Installation assistant Wazuh API default password change

tests/unattended/install/test_unattended.py

@@ -96,7 +96,7 @@ def get_wazuh_api_status():
     host = get_indexer_ip()
     port = 55000
     user = 'wazuh'
-    password = 'wazuh'
+    password = get_password("wazuh")
     login_endpoint = 'security/user/authenticate'
 
     login_url = f"{protocol}://{host}:{port}/{login_endpoint}"

tests/unattended/unit/suites/test-dashboard.sh

@@ -6,7 +6,7 @@ source "${base_dir}"/bach.sh
 @setup-test {
     @ignore common_logger
     k_certs_path="/etc/wazuh-dashboard/certs/"
-    wazuh_version="4.3.1"
+    wazuh_version="4.3.0"
     elasticsearch_oss_version="7.10.2"
     wazuh_kibana_plugin_revision="1"
     repobaseurl="https://packages.wazuh.com/4.x"

unattended_installer/install_functions/installCommon.sh

@@ -274,7 +274,7 @@ function installCommon_installPrerequisites() {
 
 function installCommon_readPasswordFileUsers() {
 
-    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9_\-]+\s*)+\Z')
+    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9.*+?]+\s*)+\Z')
     if [[ "${filecorrect}" -ne 1 ]]; then
         common_logger -e "The password file doesn't have a correct format.
 
@@ -527,4 +527,4 @@ function installCommon_startService() {
         exit 1
     fi
 
-}
+}

unattended_installer/install_functions/installMain.sh

@@ -290,6 +290,7 @@ function main() {
         installCommon_changePasswords
         installCommon_startService "wazuh-dashboard"
         dashboard_initialize
+        passwords_updateDashborad_WUI_Password
 
     fi
 
@@ -306,6 +307,7 @@ function main() {
         filebeat_install
         filebeat_configure
         installCommon_changePasswords
+        passwords_changePasswordAPI
         installCommon_startService "filebeat"
     fi
 
@@ -329,7 +331,10 @@ function main() {
         dashboard_configure
         installCommon_startService "wazuh-dashboard"
         installCommon_changePasswords
+        passwords_changePasswordAPI
         dashboard_initializeAIO
+        passwords_updateDashborad_WUI_Password
+
     fi
 
 # -------------- Offline case  ------------------------------------------

unattended_installer/install_functions/installVariables.sh

@@ -8,7 +8,7 @@
 
 ## Package vars
 readonly wazuh_major="4.3"
-readonly wazuh_version="4.3.1"
+readonly wazuh_version="4.3.0"
 readonly wazuh_revision_deb="1"
 readonly wazuh_revision_rpm="1"
 readonly indexer_revision_deb="1"

unattended_installer/passwords_tool/passwordsFunctions.sh

@@ -177,6 +177,7 @@ function passwords_generatePasswordFile() {
         echo "  password: ${passwords[${i}]}" >> "${gen_file}"
         echo ""	>> "${gen_file}"
     done
+    passwords_createPasswordAPI
 
 }
 
@@ -217,7 +218,7 @@ function passwords_readAdmincerts() {
 }
 
 function passwords_readFileUsers() {
-    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9_\-]+\s*)+\Z')
+    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9.*+?]+\s*)+\Z')
     if [[ "${filecorrect}" -ne 1 ]]; then
         common_logger -e "The password file doesn't have a correct format.
 
@@ -380,3 +381,82 @@ function passwords_runSecurityAdmin() {
     fi
 
 }
+
+function passwords_genereatePasswordSpecialChar() {
+
+    choose() { echo ${1:RANDOM%${#1}:1} $RANDOM; }
+    pass="$({ choose '.*+?'
+    choose '0123456789'
+    choose 'abcdefghijklmnopqrstuvwxyz'
+    choose 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+    for i in $( seq 1 $(( 20 + RANDOM % 8 )) )
+        do
+            choose '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+        done
+    } | sort -R | awk '{printf "%s",$1}')"
+
+}
+
+function passwords_createPasswordAPI() {
+
+    passwords_genereatePasswordSpecialChar
+    password_wazuh="${pass}"
+    passwords_genereatePasswordSpecialChar
+    password_wazuh_wui="${pass}"
+
+    echo "# New password for wazuh API" >> "${gen_file}"
+    echo "  username: wazuh" >> "${gen_file}"
+    echo "  password: $password_wazuh" >> "${gen_file}"
+    echo ""	>> "${gen_file}"
+    echo "# New password for wazuh-wui API" >> "${gen_file}"
+    echo "  username: wazuh_wui" >> "${gen_file}"
+    echo "  password: $password_wazuh_wui" >> "${gen_file}"
+    echo ""	>> "${gen_file}"
+
+}
+
+function passwords_changePasswordAPI() {
+
+    #Change API password tool
+
+    if [[ -n "${api}" ]]; then
+        if [[ -n "${adminAPI}" ]]; then
+        common_logger -nl $'Changing API user '${nuser}' password'
+        WAZUH_PASS_API='{"password":"'"$password"'"}'
+        TOKEN_API=$(curl -s -u "${adminUser}":"${adminPassword}" -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+        eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_API" -H "Content-Type: application/json" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${id}" -o /dev/null'
+        common_logger -nl $'API password changed'
+        common_logger -nl $'The new password for user '${nuser}' is '${password}''
+        else
+        common_logger -nl $'Changing API user '${nuser}' password'
+        WAZUH_PASS_API='{"password":"'"$password"'"}'
+        TOKEN_API=$(curl -s -u "${nuser}":"${currentPassword}" -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+        eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_API" -H "Content-Type: application/json" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${id}" -o /dev/null'
+        common_logger -nl $'API password changed'
+        common_logger -nl $'The new password for user '${nuser}' is '${password}''
+        fi
+    else
+        password_wazuh=$(< /tmp/wazuh-install-files/passwords.wazuh awk '$2 == "wazuh" {getline;print;}' | awk -F': ' '{print $2}')
+        password_wazuh_wui=$(< /tmp/wazuh-install-files/passwords.wazuh awk '$2 == "wazuh_wui" {getline;print;}' | awk -F': ' '{print $2}')
+        WAZUH_PASS='{"password":"'"$password_wazuh"'"}'
+        WAZUH_WUI_PASS='{"password":"'"$password_wazuh_wui"'"}'
+
+        TOKEN=$(curl -s -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+        eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "$WAZUH_PASS" "https://localhost:55000/security/users/1" -o /dev/null'
+
+        TOKEN_WUI=$(curl -s -u wazuh-wui:wazuh-wui -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+        eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_WUI" -H "Content-Type: application/json" -d "$WAZUH_WUI_PASS" "https://localhost:55000/security/users/2" -o /dev/null'
+    fi
+
+}
+
+function passwords_updateDashborad_WUI_Password() {
+
+    if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
+        password_wazuh_wui=$(< /tmp/wazuh-install-files/passwords.wazuh awk '$2 == "wazuh_wui" {getline;print;}' | awk -F': ' '{print $2}')
+        eval 'sed -i "s|password: wazuh-wui|password: ${password_wazuh_wui}|g" /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'
+    else
+        echo "ERROR: File /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml does not exist"
+    fi
+
+}

unattended_installer/passwords_tool/passwordsMain.sh

@@ -19,6 +19,19 @@ function getHelp() {
     echo -e "        -a,  --change-all"
     echo -e "                Changes all the Wazuh indexer user passwords and prints them on screen."
     echo -e ""
+    echo -e "        -ai,  --api <currentPassword>"
+    echo -e "                Change the Wazuh API password given the current password, it needs --id-api ,--user and --password."
+    echo -e "                If not an administrator --admin-user and --admin-password need to be provided."
+    echo -e ""
+    echo -e "        -au,  --admin-user <adminUser>"
+    echo -e "                Admin user for Wazuh API it is needed when the user given it is not an administrator"
+    echo -e ""
+    echo -e "        -ap,  --admin-password <adminPassword>"
+    echo -e "                Password for Wazuh API admin user, it is needed when the user given it is not an administrator"
+    echo -e ""
+    echo -e "        -id,  --id-api <id>"
+    echo -e "                ID for Wazuh API user to be changed"
+    echo -e ""
     echo -e "        -u,  --user <user>"
     echo -e "                Indicates the name of the user whose password will be changed."
     echo -e "                If no password specified it will generate a random one."
@@ -71,6 +84,48 @@ function main() {
                 changeall=1
                 shift 1
                 ;;
+            "-A"|"--api")
+                api=1
+                if [ -z ${2} ]; then
+                    echo "Argument --api-id needs a second argument"
+                    getHelp
+                    exit 1
+                fi
+                currentPassword=${2}
+                shift
+                shift
+                ;;
+            "-au"|"--admin-user")
+                adminAPI=1
+                if [ -z ${2} ]; then
+                    echo "Argument --admin needs a second argument"
+                    getHelp
+                    exit 1
+                fi
+                adminUser=${2}
+                shift
+                shift
+                ;;
+            "-ap"|"--admin-password")
+                if [ -z ${2} ]; then
+                    echo "Argument --admin needs a second argument"
+                    getHelp
+                    exit 1
+                fi
+                adminPassword=${2}
+                shift
+                shift
+                ;;
+            "-id"|"--id-api")
+                if [ -z ${2} ]; then
+                    echo "Argument --id-api needs a second argument"
+                    getHelp
+                    exit 1
+                fi
+                id=${2}
+                shift
+                shift
+                ;;
             "-u"|"--user")
                 if [ -z ${2} ]; then
                     echo "Argument --user needs a second argument"
@@ -155,6 +210,8 @@ function main() {
         common_checkSystem
         common_checkInstalled
 
+        if [ -z "${api}" ]; then
+
         if [ -n "${p_file}" ] && [ ! -f "${p_file}" ]; then
             getHelp
         fi
@@ -212,10 +269,20 @@ function main() {
         passwords_changePassword
         passwords_runSecurityAdmin
 
-    else
+        else
+            if [ -z "${currentPassword}" ] || [ -z "${id}" ] || [ -z "${nuser}" ] || [ -z "${password}" ]; then
+                getHelp
+                fi
 
+            if [ -n "${adminAPI}" ]; then
+                if [ -z "${currentPassword}" ] || [ -z "${id}" ] || [ -z "${nuser}" ] || [ -z "${password}" ] || [ -z "${adminUser}" ] || [ -z "${adminPassword}" ]; then
+                getHelp
+                fi
+            fi
+            passwords_changePasswordAPI
+        fi
+    else
         getHelp
-
     fi
 
 }