Merge pull request #1663 from wazuh/improve-password-tool-api-features

Improve password tool api features
wazuh · Jun 28, 2022 · 9e1ee10 · 9e1ee10
2 parents cd33804 + e1b90ba
commit 9e1ee10
Show file tree

Hide file tree

Showing 8 changed files with 394 additions and 158 deletions.
diff --git a/tests/unattended/install/test_unattended.py b/tests/unattended/install/test_unattended.py
@@ -36,7 +36,13 @@ def get_password(username):
         while pass_dict["username"] != username:
             for i in range(4):
                 tmp_yaml+=pass_file.readline()
-            pass_dict=yaml.safe_load(tmp_yaml)
+            tmp_dict=yaml.safe_load(tmp_yaml)
+            if 'indexer_username' in tmp_dict:
+                pass_dict["username"]=tmp_dict["indexer_username"]
+                pass_dict["password"]=tmp_dict["indexer_password"]
+            if 'api_username' in tmp_dict:
+                pass_dict["username"]=tmp_dict["api_username"]
+                pass_dict["password"]=tmp_dict["api_password"]
     return pass_dict["password"]
 
 def get_wazuh_version():

diff --git a/unattended_installer/install_functions/checks.sh b/unattended_installer/install_functions/checks.sh
@@ -37,7 +37,7 @@ function checks_arguments() {
 
     # -------------- Overwrite --------------------------------------
 
-    if [ -n "${overwrite}" ] && [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ]; then 
+    if [ -n "${overwrite}" ] && [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ]; then
         common_logger -e "The argument -o|--overwrite must be used in conjunction with -a|--all-in-one, -wd|--wazuh-dashboard, -wi|--wazuh-indexer, or -ws|--wazuh-server."
         exit 1
     fi
@@ -86,7 +86,7 @@ function checks_arguments() {
             common_logger -e "Wazuh manager already installed."
             installedComponent=1
         fi
-        if [ -z "${overwrite}" ] && ([ -n "${indexer_installed}" ] || [ -n "${indexer_remaining_files}" ]);then 
+        if [ -z "${overwrite}" ] && ([ -n "${indexer_installed}" ] || [ -n "${indexer_remaining_files}" ]);then
             common_logger -e "Wazuh indexer already installed."
             installedComponent=1
         fi
@@ -113,7 +113,7 @@ function checks_arguments() {
             if [ -n "${overwrite}" ]; then
                 installCommon_rollBack
             else
-                common_logger -e "Wazuh indexer is already installed in this node or some of its files haven't been erased. Use option -o|--overwrite to overwrite all components."
+                common_logger -e "Wazuh indexer is already installed in this node or some of its files have not been removed. Use option -o|--overwrite to overwrite all components."
                 exit 1
             fi
         fi
@@ -126,7 +126,7 @@ function checks_arguments() {
             if [ -n "${overwrite}" ]; then
                 installCommon_rollBack
             else
-                common_logger -e "Wazuh dashboard is already installed in this node or some of its files haven't been erased. Use option -o|--overwrite to overwrite all components."
+                common_logger -e "Wazuh dashboard is already installed in this node or some of its files have not been removed. Use option -o|--overwrite to overwrite all components."
                 exit 1
             fi
         fi
@@ -135,20 +135,11 @@ function checks_arguments() {
     # -------------- Wazuh ------------------------------------------
 
     if [ -n "${wazuh}" ]; then
-        if [ -n "${wazuh_installed}" ] || [ -n "${wazuh_remaining_files}" ]; then
+        if [ -n "${wazuh_installed}" ] || [ -n "${wazuh_remaining_files}" ] || [ -n "${filebeat_installed}" ] || [ -n "${filebeat_remaining_files}" ]; then
             if [ -n "${overwrite}" ]; then
                 installCommon_rollBack
             else
-                common_logger -e "Wazuh is already installed in this node or some of its files haven't been erased. Use option -o|--overwrite to overwrite all components."
-                exit 1
-            fi
-        fi
-
-        if [ -n "${filebeat_installed}" ] || [ -n "${filebeat_remaining_files}" ]; then
-            if [ -n "${overwrite}" ]; then
-                installCommon_rollBack
-            else
-                common_logger -e "Filebeat is already installed in this node or some of its files haven't been erased. Use option -o|--overwrite to overwrite all components."
+                common_logger -e "Wazuh server components (wazuh-manager and filebeat) are already installed in this node or some of their files have not been removed. Use option -o|--overwrite to overwrite all components."
                 exit 1
             fi
         fi
@@ -171,7 +162,7 @@ function checks_arguments() {
     if [ -n "${force}" ] && [ -z  "${dashboard}" ]; then
         common_logger -e "The -fd|--force-install-dashboard argument needs to be used alongside -wd|--wazuh-dashboard."
         exit 1
-    fi 
+    fi
 
 }
 
@@ -190,22 +181,22 @@ function check_dist() {
         if [ "${DIST_VER}" == "16" ] || [ "${DIST_VER}" == "18" ] ||
            [ "${DIST_VER}" == "20" ] || [ "${DIST_VER}" == "22" ]; then
             if [ "${DIST_SUBVER}" != "04" ]; then
-                notsupported=1             
+                notsupported=1
             fi
         else
             notsupported=1
         fi
     fi
     if [ -n "${notsupported}" ] && [ -z "${ignore}" ]; then
-        common_logger -e "The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system doesn't match this list. Use -i|--ignore-check to skip this check."
+        common_logger -e "The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check."
         exit 1
     fi
 }
 
 function checks_health() {
 
     logger "Verifying that your system meets the recommended minimum hardware requirements."
-    
+
     checks_specifications
 
     if [ -n "${indexer}" ]; then

diff --git a/unattended_installer/install_functions/dashboard.sh b/unattended_installer/install_functions/dashboard.sh
@@ -154,8 +154,6 @@ function dashboard_initialize() {
         fi
     fi
 
-    passwords_updateDashboard_WUI_Password
-
 }
 
 function dashboard_initializeAIO() {
@@ -172,8 +170,6 @@ function dashboard_initializeAIO() {
         exit 1
     fi
 
-    passwords_updateDashboard_WUI_Password
-
     common_logger "Wazuh dashboard web application initialized."
     common_logger -nl "--- Summary ---"
     common_logger -nl "You can access the web interface https://<wazuh-dashboard-ip>\n    User: admin\n    Password: ${u_pass}"

diff --git a/unattended_installer/install_functions/installCommon.sh b/unattended_installer/install_functions/installCommon.sh
@@ -96,6 +96,38 @@ function installCommon_aptInstall() {
 
 }
 
+function installCommon_changePasswordApi() {
+
+    #Change API password tool
+    if [ -n ${changeall} ]; then
+        for i in "${!api_passwords[@]}"; do
+            if [ -n "${wazuh}" ] || [ -n "${AIO}" ]; then
+                passwords_getApiUserId "${api_users[i]}"
+                WAZUH_PASS_API='{"password":"'"${api_passwords[i]}"'"}'
+                eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_API" -H "Content-Type: application/json" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null'
+                if [ "${api_users[i]}" == "${adminUser}" ]; then
+                    sleep 1
+                    adminPassword="${api_passwords[i]}"
+                    passwords_getApiToken
+                fi
+            fi
+            if [ "${api_users[i]}" == "wazuh-wui" ] && ([ -n "${dashboard}" ] || [ -n "${AIO}" ]); then
+                passwords_changeDashboardApiPassword "${api_passwords[i]}"
+            fi
+        done
+    else
+        if [ -n "${wazuh}" ] || [ -n "${AIO}" ]; then
+            passwords_getApiUserId ${nuser}
+            WAZUH_PASS_API='{"password":"'"${password}"'"}'
+            eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_API" -H "Content-Type: application/json" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null'
+        fi
+        if [ "${nuser}" == "wazuh-wui" ] && ([ -n "${dashboard}" ] || [ -n "${AIO}" ]); then
+                passwords_changeDashboardApiPassword "${password}"
+        fi
+    fi
+
+}
+
 function installCommon_createCertificates() {
 
     if [ -n "${AIO}" ]; then
@@ -168,6 +200,13 @@ function installCommon_changePasswords() {
             changeall=1
             passwords_readUsers
         fi
+        if ([ -n "${wazuh}" ] || [ -n "${AIO}" ]) && ([ "${server_node_types[pos]}" == "master" ] || [ "${#server_node_names[@]}" -eq 1 ]); then
+            passwords_getApiToken
+            passwords_getApiUsers
+            passwords_getApiIds
+        else
+            api_users=( wazuh wazuh-wui )
+        fi
         installCommon_readPasswordFileUsers
     else
         common_logger -e "Cannot find passwords file. Exiting"
@@ -185,6 +224,12 @@ function installCommon_changePasswords() {
         passwords_runSecurityAdmin
     fi
 
+    if [ -n "${wazuh}" ] || [ -n "${dashboard}" ] || [ -n "${AIO}" ]; then
+        if [ "${server_node_types[pos]}" == "master" ] || [ "${#server_node_names[@]}" -eq 0 ] || [ -n "${dashboard_installed}" ]; then
+            installCommon_changePasswordApi
+        fi
+    fi
+
 }
 
 function installCommon_extractConfig() {
@@ -273,17 +318,21 @@ function installCommon_installPrerequisites() {
 
 function installCommon_readPasswordFileUsers() {
 
-    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc "\A(\s*username:[ \t]+[\'\"]?\w+[\'\"]?\s*password:[ \t]+[\'\"]?[A-Za-z0-9.*+?]+[\'\"]?\s*)+\Z")
+    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc "\A(\s*(indexer_username|api_username|indexer_password|api_password):[ \t]+[\'\"]?[\w.*+?-]+[\'\"]?)+\Z")
     if [[ "${filecorrect}" -ne 1 ]]; then
-        common_logger -e "The password file doesn't have a correct format or password uses invalid characters. Allowed characters: A-Za-z0-9.*+?
+        common_logger -e "The password file does not have a correct format or password uses invalid characters. Allowed characters: A-Za-z0-9.*+?
+
+For Wazuh indexer users, the file must have this format:
 
 # Description
-  username: name
-  password: password
+  indexer_username: <user>
+  indexer_password: <password>
+
+For Wazuh API users, the file must have this format:
 
-# Wazuh indexer admin user
-  username: kibanaserver
-  password: NiwXQw82pIf0dToiwczduLBnUPEvg7T0
+# Description
+  api_username: <user>
+  api_password: <password>
 
 "
 	    installCommon_rollBack
@@ -293,14 +342,21 @@ function installCommon_readPasswordFileUsers() {
     sfileusers=$(grep username: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
     sfilepasswords=$(grep password: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
 
+    sfileapiusers=$(grep api_username: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
+    sfileapipasswords=$(grep api_password: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
+
     fileusers=(${sfileusers})
     filepasswords=(${sfilepasswords})
 
+    fileapiusers=(${sfileapiusers})
+    fileapipasswords=(${sfileapipasswords})
+
     if [ -n "${changeall}" ]; then
         for j in "${!fileusers[@]}"; do
             supported=false
             for i in "${!users[@]}"; do
                 if [[ ${users[i]} == "${fileusers[j]}" ]]; then
+                    passwords_checkPassword ${filepasswords[j]}
                     passwords[i]=${filepasswords[j]}
                     supported=true
                 fi
@@ -309,10 +365,27 @@ function installCommon_readPasswordFileUsers() {
                 common_logger -e -d "The given user ${fileusers[j]} does not exist"
             fi
         done
+
+        for j in "${!fileapiusers[@]}"; do
+            supported=false
+            for i in "${!api_users[@]}"; do
+                if [[ "${api_users[i]}" == "${fileapiusers[j]}" ]]; then
+                    passwords_checkPassword ${fileapipasswords[j]}
+                    api_passwords[i]=${fileapipasswords[j]}
+                    supported=true
+                fi
+            done
+            if [ "${supported}" = false ] && [ -n "${indexer_installed}" ]; then
+                common_logger -e "The Wazuh API user ${fileapiusers[j]} does not exist"
+            fi
+        done
     else
         finalusers=()
         finalpasswords=()
 
+        finalapiusers=()
+        finalapipasswords=()
+
         if [ -n "${dashboard_installed}" ] &&  [ -n "${dashboard}" ]; then
             users=( kibanaserver admin )
         fi
@@ -325,6 +398,7 @@ function installCommon_readPasswordFileUsers() {
             supported=false
             for i in "${!users[@]}"; do
                 if [[ "${users[i]}" == "${fileusers[j]}" ]]; then
+                    passwords_checkPassword ${filepasswords[j]}
                     finalusers+=(${fileusers[j]})
                     finalpasswords+=(${filepasswords[j]})
                     supported=true
@@ -335,9 +409,26 @@ function installCommon_readPasswordFileUsers() {
             fi
         done
 
+        for j in "${!fileapiusers[@]}"; do
+            supported=false
+            for i in "${!api_users[@]}"; do
+                if [[ "${api_users[i]}" == "${fileapiusers[j]}" ]]; then
+                    passwords_checkPassword ${fileapipasswords[j]}
+                    finalapiusers+=("${fileapiusers[j]}")
+                    finalapipasswords+=("${fileapipasswords[j]}")
+                    supported=true
+                fi
+            done
+            if [ ${supported} = false ] && [ -n "${indexer_installed}" ]; then
+                common_logger -e "The Wazuh API user ${fileapiusers[j]} does not exist"
+            fi
+        done
+
         users=()
         users=(${finalusers[@]})
         passwords=(${finalpasswords[@]})
+        api_users=(${finalapiusers[@]})
+        api_passwords=(${finalapipasswords[@]})
         changeall=1
     fi
 
@@ -526,4 +617,4 @@ function installCommon_startService() {
         exit 1
     fi
 
-}
+}
diff --git a/unattended_installer/install_functions/installMain.sh b/unattended_installer/install_functions/installMain.sh
@@ -22,6 +22,9 @@ function getHelp() {
     echo -e "        -c,  --config-file <path-to-config-yml>"
     echo -e "                Path to the configuration file used to generate wazuh-install-files.tar file containing the files that will be needed for installation. By default, the Wazuh installation assistant will search for a file named config.yml in the same path as the script."
     echo -e ""
+    echo -e "        -dw,  --download-wazuh <deb|rpm>"
+    echo -e "                Download all the packages necessary for offline installation."
+    echo -e ""
     echo -e "        -fd,  --force-install-dashboard"
     echo -e "                Force Wazuh dashboard installation to continue even when it is not capable of connecting to the Wazuh indexer."
     echo -e ""
@@ -60,9 +63,6 @@ function getHelp() {
     echo -e ""
     echo -e "        -ws,  --wazuh-server <server-node-name>"
     echo -e "                Install and configure Wazuh manager and Filebeat, used for distributed deployments."
-    echo -e ""
-    echo -e "        -dw,  --download-wazuh <deb|rpm>"
-    echo -e "                Download all the packages necessary for offline installation."
     exit 1
 
 }
@@ -275,8 +275,8 @@ function main() {
 
         dashboard_install
         dashboard_configure
-        installCommon_changePasswords
         installCommon_startService "wazuh-dashboard"
+        installCommon_changePasswords
         dashboard_initialize
 
     fi
@@ -294,7 +294,6 @@ function main() {
         filebeat_install
         filebeat_configure
         installCommon_changePasswords
-        passwords_changePasswordAPI
         installCommon_startService "filebeat"
     fi
 
@@ -318,7 +317,6 @@ function main() {
         dashboard_configure
         installCommon_startService "wazuh-dashboard"
         installCommon_changePasswords
-        passwords_changePasswordAPI
         dashboard_initializeAIO
 
     fi

diff --git a/unattended_installer/install_functions/installVariables.sh b/unattended_installer/install_functions/installVariables.sh
@@ -55,3 +55,6 @@ readonly dashboard_rpm_base_url="${base_url}/yum"
 readonly dashboard_rpm_package="wazuh-dashboard-${wazuh_version}-${dashboard_revision_rpm}.x86_64.rpm"
 readonly wazuh_gpg_key="https://${bucket}/key/GPG-KEY-WAZUH"
 readonly filebeat_config_file="${resources}/tpl/wazuh/filebeat/filebeat.yml"
+
+adminUser="wazuh"
+adminPassword="wazuh"