account. This parameter is required.
-		#bindPW = "***secret*password***"
-
-		# Base DN to search users. This parameter is required.
-		#baseDN = "ou=users,dc=mydomain,dc=local"
-
-		# Filter to search user in the directory server. Please note that {0} is replaced
-		# by the actual user name. This parameter is required.
-		#filter = "(cn={0})"
-
-		# If 'true', use SSL to connect to the LDAP directory server.
-		#useSSL = true
-	}
+  ad {
+    # The Windows domain name in DNS format. This parameter is required if you do not use
+    # 'serverNames' below.
+    #domainFQDN = "mydomain.local"
+
+    # Optionally you can specify the host names of the domain controllers instead of using 'domainFQDN
+    # above. If this parameter is not set, TheHive uses 'domainFQDN'.
+    #serverNames = [ad1.mydomain.local, ad2.mydomain.local]
+
+    # The Windows domain name using short format. This parameter is required.
+    #domainName = "MYDOMAIN"
+
+    # If 'true', use SSL to connect to the domain controller.
+    #useSSL = true
+  }
+
+  ldap {
+    # The LDAP server name or address. The port can be specified using the 'host:port'
+    # syntax. This parameter is required if you don't use 'serverNames' below.
+    #serverName = "ldap.mydomain.local:389"
+
+    # If you have multiple LDAP servers, use the multi-valued setting 'serverNames' instead.
+    #serverNames = [ldap1.mydomain.local, ldap2.mydomain.local]
+
+    # Account to use to bind to the LDAP server. This parameter is required.
+    #bindDN = "cn=thehive,ou=services,dc=mydomain,dc=local"
+
+    # Password of the binding account. This parameter is required.
+    #bindPW = "***secret*password***"
+
+    # Base DN to search users. This parameter is required.
+    #baseDN = "ou=users,dc=mydomain,dc=local"
+
+    # Filter to search user in the directory server. Please note that {0} is replaced
+    # by the actual user name. This parameter is required.
+    #filter = "(cn={0})"
+
+    # If 'true', use SSL to connect to the LDAP directory server.
+    #useSSL = true
+  }
+
+  oauth2 {
+    # URL of the authorization server
+    #clientId = "client-id"
+    #clientSecret = "client-secret"
+    #redirectUri = "https://my-thehive-instance.example/index.html#!/login"
+    #responseType = "code"
+    #grantType = "authorization_code"
+
+    # URL from where to get the access token
+    #authorizationUrl = "https://auth-site.com/OAuth/Authorize"
+    #tokenUrl = "https://auth-site.com/OAuth/Token"
+
+    # The endpoint from which to obtain user details using the OAuth token, after successful login
+    #userUrl = "https://auth-site.com/api/User"
+    #scope = "openid profile"
+  }
+
+  # Single-Sign On
+  sso {
+    # Autocreate user in database?
+    #autocreate = false
+
+    # Autoupdate its profile and roles?
+    #autoupdate = false
+
+    # Autologin user using SSO?
+    #autologin = false
+
+    # Attributes mappings
+    #attributes {
+    #  login = "sub"
+    #  name = "name"
+    #  groups = "groups"
+    #  #roles = "roles"
+    #}
+
+    # Name of mapping class from user resource to backend user ('simple' or 'group')
+    #mapper = group
+    # Default roles for users with no groups mapped ("read", "write", "admin")
+    #defaultRoles = []
+
+    #groups {
+    #  # URL to retreive groups (leave empty if you are using OIDC)
+    #  #url = "https://auth-site.com/api/Groups"
+    #  # Group mappings, you can have multiple roles for each group: they are merged
+    #  mappings {
+    #    admin-profile-name = ["admin"]
+    #    editor-profile-name = ["write"]
+    #    reader-profile-name = ["read"]
+    #  }
+    #}
+  }
 }
 
 # Maximum time between two requests without requesting authentication

conf/logback.xml

@@ -46,9 +46,14 @@
     <!--logger name="services.LocalStreamActor" level="DEBUG" /-->
     <!--logger name="services.StreamActor" level="DEBUG" /-->
 
+    <!-- Uncomment the next lines to log debug information for OAuth/OIDC login -->
+    <!--logger name="org.elastic4play.services.auth" level="DEBUG" /-->
+    <!--logger name="services.OAuth2Srv" level="DEBUG" /-->
+    <!--logger name="services.mappers" level="DEBUG" /-->
+
     <root level="INFO">
         <appender-ref ref="ASYNCFILE" />
         <appender-ref ref="ASYNCSTDOUT" />
     </root>
 
-</configuration>
+</configuration>

docker.sbt

@@ -3,36 +3,53 @@ import com.typesafe.sbt.packager.docker.{Cmd, ExecCmd}
 
 version in Docker := {
   version.value match {
-    case stableVersion(_, _) => version.value
-    case betaVersion(v1, v2) => v1 + "-0.1RC" + v2
-    case snapshotVersion(_, _) => version.value + "-SNAPSHOT"
-    case _ => sys.error("Invalid version: " + version.value)
+    case stableVersion(_, _)   ⇒ version.value
+    case betaVersion(v1, v2)   ⇒ v1 + "-0.1RC" + v2
+    case snapshotVersion(_, _) ⇒ version.value + "-SNAPSHOT"
+    case _                     ⇒ sys.error("Invalid version: " + version.value)
   }
 }
 defaultLinuxInstallLocation in Docker := "/opt/thehive"
 dockerRepository := Some("thehiveproject")
 dockerUpdateLatest := !version.value.toUpperCase.contains("RC") && !version.value.contains("SNAPSHOT")
 dockerEntrypoint := Seq("/opt/thehive/entrypoint")
 dockerExposedPorts := Seq(9000)
+daemonUser in Docker := "thehive"
+daemonGroup in Docker := "thehive"
 mappings in Docker ++= Seq(
-  file("package/docker/entrypoint") -> "/opt/thehive/entrypoint",
-  file("package/logback.xml") -> "/etc/thehive/logback.xml",
-  file("package/empty") -> "/var/log/thehive/application.log")
+  file("package/docker/entrypoint") → "/opt/thehive/entrypoint",
+  file("package/logback.xml")       → "/etc/thehive/logback.xml",
+  file("package/empty")             → "/var/log/thehive/application.log"
+)
 mappings in Docker ~= (_.filterNot {
-  case (_, filepath) => filepath == "/opt/thehive/conf/application.conf"
+  case (_, filepath) ⇒ filepath == "/opt/thehive/conf/application.conf"
 })
-dockerCommands ~= { dc =>
-  val (dockerInitCmds, dockerTailCmds) = dc
-    .collect {
-      case ExecCmd("RUN", "chown", _*) => ExecCmd("RUN", "chown", "-R", "daemon:root", ".")
-      case other => other
-    }
-    .splitAt(4)
-  dockerInitCmds ++
-    Seq(
-      Cmd("ADD", "var", "/var"),
-      Cmd("ADD", "etc", "/etc"),
-      ExecCmd("RUN", "chown", "-R", "daemon:root", "/var/log/thehive"),
-      ExecCmd("RUN", "chmod", "+x", "/opt/thehive/bin/thehive", "/opt/thehive/entrypoint")) ++
-    dockerTailCmds
-}
+dockerCommands := Seq(
+  Cmd("FROM", "openjdk:8"),
+  Cmd("LABEL", "MAINTAINER=\"TheHive Project <support@thehive-project.org>\"", "repository=\"https://github.com/TheHive-Project/TheHive\""),
+  Cmd("WORKDIR", "/opt/thehive"),
+  // format: off
+  Cmd("RUN",
+    "apt", "update", "&&",
+    "apt", "upgrade", "-y", "&&",
+    "apt", "autoclean", "-y", "-q",  "&&",
+    "apt", "autoremove", "-y", "-q",  "&&",
+    "rm", "-rf", "/var/lib/apt/lists/*", "&&",
+    "(", "type", "groupadd", "1>/dev/null", "2>&1", "&&",
+      "groupadd", "-g", "1000", "thehive", "||",
+      "addgroup", "-g", "1000", "-S", "thehive",
+    ")", "&&",
+    "(", "type", "useradd", "1>/dev/null", "2>&1", "&&",
+      "useradd", "--system", "--uid", "1000", "--gid", "1000", "thehive", "||",
+      "adduser", "-S", "-u", "1000", "-G", "thehive", "thehive",
+    ")"),
+  //format: on
+  Cmd("ADD", "--chown=root:root", "opt", "/opt"),
+  Cmd("ADD", "--chown=thehive:thehive", "var", "/var"),
+  Cmd("ADD", "--chown=thehive:thehive", "etc", "/etc"),
+  ExecCmd("RUN", "chmod", "+x", "/opt/thehive/bin/thehive", "/opt/thehive/entrypoint"),
+  Cmd("EXPOSE", "9000"),
+  Cmd("USER", "thehive"),
+  ExecCmd("ENTRYPOINT", "/opt/thehive/entrypoint"),
+  ExecCmd("CMD")
+)

docker/thehive/docker-compose.yml

@@ -1,27 +1,25 @@
 version: "2"
 services:
   elasticsearch:
-    image: elasticsearch:6.8.0
+    image: elasticsearch:6.8.8
     environment:
       - http.host=0.0.0.0
-      - cluster.name=hive
-      - thread_pool.index.queue_size=100000
-      - thread_pool.search.queue_size=100000
-      - thread_pool.bulk.queue_size=100000
+      - discovery.type=single-node
     ulimits:
       nofile:
         soft: 65536
         hard: 65536
   cortex:
-    image: thehiveproject/cortex:3.0.1
+    image: thehiveproject/cortex:latest
     depends_on:
       - elasticsearch
     ports:
       - "0.0.0.0:9001:9001"
   thehive:
-    image: thehiveproject/thehive:3.4.0
+    image: thehiveproject/thehive:latest
     depends_on:
       - elasticsearch
       - cortex
     ports:
       - "0.0.0.0:9000:9000"
+    command: --cortex-port 9001