Installation assistant Wazuh API default password change

tests/unattended/install/test_unattended.py

@@ -16,7 +16,6 @@
 
 # ----------------------------- Aux functions -----------------------------
 
-
 def read_services():
     services = None
     p = Popen(['/var/ossec/bin/wazuh-control', 'status'], stdin=PIPE, stdout=PIPE, stderr=PIPE)
@@ -96,7 +95,7 @@ def get_wazuh_api_status():
     host = get_indexer_ip()
     port = 55000
     user = 'wazuh'
-    password = 'wazuh'
+    password = get_password('wazuh')
     login_endpoint = 'security/user/authenticate'
 
     login_url = f"{protocol}://{host}:{port}/{login_endpoint}"
@@ -108,7 +107,6 @@ def get_wazuh_api_status():
     requests_headers = {'Content-Type': 'application/json',
                         'Authorization': f'Bearer {token}'}
     response = requests.get(f"{protocol}://{host}:{port}/?pretty=true", headers=requests_headers, verify=False)
-
     return response.json()['data']['title']
 
 # ----------------------------- Tests -----------------------------

unattended_installer/install_functions/dashboard.sh

@@ -143,17 +143,19 @@ function dashboard_initialize() {
         if [ -n "${sec_not_initialized}" ]; then
             common_logger "${flag}" "Wazuh indexer security settings not initialized. Please run the installation assistant using -s|--start-cluster in one of the wazuh indexer nodes."
         fi
-        
+
         if [ -z "${force}" ]; then
             common_logger "If you want to install Wazuh dashboard without waiting for the Wazuh indexer cluster, use the -fd option"
             installCommon_rollBack
             exit 1
         else
             common_logger -nl "--- Summary ---"
             common_logger -nl "When Wazuh dashboard is able to connect to your Wazuh indexer cluster, you can access the web interface https://${print_ip}\n    User: admin\n    Password: ${u_pass}"
-        fi       
+        fi
     fi
 
+    passwords_updateDashboard_WUI_Password
+
 }
 
 function dashboard_initializeAIO() {
@@ -170,6 +172,8 @@ function dashboard_initializeAIO() {
         exit 1
     fi
 
+    passwords_updateDashboard_WUI_Password
+
     common_logger "Wazuh dashboard web application initialized."
     common_logger -nl "--- Summary ---"
     common_logger -nl "You can access the web interface https://<wazuh-dashboard-ip>\n    User: admin\n    Password: ${u_pass}"

unattended_installer/install_functions/installCommon.sh

@@ -220,7 +220,6 @@ function installCommon_getPass() {
             u_pass=${passwords[i]}
         fi
     done
-
 }
 
 function installCommon_installPrerequisites() {
@@ -274,9 +273,9 @@ function installCommon_installPrerequisites() {
 
 function installCommon_readPasswordFileUsers() {
 
-    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9_\-]+\s*)+\Z')
+    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc "\A(\s*username:[ \t]+[\'\"]?\w+[\'\"]?\s*password:[ \t]+[\'\"]?[A-Za-z0-9.*+?]+[\'\"]?\s*)+\Z")
     if [[ "${filecorrect}" -ne 1 ]]; then
-        common_logger -e "The password file doesn't have a correct format.
+        common_logger -e "The password file doesn't have a correct format or password uses invalid characters. Allowed characters: A-Za-z0-9.*+?
 
 # Description
   username: name
@@ -287,12 +286,12 @@ function installCommon_readPasswordFileUsers() {
   password: NiwXQw82pIf0dToiwczduLBnUPEvg7T0
 
 "
-
-	    exit 1
+	    installCommon_rollBack
+        exit 1
     fi
 
-    sfileusers=$(grep username: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }')
-    sfilepasswords=$(grep password: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }')
+    sfileusers=$(grep username: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
+    sfilepasswords=$(grep password: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
 
     fileusers=(${sfileusers})
     filepasswords=(${sfilepasswords})
@@ -527,4 +526,4 @@ function installCommon_startService() {
         exit 1
     fi
 
-}
+}

unattended_installer/install_functions/installMain.sh

@@ -294,6 +294,7 @@ function main() {
         filebeat_install
         filebeat_configure
         installCommon_changePasswords
+        passwords_changePasswordAPI
         installCommon_startService "filebeat"
     fi
 
@@ -317,7 +318,9 @@ function main() {
         dashboard_configure
         installCommon_startService "wazuh-dashboard"
         installCommon_changePasswords
+        passwords_changePasswordAPI
         dashboard_initializeAIO
+
     fi
 
 # -------------- Offline case  ------------------------------------------

unattended_installer/install_functions/installVariables.sh

@@ -54,4 +54,4 @@ readonly indexer_rpm_package="wazuh-indexer-${wazuh_version}-${indexer_revision_
 readonly dashboard_rpm_base_url="${base_url}/yum"
 readonly dashboard_rpm_package="wazuh-dashboard-${wazuh_version}-${dashboard_revision_rpm}.x86_64.rpm"
 readonly wazuh_gpg_key="https://${bucket}/key/GPG-KEY-WAZUH"
-readonly filebeat_config_file="${resources}/tpl/wazuh/filebeat/filebeat.yml"
+readonly filebeat_config_file="${resources}/tpl/wazuh/filebeat/filebeat.yml"

unattended_installer/passwords_tool/passwordsFunctions.sh

@@ -139,16 +139,19 @@ function passwords_generatePassword() {
 
     if [ -n "${nuser}" ]; then
         common_logger -d "Generating random password."
-        password=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo;)
+        pass=$(< /dev/urandom tr -dc "A-Za-z0-9.*+?" | head -c ${1:-31};echo;)
+        special_char=$(< /dev/urandom tr -dc ".*+?" | head -c ${1:-1};echo;)
+        password="$(echo ${pass}${special_char} | fold -w1 | shuf | tr -d '\n')"
         if [  "${PIPESTATUS[0]}" != 0  ]; then
             common_logger -e "The password could not been generated."
             exit 1;
         fi
     else
         common_logger -d "Generating random passwords."
         for i in "${!users[@]}"; do
-            PASS=$(< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo;)
-            passwords+=("${PASS}")
+            pass=$(< /dev/urandom tr -dc "A-Za-z0-9.*+?" | head -c ${1:-31};echo;)
+            special_char=$(< /dev/urandom tr -dc ".*+?" | head -c ${1:-1};echo;)
+            passwords+=("$(echo ${pass}${special_char} | fold -w1 | shuf | tr -d '\n')")
             if [ "${PIPESTATUS[0]}" != 0 ]; then
                 common_logger -e "The password could not been generated."
                 exit 1;
@@ -159,7 +162,7 @@ function passwords_generatePassword() {
 
 function passwords_generatePasswordFile() {
 
-    users=( admin kibanaserver kibanaro logstash readall snapshotrestore wazuh_admin wazuh_user )
+    users=( admin kibanaserver kibanaro logstash readall snapshotrestore wazuh_admin wazuh_user wazuh wazuh_wui)
     user_description=(
         "Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard"
         "Wazuh dashboard user for establishing the connection with Wazuh indexer"
@@ -169,12 +172,14 @@ function passwords_generatePasswordFile() {
         "User with permissions to perform snapshot and restore operations"
         "Admin user used to communicate with Wazuh API"
         "Regular user to query Wazuh API"
+        "Password for wazuh API user"
+        "Password for wazuh-wui API user"
     )
     passwords_generatePassword
     for i in "${!users[@]}"; do
         echo "# ${user_description[${i}]}" >> "${gen_file}"
-        echo "  username: ${users[${i}]}" >> "${gen_file}"
-        echo "  password: ${passwords[${i}]}" >> "${gen_file}"
+        echo "  username: '${users[${i}]}'" >> "${gen_file}"
+        echo "  password: '${passwords[${i}]}'" >> "${gen_file}"
         echo ""	>> "${gen_file}"
     done
 
@@ -217,9 +222,10 @@ function passwords_readAdmincerts() {
 }
 
 function passwords_readFileUsers() {
-    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc '\A(\s*username:[ \t]+\w+\s*password:[ \t]+[A-Za-z0-9_\-]+\s*)+\Z')
+
+    filecorrect=$(grep -Ev '^#|^\s*$' "${p_file}" | grep -Pzc "\A(\s*username:[ \t]+[\'\"]?\w+[\'\"]?\s*password:[ \t]+[\'\"]?[A-Za-z0-9.*+?]+[\'\"]?\s*)+\Z")
     if [[ "${filecorrect}" -ne 1 ]]; then
-        common_logger -e "The password file doesn't have a correct format.
+        common_logger -e "The password file doesn't have a correct format or password uses invalid characters. Allowed characters: A-Za-z0-9.*+?
 
 It must have this format:
 
@@ -235,8 +241,8 @@ It must have this format:
 	    exit 1
     fi
 
-    sfileusers=$(grep username: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }')
-    sfilepasswords=$(grep password: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }')
+    sfileusers=$(grep username: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
+    sfilepasswords=$(grep password: "${p_file}" | awk '{ print substr( $2, 1, length($2) ) }' | sed -e "s/[\'\"]//g")
 
     fileusers=(${sfileusers})
     filepasswords=(${sfilepasswords})
@@ -380,3 +386,49 @@ function passwords_runSecurityAdmin() {
     fi
 
 }
+
+function passwords_changePasswordAPI() {
+
+    #Change API password tool
+
+    if [[ -n "${api}" ]]; then
+        if [[ -n "${adminAPI}" ]]; then
+            common_logger $"Changing API user ${nuser} password"
+            WAZUH_PASS_API='{"password":"'"$password"'"}'
+            TOKEN_API=$(curl -s -u "${adminUser}":"${adminPassword}" -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+            eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_API" -H "Content-Type: application/json" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${id}" -o /dev/null'
+            common_logger $"API password changed"
+            common_logger -nl $"The new password for user ${nuser} is ${password}"
+        else
+            common_logger $"Changing API user ${nuser} password"
+            WAZUH_PASS_API='{"password":"'"$password"'"}'
+            TOKEN_API=$(curl -s -u "${nuser}":"${currentPassword}" -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+            eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_API" -H "Content-Type: application/json" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${id}" -o /dev/null'
+            common_logger $"API password changed"
+            common_logger -nl $"The new password for user ${nuser} is ${password}"
+        fi
+    else
+        password_wazuh=$(grep -A 1 "username: 'wazuh'" "${p_file}" | tail -n1 | awk -F': ' '{print $2}' | sed -e "s/[\'\"]//g")
+        password_wazuh_wui=$(grep -A 1 "username: 'wazuh_wui'" "${p_file}" | tail -n1 | awk -F': ' '{print $2}' | sed -e "s/[\'\"]//g")
+        WAZUH_PASS='{"password":"'"$password_wazuh"'"}'
+        WAZUH_WUI_PASS='{"password":"'"$password_wazuh_wui"'"}'
+
+        TOKEN=$(curl -s -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+        eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "$WAZUH_PASS" "https://localhost:55000/security/users/1" -o /dev/null'
+
+        TOKEN_WUI=$(curl -s -u wazuh-wui:wazuh-wui -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
+        eval 'curl -s -k -X PUT -H "Authorization: Bearer $TOKEN_WUI" -H "Content-Type: application/json" -d "$WAZUH_WUI_PASS" "https://localhost:55000/security/users/2" -o /dev/null'
+    fi
+
+}
+
+function passwords_updateDashboard_WUI_Password() {
+
+    if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
+        password_wazuh_wui=$(< "${p_file}" awk '$2 == "wazuh_wui" {getline;print;}' | awk -F': ' '{print $2}')
+        eval 'sed -i "s|password: wazuh-wui|password: ${password_wazuh_wui}|g" /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml'
+    else
+        common_logger -e "File /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml does not exist"
+    fi
+
+}