Add Azure AD implementation

Config/bootstrap.php

@@ -117,6 +117,9 @@ function initializeSentry($sentryDsn) {
  */
 // CakePlugin::load('CertAuth');
 // CakePlugin::load('ShibbAuth');
+{% if AZURE_LOGIN %}
+CakePlugin::load('AadAuth');
+{% endif %}
 
 /**
  * Configures default file logging options
@@ -142,4 +145,3 @@ function initializeSentry($sentryDsn) {
 if (in_array('phar', stream_get_wrappers(), true)) {
     stream_wrapper_unregister('phar');
 }
-

Config/config.php

@@ -105,6 +105,20 @@
     'custom_css' => {{ MISP_CUSTOM_CSS | str }},
     'tmpdir' => '/tmp',
   ],
+  {% if AZURE_LOGIN %}
+  'AadAuth' => [
+    'client_id' => '{{ AZURE_CLIENT_ID }}', // Client ID (see Azure AD)
+    'ad_tenant' => '{{ AZURE_AD_TENANT }}', // Directory ID (see Azure AD)
+    'client_secret' => '{{ AZURE_CLIENT_SECRET }}', // Client secret (see Azure AD)
+    'redirect_uri' => '{{ AZURE_REDIRECT_URI }}', // Your MISP URI, must be the same as in Azure AD
+    'auth_provider' => 'https://login.microsoftonline.com/', // No change required
+    'auth_provider_user' => 'https://graph.microsoft.com/', // No change required
+    'misp_user' => '{{ AZURE_MISP_USER_GROUP }}', // The AD group for MISP users
+    'misp_orgadmin' => '{{ AZURE_MISP_ORGADMIN_GROUP }}', // The AD group for MISP administrators
+    'misp_siteadmin' => '{{ AZURE_MISP_SITEADMIN_GROUP }}', // The AD group for MISP site administrators
+    'check_ad_groups' => {{ AZURE_CHECK_AD_GROUPS }}, // Should we check if the user belongs to one of the above AD groups?
+  ],
+  {% endif %}
   'SimpleBackgroundJobs' => [
     'enabled' => true,
     'redis_host' => '{{ REDIS_HOST }}',
@@ -142,6 +156,11 @@
     'expire' => 300,
   ],
   'Security' => [
+    {% if AZURE_LOGIN %}
+    'auth' => [
+      0 => 'AadAuth.AadAuthenticate',
+    ],
+    {% endif %}
     'force_https' => {{ 'true' if MISP_BASEURL.startswith('https://') else 'false' }},
     'csp_enforce' => true,
     'min_tls_version' => 'tlsv1_2',

bin/misp_create_configs.py

@@ -182,6 +182,16 @@ def check_is_uuid(variable_name: str, value: str):
     "JOBBER_LOG_ROTATE_TIME": Option(default="0 0 5"),
     "JOBBER_USER_CHECK_VALIDITY_TIME": Option(default="0 0 5"),
     "JOBBER_SEND_PERIODIC_SUMMARY": Option(default="0 0 6 * * 1-5"),
+    # Azure AD
+    "AZURE_LOGIN": Option(typ=bool),
+    "AZURE_CLIENT_ID": Option(),
+    "AZURE_AD_TENANT": Option(),
+    "AZURE_CLIENT_SECRET": Option(),
+    "AZURE_REDIRECT_URI": Option(validation=check_is_url),
+    "AZURE_MISP_USER_GROUP": Option(),
+    "AZURE_MISP_ORGADMIN_GROUP": Option(),
+    "AZURE_MISP_SITEADMIN_GROUP": Option(),
+    "AZURE_CHECK_AD_GROUPS": Option(typ=bool),
 }
 
 
@@ -377,7 +387,13 @@ def main():
         if "/.well-known/openid-configuration" not in variables["OIDC_PROVIDER"]:
             variables["OIDC_PROVIDER"] = f"{variables['OIDC_PROVIDER'].rstrip('/')}/.well-known/openid-configuration"
 
-    for template_name in ("database.php", "config.php", "email.php"):
+    if variables["AZURE_LOGIN"]:
+        variables["AZURE_CHECK_AD_GROUPS"] = str(variables["AZURE_CHECK_AD_GROUPS"]).lower()
+        for var in ("AZURE_CLIENT_ID", "AZURE_AD_TENANT", "AZURE_CLIENT_SECRET", "AZURE_REDIRECT_URI", "AZURE_MISP_USER_GROUP", "AZURE_MISP_ORGADMIN_GROUP", "AZURE_MISP_SITEADMIN_GROUP", "AZURE_CHECK_AD_GROUPS"):
+            if not variables[var]:
+                error(f"Azure login is enabled, but '{var}' environment variable is not set")
+
+    for template_name in ("database.php", "config.php", "email.php", "bootstrap.php"):
         path = f"/var/www/MISP/app/Config/{template_name}"
         render_jinja_template(path, variables)