From d548e8015184d3baf081b801354a7224f582b9f7 Mon Sep 17 00:00:00 2001 From: Jack Sheriff <> Date: Fri, 15 Sep 2023 12:11:09 -0400 Subject: [PATCH 1/4] Add info on configuring workbench to use OIDC authentication. --- README.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.md b/README.md index a4df2a53..103799bb 100644 --- a/README.md +++ b/README.md @@ -108,6 +108,41 @@ Sample configuration file setting the server port and database url: } ``` +### Configuring Workbench to Enable OIDC Authentication for Users + +Workbench supports OIDC authentication for users, allowing you to integrate Workbench with your organization's authentication system. + +#### Registering with the OIDC Server + +In order to use OIDC authentication, your Workbench instance must be registered with your organization's OIDC authentication server. +The details depend on your authentication server, but the following values should cover most of what you need: + +* Workbench uses the *Authorization Code Flow* for authenticating users +* Claims: + +| claim | required | description | +|------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------| +| **email** | yes | Identifies the user account associated with an authenticated user | +| **preferred_username** | no | If present, the `preferred_username` claim is used to set the `name` property of the user account when the user initially registers with Workbench | +| **name** | no | If present, the `name` claim is used to set the `displayName` property of the user account when the user initially registers with Workbench | + +* Grant Types: *Client Credentials*, *Authorization Code* and *Refresh Token* +* Redirect URL: `/api/authn/oidc/callback` + +After registering with the OIDC authentication system, you will need the `client_id` and `client_secret` assigned as part of that process. +You will also need the Issuer URL for the OIDC Identity Server. + +#### Workbench Configuration + +Configuring Workbench to use OIDC can be done using environment variables or the corresponding properties in a configuration file. + +| environment variable | required | description | configuration file property name | +|--------------------------------|----------|-------------------------------------------------------------------------------------------------------|----------------------------------| +| **AUTHN_MECHANISM** | yes | Must be set to `oidc` | userAuthn.mechanism | +| **AUTHN_OIDC_CLIENT_ID** | yes | Client ID assigned to the Workbench instance when registering with the OIDC authentication system | userAuthn.oidc.clientId | +| **AUTHN_OIDC_CLIENT_SECRET** | yes | Client secret assigned to the Workbench instance when registering with the OIDC authentication system | userAuthn.oidc.clientSecret | +| **AUTHN_OIDC_ISSUER_URL** | yes | Issuer URL for the Identity Server | userAuthn.oidc.issuerUrl | +| **AUTHN_OIDC_REDIRECT_ORIGIN** | yes | URL for the Workbench host | userAuthn.oidc.redirectOrigin | ##### Step 4. Run the app From 96671669a5815ed56347fe356d6ee2747d9b4159 Mon Sep 17 00:00:00 2001 From: Jack Sheriff <> Date: Fri, 15 Sep 2023 12:15:46 -0400 Subject: [PATCH 2/4] Fix placement of new README content. --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 103799bb..8c0965ec 100644 --- a/README.md +++ b/README.md @@ -108,6 +108,12 @@ Sample configuration file setting the server port and database url: } ``` +##### Step 4. Run the app + +``` +node ./bin/www +``` + ### Configuring Workbench to Enable OIDC Authentication for Users Workbench supports OIDC authentication for users, allowing you to integrate Workbench with your organization's authentication system. @@ -144,12 +150,6 @@ Configuring Workbench to use OIDC can be done using environment variables or the | **AUTHN_OIDC_ISSUER_URL** | yes | Issuer URL for the Identity Server | userAuthn.oidc.issuerUrl | | **AUTHN_OIDC_REDIRECT_ORIGIN** | yes | URL for the Workbench host | userAuthn.oidc.redirectOrigin | -##### Step 4. Run the app - -``` -node ./bin/www -``` - ## Scripts `package.json` contains a number of scripts that can be used to perform recurring tasks. From d87bdecad9badcc5bfdb832b1ce8590717f800c1 Mon Sep 17 00:00:00 2001 From: Jack Sheriff <> Date: Fri, 15 Sep 2023 12:17:46 -0400 Subject: [PATCH 3/4] Fix lint warnings. --- app/services/recent-activity-service.js | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/app/services/recent-activity-service.js b/app/services/recent-activity-service.js index 41d6f164..0800127b 100644 --- a/app/services/recent-activity-service.js +++ b/app/services/recent-activity-service.js @@ -4,8 +4,6 @@ const AttackObject = require('../models/attack-object-model'); const Relationship = require('../models/relationship-model'); const identitiesService = require('./identities-service'); -const logger = require('../lib/logger'); - const { lastUpdatedByQueryHelper } = require('../lib/request-parameter-helper'); const errors = { @@ -50,7 +48,7 @@ exports.retrieveAll = async function(options) { aggregation.push({ $match: query }); // Retrieve the documents - let objectDocuments = await AttackObject.aggregate(aggregation); + const objectDocuments = await AttackObject.aggregate(aggregation); // Lookup source/target refs for relationships aggregation.push({ @@ -69,8 +67,8 @@ exports.retrieveAll = async function(options) { as: 'target_objects' } }); - let relationshipDocuments = await Relationship.aggregate(aggregation); - let documents = objectDocuments.concat(relationshipDocuments); + const relationshipDocuments = await Relationship.aggregate(aggregation); + const documents = objectDocuments.concat(relationshipDocuments); // Sort by most recent documents.sort((a, b) => b.stix.modified - a.stix.modified); From 761c30eede55876bb4de78dcb7a481236da4c5fd Mon Sep 17 00:00:00 2001 From: Jack Sheriff <> Date: Fri, 15 Sep 2023 12:56:34 -0400 Subject: [PATCH 4/4] Update mongoose to address Snyk warning. --- package-lock.json | 166 +++++++++++++++++----------------------------- package.json | 2 +- 2 files changed, 63 insertions(+), 105 deletions(-) diff --git a/package-lock.json b/package-lock.json index bca931ea..bdd9bcee 100644 --- a/package-lock.json +++ b/package-lock.json @@ -25,7 +25,7 @@ "jwt-decode": "^3.1.2", "lodash": "^4.17.21", "migrate-mongo": "^9.0.0", - "mongoose": "^6.5.1", + "mongoose": "^6.12.0", "morgan": "^1.10.0", "nanoid": "^3.3.6", "node-cache": "^5.1.2", @@ -1493,6 +1493,15 @@ "resolved": "https://registry.npmjs.org/@jsdevtools/ono/-/ono-7.1.3.tgz", "integrity": "sha512-4JQNk+3mVzK3xh2rqd6RB4J46qUR19azEHBneZyTZM+c456qOrbbM/5xcR8huNCCcbVt7+UmizG6GuUvPvKUYg==" }, + "node_modules/@mongodb-js/saslprep": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@mongodb-js/saslprep/-/saslprep-1.1.0.tgz", + "integrity": "sha512-Xfijy7HvfzzqiOAhAepF4SGN5e9leLkMvg/OPOF97XemjfVCYN/oWa75wnkc6mltMSTwY+XlbhWgUOJmkFspSw==", + "optional": true, + "dependencies": { + "sparse-bitfield": "^3.0.3" + } + }, "node_modules/@nodelib/fs.scandir": { "version": "2.1.5", "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", @@ -4508,9 +4517,12 @@ "integrity": "sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A==" }, "node_modules/kareem": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/kareem/-/kareem-2.4.1.tgz", - "integrity": "sha512-aJ9opVoXroQUPfovYP5kaj2lM7Jn02Gw13bL0lg9v0V7SaUc0qavPs0Eue7d2DcC3NjqI6QAUElXNsuZSeM+EA==" + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/kareem/-/kareem-2.5.1.tgz", + "integrity": "sha512-7jFxRVm+jD+rkq3kY0iZDJfsO2/t4BBPeEb2qKn2lR/9KhuksYk5hxzfRYWMPV8P/x2d0kHD306YyWLzjjH+uA==", + "engines": { + "node": ">=12.0.0" + } }, "node_modules/kuler": { "version": "2.0.0", @@ -5090,12 +5102,12 @@ } }, "node_modules/mongodb": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-4.14.0.tgz", - "integrity": "sha512-coGKkWXIBczZPr284tYKFLg+KbGPPLlSbdgfKAb6QqCFt5bo5VFZ50O3FFzsw4rnkqjwT6D8Qcoo9nshYKM7Mg==", + "version": "4.17.1", + "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-4.17.1.tgz", + "integrity": "sha512-MBuyYiPUPRTqfH2dV0ya4dcr2E5N52ocBuZ8Sgg/M030nGF78v855B3Z27mZJnp8PxjnUquEnAtjOsphgMZOlQ==", "dependencies": { - "bson": "^4.7.0", - "mongodb-connection-string-url": "^2.5.4", + "bson": "^4.7.2", + "mongodb-connection-string-url": "^2.6.0", "socks": "^2.7.1" }, "engines": { @@ -5103,7 +5115,7 @@ }, "optionalDependencies": { "@aws-sdk/credential-providers": "^3.186.0", - "saslprep": "^1.0.3" + "@mongodb-js/saslprep": "^1.1.0" } }, "node_modules/mongodb-connection-string-url": { @@ -5209,17 +5221,17 @@ "dev": true }, "node_modules/mongoose": { - "version": "6.5.1", - "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.5.1.tgz", - "integrity": "sha512-8C0213y279nrSp6Au+WB+l/VczcotMU65jalTJJxU6KYf/Kd8gNW9+B3giWNJOVd8VvKvUQG0suWv/Vngp/83A==", + "version": "6.12.0", + "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.12.0.tgz", + "integrity": "sha512-sd/q83C6TBRPBrrD2A/POSbA/exbCFM2WOuY7Lf2JuIJFlHFG39zYSDTTAEiYlzIfahNOLmXPxBGFxdAch41Mw==", "dependencies": { - "bson": "^4.6.5", - "kareem": "2.4.1", - "mongodb": "4.8.1", + "bson": "^4.7.2", + "kareem": "2.5.1", + "mongodb": "4.17.1", "mpath": "0.9.0", "mquery": "4.0.3", "ms": "2.1.3", - "sift": "16.0.0" + "sift": "16.0.1" }, "engines": { "node": ">=12.0.0" @@ -5229,31 +5241,6 @@ "url": "https://opencollective.com/mongoose" } }, - "node_modules/mongoose/node_modules/denque": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz", - "integrity": "sha512-HVQE3AAb/pxF8fQAoiqpvg9i3evqug3hoiwakOyZAwJm+6vZehbkYXZ0l4JxS+I3QxM97v5aaRNhj8v5oBhekw==", - "engines": { - "node": ">=0.10" - } - }, - "node_modules/mongoose/node_modules/mongodb": { - "version": "4.8.1", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-4.8.1.tgz", - "integrity": "sha512-/NyiM3Ox9AwP5zrfT9TXjRKDJbXlLaUDQ9Rg//2lbg8D2A8GXV0VidYYnA/gfdK6uwbnL4FnAflH7FbGw3TS7w==", - "dependencies": { - "bson": "^4.6.5", - "denque": "^2.0.1", - "mongodb-connection-string-url": "^2.5.2", - "socks": "^2.6.2" - }, - "engines": { - "node": ">=12.9.0" - }, - "optionalDependencies": { - "saslprep": "^1.0.3" - } - }, "node_modules/mongoose/node_modules/ms": { "version": "2.1.3", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", @@ -6077,18 +6064,6 @@ "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, - "node_modules/saslprep": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/saslprep/-/saslprep-1.0.3.tgz", - "integrity": "sha512-/MY/PEMbk2SuY5sScONwhUDsV2p77Znkb/q3nSVstq/yQzYJOH/Azh29p9oJLsl3LnQwSvZDKagDGBsBwSooag==", - "optional": true, - "dependencies": { - "sparse-bitfield": "^3.0.3" - }, - "engines": { - "node": ">=6" - } - }, "node_modules/semver": { "version": "7.5.4", "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", @@ -6244,9 +6219,9 @@ } }, "node_modules/sift": { - "version": "16.0.0", - "resolved": "https://registry.npmjs.org/sift/-/sift-16.0.0.tgz", - "integrity": "sha512-ILTjdP2Mv9V1kIxWMXeMTIRbOBrqKc4JAXmFMnFq3fKeyQ2Qwa3Dw1ubcye3vR+Y6ofA0b9gNDr/y2t6eUeIzQ==" + "version": "16.0.1", + "resolved": "https://registry.npmjs.org/sift/-/sift-16.0.1.tgz", + "integrity": "sha512-Wv6BjQ5zbhW7VFefWusVP33T/EM0vYikCaQ2qR8yULbsilAT8/wQaXvuQ3ptGLpoKx+lihJE3y2UTgKDyyNHZQ==" }, "node_modules/signal-exit": { "version": "3.0.3", @@ -6313,7 +6288,7 @@ "node_modules/sparse-bitfield": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/sparse-bitfield/-/sparse-bitfield-3.0.3.tgz", - "integrity": "sha1-/0rm5oZWBWuks+eSqzM004JzyhE=", + "integrity": "sha512-kvzhi7vqKTfkh0PZU+2D2PIllw2ymqJKujUcyPMd9Y75Nv4nPbGJZXNhxsgdQab2BmlDct1YnfQCguEvHr7VsQ==", "optional": true, "dependencies": { "memory-pager": "^1.0.2" @@ -8149,6 +8124,15 @@ "resolved": "https://registry.npmjs.org/@jsdevtools/ono/-/ono-7.1.3.tgz", "integrity": "sha512-4JQNk+3mVzK3xh2rqd6RB4J46qUR19azEHBneZyTZM+c456qOrbbM/5xcR8huNCCcbVt7+UmizG6GuUvPvKUYg==" }, + "@mongodb-js/saslprep": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/@mongodb-js/saslprep/-/saslprep-1.1.0.tgz", + "integrity": "sha512-Xfijy7HvfzzqiOAhAepF4SGN5e9leLkMvg/OPOF97XemjfVCYN/oWa75wnkc6mltMSTwY+XlbhWgUOJmkFspSw==", + "optional": true, + "requires": { + "sparse-bitfield": "^3.0.3" + } + }, "@nodelib/fs.scandir": { "version": "2.1.5", "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz", @@ -10462,9 +10446,9 @@ "integrity": "sha512-UfpWE/VZn0iP50d8cz9NrZLM9lSWhcJ+0Gt/nm4by88UL+J1SiKN8/5dkjMmbEzwL2CAe+67GsegCbIKtbp75A==" }, "kareem": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/kareem/-/kareem-2.4.1.tgz", - "integrity": "sha512-aJ9opVoXroQUPfovYP5kaj2lM7Jn02Gw13bL0lg9v0V7SaUc0qavPs0Eue7d2DcC3NjqI6QAUElXNsuZSeM+EA==" + "version": "2.5.1", + "resolved": "https://registry.npmjs.org/kareem/-/kareem-2.5.1.tgz", + "integrity": "sha512-7jFxRVm+jD+rkq3kY0iZDJfsO2/t4BBPeEb2qKn2lR/9KhuksYk5hxzfRYWMPV8P/x2d0kHD306YyWLzjjH+uA==" }, "kuler": { "version": "2.0.0", @@ -10908,14 +10892,14 @@ } }, "mongodb": { - "version": "4.14.0", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-4.14.0.tgz", - "integrity": "sha512-coGKkWXIBczZPr284tYKFLg+KbGPPLlSbdgfKAb6QqCFt5bo5VFZ50O3FFzsw4rnkqjwT6D8Qcoo9nshYKM7Mg==", + "version": "4.17.1", + "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-4.17.1.tgz", + "integrity": "sha512-MBuyYiPUPRTqfH2dV0ya4dcr2E5N52ocBuZ8Sgg/M030nGF78v855B3Z27mZJnp8PxjnUquEnAtjOsphgMZOlQ==", "requires": { "@aws-sdk/credential-providers": "^3.186.0", - "bson": "^4.7.0", - "mongodb-connection-string-url": "^2.5.4", - "saslprep": "^1.0.3", + "@mongodb-js/saslprep": "^1.1.0", + "bson": "^4.7.2", + "mongodb-connection-string-url": "^2.6.0", "socks": "^2.7.1" } }, @@ -11002,36 +10986,19 @@ } }, "mongoose": { - "version": "6.5.1", - "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.5.1.tgz", - "integrity": "sha512-8C0213y279nrSp6Au+WB+l/VczcotMU65jalTJJxU6KYf/Kd8gNW9+B3giWNJOVd8VvKvUQG0suWv/Vngp/83A==", + "version": "6.12.0", + "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-6.12.0.tgz", + "integrity": "sha512-sd/q83C6TBRPBrrD2A/POSbA/exbCFM2WOuY7Lf2JuIJFlHFG39zYSDTTAEiYlzIfahNOLmXPxBGFxdAch41Mw==", "requires": { - "bson": "^4.6.5", - "kareem": "2.4.1", - "mongodb": "4.8.1", + "bson": "^4.7.2", + "kareem": "2.5.1", + "mongodb": "4.17.1", "mpath": "0.9.0", "mquery": "4.0.3", "ms": "2.1.3", - "sift": "16.0.0" + "sift": "16.0.1" }, "dependencies": { - "denque": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz", - "integrity": "sha512-HVQE3AAb/pxF8fQAoiqpvg9i3evqug3hoiwakOyZAwJm+6vZehbkYXZ0l4JxS+I3QxM97v5aaRNhj8v5oBhekw==" - }, - "mongodb": { - "version": "4.8.1", - "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-4.8.1.tgz", - "integrity": "sha512-/NyiM3Ox9AwP5zrfT9TXjRKDJbXlLaUDQ9Rg//2lbg8D2A8GXV0VidYYnA/gfdK6uwbnL4FnAflH7FbGw3TS7w==", - "requires": { - "bson": "^4.6.5", - "denque": "^2.0.1", - "mongodb-connection-string-url": "^2.5.2", - "saslprep": "^1.0.3", - "socks": "^2.6.2" - } - }, "ms": { "version": "2.1.3", "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", @@ -11633,15 +11600,6 @@ "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, - "saslprep": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/saslprep/-/saslprep-1.0.3.tgz", - "integrity": "sha512-/MY/PEMbk2SuY5sScONwhUDsV2p77Znkb/q3nSVstq/yQzYJOH/Azh29p9oJLsl3LnQwSvZDKagDGBsBwSooag==", - "optional": true, - "requires": { - "sparse-bitfield": "^3.0.3" - } - }, "semver": { "version": "7.5.4", "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", @@ -11765,9 +11723,9 @@ } }, "sift": { - "version": "16.0.0", - "resolved": "https://registry.npmjs.org/sift/-/sift-16.0.0.tgz", - "integrity": "sha512-ILTjdP2Mv9V1kIxWMXeMTIRbOBrqKc4JAXmFMnFq3fKeyQ2Qwa3Dw1ubcye3vR+Y6ofA0b9gNDr/y2t6eUeIzQ==" + "version": "16.0.1", + "resolved": "https://registry.npmjs.org/sift/-/sift-16.0.1.tgz", + "integrity": "sha512-Wv6BjQ5zbhW7VFefWusVP33T/EM0vYikCaQ2qR8yULbsilAT8/wQaXvuQ3ptGLpoKx+lihJE3y2UTgKDyyNHZQ==" }, "signal-exit": { "version": "3.0.3", @@ -11816,7 +11774,7 @@ "sparse-bitfield": { "version": "3.0.3", "resolved": "https://registry.npmjs.org/sparse-bitfield/-/sparse-bitfield-3.0.3.tgz", - "integrity": "sha1-/0rm5oZWBWuks+eSqzM004JzyhE=", + "integrity": "sha512-kvzhi7vqKTfkh0PZU+2D2PIllw2ymqJKujUcyPMd9Y75Nv4nPbGJZXNhxsgdQab2BmlDct1YnfQCguEvHr7VsQ==", "optional": true, "requires": { "memory-pager": "^1.0.2" diff --git a/package.json b/package.json index e97c93ba..aab61826 100644 --- a/package.json +++ b/package.json @@ -50,7 +50,7 @@ "jwt-decode": "^3.1.2", "lodash": "^4.17.21", "migrate-mongo": "^9.0.0", - "mongoose": "^6.5.1", + "mongoose": "^6.12.0", "morgan": "^1.10.0", "nanoid": "^3.3.6", "node-cache": "^5.1.2",