[RORDEV-1922] audit with LDAP example

ror-demo-cluster/conf/es/log4j2.properties

@@ -81,5 +81,5 @@ logger.index_indexing_slowlog.level=trace
 logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref=index_indexing_slowlog_rolling
 logger.index_indexing_slowlog.additivity=false
 
-logger.ror.name=tech.beshu.ror.accesscontrol.blocks.rules.elasticsearch.indices
+logger.ror.name=tech.beshu.ror.accesscontrol
 logger.ror.level=info

ror-demo-cluster/conf/es/readonlyrest.yml

@@ -16,60 +16,34 @@ readonlyrest:
       kibana:
         access: admin
 
-    - name: "End users"
-      groups: ["EndUsers"]
-      indices: ["frontend_logs", "kibana_sample_data_*"]
-      kibana:
-        index: .kibana_end_@{user}
-        access: rw
-        hide_apps: ["Security", "Observability"]
-
-    - name: "Business users"
-      groups: ["BusinessUsers"]
-      indices: ["business_logs", "kibana_sample_data_*"]
-      kibana:
-        index: .kibana_business_@{user}
-        access: rw
-        hide_apps: ["Security", "Observability"]
-
-  users:
-    - username: admin
-      auth_key: admin:admin
-      groups:
-        - id: "Administrators"
-          name: "Administrators"
-        - id: "EndUsers"
-          name: "End Users"
-        - id: "BusinessUsers"
-          name: "Business Users"
-
-    - username: user1
-      auth_key: user1:test
-      groups:
-        - id: "EndUsers"
-          name: "End Users"
-        - id: "BusinessUsers"
-          name: "Business Users"
-
-    - username: user2
-      auth_key: user2:test
-      groups:
-        - id: "EndUsers"
-          name: "End Users"
-
-    - username: "*"
-      ror_kbn_auth:
-        name: "kbn1"
-        groups: ["*"]
-      groups:
-        - local_group:
-            id: "EndUsers"
-            name: "End Users"
-          external_group_ids: [ "extEndUsers" ]
-        - local_group:
-            id: "BusinessUsers"
-            name: "Business Users"
-          external_group_ids: [ "extBusinessUsers" ]
-  ror_kbn:
-    - name: kbn1
-      signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf"
+    - name: "Test 1"
+      ldap_authentication: ldap1
+      ldap_authorization:
+        name: ldap1
+        groups_or: ["Group1"]
+      indices: ["frontend_logs"]
+
+    - name: "Test 2"
+      ldap_authentication: ldap1
+      indices: ["frontend_logs"]
+
+  ldaps:
+
+    - name: ldap1
+      host: ldap
+      port: 389
+      ssl_enabled: false
+      ssl_trust_all_certs: true
+      bind_dn: "cn=admin,dc=example,dc=com"
+      bind_password: "password"
+      connection_pool_size: 10
+      connection_timeout: 10s
+      request_timeout: 10s
+      cache_ttl: 60s
+      search_user_base_DN: "dc=example,dc=com"
+      search_groups_base_DN: "dc=example,dc=com"
+      user_id_attribute: "uid"
+      unique_member_attribute: "uniqueMember"
+      group_search_filter: "(cn=*)"
+      group_name_attribute: "cn"
+      nested_groups_depth: 3

ror-demo-cluster/conf/ldap/example-com.ldif

@@ -0,0 +1,85 @@
+version: 1
+
+dn: ou=People,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: cn=User1,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: User1
+sn: User1
+uid: user1
+userPassword: test
+
+dn: cn=User2,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: User2
+sn: User2
+uid: user2
+userPassword: test
+
+dn: cn=User3,ou=People,dc=example,dc=com
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: User3
+sn: User3
+uid: user3
+userPassword: test
+
+dn: ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: Groups
+
+dn: cn=Group1,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group1
+o: Group1
+uniqueMember: cn=User1,ou=People,dc=example,dc=com
+
+dn: cn=Group2,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group2
+o: Group2
+uniqueMember: cn=User2,ou=People,dc=example,dc=com
+
+dn: cn=Group3,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group3
+o: Group3
+uniqueMember: cn=User3,ou=People,dc=example,dc=com
+
+dn: cn=Group4,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group4
+o: Group4
+uniqueMember: cn=User3,ou=People,dc=example,dc=com
+uniqueMember: cn=User2,ou=People,dc=example,dc=com
+uniqueMember: cn=User1,ou=People,dc=example,dc=com
+
+dn: cn=Group5,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group5
+o: Group5
+uniqueMember: cn=User3,ou=People,dc=example,dc=com
+
+dn: cn=Group6,ou=Groups,dc=example,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Group6
+o: Group6
+uniqueMember: cn=User3,ou=People,dc=example,dc=com

ror-demo-cluster/docker-compose.yml

@@ -99,6 +99,7 @@ services:
         condition: service_healthy
     environment:
       ELASTICSEARCH_ADDRESS: https://es-ror:9200
+      KIBANA_ADDRESS: https://kbn-ror:5601
       ELASTICSEARCH_USER: kibana
       ELASTICSEARCH_PASSWORD: kibana
     healthcheck:
@@ -112,6 +113,20 @@ services:
     networks:
       - es-ror-network
 
+  ldap:
+    image: osixia/openldap:1.3.0
+    command: [--copy-service]
+    volumes:
+      - ./conf/ldap/example-com.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/example-com.ldif
+    ports:
+      - "389:389"
+      - "636:636"
+    environment:
+      - LDAP_ADMIN_PASSWORD=password
+      - LDAP_DOMAIN=example.com
+    networks:
+      - es-ror-network
+
 networks:
   es-ror-network:
     driver: bridge

ror-demo-cluster/images/es/install-ror-es-using-file.sh

@@ -1,4 +1,4 @@
-#!/bin/bash -e
+#!/bin/bash -ex
 
 function greater_than_or_equal() {
   # Strip the -pre part (or any suffix starting with -) from both versions
@@ -14,7 +14,7 @@ fi
 
 echo "Installing ES ROR from file..."
 /usr/share/elasticsearch/bin/elasticsearch-plugin install --batch file:///tmp/ror.zip
-ROR_VERSION=$(unzip -p /tmp/ror.zip plugin-descriptor.properties | grep -oP '^version=\K.*')
+ROR_VERSION=$(unzip -p /tmp/ror.zip '*/plugin-descriptor.properties' | grep -oP '^version=\K.*')
 
 if [[ ! -v ROR_VERSION || -z "$ROR_VERSION" ]]; then
   echo "No ROR_VERSION variable is set"

shared/init-scripts/utils/lib.sh

@@ -9,23 +9,23 @@ function pick_randomly() {
 
 function putDocument() {
   if [ "$#" -ne 2 ]; then
-    echo "ERROR: Three parameters required: 1) index name, 2) document JSON string"
+    echo "ERROR: Two parameters required: 1) index name, 2) document JSON string"
     return 1
   fi
 
   if ! [ -v ELASTICSEARCH_ADDRESS ] || [ -z "$ELASTICSEARCH_ADDRESS" ]; then
     echo "ERROR: required variable ELASTICSEARCH_ADDRESS not set or empty"
-    exit 2
+    return 2
   fi
 
   if ! [ -v ELASTICSEARCH_USER ] || [ -z "$ELASTICSEARCH_USER" ]; then
     echo "ERROR: required variable ELASTICSEARCH_USER not set or empty"
-    exit 3
+    return 3
   fi
 
   if ! [ -v ELASTICSEARCH_PASSWORD ] || [ -z "$ELASTICSEARCH_PASSWORD" ]; then
     echo "ERROR: required variable ELASTICSEARCH_PASSWORD not set or empty"
-    exit 4
+    return 4
   fi
 
   INDEX_NAME=$1
@@ -48,3 +48,43 @@ set -x
 
   return 0
 }
+
+function importSavedObjects() {
+  if [ "$#" -ne 1 ]; then
+    echo "ERROR: One parameter required: 1) saved objects file"
+    return 1
+  fi
+
+  SAVED_OBJECTS_FILE=$1
+
+  if ! [ -v KIBANA_ADDRESS ] || [ -z "$KIBANA_ADDRESS" ]; then
+    echo "ERROR: required variable KIBANA_ADDRESS not set or empty"
+    return 2
+  fi
+
+  if ! [ -v ELASTICSEARCH_USER ] || [ -z "$ELASTICSEARCH_USER" ]; then
+    echo "ERROR: required variable ELASTICSEARCH_USER not set or empty"
+    return 3
+  fi
+
+  if ! [ -v ELASTICSEARCH_PASSWORD ] || [ -z "$ELASTICSEARCH_PASSWORD" ]; then
+    echo "ERROR: required variable ELASTICSEARCH_PASSWORD not set or empty"
+    return 4
+  fi
+
+  RESPONSE=$(curl -k -s -L -w "\n%{http_code}" -u "$ELASTICSEARCH_USER:$ELASTICSEARCH_PASSWORD" \
+    -X POST "$KIBANA_ADDRESS/api/saved_objects/_import?overwrite=true" \
+    -H "kbn-xsrf: true" \
+    -F "file=@${SAVED_OBJECTS_FILE}"
+  )
+
+  HTTP_STATUS=$(echo "$RESPONSE" | tail -n 1)
+  RESPONSE_BODY=$(echo "$RESPONSE" | sed \$d)
+
+  if [[ "$HTTP_STATUS" != 2* ]] ; then
+    echo "ERROR: Cannot import saved objects from file [$SAVED_OBJECTS_FILE].\nHTTP status: $HTTP_STATUS, response body: $RESPONSE_BODY"
+    return 5
+  fi
+
+  return 0
+}