Installation assistant Wazuh API default password change

tests/unattended/install/test_unattended.py

@@ -96,7 +96,7 @@ def get_wazuh_api_status():
     host = get_indexer_ip()
     port = 55000
     user = 'wazuh'
-    password = 'wazuh'
+    password = get_password("wazuh")
     login_endpoint = 'security/user/authenticate'
 
     login_url = f"{protocol}://{host}:{port}/{login_endpoint}"

tests/unattended/unit/suites/test-dashboard.sh

@@ -6,7 +6,7 @@ source "${base_dir}"/bach.sh
 @setup-test {
     @ignore common_logger
     k_certs_path="/etc/wazuh-dashboard/certs/"
-    wazuh_version="4.3.1"
+    wazuh_version="4.3.0"
     elasticsearch_oss_version="7.10.2"
     wazuh_kibana_plugin_revision="1"
     repobaseurl="https://packages.wazuh.com/4.x"

unattended_installer/install_functions/installCommon.sh

@@ -274,7 +274,7 @@ function installCommon_installPrerequisites() {
 
 function installCommon_readPasswordFileUsers() {
 
-    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9_\-]+\s*)+\Z')
+    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9.*+?()[{\|]+\s*)+\Z')
     if [[ "${filecorrect}" -ne 1 ]]; then
         common_logger -e "The password file doesn't have a correct format.
 
@@ -527,4 +527,4 @@ function installCommon_startService() {
         exit 1
     fi
 
-}
+}

unattended_installer/install_functions/installMain.sh

@@ -290,6 +290,7 @@ function main() {
         installCommon_changePasswords
         installCommon_startService "wazuh-dashboard"
         dashboard_initialize
+        passwords_updateDashborad_WUI_Password
 
     fi
 
@@ -306,6 +307,7 @@ function main() {
         filebeat_install
         filebeat_configure
         installCommon_changePasswords
+        passwords_changePasswordAPI
         installCommon_startService "filebeat"
     fi
 
@@ -329,7 +331,10 @@ function main() {
         dashboard_configure
         installCommon_startService "wazuh-dashboard"
         installCommon_changePasswords
+        passwords_changePasswordAPI
         dashboard_initializeAIO
+        passwords_updateDashborad_WUI_Password
+
     fi
 
 # -------------- Offline case  ------------------------------------------

unattended_installer/install_functions/installVariables.sh

@@ -8,7 +8,7 @@
 
 ## Package vars
 readonly wazuh_major="4.3"
-readonly wazuh_version="4.3.1"
+readonly wazuh_version="4.3.0"
 readonly wazuh_revision_deb="1"
 readonly wazuh_revision_rpm="1"
 readonly indexer_revision_deb="1"

unattended_installer/passwords_tool/passwordsFunctions.sh

@@ -177,6 +177,7 @@ function passwords_generatePasswordFile() {
         echo "  password: ${passwords[${i}]}" >> "${gen_file}"
         echo ""	>> "${gen_file}"
     done
+    passwords_createPasswordAPI
 
 }
 
@@ -217,7 +218,7 @@ function passwords_readAdmincerts() {
 }
 
 function passwords_readFileUsers() {
-    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9_\-]+\s*)+\Z')
+    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9.*+?()[{\|]+\s*)+\Z')
     if [[ "${filecorrect}" -ne 1 ]]; then
         common_logger -e "The password file doesn't have a correct format.
 
@@ -380,3 +381,62 @@ function passwords_runSecurityAdmin() {
     fi
 
 }
+
+function passwords_genereatePasswordSpecialChar() {
+
+    choose() { echo ${1:RANDOM%${#1}:1} $RANDOM; }
+    pass="$({ choose '.*+?()[{\|'
+    choose '0123456789'
+    choose 'abcdefghijklmnopqrstuvwxyz'
+    choose 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+    for i in $( seq 1 $(( 20 + RANDOM % 8 )) )
+        do
+            choose '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+        done
+    } | sort -R | awk '{printf "%s",$1}')"
+
+}
+
+function passwords_createPasswordAPI() {
+
+    passwords_genereatePasswordSpecialChar
+    password_wazuh="${pass}"
+    passwords_genereatePasswordSpecialChar
+    password_wazuh_wui="${pass}"
+
+    echo "# New password for wazuh API" >> "${gen_file}"
+    echo "  username: wazuh" >> "${gen_file}"
+    echo "  password: $password_wazuh" >> "${gen_file}"
+    echo ""	>> "${gen_file}"
+    echo "# New password for wazuh-wui API" >> "${gen_file}"
+    echo "  username: wazuh_wui" >> "${gen_file}"
+    echo "  password: $password_wazuh_wui" >> "${gen_file}"
+    echo ""	>> "${gen_file}"
+
+}
+
+function passwords_changePasswordAPI() {
+
+    password_wazuh=$(< /tmp/wazuh-install-files/passwords.wazuh awk '$2 == "wazuh" {getline;print;}' | awk -F': ' '{print $2}')
+    password_wazuh_wui=$(< /tmp/wazuh-install-files/passwords.wazuh awk '$2 == "wazuh_wui" {getline;print;}' | awk -F': ' '{print $2}')
+    WAZUH_PASS='{"password":"'"$password_wazuh"'"}'
+    WAZUH_WUI_PASS='{"password":"'"$password_wazuh_wui"'"}'
+
+    TOKEN=$(curl -s -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+    eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "$WAZUH_PASS" "https://localhost:55000/security/users/1" -o /dev/null'
+
+    TOKEN_WUI=$(curl -s -u wazuh-wui:wazuh-wui -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+    eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_WUI" -H "Content-Type: application/json" -d "$WAZUH_WUI_PASS" "https://localhost:55000/security/users/2" -o /dev/null'
+
+}
+
+function passwords_updateDashborad_WUI_Password() {
+
+    if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
+        password_wazuh_wui=$(< /tmp/wazuh-install-files/passwords.wazuh awk '$2 == "wazuh_wui" {getline;print;}' | awk -F': ' '{print $2}')
+        eval 'sed -i "s|password: wazuh-wui|password: ${password_wazuh_wui}|g" /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'
+    else
+        echo "ERROR: File /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml does not exist"
+    fi
+
+}