Merge pull request #86 from wazuh/change/wazuh-packages-PR-2968

Solve bugs when changing passwords in the manager, indexer and dashboard services.
wazuh · Sep 30, 2024 · abfa47b · abfa47b
2 parents c2f2c70 + 1ba17d2
commit abfa47b
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 23 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 
 ### Changed
 
+- Solve bugs when changing passwords in the manager, indexer and dashboard services. ([#86](https://github.com/wazuh/wazuh-installation-assistant/pull/86))
 - Fixed typo in Wazuh Installation Assistant. ([#85](https://github.com/wazuh/wazuh-installation-assistant/pull/85))
 - Print on console the wazuh user's password when installing Wazuh server. ([#84](https://github.com/wazuh/wazuh-installation-assistant/pull/84))
 - Improved service status and output management in Installation assistant. ([#82](https://github.com/wazuh/wazuh-installation-assistant/pull/82))

diff --git a/passwords_tool/passwordsFunctions.sh b/passwords_tool/passwordsFunctions.sh
@@ -14,6 +14,7 @@ function passwords_changePassword() {
             eval "cp /etc/wazuh-indexer/opensearch-security/* /etc/wazuh-indexer/backup/ ${debug}"
             passwords_createBackUp
         fi
+
         for i in "${!passwords[@]}"
         do
             if [ -n "${indexer_installed}" ] && [ -f "/etc/wazuh-indexer/backup/internal_users.yml" ]; then
@@ -61,6 +62,8 @@ function passwords_changePassword() {
             common_logger "The filebeat.yml file has been updated to use the Filebeat Keystore username and password."
             passwords_restartService "filebeat"
             eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}"
+            common_logger -nl $"The new password for Filebeat is ${adminpass}"
+
             passwords_restartService "wazuh-manager"
         fi
     fi
@@ -77,15 +80,22 @@ function passwords_changePassword() {
                 echo "${conf}" > /etc/wazuh-dashboard/opensearch_dashboards.yml
             fi
             passwords_restartService "wazuh-dashboard"
+
+            if [ -z "${indexer_installed}" ]; then
+                # only for when the indexer is not installed, so as not to put the same information several times.
+                common_logger -nl $"The password for the kibanaserver user in the dashboard has been updated to $dashpass"
+            fi
         fi
     fi
 
 }
 
 function passwords_changePasswordApi() {
     #Change API password tool
-    if [ -n "${changeall}" ]; then
+    if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
         wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml)
+    fi
+    if [ -n "${changeall}" ]; then
         for i in "${!api_passwords[@]}"; do
             if [ -n "${wazuh_installed}" ]; then
                 passwords_getApiUserId "${api_users[i]}"
@@ -125,8 +135,16 @@ function passwords_changeDashboardApiPassword() {
     until [ -n "${file_exists}" ] || [ "${j}" -eq "12" ]; do
         if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
             eval "sed -i 's|password: .*|password: \"${1}\"|g' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ${debug}"
+            # Restart the service only if we change the api password. If we change all, the service is restarted when changing the kibanaserver password.
+            if [ -z "${changeall}" ]; then
+                passwords_restartService "wazuh-dashboard"
+            fi
             if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then
-                common_logger "Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service."
+                if [ -z "${wazuh_installed}" ]; then
+                    common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'."
+                else
+                    common_logger "Updated wazuh-wui user password in wazuh dashboard."
+                fi
             fi
             file_exists=1
         fi
@@ -138,20 +156,20 @@ function passwords_changeDashboardApiPassword() {
 
 function passwords_checkUser() {
 
-    if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
+    if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then
         for i in "${!api_users[@]}"; do
             if [ "${api_users[i]}" == "${nuser}" ]; then
                 exists=1
             fi
         done
-    else
-        for i in "${!users[@]}"; do
-            if [ "${users[i]}" == "${nuser}" ]; then
-                exists=1
-            fi
-        done
     fi
 
+    for i in "${!users[@]}"; do
+        if [ "${users[i]}" == "${nuser}" ]; then
+            exists=1
+        fi
+    done
+
     if [ -z "${exists}" ]; then
         common_logger -e "The given user does not exist"
         exit 1;
@@ -483,7 +501,7 @@ For Wazuh API users, the file must have this format:
             fi
         done
 
-        if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
+        if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; } then
             for j in "${!fileapiusers[@]}"; do
                 supported=false
                 for i in "${!api_users[@]}"; do
@@ -512,11 +530,28 @@ For Wazuh API users, the file must have this format:
 
 }
 
+function passwords_readDashboardUsers() {
+
+    wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml)
+
+    api_users=("$wazuh_yml_user")
+
+    if [ -z "${indexer_installed}" ]; then
+        users+=("kibanaserver")
+    fi
+
+}
+
 function passwords_readUsers() {
 
-    passwords_updateInternalUsers
-    susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }')
-    mapfile -t users <<< "${susers[@]}"
+    if [ -n "${indexer_installed}" ]; then
+        passwords_updateInternalUsers
+        susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }')
+        mapfile -t users <<< "${susers[@]}"
+    elif  [ -n "${wazuh_installed}" ]; then
+        # Only need the user admin for Filebeat connection
+        users=("admin")
+    fi
 
 }
 

diff --git a/passwords_tool/passwordsMain.sh b/passwords_tool/passwordsMain.sh
@@ -228,7 +228,9 @@ function main() {
                 passwords_getApiToken
                 passwords_getApiUsers
                 passwords_getApiIds
-            elif [ -n "${indexer_installed}" ]; then
+            elif [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; then
+                passwords_readDashboardUsers
+            elif [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then
                 passwords_readUsers
             fi
             passwords_checkUser
@@ -242,18 +244,23 @@ function main() {
         if [ -n "${nuser}" ] && [ -n "${password}" ]; then
             passwords_checkPassword "${password}"
         fi
-        
+
 
         if [ -n "${changeall}" ] || [ -n "${p_file}" ]; then
-            if [ -n "${indexer_installed}" ]; then
+            if [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then
                 passwords_readUsers
             fi
-            if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
-                passwords_getApiToken
-                passwords_getApiUsers
-                passwords_getApiIds
-            else
-                common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed."
+
+            if [ -n "${wazuh_installed}" ]; then
+                if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
+                    passwords_getApiToken
+                    passwords_getApiUsers
+                    passwords_getApiIds
+                else
+                    common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed."
+                fi
+            elif  [ -n "${dashboard_installed}" ]; then
+                passwords_readDashboardUsers
             fi
             if [ -n "${changeall}" ]; then
                 passwords_generatePassword
@@ -272,8 +279,13 @@ function main() {
             passwords_runSecurityAdmin
         fi
 
+        # Call the function to change the password for filebeat and/or kibanaserver
+        if [ -z "${indexer_installed}" ] && { [ -n "${wazuh_installed}" ] || [ -n "${dashboard_installed}" ]; }; then
+            passwords_changePassword
+        fi
+
         if [ -n "${api}" ] || [ -n "${changeall}" ]; then
-            if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
+            if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then
                 passwords_changePasswordApi
             fi
         fi